rules parsing: updates emerging-all.rules 810/head
authorPhilippe Antoine <contact@catenacyber.fr>
Mon, 25 Apr 2022 14:35:14 +0000 (16:35 +0200)
committerJason Ish <jason.ish@oisf.net>
Mon, 25 Apr 2022 18:15:57 +0000 (12:15 -0600)
Refreshed from http://rules.emergingthreats.net/open/suricata-6.0/emerging-all.rules

tests/test-ruleparse-etopen-01/emerging-all.rules

index acb78abdb74ff6738c35c0e0a94c8e9b73b89fc9..6569ed5434001b0adae570fde5f287a38daf0987 100644 (file)
@@ -9,7 +9,7 @@
 #  as follows:
 #
 #*************************************************************
-#  Copyright (c) 2003-2020, Emerging Threats
+#  Copyright (c) 2003-2022, Emerging Threats
 #  All rights reserved.
 #  
 #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
@@ -246,8 +246,6 @@ alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbi
 
 #alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002928; classtype:attempted-dos; sid:2002928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED HELO Non-Displayable Characters MailEnable Denial of Service"; flow:established,to_server; content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00-\x08\x0e-\x1f]/R"; reference:cve,2006-3277; reference:bugtraq,18630; reference:url,doc.emergingthreats.net/bin/view/Main/2002998; classtype:attempted-dos; sid:2002998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -274,8 +272,6 @@ alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbi
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; classtype:attempted-admin; sid:2003369; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -318,8 +314,6 @@ alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbi
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP HP-UX LIST command without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:"LIST "; nocase; depth:5; reference:cve,2005-3296; reference:bugtraq,15138; reference:url,doc.emergingthreats.net/bin/view/Main/2002851; classtype:attempted-recon; sid:2002851; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -368,7 +362,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:8; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT "; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -498,7 +492,7 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Inj
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; classtype:bad-unknown; sid:2000017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,support.microfocus.com/kb/doc.php?id=7006374; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002886; classtype:attempted-admin; sid:2002886; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -576,18 +570,12 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; classtype:misc-attack; sid:2000342; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003198; classtype:non-standard-protocol; sid:2003198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003199; classtype:non-standard-protocol; sid:2003199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; uricontent:"/ISALogin.dll?"; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; reference:url,doc.emergingthreats.net/bin/view/Main/2003434; classtype:attempted-admin; sid:2003434; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; uricontent:".m3u"; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; classtype:attempted-admin; sid:2002062; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; classtype:attempted-recon; sid:2002068; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -696,8 +684,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 27020:27050 (msg:"ET GAMES STEAM Connec
 
 #alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 ACK"; content:"|f1 be|"; depth:2; dsize:16; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011747; classtype:policy-violation; sid:2011747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Ad Report"; flow:to_server,established; content:"GET"; offset:0; depth:3; uricontent:"/online_game/ad_report.php"; content:"|0d 0a|User-Agent|3a| GameBox"; uricontent:"protocol="; uricontent:"author="; uricontent:"login="; uricontent:"zone="; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011758; classtype:policy-violation; sid:2011758; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; classtype:protocol-command-decode; sid:2003284; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
 #alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; classtype:protocol-command-decode; sid:2003285; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
@@ -972,10 +958,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization mes
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (3)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"R0lGODlh"; depth:575; content:"AOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBgAACAACCA"; content:"AECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDAAEDAAGDAAIDA"; reference:url,doc.emergingthreats.net/2003120; classtype:misc-activity; sid:2003120; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (agtray)"; flow: to_server,established; uricontent:"/pr/agtray.txt"; nocase; reference:url,doc.emergingthreats.net/2000569; classtype:policy-violation; sid:2000569; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (autray)"; flow: to_server,established; uricontent:"/pr/autray.txt"; nocase; reference:url,doc.emergingthreats.net/2000570; classtype:policy-violation; sid:2000570; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002722; classtype:policy-violation; sid:2002722; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002723; classtype:policy-violation; sid:2002723; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -984,30 +966,10 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO I
 
 #alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Archive Download"; content:"GET /sploits/milw0rm.tar.bz2"; depth:60; flow:to_server,established; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2008524; classtype:misc-activity; sid:2008524; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> 76.74.9.19 $HTTP_PORTS (msg:"ET DELETED Packetstormsecurity Exploits Of The Month Download"; content:"GET /"; uricontent:"-exploits.tgz"; depth:70; flow:to_server,established; reference:url,www.packetstormsecurity.org; reference:url,doc.emergingthreats.net/2008525; classtype:misc-activity; sid:2008525; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/exploit.php?id="; nocase; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; classtype:misc-activity; sid:2009586; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; reference:url,doc.emergingthreats.net/2001597; classtype:policy-violation; sid:2001597; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
 #alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001977; classtype:misc-activity; sid:2001977; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:7; metadata:created_at 2010_07_30, updated_at 2017_02_01;)
-
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
 #alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001983; classtype:misc-activity; sid:2001983; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration"; flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; classtype:policy-violation; sid:2009895; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -1204,8 +1166,6 @@ alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP PING IPTools";
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; flow:established,to_server; depth:6; threshold: type both, track by_src, count 100, seconds 10; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; reference:url,doc.emergingthreats.net/2009286; classtype:bad-unknown; sid:2009286; rev:3; metadata:created_at 2010_07_30, updated_at 2020_11_12;)
-
 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -1248,7 +1208,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002895; classtype:trojan-activity; sid:2002895; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE Outbound AVISOSVB MSSQL Request"; flow:established,to_server; content:"|54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00|"; reference:url,www.threatexpert.com/report.aspx?md5=1f5b6d6d94cc6272c937045e22e6d192; reference:url,doc.emergingthreats.net/2011199; classtype:trojan-activity; sid:2011199; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE Outbound AVISOSVB MSSQL Request"; flow:established,to_server; content:"|54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00|"; reference:url,doc.emergingthreats.net/2011199; reference:md5,1f5b6d6d94cc6272c937045e22e6d192; classtype:trojan-activity; sid:2011199; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; reference:url,doc.emergingthreats.net/2010909; classtype:trojan-activity; sid:2010909; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -1348,9 +1308,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Codesoft PW Stealer
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET MALWARE Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; classtype:trojan-activity; sid:2009201; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; classtype:trojan-activity; sid:2009206; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009206; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; classtype:trojan-activity; sid:2009207; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009207; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -1438,8 +1398,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HackerDefender Roo
 
 #alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; classtype:trojan-activity; sid:2008390; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:"<CPUI>"; content:"</CPUI><"; distance:0; within:27; content:"<MEMI>"; content:"</MEMI><"; distance:0; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2009052; rev:3; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32.Hupigon Control Server Response"; flow:from_server,established; dsize:16; content:"|03 00 00 00 00 00 00 00 c4 ec 48 f5 5e 00 85 80|"; depth:16; threshold: type both, count 2, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2009350; classtype:trojan-activity; sid:2009350; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert icmp any any -> any any (msg:"ET DELETED ICMP Banking Trojan sending encrypted stolen data"; dsize:>64; itype:8; icode:0; content:"|08|"; depth:1; byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; reference:url,doc.emergingthreats.net/2003073; classtype:trojan-activity; sid:2003073; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -1592,788 +1550,46 @@ alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorize
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 82 (msg:"ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt"; flow:established,to_server; content:"GET"; content:"script"; nocase; content:"/proxy.php?"; nocase; content:"url="; nocase; pcre:"/\/proxy\.php(\?|.*[\x26\x3B])url=[^&\;\x0D\x0A]*[<>\"\']/i"; reference:url,www.securityfocus.com/bid/37446/info; reference:url,doc.emergingthreats.net/2010602; classtype:web-application-attack; sid:2010602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004585; classtype:web-application-attack; sid:2004585; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.IMAP4.6"; distance:0; nocase; content:"LicenseKey"; nocase; reference:url,secunia.com/advisories/24199/; reference:url,doc.emergingthreats.net/2010658; classtype:web-application-attack; sid:2010658; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/lib/pathwirte.php?"; nocase; uricontent:"FSPHP_LIB="; nocase; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58317; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010361; classtype:web-application-attack; sid:2010361; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt"; flow:established,to_client; content:"/HtmlAdaptor"; nocase; content:"action=invokeOpByName"; nocase; within:25; content:"DeploymentFileRepository"; nocase; within:80; content:"methodName="; nocase; within:25; content:".war"; nocase; distance:0; content:".jsp"; nocase; distance:0; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011697; classtype:web-application-attack; sid:2011697; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ch_readalso.php?"; nocase; uricontent:"read_xml_include="; nocase; pcre:"/read_xml_include=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29251; reference:url,xforce.iss.net/xforce/xfdb/42459; reference:url,milw0rm.com/exploits/5624; reference:url,doc.emergingthreats.net/2010099; classtype:web-application-attack; sid:2010099; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/common.php?"; nocase; uricontent:"root="; nocase; pcre:"/root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/29904; reference:url,milw0rm.com/exploits/7218; reference:url,doc.emergingthreats.net/2008922; classtype:web-application-attack; sid:2008922; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls"; flow:established,to_server; uricontent:"/modules/noevents/templates/mfa_theme.php?"; nocase; uricontent:"tpls["; nocase; reference:cve,CVE-2007-2572; reference:url,www.milw0rm.com/exploits/3861; reference:url,doc.emergingthreats.net/2003694; classtype:web-application-attack; sid:2003694; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username"; flow:established,to_server; uricontent:"/de/pda/dev_logon.asp?"; nocase; uricontent:"username="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003894; classtype:web-application-attack; sid:2003894; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp"; flow:established,to_server; uricontent:"/usrmgr/registerAccount.asp?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003895; classtype:web-application-attack; sid:2003895; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp"; flow:established,to_server; uricontent:"/de/create_account.asp?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003896; classtype:web-application-attack; sid:2003896; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/resource_categories_view.php?"; nocase; uricontent:"CLASSES_ROOT="; nocase; pcre:"/CLASSES_ROOT=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009333; classtype:web-application-attack; sid:2009333; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/osticket/include"; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438; reference:cve,CAN-2005-1439; reference:url,doc.emergingthreats.net/bin/view/Main/2002702; classtype:web-application-attack; sid:2002702; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home"; flow:established,to_server; uricontent:"/skins/header.php?"; nocase; uricontent:"ote_home="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003741; classtype:web-application-attack; sid:2003741; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home"; flow:established,to_server; uricontent:"/skins/header.php?"; nocase; uricontent:"ote_home="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003878; classtype:web-application-attack; sid:2003878; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/filepool.php?"; nocase; uricontent:"oe_classpath="; nocase; pcre:"/oe_classpath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31423; reference:url,milw0rm.com/exploits/6585; reference:url,doc.emergingthreats.net/2009164; classtype:web-application-attack; sid:2009164; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/core/logger/init.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009459; classtype:web-application-attack; sid:2009459; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/newscat.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009460; classtype:web-application-attack; sid:2009460; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006528; classtype:web-application-attack; sid:2006528; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006529; classtype:web-application-attack; sid:2006529; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006530; classtype:web-application-attack; sid:2006530; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006531; classtype:web-application-attack; sid:2006531; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006532; classtype:web-application-attack; sid:2006532; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006533; classtype:web-application-attack; sid:2006533; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006534; classtype:web-application-attack; sid:2006534; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006535; classtype:web-application-attack; sid:2006535; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006536; classtype:web-application-attack; sid:2006536; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006537; classtype:web-application-attack; sid:2006537; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006538; classtype:web-application-attack; sid:2006538; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006539; classtype:web-application-attack; sid:2006539; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006540; classtype:web-application-attack; sid:2006540; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006541; classtype:web-application-attack; sid:2006541; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006542; classtype:web-application-attack; sid:2006542; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006543; classtype:web-application-attack; sid:2006543; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006544; classtype:web-application-attack; sid:2006544; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006545; classtype:web-application-attack; sid:2006545; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/converter.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009871; classtype:web-application-attack; sid:2009871; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/messages.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009872; classtype:web-application-attack; sid:2009872; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/settings.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009873; classtype:web-application-attack; sid:2009873; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED phpbb Session Cookie"; flow: established; content:"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"; nocase; reference:url,www.waraxe.us/ftopict-555.html; reference:url,doc.emergingthreats.net/2001762; classtype:web-application-attack; sid:2001762; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (private message)"; flow: established,from_server; content:"privmsg.php"; pcre:"/\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001928; classtype:web-application-attack; sid:2001928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (signature)"; flow: established,from_server; content:"_________________"; pcre:"/\<br \/\>_________________\<br \/\>\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001929; classtype:web-application-attack; sid:2001929; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB Remote Code Execution Attempt"; flow:established,to_server; uricontent:"/viewtopic.php?"; pcre:"/highlight=.*?(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})/Ui"; reference:url,secunia.com/advisories/15845/; reference:bugtraq,14086; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; reference:url,doc.emergingthreats.net/2002070; classtype:web-application-attack; sid:2002070; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(ftps?|https?|php)/Ui"; reference:url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path; reference:url,doc.emergingthreats.net/2002731; classtype:web-application-attack; sid:2002731; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage1; flowbits:noalert; reference:url,doc.emergingthreats.net/2010890; classtype:attempted-user; sid:2010890; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"agreed=I+agree+to+these+terms"; content:"change_lang="; content:"creation_time"; content:"form_token"; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage1; flowbits:set,ET.phpBB3_register_stage2; flowbits:noalert; reference:url,doc.emergingthreats.net/2010891; classtype:attempted-user; sid:2010891; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=confirm"; uricontent:"confirm_id="; uricontent:"type="; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage3; flowbits:noalert; reference:url,doc.emergingthreats.net/2010892; classtype:attempted-user; sid:2010892; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"username="; content:"email="; content:"email_confirm="; content:"new_password"; content:"password_confirm"; content:"lang="; content:"tz="; content:"confirm_code="; content:"refresh_vc="; content:"confirm_id="; content:"agreed="; content:"change_lang="; content:"confirm_id="; content:"creation_time="; content:"form_token="; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage3; flowbits:set,ET.phpBB3_register_stage4; flowbits:noalert; reference:url,doc.emergingthreats.net/2010893; classtype:attempted-user; sid:2010893; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^Y$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010894; classtype:web-application-attack; sid:2010894; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^YYY$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010895; classtype:web-application-attack; sid:2010895; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Bogus Stage3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=confirm"; uricontent:"id="; pcre:"/(\?|&)id=/Ui"; uricontent:"type="; reference:url,doc.emergingthreats.net/2010898; classtype:web-application-attack; sid:2010898; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 multiple login attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=login"; threshold: type threshold, track by_src, count 2, seconds 60; reference:url,doc.emergingthreats.net/2010899; classtype:attempted-user; sid:2010899; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 possible spammer posting attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/posting.php"; nocase; uricontent:"mode=post"; threshold: type threshold, track by_src, count 2, seconds 30; reference:url,doc.emergingthreats.net/2010900; classtype:web-application-attack; sid:2010900; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible PHP-Calendar configfile Remote .PHP File Inclusion Arbitrary Code Execution Attempt"; flow:established,to_server; uricontent:"/php-calendar-1.1/update"; nocase; uricontent:"configfile="; nocase; content:".php"; nocase; pcre:"/\x2Fphp-calendar-1.1\x2Fupdate(08|10)\x2Ephp(\x3F|.*(\x26|\x3B))configfile=[^\x26\x3B]*[^a-zA-Z0-9_]/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023375.html; reference:cve,2009-3702; reference:url,doc.emergingthreats.net/2010531; classtype:web-application-attack; sid:2010531; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid"; flow:established,to_server; uricontent:"/settings.php?"; nocase; uricontent:"catid="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003879; classtype:web-application-attack; sid:2003879; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid"; flow:established,to_server; uricontent:"/cat.php?"; nocase; uricontent:"catid="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003880; classtype:web-application-attack; sid:2003880; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config"; flow:established,to_server; uricontent:"/includes/language.php?"; nocase; uricontent:"config="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003742; classtype:web-application-attack; sid:2003742; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path"; flow:established,to_server; uricontent:"/layout_admin_cfg.php?"; nocase; uricontent:"Root_Path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003743; classtype:web-application-attack; sid:2003743; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path"; flow:established,to_server; uricontent:"/layout_cfg.php?"; nocase; uricontent:"Root_Path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003744; classtype:web-application-attack; sid:2003744; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path"; flow:established,to_server; uricontent:"/skins/phpchess/layout_t_top.php?"; nocase; uricontent:"Root_Path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003745; classtype:web-application-attack; sid:2003745; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEventMan remote file include"; flow:established,to_server; uricontent:"/controller/"; nocase; pcre:"/(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22358; reference:url,doc.emergingthreats.net/2003372; classtype:web-application-attack; sid:2003372; rev:5; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include"; flow:established,to_server; uricontent:"/block.php?"; nocase; uricontent:"Include="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2665; reference:url,www.milw0rm.com/exploits/3906; reference:url,doc.emergingthreats.net/2003740; classtype:web-application-attack; sid:2003740; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/CoupleDB.php?"; nocase; uricontent:"DataDirectory="; nocase; pcre:"/DataDirectory=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9155; reference:url,packetstormsecurity.org/0907-exploits/phpgenealogy-rfi.txt; reference:url,doc.emergingthreats.net/2010095; classtype:web-application-attack; sid:2010095; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003805; classtype:web-application-attack; sid:2003805; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003806; classtype:web-application-attack; sid:2003806; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003807; classtype:web-application-attack; sid:2003807; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003808; classtype:web-application-attack; sid:2003808; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003809; classtype:web-application-attack; sid:2003809; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003810; classtype:web-application-attack; sid:2003810; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003811; classtype:web-application-attack; sid:2003811; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003812; classtype:web-application-attack; sid:2003812; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003813; classtype:web-application-attack; sid:2003813; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003814; classtype:web-application-attack; sid:2003814; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003815; classtype:web-application-attack; sid:2003815; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003816; classtype:web-application-attack; sid:2003816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib"; flow:established,to_server; uricontent:"/examples/widget8.php?"; nocase; uricontent:"phphtmllib="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2614; reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded; reference:url,doc.emergingthreats.net/2003730; classtype:web-application-attack; sid:2003730; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local"; flow:established,to_server; uricontent:"/ftp.php?"; nocase; uricontent:"path_local="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003731; classtype:web-application-attack; sid:2003731; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local"; flow:established,to_server; uricontent:"/libs/db.php?"; nocase; uricontent:"path_local="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003732; classtype:web-application-attack; sid:2003732; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local"; flow:established,to_server; uricontent:"/libs/ftp.php?"; nocase; uricontent:"path_local="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003733; classtype:web-application-attack; sid:2003733; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/_conf/core/common-tpl-vars.php?"; nocase; uricontent:"confdir="; nocase; pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008962; classtype:web-application-attack; sid:2008962; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPOutsourcing Zorum prod.php Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/prod.php?"; nocase; pcre:"/(argv[1]=\|.+)/"; reference:bugtraq,14601; reference:url,doc.emergingthreats.net/2002314; classtype:web-application-attack; sid:2002314; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH"; flow:established,to_server; uricontent:"/include/logout.php?"; nocase; uricontent:"PSA_PATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2628; reference:url,www.securityfocus.com/bid/23801; reference:url,doc.emergingthreats.net/2003735; classtype:web-application-attack; sid:2003735; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPStore Yahoo Answers id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cmd=4"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32717/; reference:url,milw0rm.com/exploits/7131; reference:url,doc.emergingthreats.net/2008874; classtype:web-application-attack; sid:2008874; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt"; flow: to_server,established; uricontent:"/modules.php?"; uricontent:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,doc.emergingthreats.net/2001218; classtype:web-application-attack; sid:2001218; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/iframe.php"; nocase; uricontent:"file="; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.zone-h.org/en/advisories/read/id=8694/; reference:url,doc.emergingthreats.net/2002800; classtype:web-application-attack; sid:2002800; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/send_reminders.php"; nocase; pcre:"/includedir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14651; reference:cve,2005-2717; reference:url,doc.emergingthreats.net/2002898; classtype:web-application-attack; sid:2002898; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir"; flow:established,to_server; uricontent:"/plugin/HP_DEV/cms2.php?"; nocase; uricontent:"s_dir="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2573; reference:url,www.milw0rm.com/exploits/3860; reference:url,doc.emergingthreats.net/2003693; classtype:web-application-attack; sid:2003693; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PmWiki Globals Variables Overwrite Attempt"; flow:to_server,established; uricontent:"/pmwiki.php"; nocase; content:"GLOBALS[FarmD]="; nocase; pcre:"/GLOBALS\x5bFarmD\x5d\x3d/i"; reference:cve,CVE-2006-0479; reference:bugtraq,16421; reference:nessus,20891; reference:url,doc.emergingthreats.net/2002837; classtype:web-application-attack; sid:2002837; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004606; classtype:web-application-attack; sid:2004606; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004607; classtype:web-application-attack; sid:2004607; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004608; classtype:web-application-attack; sid:2004608; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004609; classtype:web-application-attack; sid:2004609; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004610; classtype:web-application-attack; sid:2004610; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004611; classtype:web-application-attack; sid:2004611; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"order="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2962; reference:url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded; reference:url,doc.emergingthreats.net/2004582; classtype:web-application-attack; sid:2004582; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System"; flow:established,to_server; uricontent:"/blocks/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003660; classtype:web-application-attack; sid:2003660; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System"; flow:established,to_server; uricontent:"/files/blocks/latest_files.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003661; classtype:web-application-attack; sid:2003661; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System"; flow:established,to_server; uricontent:"/forums/blocks/latest_posts.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003662; classtype:web-application-attack; sid:2003662; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System"; flow:established,to_server; uricontent:"/groups/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003663; classtype:web-application-attack; sid:2003663; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System"; flow:established,to_server; uricontent:"/filters/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003664; classtype:web-application-attack; sid:2003664; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System"; flow:established,to_server; uricontent:"/links/blocks/links.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003665; classtype:web-application-attack; sid:2003665; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System"; flow:established,to_server; uricontent:"/menu/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003666; classtype:web-application-attack; sid:2003666; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System"; flow:established,to_server; uricontent:"/news/blocks/latest_news.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003667; classtype:web-application-attack; sid:2003667; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System"; flow:established,to_server; uricontent:"/settings/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003668; classtype:web-application-attack; sid:2003668; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System"; flow:established,to_server; uricontent:"/modules/users/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003681; classtype:web-application-attack; sid:2003681; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004089; classtype:web-application-attack; sid:2004089; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004090; classtype:web-application-attack; sid:2004090; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004091; classtype:web-application-attack; sid:2004091; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004092; classtype:web-application-attack; sid:2004092; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004093; classtype:web-application-attack; sid:2004093; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004094; classtype:web-application-attack; sid:2004094; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/basicfogfactory.class.php?"; nocase; uricontent:"PATH_TO_CODE="; nocase; pcre:"/PATH_TO_CODE=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28588; reference:url,milw0rm.com/exploits/5348; reference:url,doc.emergingthreats.net/2009415; classtype:web-application-attack; sid:2009415; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/init.php?"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32335; reference:url,milw0rm.com/exploits/7143; reference:url,doc.emergingthreats.net/2008871; classtype:web-application-attack; sid:2008871; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lib/action/rss.php?"; nocase; uricontent:"lib="; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32465; reference:url,milw0rm.com/exploits/7225; reference:url,doc.emergingthreats.net/2008899; classtype:web-application-attack; sid:2008899; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piranha default passwd attempt"; flow:to_server,established; uricontent:"/piranha/secure/control.php3"; content:"Authorization\: Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; reference:url,doc.emergingthreats.net/2002331; classtype:attempted-recon; sid:2002331; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt"; flow:to_server,established; uricontent:"/prepend.php"; nocase; content:"_px_config[manager_path]="; nocase; pcre:"/_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-0725; reference:bugtraq,16662; reference:nessus,20972; reference:url,doc.emergingthreats.net/2002815; classtype:web-application-attack; sid:2002815; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id"; flow:established,to_server; uricontent:"/Default.aspx?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2555; reference:url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded; reference:url,doc.emergingthreats.net/2003914; classtype:web-application-attack; sid:2003914; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cms/modules/form.lib.php?"; nocase; uricontent:"sourceFolder="; nocase; pcre:"/sourceFolder=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,30235; reference:url,juniper.net/security/auto/vulnerabilities/vuln30235.html; reference:url,milw0rm.com/exploits/6078; reference:url,doc.emergingthreats.net/2009898; classtype:web-application-attack; sid:2009898; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS select_image.php dir Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/imagelibrary/select_image.php?"; nocase; uricontent:"dir="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009736; classtype:web-application-attack; sid:2009736; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS admin_theme_remove.php file Parameter Remote Directory Delete"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin_includes/admin_theme_remove.php?"; nocase; uricontent:"file="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009737; classtype:web-application-attack; sid:2009737; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php"; flow:established,to_server; uricontent:"/awards.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004587; classtype:web-application-attack; sid:2004587; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php"; flow:established,to_server; uricontent:"/login.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004588; classtype:web-application-attack; sid:2004588; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php"; flow:established,to_server; uricontent:"/register.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004589; classtype:web-application-attack; sid:2004589; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php"; flow:established,to_server; uricontent:"/weapons.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004590; classtype:web-application-attack; sid:2004590; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/server_request.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009502; classtype:web-application-attack; sid:2009502; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qlib/smarty.inc.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009504; classtype:web-application-attack; sid:2009504; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qte_web.php?"; nocase; uricontent:"qte_web_path="; nocase; pcre:"/qte_web_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009723; classtype:web-application-attack; sid:2009723; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d"; flow:established,to_server; uricontent:"cp/ps/Main/login/Login"; nocase; uricontent:"d="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2802; reference:url,www.secunia.com/advisories/25326; reference:url,doc.emergingthreats.net/2004571; classtype:web-application-attack; sid:2004571; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/display.php?"; nocase; uricontent:"path="; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,29873; reference:url,milw0rm.com/exploits/5900; reference:url,doc.emergingthreats.net/2009788; classtype:web-application-attack; sid:2009788; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/define.php?"; nocase; uricontent:"INC_DIR="; nocase; pcre:"/INC_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33227; reference:url,milw0rm.com/exploits/7743; reference:url,doc.emergingthreats.net/2009101; classtype:web-application-attack; sid:2009101; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/add_tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009059; classtype:web-application-attack; sid:2009059; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/edit_tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009060; classtype:web-application-attack; sid:2009060; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009062; classtype:web-application-attack; sid:2009062; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/competitions/add.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009466; classtype:web-application-attack; sid:2009466; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/competitions/competitions.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009467; classtype:web-application-attack; sid:2009467; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/settings/settings.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009468; classtype:web-application-attack; sid:2009468; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s"; flow:established,to_server; uricontent:"/wp-content/themes/redoable/searchloop.php?"; nocase; uricontent:"s="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003872; classtype:web-application-attack; sid:2003872; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s"; flow:established,to_server; uricontent:"/wp-content/themes/redoable/header.php?"; nocase; uricontent:"s="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003873; classtype:web-application-attack; sid:2003873; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv SELECT"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003829; classtype:web-application-attack; sid:2003829; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UNION SELECT"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003830; classtype:web-application-attack; sid:2003830; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv INSERT"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003831; classtype:web-application-attack; sid:2003831; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv DELETE"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003832; classtype:web-application-attack; sid:2003832; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv ASCII"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003833; classtype:web-application-attack; sid:2003833; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003834; classtype:web-application-attack; sid:2003834; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/download.php?"; nocase; uricontent:"filename="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,securityfocus.com/bid/32968; reference:url,milw0rm.com/exploits/7542; reference:url,doc.emergingthreats.net/2009018; classtype:web-application-attack; sid:2009018; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004660; classtype:web-application-attack; sid:2004660; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004661; classtype:web-application-attack; sid:2004661; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004662; classtype:web-application-attack; sid:2004662; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004663; classtype:web-application-attack; sid:2004663; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004664; classtype:web-application-attack; sid:2004664; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004665; classtype:web-application-attack; sid:2004665; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost"; flow:established,to_server; uricontent:"/contact/index.php?"; nocase; uricontent:"ripeformpost="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2206; reference:url,www.securityfocus.com/bid/23597; reference:url,doc.emergingthreats.net/2003871; classtype:web-application-attack; sid:2003871; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries SELECT"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003817; classtype:web-application-attack; sid:2003817; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UNION SELECT"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003818; classtype:web-application-attack; sid:2003818; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries INSERT"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003819; classtype:web-application-attack; sid:2003819; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries DELETE"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003820; classtype:web-application-attack; sid:2003820; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries ASCII"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003821; classtype:web-application-attack; sid:2003821; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003822; classtype:web-application-attack; sid:2003822; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003858; classtype:web-application-attack; sid:2003858; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003859; classtype:web-application-attack; sid:2003859; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003860; classtype:web-application-attack; sid:2003860; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003861; classtype:web-application-attack; sid:2003861; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003862; classtype:web-application-attack; sid:2003862; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003863; classtype:web-application-attack; sid:2003863; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/theme/format.php?"; nocase; uricontent:"_page_css="; nocase; pcre:"/_page_css=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009653; classtype:web-application-attack; sid:2009653; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/theme/format.php?"; nocase; uricontent:"_page_javascript="; nocase; pcre:"/_page_javascript=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009654; classtype:web-application-attack; sid:2009654; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/theme/format.php?"; nocase; uricontent:"_page_content="; nocase; pcre:"/_page_content=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009656; classtype:web-application-attack; sid:2009656; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011207; classtype:web-application-attack; sid:2011207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004116; classtype:web-application-attack; sid:2004116; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004117; classtype:web-application-attack; sid:2004117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004118; classtype:web-application-attack; sid:2004118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004119; classtype:web-application-attack; sid:2004119; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004120; classtype:web-application-attack; sid:2004120; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004121; classtype:web-application-attack; sid:2004121; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form"; flow:established,to_server; uricontent:"/sendcard.php?"; nocase; uricontent:"form="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2472; reference:url,www.secunia.com/advisories/25085; reference:url,doc.emergingthreats.net/2003922; classtype:web-application-attack; sid:2003922; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/SezHooTabsAndActions.php?"; nocase; uricontent:"IP="; nocase; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31756; reference:url,www.milw0rm.com/exploits/6751; reference:url,doc.emergingthreats.net/2009123; classtype:web-application-attack; sid:2009123; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003852; classtype:web-application-attack; sid:2003852; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UNION SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003853; classtype:web-application-attack; sid:2003853; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr INSERT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003854; classtype:web-application-attack; sid:2003854; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr DELETE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003855; classtype:web-application-attack; sid:2003855; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr ASCII"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003856; classtype:web-application-attack; sid:2003856; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003857; classtype:web-application-attack; sid:2003857; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gallery="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2679; reference:url,www.securityfocus.com/bid/23534; reference:url,doc.emergingthreats.net/2003746; classtype:web-application-attack; sid:2003746; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/slogin_lib.inc.php?"; nocase; uricontent:"slogin_path="; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; reference:url,doc.emergingthreats.net/2008996; classtype:web-application-attack; sid:2008996; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005518; classtype:web-application-attack; sid:2005518; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005519; classtype:web-application-attack; sid:2005519; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005520; classtype:web-application-attack; sid:2005520; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005521; classtype:web-application-attack; sid:2005521; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005522; classtype:web-application-attack; sid:2005522; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005523; classtype:web-application-attack; sid:2005523; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005524; classtype:web-application-attack; sid:2005524; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005525; classtype:web-application-attack; sid:2005525; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005527; classtype:web-application-attack; sid:2005527; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005528; classtype:web-application-attack; sid:2005528; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005529; classtype:web-application-attack; sid:2005529; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005530; classtype:web-application-attack; sid:2005530; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005531; classtype:web-application-attack; sid:2005531; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005532; classtype:web-application-attack; sid:2005532; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005533; classtype:web-application-attack; sid:2005533; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005535; classtype:web-application-attack; sid:2005535; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005536; classtype:web-application-attack; sid:2005536; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005537; classtype:web-application-attack; sid:2005537; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005538; classtype:web-application-attack; sid:2005538; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005539; classtype:web-application-attack; sid:2005539; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005540; classtype:web-application-attack; sid:2005540; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005541; classtype:web-application-attack; sid:2005541; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/pcltar.lib.php?"; nocase; uricontent:"g_pcltar_lib_dir="; pcre:"/g_pcltar_lib_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009180; classtype:web-application-attack; sid:2009180; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt"; flow:established,to_client; content:"66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; nocase; content:"SaveFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5/si"; reference:url,secunia.com/advisories/37967/; reference:url,doc.emergingthreats.net/2010943; classtype:web-application-attack; sid:2010943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"part="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1903; reference:url,www.netvigilance.com/advisory0020; reference:url,doc.emergingthreats.net/2003881; classtype:web-application-attack; sid:2003881; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004379; classtype:web-application-attack; sid:2004379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004380; classtype:web-application-attack; sid:2004380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004381; classtype:web-application-attack; sid:2004381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004382; classtype:web-application-attack; sid:2004382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004383; classtype:web-application-attack; sid:2004383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004384; classtype:web-application-attack; sid:2004384; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Synactis All_IN_THE_BOX ActiveX SaveDoc Method Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"B5576893-F948-4E0F-9BE1-A37CB56D66FF"; nocase; distance:0; content:"SaveDoc"; nocase; reference:url,milw0rm.com/exploits/7928; reference:bugtraq,33535; reference:url,doc.emergingthreats.net/2009138; classtype:web-application-attack; sid:2009138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe"; flow:established,to_server; uricontent:"/site_conf.php?"; nocase; uricontent:"ordnertiefe="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003705; classtype:web-application-attack; sid:2003705; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot"; flow:established,to_server; uricontent:"/class.csv.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003706; classtype:web-application-attack; sid:2003706; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot"; flow:established,to_server; uricontent:"/produkte_nach_serie.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003707; classtype:web-application-attack; sid:2003707; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; uricontent:"/functionen/ref_kd_rubrik.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003708; classtype:web-application-attack; sid:2003708; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot"; flow:established,to_server; uricontent:"/hg_referenz_jobgalerie.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003709; classtype:web-application-attack; sid:2003709; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot"; flow:established,to_server; uricontent:"/surfer_anmeldung_NWL.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003710; classtype:web-application-attack; sid:2003710; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot"; flow:established,to_server; uricontent:"/produkte_nach_serie_alle.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003711; classtype:web-application-attack; sid:2003711; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot"; flow:established,to_server; uricontent:"/surfer_aendern.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003712; classtype:web-application-attack; sid:2003712; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; uricontent:"/ref_kd_rubrik.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003715; classtype:web-application-attack; sid:2003715; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot"; flow:established,to_server; uricontent:"/module/referenz.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003713; classtype:web-application-attack; sid:2003713; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot"; flow:established,to_server; uricontent:"/standard/1/lay.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003714; classtype:web-application-attack; sid:2003714; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot"; flow:established,to_server; uricontent:"/standard/3/lay.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003867; classtype:web-application-attack; sid:2003867; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005567; classtype:web-application-attack; sid:2005567; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005568; classtype:web-application-attack; sid:2005568; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005569; classtype:web-application-attack; sid:2005569; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005571; classtype:web-application-attack; sid:2005571; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005572; classtype:web-application-attack; sid:2005572; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp"; flow:established,to_server; uricontent:"/implicit-objects.jsp?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2006-7195; reference:url,www.frsirt.com/english/advisories/2007/1729; reference:url,doc.emergingthreats.net/2003902; classtype:web-application-attack; sid:2003902; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test"; flow:established,to_server; uricontent:"/appdev/sample/web/hello.jsp?"; nocase; uricontent:"test="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-1355; reference:url,www.securityfocus.com/bid/24058; reference:url,doc.emergingthreats.net/2004575; classtype:web-application-attack; sid:2004575; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file"; flow:established,to_server; uricontent:"/templates/default/tpl_message.php?"; nocase; uricontent:"right_file="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2544; reference:url,www.milw0rm.com/exploits/3854; reference:url,doc.emergingthreats.net/2003669; classtype:web-application-attack; sid:2003669; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config.php?"; nocase; uricontent:"inc_dir="; nocase; pcre:"/inc_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-attack; sid:2009663; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId"; flow:established,to_server; uricontent:"/reportItem.do?"; nocase; uricontent:"projId="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2819; reference:url,www.securityfocus.com/bid/24060; reference:url,doc.emergingthreats.net/2004558; classtype:web-application-attack; sid:2004558; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH"; flow:established,to_server; uricontent:"/dosearch.php?"; nocase; uricontent:"RESPATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2530; reference:url,www.milw0rm.com/exploits/3865; reference:url,doc.emergingthreats.net/2003678; classtype:web-application-attack; sid:2003678; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"action=play"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32890/; reference:url,milw0rm.com/exploits/7256; reference:url,doc.emergingthreats.net/2008934; classtype:web-application-attack; sid:2008934; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/left.cgi?"; nocase; content:"dom="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009587; classtype:web-application-attack; sid:2009587; rev:5; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path"; flow:established,to_server; uricontent:"/include/payment/payflow_pro.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003687; classtype:web-application-attack; sid:2003687; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path"; flow:established,to_server; uricontent:"/global.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003688; classtype:web-application-attack; sid:2003688; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path"; flow:established,to_server; uricontent:"/libsecure.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003689; classtype:web-application-attack; sid:2003689; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"l="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2547; reference:url,www.securityfocus.com/bid/23856; reference:url,doc.emergingthreats.net/2003917; classtype:web-application-attack; sid:2003917; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile"; flow:established,to_server; uricontent:"/browseCat.php?"; nocase; uricontent:"catFile="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003888; classtype:web-application-attack; sid:2003888; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile"; flow:established,to_server; uricontent:"/browseSubCat.php?"; nocase; uricontent:"catFile="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003889; classtype:web-application-attack; sid:2003889; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id"; flow:established,to_server; uricontent:"/openTutorial.php?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003890; classtype:web-application-attack; sid:2003890; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id"; flow:established,to_server; uricontent:"/topFrame.php?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003891; classtype:web-application-attack; sid:2003891; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id"; flow:established,to_server; uricontent:"/admin/editListing.php?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003892; classtype:web-application-attack; sid:2003892; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003893; classtype:web-application-attack; sid:2003893; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt"; flow:to_server,established; uricontent:"INCLUDE"; nocase; pcre:"/%INCLUDE\s*{.*rev=\"\d+\|.+\".*}\s*%/i"; reference:bugtraq,14960; reference:url,doc.emergingthreats.net/2002662; classtype:web-application-attack; sid:2002662; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED TxtBlog index.php m Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?m="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32498; reference:url,milw0rm.com/exploits/7241; reference:url,doc.emergingthreats.net/2008923; classtype:web-application-attack; sid:2008923; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"serverid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32340; reference:url,milw0rm.com/exploits/7148; reference:url,doc.emergingthreats.net/2008872; classtype:web-application-attack; sid:2008872; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/timesheet.php?"; nocase; uricontent:"config[include_dir]="; pcre:"/config\[include_dir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010126; classtype:web-application-attack; sid:2010126; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR"; flow:established,to_server; uricontent:"/watermark.php?"; nocase; uricontent:"GALLERY_BASEDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2575; reference:url,www.milw0rm.com/exploits/3857; reference:url,doc.emergingthreats.net/2003692; classtype:web-application-attack; sid:2003692; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type"; flow:established,to_server; uricontent:"/shopcontent.asp?"; nocase; uricontent:"type="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2790; reference:url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded; reference:url,doc.emergingthreats.net/2004573; classtype:web-application-attack; sid:2004573; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php"; flow:established,to_server; uricontent:"/get_header.php"; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636; reference:bugtraq,17358; reference:url,doc.emergingthreats.net/2002899; classtype:web-application-attack; sid:2002899; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php"; flow:established,to_server; uricontent:"/functions_install.php"; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:cve,2006-1503; reference:bugtraq,17290; reference:url,doc.emergingthreats.net/2002902; classtype:web-application-attack; sid:2002902; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo"; flow:established,to_server; uricontent:"/includes/ajax_listado.php?"; nocase; uricontent:"urlModulo="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2541; reference:url,www.milw0rm.com/exploits/3847; reference:url,doc.emergingthreats.net/2003671; classtype:web-application-attack; sid:2003671; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt "; flow:to_server,established; content:"GET "; depth:4; content:"/left.cgi?"; nocase; content:"dom="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009587; classtype:web-application-attack; sid:2009587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt "; flow:to_server,established; content:"GET "; depth:4; content:"/link.cgi/"; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009588; classtype:web-application-attack; sid:2009588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/link.cgi/"; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009588; classtype:web-application-attack; sid:2009588; rev:5; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin Anonymous Proxy attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/virtual-server/link.cgi/"; nocase; content:"/http\://"; nocase; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009589; classtype:web-application-attack; sid:2009589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin.googlebase.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32098; reference:url,milw0rm.com/exploits/6975; reference:url,doc.emergingthreats.net/2009877; classtype:web-application-attack; sid:2009877; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; content:"savePageAsBitmap"; nocase; reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; reference:url,doc.emergingthreats.net/2008791; classtype:web-application-attack; sid:2008791; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003993; classtype:web-application-attack; sid:2003993; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003994; classtype:web-application-attack; sid:2003994; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003995; classtype:web-application-attack; sid:2003995; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003996; classtype:web-application-attack; sid:2003996; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003997; classtype:web-application-attack; sid:2003997; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior crea.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008825; classtype:web-application-attack; sid:2008825; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008826; classtype:web-application-attack; sid:2008826; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009307; classtype:web-application-attack; sid:2009307; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009309; classtype:web-application-attack; sid:2009309; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009311; classtype:web-application-attack; sid:2009311; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009313; classtype:web-application-attack; sid:2009313; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webCalendar Remote File include"; flow: to_server,established; uricontent:"includedir="; pcre:"/\/ws\/(login|get_reminders|get_events)\.php/"; reference:url,www.securityfocus.com/archive/1/462957; reference:url,doc.emergingthreats.net/2003520; classtype:web-application-attack; sid:2003520; rev:8; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; content:"3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011723; classtype:attempted-user; sid:2011723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004754; classtype:web-application-attack; sid:2004754; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004755; classtype:web-application-attack; sid:2004755; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004756; classtype:web-application-attack; sid:2004756; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004757; classtype:web-application-attack; sid:2004757; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004758; classtype:web-application-attack; sid:2004758; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004759; classtype:web-application-attack; sid:2004759; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Framework/EmailTemplates.class.php?"; nocase; uricontent:"GLOBALS[RootPath]="; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010092; classtype:web-application-attack; sid:2010092; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Customers/PDPEmailReplaceConstants.class.php?"; nocase; uricontent:"GLOBALS[RootPath]="; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010093; classtype:web-application-attack; sid:2010093; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Admin/ResellersManager.class.php?"; nocase; uricontent:"GLOBALS[RootPath]="; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010094; classtype:web-application-attack; sid:2010094; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/include/header.php?"; nocase; uricontent:"config_path="; nocase; pcre:"/config_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32472; reference:url,milw0rm.com/exploits/7229; reference:url,doc.emergingthreats.net/2008935; classtype:web-application-attack; sid:2008935; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep"; flow:established,to_server; uricontent:"/handlers/page/show.php?"; nocase; uricontent:"sous_rep="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2570; reference:url,www.milw0rm.com/exploits/3863; reference:url,doc.emergingthreats.net/2003696; classtype:web-application-attack; sid:2003696; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name"; flow:established,to_server; uricontent:"/usersettings.php?"; nocase; uricontent:"name="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2551; reference:url,www.securityfocus.com/bid/23894; reference:url,doc.emergingthreats.net/2003916; classtype:web-application-attack; sid:2003916; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php"; flow:established,to_server; uricontent:"/include/sessionRegister.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2781; reference:url,www.secunia.com/advisories/25308; reference:url,doc.emergingthreats.net/2004574; classtype:web-application-attack; sid:2004574; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH"; flow:established,to_server; uricontent:"/js/wptable-button.php?"; nocase; uricontent:"wpPATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2484; reference:url,www.milw0rm.com/exploits/3824; reference:url,doc.emergingthreats.net/2003685; classtype:web-application-attack; sid:2003685; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH"; flow:established,to_server; uricontent:"/wordtube-button.php?"; nocase; uricontent:"wpPATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2481; reference:url,www.milw0rm.com/exploits/3825; reference:url,doc.emergingthreats.net/2003686; classtype:web-application-attack; sid:2003686; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php"; flow:established,to_server; uricontent:"/sidebar.php?"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2627; reference:url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded; reference:url,doc.emergingthreats.net/2003885; classtype:web-application-attack; sid:2003885; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/function_core.php?"; nocase; uricontent:"web_root="; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009925; classtype:web-application-attack; sid:2009925; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/templates/layout_lyrics.php?"; nocase; uricontent:"web_root="; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009927; classtype:web-application-attack; sid:2009927; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops Articles modules print.php SQL injection attempt"; flow:to_server,established; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; pcre:"/id=-?\d+.+UNION.+SELECT/Ui"; reference:bugtraq,23160; reference:url,doc.emergingthreats.net/2003516; classtype:web-application-attack; sid:2003516; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include"; flow:established,to_server; uricontent:"/header.php?"; nocase; uricontent:"set_menu="; nocase; pcre:"/set_menu=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,23189; reference:url,doc.emergingthreats.net/2003517; classtype:web-application-attack; sid:2003517; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/update_trailer.php?"; nocase; uricontent:"context[path_to_root]="; nocase; pcre:"/context\[path_to_root\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009190; classtype:web-application-attack; sid:2009190; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path"; flow:established,to_server; uricontent:"/includes/common.php?"; nocase; uricontent:"root_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2664; reference:url,www.milw0rm.com/exploits/3908; reference:url,doc.emergingthreats.net/2003739; classtype:web-application-attack; sid:2003739; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; nocase; distance:0; content:"Open"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B/si"; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010945; classtype:attempted-user; sid:2010945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 4274 (msg:"ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt"; flow: to_server,established; content:"/../data/log.txt"; content:"/../WINNT/"; nocase; reference:url,www.gulftech.org/?node=research&article_id=00047-08302004; reference:url,doc.emergingthreats.net/2001238; classtype:web-application-activity; sid:2001238; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution "; flow:to_server,established; content:"POST "; depth:5; nocase; content:"admin/record_company.php/password_forgotten.php"; content:"action=insert"; nocase; depth:100; reference:url,www.securityfocus.com/bid/35467; reference:url,www.milw0rm.com/exploits/9004; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-activity; sid:2009693; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler SELECT"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003981; classtype:web-application-attack; sid:2003981; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UNION SELECT"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003982; classtype:web-application-attack; sid:2003982; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler INSERT"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003983; classtype:web-application-attack; sid:2003983; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler DELETE"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003984; classtype:web-application-attack; sid:2003984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler ASCII"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003985; classtype:web-application-attack; sid:2003985; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003986; classtype:web-application-attack; sid:2003986; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php"; flow:established,to_server; uricontent:"/ReadMsg.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2825; reference:url,xforce.iss.net/xforce/xfdb/34376; reference:url,doc.emergingthreats.net/2004557; classtype:web-application-attack; sid:2004557; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008966; classtype:web-application-attack; sid:2008966; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/handle/proxy.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008967; classtype:web-application-attack; sid:2008967; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008968; classtype:web-application-attack; sid:2008968; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/include.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008969; classtype:web-application-attack; sid:2008969; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/workspace.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008970; classtype:web-application-attack; sid:2008970; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib.module.php?"; nocase; uricontent:"mod_root"; nocase; pcre:"/mod_root=\s*(https?|ftps?|php)/Ui"; reference:url,milw0rm.com/exploits/5921; reference:bugtraq,29914; reference:url,doc.emergingthreats.net/2009367; classtype:web-application-attack; sid:2009367; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]="; nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009874; classtype:web-application-attack; sid:2009874; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006951; classtype:web-application-attack; sid:2006951; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006952; classtype:web-application-attack; sid:2006952; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006953; classtype:web-application-attack; sid:2006953; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006954; classtype:web-application-attack; sid:2006954; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006955; classtype:web-application-attack; sid:2006955; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006956; classtype:web-application-attack; sid:2006956; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006957; classtype:web-application-attack; sid:2006957; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006958; classtype:web-application-attack; sid:2006958; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006960; classtype:web-application-attack; sid:2006960; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006961; classtype:web-application-attack; sid:2006961; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006962; classtype:web-application-attack; sid:2006962; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006963; classtype:web-application-attack; sid:2006963; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006964; classtype:web-application-attack; sid:2006964; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006965; classtype:web-application-attack; sid:2006965; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006966; classtype:web-application-attack; sid:2006966; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006967; classtype:web-application-attack; sid:2006967; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006968; classtype:web-application-attack; sid:2006968; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/123flashchat.php?"; nocase; uricontent:"e107path="; nocase; pcre:"/e107path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009435; classtype:web-application-attack; sid:2009435; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"admin/record_company.php/password_forgotten.php"; content:"action=insert"; nocase; depth:100; reference:url,www.securityfocus.com/bid/35467; reference:url,www.milw0rm.com/exploits/9004; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-activity; sid:2009693; rev:4; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 10616 (msg:"ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow"; flow:established,to_server; content:"LICMGR_ADDLICENSE&"; nocase; depth:18; isdataat:450,relative; pcre:"/LICMGR_ADDLICENSE&[^\x00\n\r@&]{450}/i"; reference:cve,2006-3838; reference:url,secunia.com/advisories/21211/; reference:url,doc.emergingthreats.net/2003056; classtype:attempted-admin; sid:2003056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009225; classtype:web-application-attack; sid:2009225; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user"; flow:established,to_server; uricontent:"/all_photos.html?"; nocase; uricontent:"user="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2724; reference:url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded; reference:url,doc.emergingthreats.net/2003875; classtype:web-application-attack; sid:2003875; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/toolbar.php?"; nocase; uricontent:"dirDepth="; nocase; pcre:"/dirDepth=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2008/2059; reference:url,milw0rm.com/exploits/6036; reference:url,doc.emergingthreats.net/2009188; classtype:web-application-attack; sid:2009188; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; uricontent:"/libs/lom.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003718; classtype:web-application-attack; sid:2003718; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR"; flow:established,to_server; uricontent:"/lom_update.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003719; classtype:web-application-attack; sid:2003719; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR"; flow:established,to_server; uricontent:"/scripts/check-lom.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003720; classtype:web-application-attack; sid:2003720; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR"; flow:established,to_server; uricontent:"/scripts/weigh_keywords.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003721; classtype:web-application-attack; sid:2003721; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR"; flow:established,to_server; uricontent:"/logout.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003722; classtype:web-application-attack; sid:2003722; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR"; flow:established,to_server; uricontent:"/help.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003723; classtype:web-application-attack; sid:2003723; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003724; classtype:web-application-attack; sid:2003724; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR"; flow:established,to_server; uricontent:"/login.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003725; classtype:web-application-attack; sid:2003725; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; uricontent:"/web/lom.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003747; classtype:web-application-attack; sid:2003747; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/test/pages/contact.php?"; nocase; uricontent:"fs_jVroot="; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010191; classtype:web-application-attack; sid:2010191; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/system/pageTemplate.php?"; nocase; uricontent:"fs_jVroot="; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010192; classtype:web-application-attack; sid:2010192; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/system/utilities.php?"; nocase; uricontent:"fs_jVroot="; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010193; classtype:web-application-attack; sid:2010193; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path"; flow:established,to_server; uricontent:"/faq.php?"; nocase; uricontent:"module_root_path="; nocase; uricontent:"cmd="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2493; reference:url,www.milw0rm.com/exploits/3833; reference:url,doc.emergingthreats.net/2003684; classtype:web-application-attack; sid:2003684; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004469; classtype:web-application-attack; sid:2004469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004470; classtype:web-application-attack; sid:2004470; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004471; classtype:web-application-attack; sid:2004471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004472; classtype:web-application-attack; sid:2004472; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004473; classtype:web-application-attack; sid:2004473; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004474; classtype:web-application-attack; sid:2004474; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004475; classtype:web-application-attack; sid:2004475; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004476; classtype:web-application-attack; sid:2004476; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004477; classtype:web-application-attack; sid:2004477; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004478; classtype:web-application-attack; sid:2004478; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004479; classtype:web-application-attack; sid:2004479; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nweb2fax viewrq.php var_filename Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/viewrq.php?"; nocase; uricontent:"format=ps"; nocase; uricontent:"var_filename="; content:"../"; reference:bugtraq,29804; reference:url,milw0rm.com/exploits/5856; reference:url,doc.emergingthreats.net/2009501; classtype:web-application-attack; sid:2009501; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003698; classtype:web-application-attack; sid:2003698; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path"; flow:established,to_server; uricontent:"/checkout.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003699; classtype:web-application-attack; sid:2003699; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path"; flow:established,to_server; uricontent:"/libsecure.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003700; classtype:web-application-attack; sid:2003700; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"repinc="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2558; reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded; reference:url,doc.emergingthreats.net/2003701; classtype:web-application-attack; sid:2003701; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server"; flow:established,to_server; uricontent:"/sqledit.php?"; nocase; uricontent:"server="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2865; reference:url,www.securityfocus.com/bid/24115; reference:url,doc.emergingthreats.net/2004552; classtype:web-application-attack; sid:2004552; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_comm.inc.php?"; nocase; uricontent:"content="; nocase; pcre:"/content=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,27952; reference:url,milw0rm.com/exploits/5175; reference:url,doc.emergingthreats.net/2009397; classtype:web-application-attack; sid:2009397; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003782; classtype:web-application-attack; sid:2003782; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003783; classtype:web-application-attack; sid:2003783; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003784; classtype:web-application-attack; sid:2003784; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003785; classtype:web-application-attack; sid:2003785; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003786; classtype:web-application-attack; sid:2003786; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003787; classtype:web-application-attack; sid:2003787; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/footer.php?"; nocase; uricontent:"_path[counter]="; nocase; pcre:"/_path\[counter\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009321; classtype:web-application-attack; sid:2009321; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt"; flow:to_server,established; uricontent:"/tiki-featured_link.php?type="; nocase; uricontent:"/iframe>"; nocase; reference:url,www.securityfocus.com/archive/1/450268/30/0; reference:url,doc.emergingthreats.net/2003167; classtype:web-application-attack; sid:2003167; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/startup.php?"; nocase; uricontent:"CFG[txtsql][class]="; nocase; pcre:"/CFG\[txtsql\]\[class\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,30625; reference:url,milw0rm.com/exploits/6224; reference:url,doc.emergingthreats.net/2009416; classtype:web-application-attack; sid:2009416; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl"; flow:established,to_server; uricontent:"/printcal.pl?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2745; reference:url,www.securityfocus.com/bid/24022; reference:url,doc.emergingthreats.net/2003874; classtype:web-application-attack; sid:2003874; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004881; classtype:web-application-attack; sid:2004881; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004882; classtype:web-application-attack; sid:2004882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004883; classtype:web-application-attack; sid:2004883; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004884; classtype:web-application-attack; sid:2004884; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004885; classtype:web-application-attack; sid:2004885; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004886; classtype:web-application-attack; sid:2004886; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path"; flow:established,to_server; uricontent:"/header.php?"; nocase; uricontent:"path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2542; reference:url,www.milw0rm.com/exploits/3848; reference:url,doc.emergingthreats.net/2003670; classtype:web-application-attack; sid:2003670; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET HUNTING FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a|\\WINDOWS\\system32\\"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:6; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"WHCC"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003925; classtype:trojan-activity; sid:2003925; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; classtype:misc-attack; sid:2002316; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -2388,28 +1604,8 @@ alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retri
 
 alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Launch"; flow:to_server,established; content:"GET"; offset:0; depth:3; uricontent:"/online_game/launcher_init.php?"; content:"|0d 0a|User-Agent|3a| GameBox"; uricontent:"game="; uricontent:"lang="; uricontent:"protocol="; uricontent:"distro="; uricontent:"osdesc="; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011748; classtype:policy-violation; sid:2011748; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Check for Patch"; flow:to_server,established; content:"GET"; offset:0; depth:3; uricontent:"/online_game/patch.php?"; uricontent:"game="; uricontent:"lang="; uricontent:"protocol="; uricontent:"distro="; uricontent:"osdesc="; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011749; classtype:policy-violation; sid:2011749; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetConnectionAndGameParams"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetConnectionAndGameParams</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011750; classtype:policy-violation; sid:2011750; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request OpenSession"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>OpenSession</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011751; classtype:policy-violation; sid:2011751; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Connect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>Connect</name>"; nocase; http_client_body; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011752; classtype:policy-violation; sid:2011752; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Disconnect"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>Disconnect</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011753; classtype:policy-violation; sid:2011753; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetOnlineProfile"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetOnlineProfile</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011754; classtype:policy-violation; sid:2011754; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetBuddies"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetBuddies</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011755; classtype:policy-violation; sid:2011755; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request SearchNew"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>SearchNew</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011756; classtype:policy-violation; sid:2011756; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request LiveUpdate"; flow:to_server,established; content:"POST"; offset:0; depth:4; uricontent:"/online_game/request.php"; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>LiveUpdate</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011757; classtype:policy-violation; sid:2011757; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; uricontent:"&safe=off"; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn preteen"; flow: from_server,established; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001346; classtype:policy-violation; sid:2001346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pre-teen"; flow: from_server,established; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001347; classtype:policy-violation; sid:2001347; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -2438,32 +1634,10 @@ alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retri
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Likely Porn"; flow: established,from_server; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001608; classtype:policy-violation; sid:2001608; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:pup-activity; sid:2002003; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:pup-activity; sid:2002048; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:pup-activity; sid:2002099; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:pup-activity; sid:2002354; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Actionlibs Download"; flow:to_server,established; uricontent:"/actionurls/ActionUrlb"; nocase; uricontent:"partnerid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:pup-activity; sid:2003057; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; uricontent:"/ZangoTBInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:pup-activity; sid:2003059; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; uricontent:"/php/uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:pup-activity; sid:2003061; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Activity"; flow:to_server,established; uricontent:"/banman/banman.asp?ZoneID="; nocase; uricontent:"&Task="; nocase; uricontent:"&X="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; classtype:trojan-activity; sid:2003170; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:pup-activity; sid:2003610; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; classtype:trojan-activity; sid:2000327; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:pup-activity; sid:2001447; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 51yes.com Spyware Reporting User Activity"; flow:established,to_server; uricontent:"/sa.aspx?id="; nocase; uricontent:"&refe=http"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:pup-activity; sid:2003620; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV"; nocase; uricontent:"?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:pup-activity; sid:2001730; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; classtype:policy-violation; sid:2000906; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; classtype:policy-violation; sid:2000598; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
@@ -2480,23 +1654,17 @@ alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retri
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay|3b|"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; classtype:policy-violation; sid:2001043; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; classtype:trojan-activity; sid:2002094; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; classtype:policy-violation; sid:2002194; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; uricontent:"/progs_traff/"; nocase; reference:url,research.sunbelt-software.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; classtype:trojan-activity; sid:2003034; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; classtype:trojan-activity; sid:2003423; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; classtype:trojan-activity; sid:2001698; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:!"rss"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003394; classtype:trojan-activity; sid:2003394; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:9; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Internet Antivirus Pro|0d 0a|"; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Internet Antivirus Pro|0d 0a|"; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ClickAdsByIE"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ClickAdsByIE"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:pup-activity; sid:2000514; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
@@ -2512,8 +1680,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic";
 
 alert udp $HOME_NET any -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape P2P streaming media"; content:"POST / HTTP/1."; depth:64; content:"Oshtcp-streamtype|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,doc.emergingthreats.net/2010008; classtype:policy-violation; sid:2010008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Crewbox Proxy Scan"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"crewbox.by.ru/crew/"; nocase; reference:url,doc.emergingthreats.net/2003156; classtype:attempted-recon; sid:2003156; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -2542,28 +1708,10 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM Shell Bot Code Download"; flow:to_client,established; content:"##################### IRC #######################"; nocase; reference:url,doc.emergingthreats.net/2002684; classtype:trojan-activity; sid:2002684; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|quem=dodoi&tit="; content:"&txt="; distance:0; within:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/g"; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Related Fake User-Agent (Apache (compatible...))"; flow:established,to_server; content:"User-Agent|3a| Apache (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; reference:url,doc.emergingthreats.net/2010823; classtype:trojan-activity; sid:2010823; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; uricontent:"/awstats.pl?"; nocase; uricontent:"/migrate"; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; reference:url,doc.emergingthreats.net/2002900; classtype:web-application-attack; sid:2002900; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; reference:url,doc.emergingthreats.net/2002362; classtype:web-application-attack; sid:2002362; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; reference:url,doc.emergingthreats.net/2002685; classtype:web-application-attack; sid:2002685; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; uricontent:"/cgi-bin/preview_email.cgi?"; nocase; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003086; classtype:web-application-attack; sid:2003086; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; uricontent:"/cgi-bin/preview_email.cgi?"; nocase; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003087; classtype:web-application-attack; sid:2003087; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; uricontent:"/configure/"; uricontent:"/enable/"; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; reference:url,doc.emergingthreats.net/2002721; classtype:web-application-attack; sid:2002721; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; uricontent:"/CCMAdmin/serverlist.asp?"; nocase; uricontent:"pattern="; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; reference:url,doc.emergingthreats.net/2004556; classtype:web-application-attack; sid:2004556; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"UNION%20"; within:200; nocase; content:"SELECT"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]+UNION.+SELECT/i"; reference:url,www.w3schools.com/sql/sql_union.asp; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009770; classtype:web-application-attack; sid:2009770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0d\x0aCookie\x3a[^\n]+SELECT.+FROM/i"; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009771; classtype:web-application-attack; sid:2009771; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -2574,50 +1722,16 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INTO%20"; nocase; within:200; content:"OUTFILE"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010038; classtype:web-application-attack; sid:2010038; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET "; depth:4; uricontent:"lastvist.html?"; nocase; uricontent:"domain="; nocase; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; reference:url,doc.emergingthreats.net/2009484; classtype:web-application-attack; sid:2009484; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; uricontent:"OpenForm"; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; reference:url,doc.emergingthreats.net/2002376; classtype:web-application-attack; sid:2002376; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; uricontent:"OpenFrameSet"; nocase; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; reference:url,doc.emergingthreats.net/2002377; classtype:web-application-attack; sid:2002377; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010517; classtype:web-application-attack; sid:2010517; rev:3; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2017_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/OvCgi/OvWebHelp.exe"; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; uricontent:".aspx"; nocase; content:"GET"; nocase; depth: 3; content:"%5C"; depth: 200; nocase; content:"aspx"; within:100; reference:url,doc.emergingthreats.net/2001343; classtype:web-application-attack; sid:2001343; rev:22; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; uricontent:"extras/update.php"; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002864; classtype:attempted-recon; sid:2002864; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"CUSTOMIZE=/"; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"destype=file"; nocase; uricontent:"desformat="; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; classtype:web-application-activity; sid:2002132; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"report="; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP remote file include exploit attempt"; flow: to_server,established; content:"GET "; nocase; depth:4; uricontent:".php?"; nocase; uricontent:"cmd="; nocase; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; reference:url,doc.emergingthreats.net/2001810; classtype:attempted-admin; sid:2001810; rev:28; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED PacketShaper DoS attempt"; flow:to_server,established; uricontent:"/rpttop.htm"; pcre:"/MEAS\.TYPE=(?!(link|class)&)/U"; reference:url,doc.emergingthreats.net/2004449; classtype:denial-of-service; sid:2004449; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; uricontent:".php"; nocase; uricontent:"=http|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009151; classtype:web-application-attack; sid:2009151; rev:8; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; uricontent:"?Redirect?"; nocase; pcre:"/url=.{8000}/iU"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; reference:url,doc.emergingthreats.net/2002660; reference:url,doc.emergingthreats.net/2002660; classtype:web-application-activity; sid:2002660; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"INSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010286; classtype:web-application-attack; sid:2010286; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"SUBSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010287; classtype:web-application-attack; sid:2010287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; uricontent:"/*"; uricontent:"*/"; pcre:"/\x2F\x2A.+\x2A\x2F/U"; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2011040; classtype:web-application-attack; sid:2011040; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; uricontent:"/default.aspx?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; reference:url,doc.emergingthreats.net/2003903; classtype:web-application-attack; sid:2003903; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail"; flow:established,to_server; uricontent:"/contact/contact/index.php?"; nocase; uricontent:"form[mail]="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003904; classtype:web-application-attack; sid:2003904; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; depth:6; content:"Connection|3A| Close"; nocase; distance:0; content:"Lock-token|3A|"; nocase; within:100; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; reference:url,doc.emergingthreats.net/2011015; classtype:web-application-attack; sid:2011015; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; classtype:web-application-attack; sid:2011016; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; uricontent:"|00|"; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; reference:url,doc.emergingthreats.net/2003099; classtype:web-application-activity; sid:2003099; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; reference:url,doc.emergingthreats.net/2002844; classtype:web-application-attack; sid:2002844; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) SMTP"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010591; classtype:policy-violation; sid:2010591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -2652,8 +1766,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; classtype:attempted-user; sid:2011053; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/axis2/services/Version?"; nocase; uricontent:"xsd="; nocase; content:"../"; depth:200; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; classtype:web-application-attack; sid:2011160; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows Shortcut LNK File Automatic File Execution Attempt Via WebDAV"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; content:"<D|3A|locktype><D|3A|write/></D|3A|locktype>"; nocase; distance:0; content:"<D|3A|getcontenttype>shortcut</D|3A|getcontenttype>"; nocase; distance:0; reference:url,support.microsoft.com/kb/2286198; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011239; classtype:attempted-user; sid:2011239; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009491; classtype:web-application-attack; sid:2009491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -2710,14 +1822,10 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer/InstallerClean.exe"; nocase; reference:url,doc.emergingthreats.net/2010053; classtype:trojan-activity; sid:2010053; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/softwarefortubeview.40009.exe"; nocase; reference:url,doc.emergingthreats.net/2010058; classtype:trojan-activity; sid:2010058; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/Soft_21.exe"; nocase; reference:url,doc.emergingthreats.net/2010060; classtype:trojan-activity; sid:2010060; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010444; classtype:bad-unknown; sid:2010444; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010446; classtype:bad-unknown; sid:2010446; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010447; classtype:bad-unknown; sid:2010447; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010448; classtype:bad-unknown; sid:2010448; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
@@ -2730,19 +1838,17 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/wywg/"; nocase; uricontent:".exe"; nocase; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; classtype:trojan-activity; sid:2010716; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; uricontent:"/kav"; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:exploit-kit; sid:2010870; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; uricontent:"/nte/"; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; classtype:exploit-kit; sid:2010871; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Related CSS Download"; flow:established,from_server; content:"#hello_nod32_guys_how_u_doing"; nocase; reference:url,doc.emergingthreats.net/2011670; classtype:trojan-activity; sid:2011670; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Executable requested from /wp-content/languages"; flow:established,to_server; uricontent:"/wp-content/languages/"; nocase; uricontent:".exe"; nocase; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; classtype:trojan-activity; sid:2011220; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; uricontent:"av_base/av-i386-daily.zip"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010568; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; uricontent:"av_base/av-i386-daily.zip"; nocase; reference:url,doc.emergingthreats.net/2010565; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010568; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; uricontent:"av_base/pay.php"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010566; classtype:trojan-activity; sid:2010566; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; uricontent:"av_base/pay.php"; nocase; reference:url,doc.emergingthreats.net/2010566; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010566; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; uricontent:"av_base/ip.php"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; uricontent:"av_base/ip.php"; nocase; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client registration"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyMyIP="; within:27; reference:url,doc.emergingthreats.net/2008950; classtype:trojan-activity; sid:2008950; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -2794,10 +1900,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Outbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003295; classtype:trojan-activity; sid:2003295; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; uricontent:"/i1000000.gif"; nocase; reference:url,doc.emergingthreats.net/2011760; classtype:bad-unknown; sid:2011760; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; uricontent:"/xml/p.php?id="; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; classtype:trojan-activity; sid:2010551; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hidden iframe Served by nginx - Likely Hostile Code"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; nocase; offset:15; depth:15; content:"<iframe src="; nocase; content:"style=|22|visibility|3a|hidden|3b 22| width=|22|1|22| height=|22|1|22|></iframe>"; nocase; reference:url,doc.emergingthreats.net/2011714; classtype:bad-unknown; sid:2011714; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, former_category CURRENT_EVENTS, updated_at 2010_07_30;)
@@ -2806,8 +1908,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; uricontent:"/x/?src="; nocase; uricontent:"&o=o"; nocase; reference:url,doc.emergingthreats.net/2011230; classtype:bad-unknown; sid:2011230; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; nocase; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:!"nextgen-gallery"; nocase; within:15; content:"/ngg.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; classtype:trojan-activity; sid:2008387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:"/b.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; classtype:trojan-activity; sid:2008388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -2844,7 +1944,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"IbmEgath.IbmEgathCtl.1"; distance:0; nocase; content:"GetXMLValue"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010482; classtype:attempted-user; sid:2010482; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003103; classtype:attempted-user; sid:2003103; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003103; classtype:attempted-user; sid:2003103; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003105; classtype:attempted-user; sid:2003105; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -2860,13 +1960,13 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; content:"CLSID"; nocase; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; reference:url,doc.emergingthreats.net/2003514; classtype:attempted-user; sid:2003514; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url, osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003231; classtype:attempted-user; sid:2003231; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url,osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003231; classtype:attempted-user; sid:2003231; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)"; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003232; classtype:attempted-user; sid:2003232; rev:59; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)"; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003232; classtype:attempted-user; sid:2003232; rev:59; metadata:created_at 2010_07_30, former_category ACTIVEX, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution"; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003233; classtype:attempted-user; sid:2003233; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution"; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003233; classtype:attempted-user; sid:2003233; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url, osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003234; classtype:attempted-user; sid:2003234; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url,osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003234; classtype:attempted-user; sid:2003234; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<body\s+[^>]*onUnload\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009132; classtype:web-application-attack; sid:2009132; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -2992,7 +2092,7 @@ alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001048; classtype:misc-activity; sid:2001048; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url, riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; classtype:attempted-user; sid:2003110; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url,riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; classtype:attempted-user; sid:2003110; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection"; flow:from_server,established; content:"ftp|3a|//"; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; reference:url,doc.emergingthreats.net/bin/view/Main/2003230; classtype:attempted-user; sid:2003230; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -3006,16 +2106,10 @@ alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/admin/device_admin.php?"; nocase; uricontent:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; classtype:web-application-attack; sid:2011556; rev:1; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/nmap.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:1; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; classtype:attempted-user; sid:2010692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A; reference:url,support.microsoft.com/kb/971029; classtype:suspicious-filename-detect; sid:2011526; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-#alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
-
-#alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"<!DOCTYPE"; nocase; distance:0; content:"<!ENTITY"; nocase; distance:0; content:"<soapenv|3A|Envelope"; nocase; distance:0; content:"<ns1|3A|Username>"; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1; metadata:created_at 2010_09_27, former_category EXPLOIT, updated_at 2010_09_27;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCTAVIFileLib.AVIFileM"; nocase; distance:0; content:"OpenFile"; nocase; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010357; classtype:web-application-attack; sid:2010357; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -3038,19 +2132,15 @@ alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET DELETED Yoyo-DDoS Bot Command from CnC Server"; flow:established,from_server; dsize:124; content:"|C1 00 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011401; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; uricontent:"layout"; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:2; metadata:created_at 2010_09_28, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; classtype:bad-unknown; sid:2011546; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_client; content:"WScript.Shell"; nocase; content:"shell.Run"; nocase; within:40; content:"|22|"; within:6; reference:url,msdn.microsoft.com/en-us/library/d5fk67ky(VS.85).aspx; reference:url,doc.emergingthreats.net/2010961; classtype:attempted-user; sid:2010961; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c/si"; reference:url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/; reference:bid,42100; reference:url,doc.emergingthreats.net/2011509; classtype:attempted-user; sid:2011509; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c/si"; reference:url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/; reference:bid,42100; reference:url,doc.emergingthreats.net/2011509; classtype:attempted-user; sid:2011509; rev:2; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; uricontent:"/?777"; classtype:bad-unknown; sid:2011421; rev:2; metadata:created_at 2010_09_28, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab jquery.jxx"; flow:established,to_server; content:"/jquery.jxx?v="; http_uri; classtype:bad-unknown; sid:2011353; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -3070,7 +2160,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infecti
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Delf/Hupigon C&C Channel Version Report"; flow:established,to_server; dsize:<25; content:"VERSON|3a|"; depth:7; reference:url,doc.emergingthreats.net/2007930; classtype:command-and-control; sid:2007930; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; reference:url,doc.emergingthreats.net/bin/view/Main/2007847; classtype:web-application-attack; sid:2007847; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -3102,22 +2192,12 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.V
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Browser HiJacker/Infostealer Stat file"; flow:established,to_server; content:"|5B00|u|00|p|00|d|00|a|00|t|00|e|005D|"; nocase; content:"v|00|e|00|r|00|="; nocase; reference:url,doc.emergingthreats.net/2007777; classtype:trojan-activity; sid:2007777; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT";  nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT";  nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server;uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"UPDATE";  nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Likely eCard Malware Laden Email Inbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| You have received an eCard"; nocase; content:"e-card.zip"; nocase; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; reference:url,doc.emergingthreats.net/2008674; classtype:trojan-activity; sid:2008674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Egspy Infection Report Email"; flow:established,to_server; content:"FROM\: EgySpy Victim"; content:"TO|3a| EgySpy User"; distance:0; content:"SUBJECT|3a| E g y S p y KeyLogger"; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008039; classtype:trojan-activity; sid:2008039; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/global.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33691; reference:url,milw0rm.com/exploits/8026; reference:url,doc.emergingthreats.net/2009846; classtype:web-application-attack; sid:2009846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003764; classtype:web-application-attack; sid:2003764; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UNION SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003765; classtype:web-application-attack; sid:2003765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid INSERT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003766; classtype:web-application-attack; sid:2003766; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -3186,7 +2266,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; content:"/proxyjudge.cgi"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003048; classtype:policy-violation; sid:2003048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:7; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"Winamp"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Winamp/Hi"; reference:url,doc.emergingthreats.net/2003168; classtype:policy-violation; sid:2003168; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -3210,7 +2290,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL (3)"; flow:established,to_server; content:"&ns="; http_uri; content:"&id="; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008395; classtype:command-and-control; sid:2008395; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; content:"/manda.php?"; nocase; http_uri; content:"ns="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2008324; classtype:command-and-control; sid:2008324; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; content:"/manda.php?"; nocase; http_uri; content:"ns="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008324; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:md5,b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; classtype:command-and-control; sid:2008324; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake.Googlebar or Softcash.org Related Post-Infection Checkin"; flow:established,to_server; content:"bl="; http_uri; content:"&cuid="; http_uri; content:"&cnid="; http_uri; content:"&luid="; http_uri; content:"&rnd="; http_uri; reference:url,doc.emergingthreats.net/2008236; classtype:command-and-control; sid:2008236; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
@@ -3242,7 +2322,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BackDoor-EGB Check-in"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp"; http_uri; content:"?username="; http_uri; content:"&serverMac="; http_uri; content:"&edition="; pcre:"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/Ui"; reference:url,doc.emergingthreats.net/2009532; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060; classtype:trojan-activity; sid:2009532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE smain?scout=acxc Generic Download landing"; flow:established,to_server; content:"GET"; depth:3; http_method; nocase; content:"/smain?scout=acxc"; nocase; http_uri; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010822; classtype:trojan-activity; sid:2010822; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE smain?scout=acxc Generic Download landing"; flow:established,to_server; content:"GET"; depth:3; http_method; nocase; content:"/smain?scout=acxc"; nocase; http_uri; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010822; classtype:trojan-activity; sid:2010822; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.StartPage activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; reference:url,doc.emergingthreats.net/2011228; classtype:trojan-activity; sid:2011228; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -3252,7 +2332,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP (2)"; flow:established,to_server; content:"php?"; nocase; http_uri; content:"cmp="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&dn_uid="; nocase; http_uri; content:"&dn_affid="; nocase; http_uri; content:"&vm_guid="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&altid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007285; classtype:trojan-activity; sid:2007285; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut Counter/Check-in "; flow:established,to_server; content:"POST"; depth:4; http_method; content:".asp?mac="; http_uri; content:"&rw="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009457; classtype:trojan-activity; sid:2009457; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut Counter/Check-in"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".asp?mac="; http_uri; content:"&rw="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009457; classtype:trojan-activity; sid:2009457; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?SoftName="; nocase; http_uri; content:"&SoftVersion="; nocase; http_uri; content:"&UserIP"; nocase; http_uri; content:"&Mac"; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html; reference:url,www.threatexpert.com/threats/w32-virut-i.html; reference:url,doc.emergingthreats.net/2009829; classtype:trojan-activity; sid:2009829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -3286,7 +2366,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Small.yml or Related HTTP Command"; flow:established,to_server; content:"/ClientTask.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008952; classtype:trojan-activity; sid:2008952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD"; depth:4; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010240; classtype:trojan-activity; sid:2010240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD"; depth:4; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; content:"&pid="; http_uri; reference:url,doc.emergingthreats.net/2010240; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin"; flow:established,to_server; content:"/stat.php?func=install&pid="; http_uri; content:"&ip="; http_uri; content:"&landing="; http_uri; reference:url,doc.emergingthreats.net/2008250; classtype:command-and-control; sid:2008250; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
@@ -3338,13 +2418,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"libwww-perl/"; nocase; http_header; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002934; classtype:attempted-recon; sid:2002934; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002828; classtype:not-suspicious; sid:2002828; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002828; classtype:not-suspicious; sid:2002828; rev:9; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002830; classtype:not-suspicious; sid:2002830; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002832; classtype:not-suspicious; sid:2002832; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002832; classtype:not-suspicious; sid:2002832; rev:9; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; classtype:attempted-recon; sid:2002833; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yahoo Crawler Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; classtype:attempted-recon; sid:2002833; rev:7; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002944; classtype:attempted-recon; sid:2002944; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -3802,7 +2882,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; nocase; content:"CanUninstall"; nocase; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; reference:url,doc.emergingthreats.net/2008619; classtype:web-application-attack; sid:2008619; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server"; flow:established,from_server; dsize:124; content:"|80 04 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011400; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
@@ -3822,16 +2902,12 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|10|"; within:6; flowbits:noalert; reference:url,doc.emergingthreats.net/2003007; classtype:unusual-client-port-connection; sid:2003007; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:8; metadata:created_at 2010_07_30, updated_at 2019_06_06;)
-
 #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003012; classtype:unusual-client-port-connection; sid:2003012; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003013; classtype:unusual-client-port-connection; sid:2003013; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; classtype:trojan-activity; sid:2000930; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; classtype:trojan-activity; sid:2001399; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| ABC/ABC"; nocase; reference:url,pingpong-abc.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003475; classtype:trojan-activity; sid:2003475; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; classtype:attempted-recon; sid:2009749; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -3844,9 +2920,9 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeAV SetupSecure Download Attempt SetupSecure"; flow:established,to_server; content:"/download/SetupSecure_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com; classtype:trojan-activity; sid:2011357; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.FraudPack.aweo"; flow:established,to_server; content:"GET"; http_method; content:"update.php?do="; http_uri; content:"&coid="; http_uri; content:"&IP="; http_uri; content:"&fff="; http_uri; content:"&lct="; http_uri; content:"&ttt="; http_uri; content:"&v="; reference:url,www.threatexpert.com/report.aspx?md5=4bc4c32a8d93c29b026bbfb24ccecd14; classtype:trojan-activity; sid:2011294; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.FraudPack.aweo"; flow:established,to_server; content:"GET"; http_method; content:"update.php?do="; http_uri; content:"&coid="; http_uri; content:"&IP="; http_uri; content:"&fff="; http_uri; content:"&lct="; http_uri; content:"&ttt="; http_uri; content:"&v="; reference:md5,4bc4c32a8d93c29b026bbfb24ccecd14; classtype:trojan-activity; sid:2011294; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Variant Checkin Activity"; flow:established,to_server; content:"/sm.php?pizda"; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,www.threatexpert.com/report.aspx?md5=f39d0a669ad98b95370a4f525d7d79ec; classtype:trojan-activity; sid:2011335; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Variant Checkin Activity"; flow:established,to_server; content:"/sm.php?pizda"; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:md5,f39d0a669ad98b95370a4f525d7d79ec; classtype:trojan-activity; sid:2011335; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stupid Stealer C&C Communication (1)"; flow:established,to_server; content:"cmd=give&pcname="; nocase; http_uri; content:"&status="; http_uri; nocase; pcre:"/cmd=give&pcname=.+&status=\d+$/U"; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:command-and-control; sid:2011370; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
@@ -3856,19 +2932,19 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE wisp backdoor detected reporting"; flow:established,to_server; content:"getkys.kys"; nocase; http_uri; content:"hostname="; nocase; http_uri; classtype:trojan-activity; sid:2011395; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(1)"; flow:established,to_server; content:"GET"; http_header; content:"/gatech.php?pn="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011490; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(1)"; flow:established,to_server; content:"GET"; http_header; content:"/gatech.php?pn="; nocase; http_uri; reference:md5,ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011490; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(2)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?id="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011491; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(2)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?id="; nocase; http_uri; reference:md5,ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011491; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011792; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011792; rev:5; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz or Rohimafo config loaded"; flow: established,to_server; content:"knock.php"; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:"load|5f|success"; nocase; content:!"User-Agent"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011522; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz or Rohimafo config loaded"; flow: established,to_server; content:"knock.php"; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:"load|5f|success"; nocase; content:!"User-Agent"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011522; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:command-and-control; sid:2011524; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011524; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso FTP Credential Theft Reported"; flow:to_server,established; content:"/receiver/ftp"; http_uri; nocase; content:"|0d 0a 0d 0a|ftp_uri_0="; nocase; content:"&ftp_source_0="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7; reference:url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011470; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso FTP Credential Theft Reported"; flow:to_server,established; content:"/receiver/ftp"; http_uri; nocase; content:"|0d 0a 0d 0a|ftp_uri_0="; nocase; content:"&ftp_source_0="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:md5,348ba619aab3a92b99701335f95fe2a7; reference:md5,8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011470; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso Checkin"; flow:established,to_server; content:"POST"; http_method; content:"receiver/online"; http_uri; content:"|0d 0a 0d 0a|guid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7; reference:url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6; classtype:command-and-control; sid:2011471; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso Checkin"; flow:established,to_server; content:"POST"; http_method; content:"receiver/online"; http_uri; content:"|0d 0a 0d 0a|guid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:md5,348ba619aab3a92b99701335f95fe2a7; reference:md5,8be56dbd057c3bde42ae804bfd647bb6; classtype:command-and-control; sid:2011471; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pthc"; flow: from_server,established; content:" pthc "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001386; classtype:policy-violation; sid:2001386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -3906,7 +2982,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (NLS) wrong password"; flow:established,from_server; content:"|FF 54 1C 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002116; classtype:policy-violation; sid:2002116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to eleonore exploit kit"; flow:established,to_client; content:"SL_"; http_cookie; content:"_0000="; http_cookie; classtype:exploit-kit; sid:2011810; rev:1; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to eleonore exploit kit"; flow:established,to_client; content:"SL_"; http_cookie; content:"_0000="; http_cookie; classtype:exploit-kit; sid:2011810; rev:1; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/layouts/standard.php?"; nocase; http_uri; content:"page_include="; nocase; http_uri; pcre:"/page_include=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2009/0360; reference:url,milw0rm.com/exploits/8003; reference:url,doc.emergingthreats.net/2009717; classtype:web-application-attack; sid:2009717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -3922,14 +2998,8 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007509; classtype:web-application-attack; sid:2007509; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri;  content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2892; reference:url,www.securityfocus.com/bid/24135; reference:url,doc.emergingthreats.net/2004594; classtype:web-application-attack; sid:2004594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819; rev:1; metadata:created_at 2010_10_14, updated_at 2010_10_14;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; flow:established,to_server; content:"POST"; http_method; uricontent:"/scripts/setup.php"; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -3944,16 +3014,12 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/i"; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; reference:url,doc.emergingthreats.net/2002861; classtype:web-application-attack; sid:2002861; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; distance:0; within:500; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; classtype:web-application-attack; sid:2003328; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; pcre:"/(Save|ExportImage)/i"; reference:url,milw0rm.com/exploits/8208; reference:bugtraq,23934; reference:url,doc.emergingthreats.net/2009334; classtype:web-application-attack; sid:2009334; rev:30; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt"; flow:established,to_client; content:"6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790"; nocase; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790/si"; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010356; classtype:web-application-attack; sid:2010356; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; pcre:"/(DeleteFile|write)/i"; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; classtype:web-application-attack; sid:2009187; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/scripts/setup.php"; nocase; content:"|0D 0A 0D 0A|token="; content:"host"; content:"phpinfo|25|28|25|29|25|3b"; nocase; within:64; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009709; classtype:web-application-attack; sid:2009709; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -4008,7 +3074,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/main.inc.php?"; nocase; http_uri; content:"mj_config[src_path]="; nocase; http_uri; pcre:"/mj_config\[src_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009196; classtype:web-application-attack; sid:2009196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath"; flow:established,to_server; content:"/language/1/splash.lang.php?"; nocase; http_uri; content:"languagePath="; nocase; http_uri; reference:cve,CVE-2007-2663; reference:url,www.milw0rm.com/exploits/3909; reference:url,doc.emergingthreats.net/2003738; classtype:web-application-attack; sid:2003738; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath"; flow:established,to_server; content:"/language/1/splash.lang.php?"; nocase; http_uri; content:"languagePath="; nocase; http_uri; reference:cve,CVE-2007-2663; reference:url,www.milw0rm.com/exploits/3909; reference:url,doc.emergingthreats.net/2003738; classtype:web-application-attack; sid:2003738; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/linkadmin.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009364; classtype:web-application-attack; sid:2009364; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -4076,7 +3142,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs"; flow:established,to_server; content:"/cand_login.asp?"; nocase; http_uri; content:"strJobIDs="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.*script/iU"; reference:cve,CVE-2007-2818; reference:url,www.securityfocus.com/bid/24078; reference:url,doc.emergingthreats.net/2004559; classtype:web-application-attack; sid:2004559; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/embadmin/login.asp"; http_uri; nocase; content:"%27"; depth:300; reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html; reference:url,exploit-db.com/exploits/14376; classtype:web-application-attack; sid:2011826; rev:2; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/embadmin/login.asp"; http_uri; nocase; content:"%27"; depth:300; reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html; reference:url,exploit-db.com/exploits/14376; classtype:web-application-attack; sid:2011826; rev:2; metadata:created_at 2010_10_19, updated_at 2010_10_19;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004569; classtype:web-application-attack; sid:2004569; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -4086,8 +3152,6 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo Chat Signin Success Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|85|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007067; classtype:policy-violation; sid:2007067; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50;  classtype:trojan-activity; sid:2011541; rev:4; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
-
 #alert ip [192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 3"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002751; classtype:bad-unknown; sid:2002751; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007068; classtype:policy-violation; sid:2007068; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -4166,8 +3230,6 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDe
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; fast_pattern; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003837; classtype:web-application-attack; sid:2003837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003838; classtype:web-application-attack; sid:2003838; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003839; classtype:web-application-attack; sid:2003839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; fast_pattern; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003840; classtype:web-application-attack; sid:2003840; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -4234,7 +3296,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN D
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.inc.php?"; nocase; http_uri; content:"root="; nocase; http_uri; pcre:"/root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5393; reference:bugtraq,28660; reference:url,doc.emergingthreats.net/2009848; classtype:web-application-attack; sid:2009848; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Small.gen!AQ Communication with Controller"; flow:established,to_server; content:"?uid="; nocase; http_uri; fast_pattern; content:"&action="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&b="; nocase; http_uri; pcre:"/\?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$/U"; reference:url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html; reference:url,www.threatexpert.com/report.aspx?md5=eb3140416c06fa8cb7851076dd100dfb; reference:url,www.threatexpert.com/report.aspx?md5=8033dffa899dcd16769f389073f9f053; classtype:trojan-activity; sid:2011414; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Small.gen!AQ Communication with Controller"; flow:established,to_server; content:"?uid="; nocase; http_uri; fast_pattern; content:"&action="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&b="; nocase; http_uri; pcre:"/\?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$/U"; reference:md5,eb3140416c06fa8cb7851076dd100dfb; reference:url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html; reference:md5,8033dffa899dcd16769f389073f9f053; classtype:trojan-activity; sid:2011414; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006718; classtype:web-application-attack; sid:2006718; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
@@ -4364,9 +3426,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN D
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2003999; classtype:web-application-attack; sid:2003999; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rogue antivirus downloader x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; flow:established,to_server; content:"GET"; http_method; content:"x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; nocase; http_uri; classtype:bad-unknown; sid:2011898; rev:1; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rogue antivirus downloader x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; flow:established,to_server; content:"GET"; http_method; content:"x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; nocase; http_uri; classtype:bad-unknown; sid:2011898; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojandropper dunik!rts xxx/download7/21/install_flash_player.exe"; flow:established,to_server; content:"GET"; http_method; content:"xxx/download7/21/install_flash_player.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011900; rev:1; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojandropper dunik!rts xxx/download7/21/install_flash_player.exe"; flow:established,to_server; content:"GET"; http_method; content:"xxx/download7/21/install_flash_player.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011900; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -4442,49 +3504,21 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN D
 
 #alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .cpl"; flow:established; content:"|20 20 2E 63 70 6C 50 4B|"; reference:url,doc.emergingthreats.net/2001406; classtype:suspicious-filename-detect; sid:2001406; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES"; flow:established,to_server; uricontent:"/inc/articles.inc.php?"; nocase; uricontent:"GLOBALS[CHEMINMODULES]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2594; reference:url,www.milw0rm.com/exploits/3879; reference:url,doc.emergingthreats.net/2003703; classtype:web-application-attack; sid:2003703; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore"; flow:established,to_server; uricontent:"/user/turbulence.php?"; nocase; uricontent:"GLOBALS[tcore]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2504; reference:url,www.securityfocus.com/bid/23580; reference:url,doc.emergingthreats.net/2003683; classtype:web-application-attack; sid:2003683; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/image/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003672; classtype:web-application-attack; sid:2003672; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/liens/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003673; classtype:web-application-attack; sid:2003673; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/liste/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003674; classtype:web-application-attack; sid:2003674; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/special/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003675; classtype:web-application-attack; sid:2003675; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/texte/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003676; classtype:web-application-attack; sid:2003676; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path"; flow:established,to_server; uricontent:"/psg.smarty.lib.php?"; nocase; uricontent:"cfg[sys][base_path]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2458; reference:url,www.frsirt.com/english/advisories/2007/1390; reference:url,doc.emergingthreats.net/2003691; classtype:web-application-attack; sid:2003691; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path"; flow:established,to_server; uricontent:"/resources/includes/class.Smarty.php?"; nocase; uricontent:"cfg[sys][base_path]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2457; reference:url,www.milw0rm.com/exploits/3733; reference:url,doc.emergingthreats.net/2003702; classtype:web-application-attack; sid:2003702; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/subscription.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009061; classtype:web-application-attack; sid:2009061; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plugin/themes/default/init.php?"; nocase; uricontent:"apps_path[themes]="; nocase; pcre:"/apps_path\[themes\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009086; classtype:web-application-attack; sid:2009086; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lib/function.php?"; nocase; uricontent:"apps_path[libs]="; nocase; pcre:"/apps_path\[libs\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009088; classtype:web-application-attack; sid:2009088; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt"; flow:established,to_server; content:"/exec_raw.php"; http_uri; fast_pattern; nocase; content:"cmd="; http_uri; nocase; reference:bid,44974; classtype:web-application-attack; sid:2011940; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt"; flow:established,to_server; content:"/exec_raw.php"; http_uri; fast_pattern; nocase; content:"cmd="; http_uri; nocase; reference:bid,44974; classtype:web-application-attack; sid:2011940; rev:2; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 (Free Edition) Scan Detected"; flow:to_server,established; content:"(Acunetix Web Vulnerability Scanner"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2009646; classtype:attempted-recon; sid:2009646; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1; metadata:created_at 2010_11_19, updated_at 2010_11_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Facebook"; pcre:"/filename=\x22Facebook_(Password|Support|Document)_[A-Z0-9]{4,7}\.zip\x22/m"; reference:url,doc.emergingthreats.net/2010498; classtype:trojan-activity; sid:2010498; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase;  uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008794; classtype:misc-activity; sid:2008794; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase;  pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
@@ -4560,7 +3594,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-al
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_23, updated_at 2010_11_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN RatProxy in-use"; flow:established,to_server; content:"X-Ratproxy-Loop|3A| "; threshold: type limit, track by_src,count 1, seconds 60; classtype:attempted-recon; sid:2011975; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
@@ -4574,8 +3608,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/scorm/lib.inc.php?"; nocase; http_uri; content:"CONFIG[BASE_PATH]="; nocase; http_uri; pcre:"/CONFIG\[BASE_PATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009386; classtype:web-application-attack; sid:2009386; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase;  content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
-
 #alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; reference:url,doc.emergingthreats.net/2009469; classtype:web-application-attack; sid:2009469; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -4612,13 +3644,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt"; flow:established,to_client; content:"|3C|smil"; nocase; content:"|3C|img src="; nocase; distance:0; content:!"http"; nocase; within:20; content:"|3A|//"; within:20; isdataat:700,relative; content:!"|3C 2F|smil|3E|"; nocase; within:700; content:!"|0A|"; within:700; reference:url,securitytracker.com/alerts/2010/Aug/1024336.html; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:2011366; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java JAR file download"; flow:from_server,established; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:2011854; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; classtype:trojan-activity; sid:2011873; rev:4; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; classtype:trojan-activity; sid:2011873; rev:4; metadata:created_at 2010_10_29, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mac User-Agent Typo Likely Hostile/Trojan Infection"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Macintosh|3b|"; http_header; content:"(KHTML, like Geco,"; http_header; reference:url,doc.emergingthreats.net/2008954; classtype:trojan-activity; sid:2008954; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -4700,26 +3732,24 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPla
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2686; reference:url,www.osvdb.org/34791; reference:url,doc.emergingthreats.net/2004572; classtype:web-application-attack; sid:2004572; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3; metadata:created_at 2010_12_14, updated_at 2010_12_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
 
 #alert http any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; distance:0; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; distance:0; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:1; metadata:created_at 2010_12_15, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004122; classtype:web-application-attack; sid:2004122; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004123; classtype:web-application-attack; sid:2004123; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
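Review bot: The refreshed line for sid 2012054 (the Exim HeaderX rule) still carries `reference:url,eclists.org/fulldisclosure/2010/Dec/221`, which looks like a typo for `seclists.org` — the sid 2012075 line further down uses `reference:url,seclists.org/fulldisclosure/2010/Dec/110` for the same archive. The rule is commented out and parses either way, so this does not affect what the parse test exercises. Because this fixture is a verbatim copy of upstream ET Open, it should not be patched locally; it is worth reporting upstream so the next refresh carries the corrected reference. The hunk header also shows the file has shrunk by roughly a thousand lines at this point, so if the test's expectations (not part of this diff) pin a loaded or failed rule count, they need to be refreshed in the same commit.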
@@ -4854,7 +3884,7 @@ alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KA
 
 alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; classtype:policy-violation; sid:2009972; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Send Username"; flow:established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:1; within:4; byte_test:1,<,51,37; threshold: type limit, count 5, seconds 600, track by_src; reference:url, emule-project.net; reference:url,doc.emergingthreats.net/2009973; classtype:policy-violation; sid:2009973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Send Username"; flow:established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:1; within:4; byte_test:1,<,51,37; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009973; classtype:policy-violation; sid:2009973; rev:4; metadata:created_at 2010_07_30, former_category P2P, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; depth:17; reference:url,www.gnutella.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001664; classtype:policy-violation; sid:2001664; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -4898,11 +3928,11 @@ alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT find_no
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set"; flow:to_client,established; content:"NtDllImageBase|22|"; nocase; content:"getModuleInfos|28|"; distance:0; content:"|27|ntdll.dll|27|"; nocase; within:50; flowbits:set,NtDll.ImageBase.Module.Called; flowbits:noalert; classtype:not-suspicious; sid:2012085; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt"; flow:established,to_client; content:"@import url(|22|"; nocase; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,www.microsoft.com/technet/security/advisory/2488013.mspx; reference:bid,45246; reference:cve,2010-3971; classtype:attempted-user; sid:2012075; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt"; flow:established,to_client; content:"@import url(|22|"; nocase; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,www.microsoft.com/technet/security/advisory/2488013.mspx; reference:bid,45246; reference:cve,2010-3971; classtype:attempted-user; sid:2012075; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding"; flow:established,to_client; content:"%u646f%u6375%u6d65%u6e74%u2e77%u7269%u7465"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012107; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -4934,13 +3964,9 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible M
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
-
-#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Megaupload file download service access"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a| "; http_header; content:"megaupload.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2009301; classtype:policy-violation; sid:2009301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent no space"; flow:established,to_server; content:"|0d 0a|User-Agent|3a|"; content:!"|0d 0a|User-Agent|3a 20|"; classtype:bad-unknown; sid:2012180; rev:3; metadata:created_at 2011_01_14, former_category HUNTING, updated_at 2011_01_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent no space"; flow:established,to_server; content:"|0d 0a|User-Agent|3a|"; content:!"|0d 0a|User-Agent|3a 20|"; classtype:bad-unknown; sid:2012180; rev:3; metadata:created_at 2011_01_15, former_category HUNTING, updated_at 2011_01_15;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt"; flow:established,to_client; content:"0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; nocase; content:"DelFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9/si"; reference:url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt; classtype:attempted-user; sid:2012192; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
 
@@ -4994,9 +4020,9 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possibl
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write # Encoding"; flow:established,to_client; content:"#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012245; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity to document.doc"; flow:established,to_server; content:"/forum/document.doc"; http_uri; content:"!Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012280; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
@@ -5008,9 +4034,9 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obf
 
 #alert ip [0.0.0.0/8,192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET POLICY Unallocated IP Space Traffic - Bogon Nets"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002749; classtype:bad-unknown; sid:2002749; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:2; metadata:created_at 2011_02_06, updated_at 2011_02_06;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:2; metadata:created_at 2011_02_06, updated_at 2011_02_06;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm Worm HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/?"; http_uri; pcre:"/GET \/\?[0-9a-f]{16}/Ui"; pcre:"/Host\x3a [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2006411; classtype:trojan-activity; sid:2006411; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -5026,23 +4052,23 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOI
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Traffic Outbound 2"; flow:established,to_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012306; rev:6; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Beacon Outbound"; flow:established,to_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:command-and-control; sid:2012303; rev:4; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Beacon Outbound"; flow:established,to_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:command-and-control; sid:2012303; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2011_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012304; rev:6; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012304; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2011_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012308; rev:2; metadata:created_at 2011_02_11, updated_at 2011_02_11;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012308; rev:2; metadata:created_at 2011_02_11, former_category MALWARE, updated_at 2011_02_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.SillyP2P Checkin"; flow:to_server,established; content:"GET"; http_method; content:"csi?v="; http_uri; content:"&s=webhp&action=&e=0&ei="; http_uri; content:"&expi="; http_uri; content:"&imc="; http_uri; content:"&imn="; http_uri; content:"&imp="; http_uri; content:"&rt=xjsls"; http_uri; reference:url,www.securehomenetwork.blogspot.com/2011/02/anonleaks-continues-relationship-with.html; reference:url,www.threatexpert.com/report.aspx?md5=a7e1388c38c1fed12785bc335f95b15d; classtype:trojan-activity; sid:2012311; rev:4; metadata:created_at 2011_02_14, updated_at 2011_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.SillyP2P Checkin"; flow:to_server,established; content:"GET"; http_method; content:"csi?v="; http_uri; content:"&s=webhp&action=&e=0&ei="; http_uri; content:"&expi="; http_uri; content:"&imc="; http_uri; content:"&imn="; http_uri; content:"&imp="; http_uri; content:"&rt=xjsls"; http_uri; reference:md5,a7e1388c38c1fed12785bc335f95b15d; reference:url,www.securehomenetwork.blogspot.com/2011/02/anonleaks-continues-relationship-with.html; classtype:trojan-activity; sid:2012311; rev:4; metadata:created_at 2011_02_14, updated_at 2011_02_14;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE PWS Banker Trojan Sending Report of Infection"; flow: established,to_server; content:"From|3a 20 22|PC ID|3a|"; nocase; content:"Subject|3a| INFECTED"; nocase; content:"esta infectado"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html; reference:url,doc.emergingthreats.net/2001933; classtype:trojan-activity; sid:2001933; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2; metadata:created_at 2011_02_17, updated_at 2011_02_17;)
+alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3; metadata:created_at 2011_02_22, former_category CURRENT_EVENTS, updated_at 2011_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/index.jsp"; nocase; http_uri; pcre:"/help\x2Findex\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012396; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/index.jsp"; nocase; http_uri; pcre:"/help\x2Findex\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012396; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/advanced/content.jsp"; nocase; http_uri; pcre:"/content\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012397; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/advanced/content.jsp"; nocase; http_uri; pcre:"/content\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012397; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage"; flow:established,to_client; content:"eval|28|CRYPT.obfuscate|28|"; nocase; fast_pattern; reference:url,research.zscaler.com/2010/05/malicious-hidden-iframes-using-publicly.html; classtype:bad-unknown; sid:2012404; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -5050,7 +4076,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Micr
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Sipvicious OPTIONS Scan"; content:"OPTIONS "; depth:8; content:"ccxllrlflgig|22|<sip|3A|100"; nocase; distance:0; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; classtype:attempted-recon; sid:2011422; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] any (msg:"ET DELETED Facebook URL Redirect Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/track.php?"; nocase; http_uri; content:"r="; nocase; http_uri; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html; classtype:trojan-activity; sid:2012402; rev:7; metadata:created_at 2011_02_28, updated_at 2011_02_28;)
+#alert http $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] any (msg:"ET DELETED Facebook URL Redirect Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/track.php?"; nocase; http_uri; content:"r="; nocase; http_uri; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html; classtype:trojan-activity; sid:2012402; rev:7; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Eleonore Exploit pack download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/load/load.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=ultranichehost.com; classtype:trojan-activity; sid:2012446; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
@@ -5058,9 +4084,9 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Si
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Agent.FakeAV.AVG 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=vv&i="; http_uri; content:"&id="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012449; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Android Use-After-Free Remote Code Execution on Webkit"; flow:to_client,established; content:".appendChild"; content:"-parseFloat("; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/15548/; classtype:web-application-attack; sid:2012046; rev:3; metadata:created_at 2010_12_10, updated_at 2010_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Android Use-After-Free Remote Code Execution on Webkit"; flow:to_client,established; content:".appendChild"; content:"-parseFloat("; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/15548/; classtype:web-application-attack; sid:2012046; rev:3; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
@@ -5088,15 +4114,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.O
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*|0d 0a|"; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; classtype:trojan-activity; sid:2010348; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot Request to CnC"; flow:established,to_server; uricontent:".bin"; content:"GET"; depth:3; http_method; content:".bin HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; content:!"|0d 0a|Referer|3a|"; nocase; reference:url,doc.emergingthreats.net/2010861; classtype:command-and-control; sid:2010861; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS http client library detected"; flow:established,to_server; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:3; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus GET Request to CnC"; flow:established,to_server; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:command-and-control; sid:2011817; rev:3; metadata:created_at 2010_10_14, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus http client library detected"; flow:established,to_server; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0D 0A|User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2011818; rev:4; metadata:created_at 2010_10_14, updated_at 2010_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus http client library detected"; flow:established,to_server; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0D 0A|User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2011818; rev:4; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:5; metadata:created_at 2010_11_15, updated_at 2010_11_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:5; metadata:created_at 2010_11_16, updated_at 2010_11_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Config File URL"; flow:established,to_server; content:"000"; http_uri; content:".so"; http_uri; nocase; fast_pattern; pcre:"/\/000[a-z][0-9]{3}\x2Eso/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012081; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
@@ -5106,8 +4130,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo u
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Inject.ql Checkin Post"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"MAC="; nocase; http_client_body; content:"&IP="; nocase; http_client_body; content:"&NAME="; nocase; http_client_body; content:"&OS="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007803; classtype:command-and-control; sid:2007803; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential-Hiloti/FakeAV site access"; flow:established,to_server; uricontent:"?p=p52dcW"; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:3; metadata:created_at 2010_10_06, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d 0a|Host|3a20|"; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; classtype:trojan-activity; sid:2008434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; content:"MSPublisher"; flowbits:set,ms.publisher.file; flowbits:noalert; reference:cve,2010-3995; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; classtype:attempted-user; sid:2012519; rev:4; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
@@ -5148,15 +4170,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variab
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/png/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; classtype:web-application-attack; sid:2008315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:pup-activity; sid:2012615; rev:2; metadata:created_at 2011_04_01, former_category ADWARE_PUP, updated_at 2011_04_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:pup-activity; sid:2012615; rev:2; metadata:created_at 2011_03_31, former_category ADWARE_PUP, updated_at 2011_03_31;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED .dll Request Without User-Agent Likely Malware"; flow:established,to_server; content:".dll"; nocase; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2012618; rev:2; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED .dll Request Without User-Agent Likely Malware"; flow:established,to_server; content:".dll"; nocase; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2012618; rev:2; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:"AllowScriptAccess"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15698/; classtype:attempted-dos; sid:2012056; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_04_01, former_category CURRENT_EVENTS, updated_at 2011_04_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif/DlKroha Trojan Activity HTTP Outbound"; flow:to_server,established; content:".php?"; http_uri; content:"4x4x4x4x4x6x"; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2009752; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; classtype:trojan-activity; sid:2009752; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -5188,23 +4208,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variab
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3; metadata:created_at 2011_04_06, former_category CURRENT_EVENTS, updated_at 2011_04_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3; metadata:created_at 2011_04_06, former_category CURRENT_EVENTS, updated_at 2011_04_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3; metadata:created_at 2011_04_07, former_category CURRENT_EVENTS, updated_at 2011_04_07;)
 
 alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/OvCgi/snmpviewer.exe"; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:5; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Outbound"; flow:established; content:"|16 03 00|"; content:"|00 5c|"; distance:0; content:"|c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012078; rev:5; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2"; flow:established; content:"|16 03 00|"; content:"|00 26|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012079; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3"; flow:established; content:"|16 03 00|"; content:"|00 34|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012080; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_uri; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:4; metadata:created_at 2011_03_28, updated_at 2019_11_21;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; classtype:bad-unknown; sid:2011866; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hex Obfuscated arguments.callee Javascript Method in PDF Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"|61|"; distance:0; content:"|72|"; distance:1; within:2; content:"|67|"; distance:1; within:2; content:"|75|"; distance:1; within:2; content:"|6d|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|6e|"; distance:1; within:2; content:"|74|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|2e|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|65|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010879; classtype:misc-activity; sid:2010879; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -5222,8 +4238,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2; metadata:created_at 2011_04_13, former_category CURRENT_EVENTS, updated_at 2011_04_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Buzus Posting Data"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/fdsupdate"; nocase; content:"|0d 0a 0d 0a|PUTF"; reference:url,doc.emergingthreats.net/2010064; classtype:trojan-activity; sid:2010064; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Buzus FTP Log Upload"; flow:established,to_server; dsize:100<>500; content:"|20 20 20 20|"; depth:4; content:"************CD-Key Pack************"; distance:0; content:"Microsoft Windows Product ID CD Key\: "; distance:0; reference:url,doc.emergingthreats.net/2008750; classtype:trojan-activity; sid:2008750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2008953; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -5532,21 +4546,21 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; co
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101869; rev:6; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012770; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012770; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
 
@@ -5578,16 +4592,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA ICONICS WebHMI Acti
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; classtype:trojan-activity; sid:2009493; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Twitter Worm Attack"; flow:to_server,established; content:"m28sx.html"; http_uri; nocase; reference:url,threatpost.com/en_us/blogs/twitter-worm-uses-google-url-shortener-spread-scareware-012011; classtype:misc-attack; sid:2012207; rev:4; metadata:created_at 2011_01_20, updated_at 2011_01_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Twitter Worm Attack"; flow:to_server,established; content:"m28sx.html"; http_uri; nocase; reference:url,threatpost.com/en_us/blogs/twitter-worm-uses-google-url-shortener-spread-scareware-012011; classtype:misc-attack; sid:2012207; rev:4; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZBot sp107fb/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"sp107fb/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011896; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZBot sp107fb/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"sp107fb/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011896; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; content:"|2f 2f|mshtml|2e|dll"; nocase; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/gif/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; classtype:web-application-attack; sid:2008314; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -5636,9 +4646,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:4; metadata:created_at 2011_05_18, updated_at 2011_05_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:4; metadata:created_at 2011_05_18, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; http_uri; nocase; content:"hotmail.msn.com"; http_header; nocase; content:"/cgi-bin/compose?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2000037; classtype:policy-violation; sid:2000037; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -5662,8 +4672,6 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL root login
 
 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:2101776; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any  (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:11; metadata:created_at 2010_09_23, former_category FTP, updated_at 2020_08_20;)
-
 #alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101778; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -5690,41 +4698,41 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD ~<CR><NEWLINE> at
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:2101727; rev:8; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012844; rev:2; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012844; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012845; rev:2; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012845; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012846; rev:2; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012846; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012847; rev:2; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012847; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012853; rev:2; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012853; rev:2; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater"; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003584; classtype:trojan-activity; sid:2003584; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012851; rev:3; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012851; rev:3; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012852; rev:4; metadata:created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012852; rev:4; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; nocase; http_uri; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.Win32.AutoIt.ai Checkin"; flow:to_server,established; content:"/getpmnum"; http_uri; content:".asp?"; http_uri; content:"id="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=39d0dbe4f6923ed36864ae339f558963; classtype:command-and-control; sid:2012867; rev:3; metadata:created_at 2011_05_26, former_category MALWARE, updated_at 2011_05_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.Win32.AutoIt.ai Checkin"; flow:to_server,established; content:"/getpmnum"; http_uri; content:".asp?"; http_uri; content:"id="; http_uri; reference:md5,39d0dbe4f6923ed36864ae339f558963; classtype:command-and-control; sid:2012867; rev:3; metadata:created_at 2011_05_26, former_category MALWARE, updated_at 2011_05_26;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a password"; flow:established,to_server; content:"password|3a|"; nocase; http_header; classtype:policy-violation; sid:2012868; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
@@ -5736,9 +4744,9 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD ~<CR><NEWLINE> at
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt"; flow:established,to_client; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; nocase; content:"ICMPSendEchoRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA/si"; reference:url,www.exploit-db.com/exploits/17328/; classtype:attempted-user; sid:2012905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; reference:url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt; classtype:bad-unknown; sid:2012908; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; classtype:bad-unknown; sid:2012908; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 288 (msg:"ET MALWARE Dropper.Win32.Agent.ahju Checkin"; flow:established,to_server; content:"|44 78 47 54 33 43 6D 42 66 39 73 39 6C 74 62 6A 35 61 4A 7C 0A|"; depth:21; reference:url,www.threatexpert.com/report.aspx?md5=48ad09c574a4bd3bb24d007005382e63; reference:url,www.threatexpert.com/report.aspx?md5=a264690a775a4e1b3d91c2dbcd850ce9; classtype:command-and-control; sid:2012895; rev:2; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 288 (msg:"ET MALWARE Dropper.Win32.Agent.ahju Checkin"; flow:established,to_server; content:"|44 78 47 54 33 43 6D 42 66 39 73 39 6C 74 62 6A 35 61 4A 7C 0A|"; depth:21; reference:md5,48ad09c574a4bd3bb24d007005382e63; reference:md5,a264690a775a4e1b3d91c2dbcd850ce9; classtype:command-and-control; sid:2012895; rev:2; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003104; classtype:attempted-user; sid:2003104; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -6020,15 +5028,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect
 
 #alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Banker Trojan CnC Server Ping"; flow:established,from_server; dsize:<100; content:"PING|7c|"; reference:url,doc.emergingthreats.net/2009864; classtype:command-and-control; sid:2009864; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile"; flow:established,to_client; content:"Server|3a| nginx"; nocase; offset:15; depth:15; content:"Content-Type|3a| text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; reference:url,doc.emergingthreats.net/2011765; classtype:bad-unknown; sid:2011765; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile"; flow:established,to_client; content:"Server|3a| nginx"; nocase; offset:15; depth:15; content:"Content-Type|3a| text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; reference:url,doc.emergingthreats.net/2011765; classtype:bad-unknown; sid:2011765; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url,zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, former_category DOS, updated_at 2011_06_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, former_category CURRENT_EVENTS, updated_at 2011_06_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Java Exploit Attempt applet via file URI"; flow:established,from_server; content:"applet|20|"; nocase; content:"codebase"; nocase; distance:0; content:"|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"|5c|java|5c|jre6|5c|lib|5c|ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012608; rev:7; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.ZZSlash/Redosdru.E checkin"; flow:established,to_server; content:"|14 00 00 00 04 00 00 00 78 9C 63 60 60 60 00 00 00 04 00 01|"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=3b0299d72c853f56a1595c855776f89f; reference:url,www.threatexpert.com/report.aspx?md5=adc3a35d1244c9129be6edd6ccfaec5b; classtype:command-and-control; sid:2012957; rev:2; metadata:created_at 2011_06_08, former_category MALWARE, updated_at 2011_06_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.ZZSlash/Redosdru.E checkin"; flow:established,to_server; content:"|14 00 00 00 04 00 00 00 78 9C 63 60 60 60 00 00 00 04 00 01|"; depth:20; reference:md5,3b0299d72c853f56a1595c855776f89f; reference:md5,adc3a35d1244c9129be6edd6ccfaec5b; classtype:command-and-control; sid:2012957; rev:2; metadata:created_at 2011_06_08, former_category MALWARE, updated_at 2011_06_08;)
 
 #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:2101698; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -6072,47 +5080,43 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP RNFR ././ attempt"; f
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"GPL DELETED iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:2101604; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:exploit-kit; sid:2011468; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:exploit-kit; sid:2011468; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:3; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious SEO landing in.cgi with URI HTTP_REFERER"; flow:established,to_server; content:"/in.cgi?"; http_uri; content:"&seoref=http"; http_uri; content:"&parameter=$"; http_uri; content:"&HTTP_REFERER=http"; http_uri; fast_pattern; classtype:bad-unknown; sid:2012796; rev:3; metadata:created_at 2011_05_09, updated_at 2011_05_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si_"; content:".cb"; distance:10; within:3; pcre:"/si\x5F[a-z]{5}[0-9]{5}\x2Ecb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012974; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog_"; content:".kcb"; within:30; pcre:"/seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012975; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si_"; content:".cb"; distance:10; within:3; pcre:"/si\x5F[a-z]{5}[0-9]{5}\x2Ecb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012974; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog_"; content:".kcb"; within:30; pcre:"/seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012975; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirus2010 Checkin port 8082"; flow:established,to_server;content:"/ask?"; http_uri; content:"&u="; http_uri; content:"a="; http_uri; content:"&m="; http_uri; content:"&h="; http_uri; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:command-and-control; sid:2011473; rev:4; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Message"; flow:established,from_server; content:"robtex.com"; classtype:not-suspicious; sid:2012986; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; content:"<div style=\"visibility|3a| hidden|3b|\"><"; depth:120; classtype:bad-unknown; sid:2011307; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Carberp CnC Reply no tasks"; flow:established,from_server; content:"|0d 0a 0d 0a|no tasks"; classtype:command-and-control; sid:2011851; rev:7; metadata:created_at 2010_10_25, former_category MALWARE, updated_at 2010_10_25;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET "; nocase; depth:4; uricontent:".php?"; nocase; uricontent:"name="; nocase; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2001621; classtype:web-application-attack; sid:2001621; rev:35; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Carberp CnC Reply no tasks"; flow:established,from_server; content:"|0d 0a 0d 0a|no tasks"; classtype:command-and-control; sid:2011851; rev:7; metadata:created_at 2010_10_26, former_category MALWARE, updated_at 2010_10_26;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SL_*_0000 JavaScript redirect"; flow:established,to_client; content:"200"; http_stat_code; content:"SL_"; http_cookie; content:"_0000="; http_cookie; content:"window.location"; classtype:bad-unknown; sid:2013012; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=http|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012997; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:exploit-kit; sid:2013025; rev:2; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
 
@@ -6132,17 +5136,17 @@ alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Messa
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader PWS Module Data Upload Activity"; flow:established,to_server; content:"/grabbers.php"; http_uri; content:"logs="; content:"&module=grabbers"; distance:0; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28; reference:url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7; reference:url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013046; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader PWS Module Data Upload Activity"; flow:established,to_server; content:"/grabbers.php"; http_uri; content:"logs="; content:"&module=grabbers"; distance:0; reference:md5,12554e7f2e78daf26e73a2f92d01e7a7; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:md5,3310259795b787210dd6825e7b6d6d28; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:md5,7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013046; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyeEye Trojan Request file=grabbers"; flow:established,to_server; content:".php?file="; nocase; http_uri; content:"grabber"; distance: 0; http_uri; classtype:trojan-activity; sid:2012613; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by 2"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src="; content:"style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011961; rev:4; metadata:created_at 2010_11_19, updated_at 2010_11_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by 2"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src="; content:"style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011961; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=3dd8193692b62a875985349b67da38c6; reference:url,www.threatexpert.com/report.aspx?md5=6c9ad4d06f72edcd2b301d66b25ad101; reference:url,www.threatexpert.com/report.aspx?md5=91fa03240b5a59853d0dad708055a7a8; classtype:trojan-activity; sid:2011415; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:md5,6c9ad4d06f72edcd2b301d66b25ad101; reference:md5,91fa03240b5a59853d0dad708055a7a8; reference:md5,3dd8193692b62a875985349b67da38c6; classtype:trojan-activity; sid:2011415; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Client Visiting Sidename.js Injected Website - Malware Related"; flow:established,to_client; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013060; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
 
@@ -6150,13 +5154,13 @@ alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Messa
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacShield FakeAV CnC Communication"; flow:established,to_server; content:"/mac/soft.php?affid="; nocase; http_uri; fast_pattern:only; reference:url,blog.trendmicro.com/obfuscated-ip-addresses-and-affiliate-ids-in-mac-fakeav/; classtype:command-and-control; sid:2013062; rev:2; metadata:created_at 2011_06_17, former_category MALWARE, updated_at 2011_06_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_17, former_category MOBILE_MALWARE, updated_at 2011_06_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED OneStep Adware related User Agent (x)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| x|0d 0a|"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; classtype:trojan-activity; sid:2009987; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1064 (msg:"ET DELETED Win32/Fynloski Backdoor Keepalive Message"; flow:established,to_server; content:"KEEPALIVE"; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; reference:url,www.threatexpert.com/report.aspx?md5=baca8170608c189e2911dc4e430c7719; classtype:trojan-activity; sid:2013067; rev:2; metadata:created_at 2011_06_20, updated_at 2011_06_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1064 (msg:"ET DELETED Win32/Fynloski Backdoor Keepalive Message"; flow:established,to_server; content:"KEEPALIVE"; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; reference:md5,baca8170608c189e2911dc4e430c7719; classtype:trojan-activity; sid:2013067; rev:2; metadata:created_at 2011_06_20, updated_at 2011_06_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Scanner Landing Page (Initializing Virus Protection System...)"; flow:established,from_server; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2012815; rev:3; metadata:created_at 2011_05_18, updated_at 2011_05_18;)
 
@@ -6200,13 +5204,13 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; content:"GET /muieblackcat HTTP/1.1"; depth:26; classtype:attempted-recon; sid:2013115; rev:3; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MacDefender OS X Fake AV Scareware"; flow:established,to_server; content:"GET"; http_method; content:"affid="; http_uri; content:"data="; http_uri; content:"v="; http_uri; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012958; rev:5; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MacDefender OS X Fake AV Scareware"; flow:established,to_server; content:"GET"; http_method; content:"affid="; http_uri; content:"data="; http_uri; content:"v="; http_uri; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012958; rev:5; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging  Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1; metadata:created_at 2011_06_27, updated_at 2011_06_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging  Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:md5,c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vilsel.ayjv Checkin (aid)"; flow:to_server,established; content:"?aid="; http_uri; content:"&si="; http_uri; content:"&rd="; http_uri; pcre:"/&si=\d+&si=\d+&rd=20\d{11}/U"; classtype:command-and-control; sid:2013122; rev:5; metadata:created_at 2011_06_28, former_category MALWARE, updated_at 2011_06_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vilsel.ayjv Checkin (aid)"; flow:to_server,established; content:"?aid="; http_uri; content:"&si="; http_uri; content:"&rd="; http_uri; pcre:"/&si=\d+&si=\d+&rd=20\d{11}/U"; classtype:command-and-control; sid:2013122; rev:5; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetFirstItem"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013132; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
 
@@ -6214,13 +5218,11 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"79956462-F148-497F-B247-DF35A095F80B"; nocase; distance:0; content:".DownloadImageFileURL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B/si"; reference:url,exploit-db.com/exploits/17415/; reference:cve,2008-2683; classtype:attempted-user; sid:2013130; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:url,www.threatexpert.com/report.aspx?md5=7684532e7e1d717427f6842e9d5ecd56; reference:url,anubis.iseclab.org/?action=result&task_id=1ac5dbffd86ddd7f49da78a66fbeb6c37&format=txt; classtype:trojan-activity; sid:2013121; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:md5,7684532e7e1d717427f6842e9d5ecd56; classtype:trojan-activity; sid:2013121; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeAlert.Rena.n Checkin Flowbit set"; flow:established,to_server; content:"/1020000"; http_uri; depth:8; content:" HTTP/1.0|0d 0a|"; http_header; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:command-and-control; sid:2013135; rev:1; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType=";  http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013142; rev:3; metadata:created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013143; rev:2; metadata:created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013143; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -6244,7 +5246,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwav
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of URL"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"URL"; within:3; content:"#"; within:7; pcre:"/\x3C\x3C[^>]*\x2F[^URL](U|#55)(R|#52)(L|#4C)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011533; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013140; rev:3; metadata:created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013140; rev:3; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:"<param name="; nocase; content:"value="; nocase; distance:0; content:"|2E|swf?info="; fast_pattern; nocase; distance:0; pcre:"/value\x22[^\x22]*\x2Eswf\x3finfo\x3D/smi"; reference:url,stopmalvertising.com/malware-reports/all-ur-swf-bel0ng-2-us-analysis-of-cve-2011-2110.html; reference:bid,48268; reference:cve,2011-2110; classtype:attempted-user; sid:2013137; rev:3; metadata:created_at 2011_06_30, former_category CURRENT_EVENTS, updated_at 2011_06_30;)
 
@@ -6266,7 +5268,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer
 
 #alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|minerva|05|cdmon|03|org"; fast_pattern; distance:0; nocase; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.threatexpert.com/report.aspx?md5=13e43c44681ba9acb8fd42217bd3dbd2; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; classtype:command-and-control; sid:2013187; rev:1; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2011_07_05;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|minerva|05|cdmon|03|org"; fast_pattern; distance:0; nocase; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:md5,13e43c44681ba9acb8fd42217bd3dbd2; classtype:command-and-control; sid:2013187; rev:1; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2011_07_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"c="; http_uri; content:"&wv="; http_uri; content:"&wd="; http_uri; content:"&ie="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/2008347; classtype:successful-recon-limited; sid:2008347; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -6282,7 +5284,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer
 
 #alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Hooker Checkin Message"; flow:established,to_server; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&sin="; http_uri; classtype:trojan-activity; sid:2013205; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Hooker Checkin Message"; flow:established,to_server; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&sin="; http_uri; classtype:trojan-activity; sid:2013205; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&msg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&pauid="; nocase; http_uri; content:"&checkId="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:command-and-control; sid:2013215; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
@@ -6302,7 +5304,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IDrive Online Bac
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2; metadata:created_at 2011_07_11, former_category CURRENT_EVENTS, updated_at 2011_07_11;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo Download Command"; flow:established,to_server; content:"PRIVMSG #"; depth:9; content:"|3a 5b|d=|22|http|3a|//"; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=2d69d8d243499ab53b840c64f68cc830; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013245; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo Download Command"; flow:established,to_server; content:"PRIVMSG #"; depth:9; content:"|3a 5b|d=|22|http|3a|//"; distance:0; reference:md5,2d69d8d243499ab53b840c64f68cc830; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013245; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
 
 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo CnC PONG"; flow:established,to_server; content:"PONG |3a|hub.us.com"; depth:16; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:command-and-control; sid:2013246; rev:2; metadata:created_at 2011_07_11, former_category MALWARE, updated_at 2011_07_11;)
 
@@ -6328,7 +5330,7 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detec
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Nome Computador|3a| "; nocase; content:"Data|3a| "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002978; classtype:trojan-activity; sid:2002978; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013265; rev:2; metadata:created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013265; rev:2; metadata:attack_target Mobile_Client, created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013266; rev:2; metadata:created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14;)
 
@@ -6362,14 +5364,12 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CHOWN overflow a
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Majestic12 User-Agent Request Inbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013255; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)
 
-#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; classtype:trojan-activity; sid:2009205; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009205; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab request to a .ru 8080 URI"; flow:established,to_server; content:".ru|3a|8080|0D 0A|"; classtype:bad-unknown; sid:2011354; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Persona Not Validated)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Persona Not Validated"; classtype:policy-violation; sid:2013294; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Snake Oil CA"; classtype:policy-violation; sid:2013295; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Google Warning Infected Local User"; flow:established,from_server; content:"<span>It appears that your computer is infected with software that intercepts your connection to Google and other sites.</span>"; classtype:trojan-activity; sid:2013318; rev:1; metadata:created_at 2011_07_26, updated_at 2011_07_26;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
@@ -6386,29 +5386,27 @@ alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Cer
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:command-and-control; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui";  reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
-
 alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:2101928; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; content:!"|00|server."; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007711; classtype:trojan-activity; sid:2007711; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -6470,39 +5468,39 @@ alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; c
 
 #alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2102041; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dropper.Win32.Agent.bpxo Checkin"; flow:established,to_server; content:"|71 4E 6C 39 34 65 66 59 41 7A 32 32 37 4F 71 45 44 4D 50 0A|"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=02e447b347a90680e03c8b7d843a8e46; reference:url,www.antivirus365.org/PCAntivirus/37128.html; classtype:command-and-control; sid:2012894; rev:4; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dropper.Win32.Agent.bpxo Checkin"; flow:established,to_server; content:"|71 4E 6C 39 34 65 66 59 41 7A 32 32 37 4F 71 45 44 4D 50 0A|"; depth:20; reference:md5,02e447b347a90680e03c8b7d843a8e46; reference:url,www.antivirus365.org/PCAntivirus/37128.html; classtype:command-and-control; sid:2012894; rev:4; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Client Checkin"; flow:established,to_server; content:"|00 00 99 4F B9 74 E2 75 94 0A 5A|"; offset:2; depth:11; classtype:command-and-control; sid:2013338; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:url,www.threatexpert.com/report.aspx?md5=08f116cf4feff245dca581244e4f509c; classtype:command-and-control; sid:2013340; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:md5,08f116cf4feff245dca581244e4f509c; classtype:command-and-control; sid:2013340; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; http_uri; content:"&time="; http_uri; content:"&msg="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&fy="; http_uri; content:"&pauid="; http_uri; content:"&checkId="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:url,www.threatexpert.com/report.aspx?md5=0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; http_uri; content:"&time="; http_uri; content:"&msg="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&fy="; http_uri; content:"&pauid="; http_uri; content:"&checkId="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:md5,0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.*"; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - picasa.com.*"; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - blogger.com.*"; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - img.youtube.com.*"; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.*"; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Checkin"; flow:established,to_server; content:"/ping.php?v="; http_uri; content:"&cid="; http_uri; content:"&s="; http_uri; content:"&wid="; http_uri; content:"&fid="; http_uri; content:"&step="; http_uri; classtype:command-and-control; sid:2013366; rev:2; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alunik User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| Alun4ik"; http_header; classtype:trojan-activity; sid:2013377; rev:2; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; depth:300; reference:url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; classtype:trojan-activity; sid:2008783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; depth:300; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; classtype:trojan-activity; sid:2008783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Set flow on rar file get"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:".rar HTTP/1."; flowbits:set,ET.rar_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2008781; classtype:trojan-activity; sid:2008781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:exploit-kit; sid:2013237; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:exploit-kit; sid:2013237; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 1"; flow:established,to_server; content:"/images/thanks_25.php?id="; fast_pattern:only; content:"HTTP/1.1|0d 0a|User-Agent"; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013383; rev:3; metadata:created_at 2011_08_08, former_category MALWARE, updated_at 2011_08_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 1"; flow:established,to_server; content:"/images/thanks_25.php?id="; fast_pattern:only; content:"HTTP/1.1|0d 0a|User-Agent"; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013383; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Accept-encode HTTP header with UA indicating infected host"; flow:established,to_server; content:"Accept-encode|3a| "; fast_pattern; http_header; content:"Accept-Encoding|3a| "; http_header; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; sid:2013385; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
 
@@ -6514,19 +5512,17 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Client Che
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent|3A 20|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET MALWARE Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; classtype:command-and-control; sid:2013411; rev:1; metadata:created_at 2011_08_15, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET MALWARE Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; classtype:command-and-control; sid:2013411; rev:1; metadata:created_at 2011_08_16, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/TrojanDropper.Agent Checkin"; flow:established,to_server; content:".gif?aid="; http_uri; content:"&lc="; http_uri; content:"&time="; http_uri; content:"&flag="; http_uri; content:"&domain="; http_uri; classtype:trojan-activity; sid:2013402; rev:3; metadata:created_at 2011_08_11, updated_at 2011_08_11;)
 
 #alert http any any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; classtype:trojan-activity; sid:2001685; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_08_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_08_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewer Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008795; classtype:misc-activity; sid:2008795; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:command-and-control; sid:2012961; rev:3; metadata:created_at 2011_06_08, former_category MALWARE, updated_at 2011_06_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; classtype:command-and-control; sid:2012961; rev:3; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2011_06_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -6542,23 +5538,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professi
 
 #alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; classtype:not-suspicious; sid:2002850; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Trojan CnC"; dsize:2; byte_test:2, >, 1024, 0; threshold:type both, track by_src, count 1000, seconds 300; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder; classtype:command-and-control; sid:2013418; rev:5; metadata:created_at 2011_08_17, updated_at 2011_08_17;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Trojan CnC"; dsize:2; byte_test:2, >, 1024, 0; threshold:type both, track by_src, count 1000, seconds 300; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder; classtype:command-and-control; sid:2013418; rev:5; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Chekafe.D Initial Checkin"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&isInst="; http_uri; content:"&lockcode="; http_uri; content:"&pc="; http_uri; content:"&PcType="; http_uri; content:"&AvName="; http_uri; content:"&ProCount="; http_uri; classtype:command-and-control; sid:2013447; rev:3; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2011_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:pup-activity; sid:2013448; rev:6; metadata:created_at 2011_08_22, former_category ADWARE_PUP, updated_at 2011_08_22;)
 
-#alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET MALWARE Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,www.threatexpert.com/report.aspx?md5=f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET MALWARE Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:md5,f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSPlayer User-Agent Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851; classtype:policy-violation; sid:2011874; rev:3; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_27, former_category CURRENT_EVENTS, updated_at 2011_05_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_28, former_category CURRENT_EVENTS, updated_at 2011_05_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (1)"; flow:to_server,established; content:"/uiserver.php?social_plugin=like"; http_uri; content:"external_page_url="; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013458; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (2)"; flow:to_server,established; content:"/plugins/like.php?"; http_uri; content:"href="; http_uri; content:"action=like"; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013459; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (2)"; flow:to_server,established; content:"/plugins/like.php?"; http_uri; content:"href="; http_uri; content:"action=like"; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013459; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
-#alert http $HOME_NET any -> any any (msg:"ET MALWARE Win32/Wizpop Initial Checkin"; flow:established,to_server; content:"User-Agent|3a| WizPop"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:command-and-control; sid:2013461; rev:3; metadata:created_at 2011_08_25, former_category MALWARE, updated_at 2011_08_25;)
+#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Win32/Wizpop Initial Checkin"; flow:established,to_server; content:"User-Agent|3a| WizPop"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:pup-activity; sid:2013461; rev:3; metadata:created_at 2011_08_26, former_category MALWARE, updated_at 2011_08_26;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Phoenix Landing Page Obfuscated Javascript 2"; flow:established,to_client; content:"<html><body><input|20|type|3d 27|hidden|27 20|value|3d 27|"; pcre:"/\S{20,40}\'\>/R"; classtype:trojan-activity; sid:2013314; rev:5; metadata:created_at 2011_07_26, updated_at 2011_07_26;)
 
@@ -6568,7 +5564,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professi
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JBIG2Decode"; within:11; content:"#"; within:31; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JBIG2Decode](J|#4A)(B|#42)(I|#49)(G|#47)(2|#32)(D|#44)(e|#65)(c|#63)(o|#6F)(d|#64)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; reference:url,blog.didierstevens.com/2009/03/01/quickpost-jbig2decode-signatures/; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:2011534; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wizpop Checkin"; flow:established,to_server; content:"/count.asp?exe="; http_uri; content:"&act="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:command-and-control; sid:2013502; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2011_08_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Wizpop Checkin"; flow:established,to_server; content:"/count.asp?exe="; http_uri; content:"&act="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:pup-activity; sid:2013502; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2011_08_31;)
 
 alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET MALWARE W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1; metadata:created_at 2011_08_31, updated_at 2011_08_31;)
 
@@ -6576,7 +5572,7 @@ alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET MALWARE W32/Badlib Connect
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent FSD - Possible FakeAV Related"; flow:established,to_server; content:"User-Agent|3A 20|FSD|0D 0A|"; http_header; classtype:trojan-activity; sid:2013393; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_10, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pitbull IRCbotnet Fetch"; flow:to_server,established; content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|Mozilla/5.0|0d0a|"; http_header; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007626; classtype:trojan-activity; sid:2007626; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -6584,11 +5580,11 @@ alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET MALWARE W32/Badlib Connect
 
 #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013514; rev:2; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013514; rev:2; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host|3A 20|google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013544; rev:2; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET MALWARE Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:command-and-control; sid:2013547; rev:2; metadata:created_at 2011_09_06, former_category MALWARE, updated_at 2011_09_06;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET MALWARE Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:command-and-control; sid:2013547; rev:2; metadata:created_at 2011_09_07, former_category MALWARE, updated_at 2011_09_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fivfrom Downloader (Unitrix)"; flow:established,to_server; content:".php?seller="; http_uri; content:"&hash={"; http_uri; pcre:"/hash=\{[a-f0-9]+-/Ui"; classtype:trojan-activity; sid:2013555; rev:5; metadata:created_at 2011_09_10, updated_at 2011_09_10;)
 
@@ -6598,11 +5594,11 @@ alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET MALWARE W32/Badlib Connect
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"; nocase; distance:0; classtype:attempted-user; sid:2013566; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
 
-#alert http $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012316; rev:3; metadata:created_at 2011_02_17, updated_at 2011_02_17;)
+#alert http $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012316; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/JavaScript"; nocase; distance:0; pcre:"/\x3C\x3C[^>]*\x2FJavaScript/smi"; threshold:type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2010882; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_08, updated_at 2011_08_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:pup-activity; sid:2013658; rev:2; metadata:created_at 2011_09_15, former_category ADWARE_PUP, updated_at 2011_09_15;)
 
@@ -6612,9 +5608,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downbot/Shady Rat
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; within:25; classtype:bad-unknown; sid:2101884; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:2; metadata:created_at 2011_09_18, updated_at 2011_09_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:2; metadata:created_at 2011_09_19, updated_at 2011_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (touch)"; flow:to_server,established; content:"/touch.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013671; rev:2; metadata:created_at 2011_09_19, former_category MALWARE, updated_at 2011_09_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (touch)"; flow:to_server,established; content:"/touch.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013671; rev:2; metadata:created_at 2011_09_19, former_category MALWARE, updated_at 2011_09_19;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -6896,8 +5892,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103100; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase;  classtype:protocol-command-decode; sid:2103091; rev:5; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103101; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -6956,15 +5950,15 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; fl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013686; rev:2; metadata:created_at 2011_09_21, former_category MALWARE, updated_at 2011_09_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013686; rev:2; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2011_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013551; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013551; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013552; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013552; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:2; metadata:created_at 2011_09_21, updated_at 2011_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:md5,4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:2; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2011_09_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET MALWARE Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01"; reference:url,www.threatexpert.com/report.aspx?md5=19441bc629e6c1dcb54cb5febdf9a22d; classtype:command-and-control; sid:2013683; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_09_21, deployment Perimeter, former_category MALWARE, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET MALWARE Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01"; reference:md5,19441bc629e6c1dcb54cb5febdf9a22d; classtype:command-and-control; sid:2013683; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_09_22, deployment Perimeter, former_category MALWARE, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -6978,9 +5972,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Se
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013698; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013334; rev:4; metadata:created_at 2011_07_29, updated_at 2011_07_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013334; rev:4; metadata:created_at 2011_07_30, updated_at 2011_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013335; rev:5; metadata:created_at 2011_07_29, updated_at 2011_07_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013335; rev:5; metadata:created_at 2011_07_30, updated_at 2011_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Rbot User-Agent (tiehttp)"; flow:established,to_server; content:"User-Agent|3A 20|tiehttp"; http_header; classtype:trojan-activity; sid:2013449; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
 
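Review bot: The hunk headers show the fixture shrinking by roughly a thousand lines (this hunk moves from old line 6978 to new line 5972), so the number of signatures Suricata loads from tests/test-ruleparse-etopen-01 changes, yet only the rules file is touched. If the test's test.yaml pins a loaded or failed rule count, or checks a specific sid, it likely needs updating in the same commit; this diff does not show it, so please confirm. The same point applies to every other hunk in this file, so I am not repeating it. Recording the retrieval date or ET ruleset version in the commit message would also make the fixture reproducible, since the upstream URL is a moving target.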
@@ -6996,13 +5990,13 @@ alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere
 
 alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"GPL POLICY PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:2100512; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:command-and-control; sid:2013722; rev:2; metadata:created_at 2011_09_30, updated_at 2011_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:command-and-control; sid:2013722; rev:2; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; classtype:trojan-activity; sid:2013725; rev:2; metadata:created_at 2011_09_30, former_category TROJAN, updated_at 2017_10_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; classtype:trojan-activity; sid:2013725; rev:2; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2017_10_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:pup-activity; sid:2013729; rev:2; metadata:created_at 2011_09_30, former_category ADWARE_PUP, updated_at 2011_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:pup-activity; sid:2013729; rev:2; metadata:created_at 2011_10_01, former_category ADWARE_PUP, updated_at 2011_10_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BD9E5104-2F20-4A9F-AB14-82D558FF374E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -7016,7 +6010,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Contr
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2011_07_12, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -7060,21 +6054,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwav
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible German Governmental Backdoor/R2D2.A 1"; flow:from_client,established; content:"|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"; fast_pattern; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013751; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Prosti Checkin"; flow:from_client,established; content:"&first& # 0d 0h "; depth:16; reference:url,www.threatexpert.com/report.aspx?md5=5113c6dbd644874482f3a26650970600; classtype:command-and-control; sid:2013769; rev:1; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Prosti Checkin"; flow:from_client,established; content:"&first& # 0d 0h "; depth:16; reference:md5,5113c6dbd644874482f3a26650970600; classtype:command-and-control; sid:2013769; rev:1; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os="; http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/"; http_header; classtype:command-and-control; sid:2013716; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_30, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os="; http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/"; http_header; classtype:command-and-control; sid:2013716; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
 
-#alert ip 207.158.22.134 any -> $HOME_NET any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013755; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert ip 207.158.22.134 any -> $HOME_NET any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/gui/file/be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013755; rev:4; metadata:created_at 2011_10_11, former_category MALWARE, updated_at 2011_10_11;)
 
 #alert ip $HOME_NET any -> 207.158.22.134 any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013756; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Server ping"; flow:from_server,established; content:"wBmpf3Pb7RJe|0d0a|"; depth:14; dsize:14; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013774; rev:2; metadata:created_at 2011_10_13, updated_at 2011_10_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Server ping"; flow:from_server,established; content:"wBmpf3Pb7RJe|0d0a|"; depth:14; dsize:14; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013774; rev:2; metadata:created_at 2011_10_14, updated_at 2011_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Outbound"; flow:established,to_server; content:"Ypmw1Syv023QZD"; depth:30; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013771; rev:4; metadata:created_at 2011_10_13, former_category MALWARE, updated_at 2011_10_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Outbound"; flow:established,to_server; content:"Ypmw1Syv023QZD"; depth:30; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013771; rev:4; metadata:created_at 2011_10_14, former_category MALWARE, updated_at 2011_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Response"; flow:established,to_client; content:"Ypmw1Syv023QZD"; depth:30; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013772; rev:2; metadata:created_at 2011_10_13, former_category MALWARE, updated_at 2011_10_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Response"; flow:established,to_client; content:"Ypmw1Syv023QZD"; depth:30; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013772; rev:2; metadata:created_at 2011_10_14, former_category MALWARE, updated_at 2011_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Client pong"; flow:from_client,established; content:"wZ2pla"; depth:6; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013773; rev:2; metadata:created_at 2011_10_13, updated_at 2011_10_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Client pong"; flow:from_client,established; content:"wZ2pla"; depth:6; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013773; rev:2; metadata:created_at 2011_10_14, updated_at 2011_10_14;)
 
 #alert ssh any any -> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001984; classtype:misc-activity; sid:2001984; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -7100,11 +6094,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; uricontent:"/script.php?"; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; uricontent:"/access.php?"; nocase; uricontent:"w="; nocase; uricontent:"&a="; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Java"; http_header; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE"; flow:established,to_server; content:"user-agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:!"|0d 0a|VIA|3a 20|"; http_header; classtype:trojan-activity; sid:2012607; rev:4; metadata:created_at 2011_03_30, updated_at 2011_03_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE"; flow:established,to_server; content:"user-agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:!"|0d 0a|VIA|3a 20|"; http_header; classtype:trojan-activity; sid:2012607; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
 
 #alert ssh $HOME_NET any -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:4; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
 
@@ -7130,8 +6122,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Channel topic
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC DCC chat request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; nocase; depth:8; content:" |3a|.DCC CHAT chat"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; classtype:policy-violation; sid:2000350; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC Channel join on non-standard port"; flow:to_server,established; content:"JOIN |3a| #"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; classtype:policy-violation; sid:2000351; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC DNS request on non-standard port"; flow:to_server,established; content:"USERHOST "; nocase; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; classtype:policy-violation; sid:2000352; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET !6666:7000 -> $HOME_NET any (msg:"ET DELETED IRC Name response on non-standard port"; flow: to_client,established; dsize:<128; content:"|3a|"; depth:1; content:" 302 "; content:"=+"; content:"@"; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; classtype:trojan-activity; sid:2000346; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -7158,27 +6148,27 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC file t
 
 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo KCIK IRC Command"; flow:established,to_server; content:"KCIK |7b|"; depth:6; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013247; rev:5; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:4; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_19, updated_at 2011_10_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_20, updated_at 2011_10_20;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Client Checkin"; flow:established,to_server; content:"|40 1f|"; offset:1; depth:2; content:"|03|"; distance:1; within:1; content:"|20 00 00 00|"; distance:1; within:4; dsize:10; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:command-and-control; sid:2013793; rev:1; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Client Checkin"; flow:established,to_server; content:"|40 1f|"; offset:1; depth:2; content:"|03|"; distance:1; within:1; content:"|20 00 00 00|"; distance:1; within:4; dsize:10; reference:md5,a7f4a7d08fa650a5f09a00519b944b0b; classtype:command-and-control; sid:2013793; rev:1; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:md5,a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.SuspectCRC FakeAV Checkin"; flow:established,to_server; content:"value.php?"; http_uri; content:"md="; http_uri; content:"&pc="; http_uri; content:"User-Agent|3a| sample"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=54c9d51661a05151e5143f4e80cbed86; classtype:command-and-control; sid:2013799; rev:3; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.SuspectCRC FakeAV Checkin"; flow:established,to_server; content:"value.php?"; http_uri; content:"md="; http_uri; content:"&pc="; http_uri; content:"User-Agent|3a| sample"; http_header; reference:md5,54c9d51661a05151e5143f4e80cbed86; classtype:command-and-control; sid:2013799; rev:3; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; classtype:string-detect; sid:2001620; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:4; metadata:created_at 2011_10_25, updated_at 2011_10_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:4; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -7214,7 +6204,7 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP large PWD command"; f
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV FakeAlertRena.n Checkin NO Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; content:"Content-Length|3a| 2|0d 0a 0d 0a|NO"; classtype:command-and-control; sid:2013420; rev:4; metadata:created_at 2011_08_18, former_category MALWARE, updated_at 2011_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:command-and-control; sid:2013821; rev:2; metadata:created_at 2011_11_03, former_category MALWARE, updated_at 2011_11_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:command-and-control; sid:2013821; rev:2; metadata:created_at 2011_11_04, former_category MALWARE, updated_at 2011_11_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".SaveCfg"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013878; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -7222,53 +6212,53 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Co
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Koobface Variant Initial Checkin"; flow:established,to_server; content:".php?datos=c|3A|"; http_uri; content:"&user="; http_uri; classtype:command-and-control; sid:2013890; rev:2; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2011_11_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Checkin"; flow:from_client,established; dsize:12; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; depth:12; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:command-and-control; sid:2013891; rev:1; metadata:created_at 2011_11_09, former_category MALWARE, updated_at 2011_11_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Checkin"; flow:from_client,established; dsize:12; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; depth:12; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:command-and-control; sid:2013891; rev:1; metadata:created_at 2011_11_09, former_category MALWARE, updated_at 2011_11_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Server Reply"; flow:from_server,established; dsize:44; content:"|33 39 0d ff 0a c4 e5 9f d5 ec 58 4a 69|"; depth:13; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013892; rev:1; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Server Reply"; flow:from_server,established; dsize:44; content:"|33 39 0d ff 0a c4 e5 9f d5 ec 58 4a 69|"; depth:13; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013892; rev:1; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Ping"; flow:from_client,established; dsize:7; content:"|33 0D FF 0A C5 F8 C1|"; depth:7; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013893; rev:2; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Ping"; flow:from_client,established; dsize:7; content:"|33 0D FF 0A C5 F8 C1|"; depth:7; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013893; rev:2; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; http_uri; content:"&action="; http_uri; within:10; content:"&mac="; http_uri; within:10; content:"&lockcode="; http_uri; within:30; content:"&homepc="; http_uri; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; http_header; classtype:command-and-control; sid:2013900; rev:2; metadata:created_at 2011_11_10, former_category MALWARE, updated_at 2011_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; http_uri; content:"&action="; http_uri; within:10; content:"&mac="; http_uri; within:10; content:"&lockcode="; http_uri; within:30; content:"&homepc="; http_uri; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; http_header; classtype:command-and-control; sid:2013900; rev:2; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:2; metadata:created_at 2011_11_10, former_category TROJAN, updated_at 2017_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:2; metadata:created_at 2011_11_11, former_category TROJAN, updated_at 2017_11_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:3; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rimecud User Agent beat"; flow:established,to_server; content:"User-Agent|3A 20|beat|0D 0A|"; http_header; classtype:trojan-activity; sid:2013904; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rimecud User Agent beat"; flow:established,to_server; content:"User-Agent|3A 20|beat|0D 0A|"; http_header; classtype:trojan-activity; sid:2013904; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 1"; flow:established,to_server; content:"/WebIpc.asp?UID="; http_uri; content:"&NAME="; http_uri; content:"&mode="; http_uri; classtype:trojan-activity; sid:2013370; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 2"; flow:established,to_server; content:"/link32.asp?SID="; http_uri; content:"&UID="; http_uri; content:"&MID="; http_uri; classtype:trojan-activity; sid:2013371; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; http_header; classtype:bad-unknown; sid:2013836; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; http_header; classtype:bad-unknown; sid:2013836; rev:3; metadata:created_at 2011_11_05, updated_at 2011_11_05;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection"; flow:established; content:"maininfo|7c|"; depth:9; nocase; content:"|7c|"; distance:3; reference:url,doc.emergingthreats.net/2008644; classtype:trojan-activity; sid:2008644; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:3; metadata:created_at 2011_11_17, updated_at 2011_11_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:3; metadata:created_at 2011_11_18, updated_at 2011_11_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ff 71 e0 49 96 47|"; offset:16; depth:16; dsize:48; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210; classtype:command-and-control; sid:2013922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_17, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ff 71 e0 49 96 47|"; offset:16; depth:16; dsize:48; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210; classtype:command-and-control; sid:2013922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f 39 23 21 7f dc 43|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_17, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f 39 23 21 7f dc 43|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_17, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_17, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern;  content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; classtype:bad-unknown; sid:2013950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:md5,1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:md5,1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (counters)"; flow:to_server,established; content:"User-Agent|3a| counters|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=60ce66bd10fcac3c97151612c8a4d343; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013953; rev:3; metadata:created_at 2011_11_22, updated_at 2011_11_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (counters)"; flow:to_server,established; content:"User-Agent|3a| counters|0d 0a|"; http_header; reference:md5,60ce66bd10fcac3c97151612c8a4d343; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013953; rev:3; metadata:created_at 2011_11_22, updated_at 2011_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (giftz)"; flow:to_server,established; content:"User-Agent|3a| giftz|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f726e84bae5a8d1f166bbf6d09d821b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013954; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (giftz)"; flow:to_server,established; content:"User-Agent|3a| giftz|0d 0a|"; http_header; reference:md5,0f726e84bae5a8d1f166bbf6d09d821b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013954; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality User-Agent (Internet Explorer 5.01)"; flow:established,to_server; content:"User-Agent|3A 20|Internet Explorer 5.01|0D 0A|"; http_header; classtype:trojan-activity; sid:2013963; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
@@ -7612,7 +6602,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force fa
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:2100326; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, former_category MISC, updated_at 2010_09_23;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Root Query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:2100323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -7658,7 +6648,7 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow"; flow:t
 
 alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:2100361; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET MALWARE TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1; metadata:created_at 2011_12_01, updated_at 2011_12_01;)
+#alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET MALWARE TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1; metadata:created_at 2011_12_02, updated_at 2011_12_02;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hiloti loader receiving payload URL"; flow:established,from_server; content:"|0d 0a 0d 0a|20|0d 0a|http|3a|//"; classtype:trojan-activity; sid:2012515; rev:5; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
 
@@ -7666,13 +6656,11 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; f
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:3; metadata:created_at 2011_12_02, former_category CURRENT_EVENTS, updated_at 2011_12_02;)
 
-alert tls any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; content:"|16 03 01|"; content:"|0b|"; within:6; content:"Nessus Certification Authority"; nocase; classtype:bad-unknown; sid:2013298; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|User-Agent|3a| Mozilla"; fast_pattern; content:"|0d 0a|Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:!"Content-Type|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2011816; rev:16; metadata:created_at 2010_10_14, updated_at 2010_10_14;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; http_method; content:"top_graph_header.php"; http_uri; pcre:"/top_graph_header\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; reference:url,doc.emergingthreats.net/2002129; classtype:web-application-activity; sid:2002129; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2"; flow:established,to_server; content:"GET"; http_method; content:"config_settings.php"; http_uri; pcre:"/config_settings\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; classtype:web-application-activity; sid:2013993; rev:2; metadata:created_at 2011_12_06, updated_at 2011_12_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2"; flow:established,to_server; content:"GET"; http_method; content:"config_settings.php"; http_uri; pcre:"/config_settings\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; classtype:web-application-activity; sid:2013993; rev:2; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
 
@@ -7682,7 +6670,7 @@ alert tls any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Ser
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:pup-activity; sid:2013999; rev:2; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2011_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=090986b0e303779bde1ddad3c65a9d78; classtype:command-and-control; sid:2014003; rev:3; metadata:created_at 2011_08_15, former_category MALWARE, updated_at 2011_08_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,090986b0e303779bde1ddad3c65a9d78; classtype:command-and-control; sid:2014003; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
@@ -7690,16 +6678,14 @@ alert tls any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Ser
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent (Gootkit HTTP Client)"; flow:to_server,established; content:"Gootkit HTTP Client"; http_header; nocase; reference:url,doc.emergingthreats.net/2010718; classtype:command-and-control; sid:2010718; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2014025; rev:1; metadata:created_at 2011_12_12, former_category EXPLOIT_KIT, updated_at 2011_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2014025; rev:1; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:exploit-kit; sid:2014027; rev:2; metadata:created_at 2011_12_12, former_category CURRENT_EVENTS, updated_at 2011_12_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:exploit-kit; sid:2014027; rev:2; metadata:created_at 2011_12_13, former_category CURRENT_EVENTS, updated_at 2011_12_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points)"; flow: established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"Peer Points"; http_header; within:150; pcre:"/User-Agent\:[^\n]+Peer Points/iH"; reference:url,doc.emergingthreats.net/2001640; classtype:policy-violation; sid:2001640; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:pup-activity; sid:2003531; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only;  reference:url,doc.emergingthreats.net/2003336; classtype:pup-activity; sid:2003336; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (BlueSky)"; flow:to_server,established; content:"User-Agent|3a| BlueSky|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011084; classtype:trojan-activity; sid:2011084; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -7810,32 +6796,22 @@ alert tls any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Ser
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:pup-activity; sid:2009124; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern:12,17; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:pup-activity; sid:2009438; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:pup-activity; sid:2009439; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009995; classtype:pup-activity; sid:2009995; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html; reference:url,doc.emergingthreats.net/2010333; classtype:pup-activity; sid:2010333; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern:11,11; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:pup-activity; sid:2010904; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,doc.emergingthreats.net/2010333; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,e4664144f8e95cfec510d5efa24a35e7; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; classtype:pup-activity; sid:2010333; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern:48,20; classtype:pup-activity; sid:2011517; rev:3; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2010_09_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern:48,20; classtype:pup-activity; sid:2011518; rev:3; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2010_09_27;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:pup-activity; sid:2008205; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; content:!"|0d 0a|MZ"; classtype:trojan-activity; sid:2014019; rev:4; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; content:!"|0d 0a|MZ"; classtype:trojan-activity; sid:2014019; rev:4; metadata:created_at 2011_12_10, updated_at 2011_12_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:pup-activity; sid:2011679; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:pup-activity; sid:2011718; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made by UltimateHackerzTeam)"; http_header; fast_pattern:76,20; reference:url,doc.emergingthreats.net/2010346; classtype:trojan-activity; sid:2010346; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:pup-activity; sid:2008190; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003567; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
@@ -7862,19 +6838,19 @@ alert tls any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Ser
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:pup-activity; sid:2012172; rev:5; metadata:created_at 2011_01_12, former_category ADWARE_PUP, updated_at 2011_01_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:pup-activity; sid:2012804; rev:5; metadata:created_at 2011_05_13, former_category ADWARE_PUP, updated_at 2011_05_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; classtype:pup-activity; sid:2012804; rev:5; metadata:created_at 2011_05_14, former_category ADWARE_PUP, updated_at 2011_05_14;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Infection Report via HTTP"; flow:established,to_server; content:"/keylogkontrol/"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; classtype:trojan-activity; sid:2008047; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:5; metadata:created_at 2011_10_25, updated_at 2011_10_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:5; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:exploit-kit; sid:2014031; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:exploit-kit; sid:2014031; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:exploit-kit; sid:2014032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:exploit-kit; sid:2014032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:exploit-kit; sid:2014033; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:exploit-kit; sid:2014033; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:exploit-kit; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:exploit-kit; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:pup-activity; sid:2003463; rev:17; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
@@ -7902,15 +6878,15 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Double HTT
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2; metadata:created_at 2011_12_30, former_category CURRENT_EVENTS, updated_at 2011_12_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014055; rev:1; metadata:created_at 2011_12_30, former_category MALWARE, updated_at 2011_12_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014055; rev:1; metadata:created_at 2011_12_31, former_category MALWARE, updated_at 2011_12_31;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]*&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type|3A| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_31, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_31, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER xp_cmdshell Attempt in Cookie"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_header; pcre:"/\x0a\x0dCookie\x3a[^\n]+xp_cmdshell/i"; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=4072; reference:url,doc.emergingthreats.net/2010119; classtype:web-application-attack; sid:2010119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -7926,7 +6902,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Trojan Fi
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2102577; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit"; flow:established,to_client; content:"domain=trafficbiztds.com"; http_cookie; content:!"google.com"; classtype:exploit-kit; sid:2011469; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit"; flow:established,to_client; content:"domain=trafficbiztds.com"; http_cookie; content:!"google.com"; classtype:exploit-kit; sid:2011469; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Serving EXE/DLL File Often Malware Related"; flow:established,to_client; content:"Server|3a| nginx"; nocase; fast_pattern; content:"MZ"; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; classtype:misc-activity; sid:2012195; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
 
@@ -7950,61 +6926,49 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPre
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; nocase; content:"MZ"; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SecurityDefender exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"SecurityDefender"; nocase; within:24; content:".exe"; within:24; classtype:trojan-activity; sid:2013826; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SecurityDefender exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"SecurityDefender"; nocase; within:24; content:".exe"; within:24; classtype:trojan-activity; sid:2013826; rev:3; metadata:created_at 2011_11_05, updated_at 2011_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; content:"bomgar-scc-"; nocase; distance:0; fast_pattern; content:".exe"; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:3; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; content:"bomgar-scc-"; nocase; distance:0; fast_pattern; content:".exe"; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:3; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; classtype:policy-violation; sid:2101438; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014079; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014079; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Nurech Checkin UA"; flow:from_client,established; content:"User-Agent|3a| ipwf|0d 0a|"; http_header; classtype:command-and-control; sid:2014093; rev:3; metadata:created_at 2012_01_03, former_category MALWARE, updated_at 2012_01_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4; metadata:created_at 2011_08_15, updated_at 2011_08_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_15, updated_at 2011_08_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013960; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"<applet"; nocase; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013961; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013788; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"<applet"; nocase; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013961; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013786; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2012401; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_02_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013665; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013666; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013775; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013775; rev:2; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013777; rev:2; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013777; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011348; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011813; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2010_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013363; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013363; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013690; rev:3; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013690; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013691; rev:3; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013691; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013692; rev:3; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013692; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013693; rev:7; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013693; rev:7; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011988; rev:5; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
 
@@ -8030,21 +6994,19 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Docume
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012944; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:exploit-kit; sid:2013776; rev:3; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:exploit-kit; sid:2013776; rev:3; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:exploit-kit; sid:2011972; rev:3; metadata:created_at 2010_11_23, former_category CURRENT_EVENTS, updated_at 2010_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:exploit-kit; sid:2011972; rev:3; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:exploit-kit; sid:2011973; rev:3; metadata:created_at 2010_11_23, former_category CURRENT_EVENTS, updated_at 2010_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:exploit-kit; sid:2011973; rev:3; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit pdfswf.pdf"; flow:established,to_server; content:"pdfswf.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011181; classtype:exploit-kit; sid:2011181; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:exploit-kit; sid:2013313; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - libtiff.pdf"; flow:established,to_server; content:"libtiff.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011182; classtype:exploit-kit; sid:2011182; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; http_client_body; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011350; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Blackshades Payload Download Command"; flow:established,to_client; content:"x74|0C|64|0C|"; depth:7; content:"x49|0C|"; distance:64; classtype:trojan-activity; sid:2014101; rev:2; metadata:created_at 2012_01_04, updated_at 2012_01_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Blackshades Payload Download Command"; flow:established,to_client; content:"x74|0C|64|0C|"; depth:7; content:"x49|0C|"; distance:64; classtype:trojan-activity; sid:2014101; rev:2; metadata:created_at 2012_01_05, updated_at 2012_01_05;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/file/"; http_uri; content:"Host|3a| "; nocase; http_header; content:"badongo.com"; nocase; http_header; within:15; content:"badongoL="; http_cookie; reference:url,doc.emergingthreats.net/2009302; classtype:policy-violation; sid:2009302; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -8054,33 +7016,33 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Blackshades Payloa
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; nocase; http_uri; content:"cache="; nocase; content:"OvJavaLocale="; nocase; within:15; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; classtype:command-and-control; sid:2014104; rev:2; metadata:created_at 2012_01_09, updated_at 2012_01_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; classtype:command-and-control; sid:2014104; rev:2; metadata:created_at 2012_01_10, updated_at 2012_01_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2014108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_09, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2014108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.UFRStealer.A issuing MKD command FTP"; flow:to_server,established; content:"MKD UFR_Stealer"; nocase; depth:15; reference:url,www.threatexpert.com/report.aspx?md5=a251ef38f048d695eae52626e57d617d; classtype:trojan-activity; sid:2014111; rev:6; metadata:created_at 2011_04_20, updated_at 2011_04_20;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.UFRStealer.A issuing MKD command FTP"; flow:to_server,established; content:"MKD UFR_Stealer"; nocase; depth:15; reference:md5,a251ef38f048d695eae52626e57d617d; classtype:trojan-activity; sid:2014111; rev:6; metadata:created_at 2011_04_20, updated_at 2011_04_20;)
 
 #alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET MALWARE Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E|Cythosia|20|V2|20|Bot|20|Webpanel|20 2D 20|Login|3C 2F|title|3E|"; nocase; reference:url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/; classtype:successful-admin; sid:2014118; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 5"; flow:established,to_server; content:"|7A 7A 7A 7A 72 71 71 71 71 73 73 73 73 7D 7D 7D 7D|"; offset:5; depth:17; classtype:trojan-activity; sid:2013526; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 5"; flow:established,to_server; content:"|7A 7A 7A 7A 72 71 71 71 71 73 73 73 73 7D 7D 7D 7D|"; offset:5; depth:17; classtype:trojan-activity; sid:2013526; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 6"; flow:established,to_server; content:"|B5 B5 B5 B5 BD BE BE BE BE BC BC BC BC B2 B2 B2 B2|"; offset:5; depth:17; classtype:trojan-activity; sid:2013527; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 6"; flow:established,to_server; content:"|B5 B5 B5 B5 BD BE BE BE BE BC BC BC BC B2 B2 B2 B2|"; offset:5; depth:17; classtype:trojan-activity; sid:2013527; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 7"; flow:established,to_server; content:"|6F 6F 6F 6F 67 64 64 64 64 66 66 66 66 68 68 68 68|"; offset:5; depth:17; classtype:trojan-activity; sid:2013528; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 7"; flow:established,to_server; content:"|6F 6F 6F 6F 67 64 64 64 64 66 66 66 66 68 68 68 68|"; offset:5; depth:17; classtype:trojan-activity; sid:2013528; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 8"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013529; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 8"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013529; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 9"; flow:established,to_server; content:"|0F 0F 0F 0F 07 04 04 04 04 06 06 06 06 08 08 08 08|"; offset:5; depth:17; classtype:trojan-activity; sid:2013530; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 9"; flow:established,to_server; content:"|0F 0F 0F 0F 07 04 04 04 04 06 06 06 06 08 08 08 08|"; offset:5; depth:17; classtype:trojan-activity; sid:2013530; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 1"; flow:established,to_server; content:"|40 40 40 40 48 4B 4B 4B 4B 49 49 49 49 47 47 47 47|"; offset:5; depth:17; classtype:trojan-activity; sid:2013522; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 1"; flow:established,to_server; content:"|40 40 40 40 48 4B 4B 4B 4B 49 49 49 49 47 47 47 47|"; offset:5; depth:17; classtype:trojan-activity; sid:2013522; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 2"; flow:established,to_server; content:"|0B 0B 0B 0B 03 00 00 00 00 02 02 02 02 0C 0C 0C 0C|"; offset:5; depth:17; classtype:trojan-activity; sid:2013523; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 2"; flow:established,to_server; content:"|0B 0B 0B 0B 03 00 00 00 00 02 02 02 02 0C 0C 0C 0C|"; offset:5; depth:17; classtype:trojan-activity; sid:2013523; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 3"; flow:established,to_server; content:"|AC AC AC AC A4 A7 A7 A7 A7 A5 A5 A5 A5 AB AB AB AB|"; offset:5; depth:17; classtype:trojan-activity; sid:2013524; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 3"; flow:established,to_server; content:"|AC AC AC AC A4 A7 A7 A7 A7 A5 A5 A5 A5 AB AB AB AB|"; offset:5; depth:17; classtype:trojan-activity; sid:2013524; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -8184,8 +7146,6 @@ alert tcp any any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder access";
 
 #alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:3; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; fast_pattern; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2102125; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -8238,8 +7198,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|";  fast_pattern:32,4; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2102089; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2102088; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -8282,7 +7240,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-statu
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2102034; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2102034; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2102033; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -8310,25 +7268,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED W32/Ramnit Initial CnC Connection"; flow:established,to_server; dsize:6; content:"|00 FF FB 00 00 00|"; fast_pattern:only; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:command-and-control; sid:2014131; rev:3; metadata:created_at 2012_01_17, updated_at 2012_01_17;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/class.class"; http_uri; classtype:trojan-activity; sid:2014138; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_21, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.Lpxenur Checkin"; flow:established,to_server; content:"/data/mail.js?yaru="; http_uri; classtype:trojan-activity; sid:2013714; rev:3; metadata:created_at 2011_09_30, updated_at 2011_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.Lpxenur Checkin"; flow:established,to_server; content:"/data/mail.js?yaru="; http_uri; classtype:trojan-activity; sid:2013714; rev:3; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Esf Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:md5,e6ca06e9b000933567a8604300094a85; classtype:command-and-control; sid:2014143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Esf Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:md5,e6ca06e9b000933567a8604300094a85; classtype:command-and-control; sid:2014143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Eks Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:md5,9a494e7a48436e6defcb44dd6f053b33; classtype:command-and-control; sid:2014144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Eks Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:md5,9a494e7a48436e6defcb44dd6f053b33; classtype:command-and-control; sid:2014144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:command-and-control; sid:2014145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:command-and-control; sid:2014145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1; metadata:created_at 2012_01_23, updated_at 2012_01_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; reference:url,doc.emergingthreats.net/2007806; classtype:trojan-activity; sid:2007806; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.PEx.C.91139756616/Win32.Zwangi-BU Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?vn="; http_uri; content:"&partner="; http_uri; content:"&ptag="; http_uri; content:"&cid="; http_uri; content:"&se="; http_uri; content:"&au="; http_uri; content:"&pver="; http_uri; reference:url,threatcenter.crdf.fr/?More&ID=49889&D=CRDF.Win32.Win32.PEx.C.91139756616; reference:md5,2c969afbe71f35571d11e30f1e854b29; reference:url,www.pcsafedoctor.com/Adware/remove-AdWare.Win32.Zwangi.bu.html; classtype:trojan-activity; sid:2013789; rev:3; metadata:created_at 2011_10_21, updated_at 2011_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:3; metadata:created_at 2011_12_14, updated_at 2011_12_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
 
@@ -8342,19 +7300,19 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe R
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VB.aie Reporting User Activity"; flow:established,to_server; content:"php?iso="; nocase; http_uri; content:"&country="; nocase; http_uri; content:"&proxy="; nocase; http_uri; content:"&tel="; nocase; http_uri; content:"&ftp="; nocase; http_uri; content:"&socks="; nocase; http_uri; content:"&remote="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002857; classtype:trojan-activity; sid:2002857; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:command-and-control; sid:2014152; rev:3; metadata:created_at 2012_01_26, former_category MALWARE, updated_at 2012_01_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:command-and-control; sid:2014152; rev:3; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2012_01_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto Outbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013531; rev:2; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto Outbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013531; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014166; rev:2; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2012_01_27;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014166; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:"[DBINFO]|0D 0A|Info ="; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014167; rev:2; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2012_01_27;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:"[DBINFO]|0D 0A|Info ="; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014167; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:url,www.threatexpert.com/report.aspx?md5=4b8adc7612e984d12b77f197c59827a2; classtype:command-and-control; sid:2012882; rev:4; metadata:created_at 2011_05_27, former_category MALWARE, updated_at 2011_05_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:md5,4b8adc7612e984d12b77f197c59827a2; classtype:command-and-control; sid:2012882; rev:4; metadata:created_at 2011_05_27, former_category MALWARE, updated_at 2011_05_27;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (TheWorld)"; flow:established,to_server; content:"TheWorld"; http_header; pcre:"/User-Agent\x3A[^\n]+TheWorld/H"; reference:url,www.virustotal.com/file-scan/report.html?id=70e502c9b8752da6dc0ff2a41c6975d59090482d2c0758387aca1b5702f96988-1305238279; classtype:trojan-activity; sid:2013403; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_11, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
@@ -8424,11 +7382,9 @@ alert tcp any 4711 -> $HOME_NET any (msg:"GPL P2P eDonkey server response"; flow
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"GPL DELETED Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102598; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:exploit-kit; sid:2014048; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; content:!"Host|3a 20|update.cooliris.com|0d 0a|"; http_header; classtype:command-and-control; sid:2014106; rev:3; metadata:created_at 2012_01_09, updated_at 2012_01_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; content:!"Host|3a 20|update.cooliris.com|0d 0a|"; http_header; classtype:command-and-control; sid:2014106; rev:3; metadata:created_at 2012_01_10, updated_at 2012_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=1c19710e150ee00941148dee842a02976; classtype:trojan-activity; sid:2014178; rev:2; metadata:created_at 2012_02_02, updated_at 2012_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; classtype:trojan-activity; sid:2014178; rev:2; metadata:created_at 2012_02_03, updated_at 2012_02_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious getpvstat.php file Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/getpvstat.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"jss.155game.com"; http_header; nocase; classtype:trojan-activity; sid:2014182; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
 
@@ -8468,9 +7424,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BB Trojan
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"vssMlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014247; rev:2; metadata:created_at 2012_02_20, former_category MALWARE, updated_at 2012_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014247; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 5"; flow:established,to_server; content:"?subid="; http_uri; content:"&u="; distance:0; http_uri; pcre:"/\?subid=\d{9}&u=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014248; rev:2; metadata:created_at 2012_02_20, former_category MALWARE, updated_at 2012_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 5"; flow:established,to_server; content:"?subid="; http_uri; content:"&u="; distance:0; http_uri; pcre:"/\?subid=\d{9}&u=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014248; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
 #alert http $HOME_NET any -> any any (msg:"ET DELETED Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)
 
@@ -8506,17 +7462,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RSh
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:command-and-control; sid:2014300; rev:1; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2012_03_02;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern:17,6; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; content:"|3B 20|Ini download file modue"; nocase; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; content:"|3B 20|Ini download file modue"; nocase; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:exploit-kit; sid:2014315; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:exploit-kit; sid:2014315; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|<xml>"; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|<xml>"; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"HTTP/1.1 30"; depth:11; content:"clickpayz.com/"; classtype:bad-unknown; sid:2014318; rev:2; metadata:created_at 2012_03_06, former_category CURRENT_EVENTS, updated_at 2012_03_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"HTTP/1.1 30"; depth:11; content:"clickpayz.com/"; classtype:bad-unknown; sid:2014318; rev:2; metadata:created_at 2012_03_05, former_category CURRENT_EVENTS, updated_at 2012_03_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:2; metadata:created_at 2012_03_05, former_category CURRENT_EVENTS, updated_at 2012_03_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:2; metadata:created_at 2012_03_06, former_category CURRENT_EVENTS, updated_at 2012_03_06;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ipswcom.IPSWComItf"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -8528,33 +7482,33 @@ alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Port Unreachable Res
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible jBroFuzz Fuzzer Detected"; flow:to_server,established; content:"Host|3a| localhost"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-GB|3b| rv|3b|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; threshold: type threshold, track by_src, count 3, seconds 6; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; classtype:attempted-recon; sid:2009476; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_08, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_08, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_08, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Riern.K Checkin Off Port"; flow:established,from_client; content:"|01|new_host_"; depth:10; fast_pattern; content:"|ff ff ff ff ff 00 00 00 00 00 00 00 00|"; distance:0; classtype:command-and-control; sid:2014358; rev:2; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014362; rev:3; metadata:created_at 2012_03_09, former_category EXPLOIT_KIT, updated_at 2012_03_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014362; rev:3; metadata:created_at 2012_03_10, former_category EXPLOIT_KIT, updated_at 2012_03_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy Checkin"; flow:established,to_server; content:"/guidcheck.php?q="; http_uri; content:"&g="; http_uri; content:"&n="; http_uri; content:"&h="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; reference:md5,bb129d433271951abb0e5262060a4583; classtype:command-and-control; sid:2014357; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:pup-activity; sid:2001586; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2; metadata:created_at 2010_09_28, former_category FTP, updated_at 2010_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2; metadata:created_at 2010_09_29, former_category FTP, updated_at 2010_09_29;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; classtype:attempted-dos; sid:2003750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url, www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -8580,7 +7534,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percenta
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot-Spyware Access"; flow:established,to_server; content:"/synctl/"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002963; classtype:trojan-activity; sid:2002963; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Shiz or Rohimafo config download"; flow: established,to_client; content:"|21|config"; nocase; content:"|21|load"; nocase; content:"|2e|php|3f|id|3d|1|26|magic|3d|"; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011521; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Shiz or Rohimafo config download"; flow: established,to_client; content:"|21|config"; nocase; content:"|21|load"; nocase; content:"|2e|php|3f|id|3d|1|26|magic|3d|"; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011521; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
@@ -8592,7 +7546,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percenta
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url,securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, former_category DOS, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; classtype:attempted-admin; sid:2001217; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -8610,7 +7564,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percenta
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:command-and-control; sid:2014364; rev:2; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2012_03_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:4; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:4; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; flow:established,to_client; content:"%PDF-"; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -8810,8 +7764,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:pup-activity; sid:2001416; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Receiving Config"; flow: to_server,established; content:"/config/?"; nocase; http_uri; content: "v=5"; nocase; http_uri;content: "n=mm2"; nocase; http_uri; content: "i="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:pup-activity; sid:2001417; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:pup-activity; sid:2001423; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:pup-activity; sid:2003504; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
@@ -8840,7 +7792,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:pup-activity; sid:2000582; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:pup-activity; sid:2001221; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
@@ -9010,7 +7962,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014024; rev:4; metadata:created_at 2011_12_12, former_category EXPLOIT_KIT, updated_at 2011_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014024; rev:4; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
 
 #alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, former_category DOS, updated_at 2012_03_15;)
 
@@ -9028,7 +7980,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:pup-activity; sid:2001495; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:pup-activity; sid:2008456; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:pup-activity; sid:2008456; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:pup-activity; sid:2002083; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
@@ -9040,8 +7992,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; content:"/?action="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&pc_id="; nocase; http_uri; content:"&abbr="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; classtype:trojan-activity; sid:2003548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; content:"?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri;content:"&v="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"&platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri;content:"&ac="; nocase; http_uri; content:"&appid="; nocase; http_uri; content:"&em="; nocase; http_uri; content:"&pcid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:pup-activity; sid:2007664; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:pup-activity; sid:2001748; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; classtype:trojan-activity; sid:2000024; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -9090,17 +8040,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:pup-activity; sid:2001460; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:pup-activity; sid:2000580; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:pup-activity; sid:2000581; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:pup-activity; sid:2000580; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:pup-activity; sid:2001708; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:pup-activity; sid:2000581; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:pup-activity; sid:2002037; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:pup-activity; sid:2001708; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:pup-activity; sid:2002000; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:pup-activity; sid:2002037; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; content:"/RewardInstall.php?mac=0"; http_uri; content:"&hdd="; http_uri;content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:pup-activity; sid:2008370; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:pup-activity; sid:2002000; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:pup-activity; sid:2001016; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
@@ -9196,10 +8144,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:pup-activity; sid:2000588; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:pup-activity; sid:2000589; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:pup-activity; sid:2000590; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (1)"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:pup-activity; sid:2001646; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:pup-activity; sid:2001647; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
@@ -9338,11 +8282,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:pup-activity; sid:2011229; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734; classtype:pup-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, former_category ADWARE_PUP, updated_at 2010_10_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,de1adb1df396863e7e3967271e7db734; classtype:pup-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, former_category ADWARE_PUP, updated_at 2010_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:pup-activity; sid:2011938; rev:5; metadata:created_at 2010_11_19, former_category ADWARE_PUP, updated_at 2010_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:pup-activity; sid:2011938; rev:5; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:pup-activity; sid:2011939; rev:7; metadata:created_at 2010_11_19, former_category ADWARE_PUP, updated_at 2010_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:pup-activity; sid:2011939; rev:7; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012228; rev:5; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
 
@@ -9408,8 +8352,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type=slg&id="; http_uri; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; classtype:trojan-activity; sid:2009351; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body;  reference:url,doc.emergingthreats.net/2009297; classtype:command-and-control; sid:2009297; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&entity="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; classtype:trojan-activity; sid:2009354; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -9424,12 +8366,8 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicio
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:command-and-control; sid:2008153; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body;  content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:command-and-control; sid:2008442; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; classtype:trojan-activity; sid:2008739; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body;  content:"&ie="; http_client_body;  content:"&input="; http_client_body; content:"&c="; http_client_body;  reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:command-and-control; sid:2008353; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -9472,7 +8410,7 @@ alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access a
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:command-and-control; sid:2006377; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:command-and-control; sid:2006377; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -9490,8 +8428,6 @@ alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access a
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:command-and-control; sid:2008087; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; content:"m="; http_uri; content:"&a="; http_uri; content:"&r="; http_uri;content:"&os="; http_uri; content:"00000"; http_uri; pcre:"/\/s_\d\d_\d+\?/U"; pcre:"/&os=[0-9a-z]{40}/Ui"; reference:url,doc.emergingthreats.net/2008412; classtype:command-and-control; sid:2008412; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Downloader.pgp Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&e="; http_uri; content:"&err="; http_uri;content:"&c="; http_uri; reference:url,doc.emergingthreats.net/2008492; classtype:trojan-activity; sid:2008492; rev:5; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -9518,8 +8454,6 @@ alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access a
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; content:"php?i="; http_uri; content:"&v="; http_uri;content:"&win=Windows"; http_uri; content:"&un="; http_uri; content:"&uv="; http_uri; content:"&s="; http_uri; content:"&onl="; http_uri; content:"&ip="; http_uri; content:"&f="; http_uri; reference:url,doc.emergingthreats.net/2007700; classtype:command-and-control; sid:2007700; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FSG Packed Binary via HTTP Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; classtype:trojan-activity; sid:2002773; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"?campaign="; http_uri; content:"&country="; http_uri; content:"&counter="; http_uri; content:"&campaign="; http_uri; content:"&landid="; http_uri; reference:url,doc.emergingthreats.net/2009209; classtype:trojan-activity; sid:2009209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -9542,8 +8476,6 @@ alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access a
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:command-and-control; sid:2008431; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara=";  http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| wget 3.0|0d 0a|"; nocase; http_header; content:"aid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009539; classtype:command-and-control; sid:2009539; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
@@ -9560,7 +8492,7 @@ alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access a
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv.A.dll Infection"; flow: to_server,established; content:"/test"; http_uri; content:".php"; http_uri; content:"?abc="; http_uri; content:"?def="; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; reference:url,doc.emergingthreats.net/2008689; classtype:trojan-activity; sid:2008689; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46; reference:url,doc.emergingthreats.net/2010163; classtype:command-and-control; sid:2010163; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:md5,fd3d061ee86987e8f3f245c2dc0ceb46; reference:md5,912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,doc.emergingthreats.net/2010163; classtype:command-and-control; sid:2010163; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 #alert http any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Bobax trojan infection"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/reg|3f|u="; http_uri; content:"|26|v="; http_uri; reference:url,www.lurhq.com/bobax.html; reference:url,doc.emergingthreats.net/2001901; classtype:trojan-activity; sid:2001901; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -9598,8 +8530,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office
 
 #alert http $EXTERNAL_NET any -> $HOME_NET 1025:5000 (msg:"ET MALWARE Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Family GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"szclientid="; http_uri;content:"szmac="; http_uri; content:"szusername="; http_uri; content:"szver="; http_uri; content:"mode="; http_uri; content:"value="; http_uri; content:"systype="; http_uri; content:"rid="; http_uri; content:"szname="; http_uri; content:"szpaname="; http_uri; content:"palen="; http_uri; content:"szpapaname="; http_uri; content:"chksum="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mcboo.com/Bundlext.com related Trojan Checkin URL"; flow:established,to_server; content:"/ack.php?version="; http_uri; content:"&uid="; http_uri; content:"&status="; http_uri; reference:url,doc.emergingthreats.net/2008758; classtype:command-and-control; sid:2008758; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
@@ -9642,10 +8572,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"pass="; http_uri; content:"type="; http_uri; content:"host="; http_uri; content:"port="; http_uri; content:"name="; http_uri; content:"pc="; http_uri; content:"user="; http_uri;content:"ip="; http_uri; content:"version="; http_uri; content:"User-Agent|3a| NR"; http_header; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.AR Variant Winifixer.com Related Checkin URL"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?affid="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&tm="; nocase; http_uri; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008277; classtype:command-and-control; sid:2008277; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PassSickle Reporting User Activity"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&data="; nocase; http_uri; content:"PassSickle"; http_header; nocase; pcre:"/^User-Agent\:[^\n]+PassSickle/Hmi"; reference:url,doc.emergingthreats.net/2002859; classtype:trojan-activity; sid:2002859; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:".gif?"; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:command-and-control; sid:2009522; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
@@ -9660,9 +8586,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Phoenix Explo
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointfree.co.kr Trojan/Spyware Infection Checkin"; flow:established,to_server; content:"log.php?mac="; http_uri; content:"&hdd="; content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/2008972; classtype:command-and-control; sid:2008972; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointpack.kr Related Trojan Checkin"; flow:established,to_server; content:"php?"; http_uri; content:"kind="; http_uri; content:"&pid="; http_uri; content:"&ver="; http_uri; content:"&uniq="; http_uri; content:"&addresses="; http_uri; content:"&hdmacid="; http_uri;content:"&dllver="; http_uri; content:"&subv="; http_uri; reference:url,doc.emergingthreats.net/2008260; classtype:command-and-control; sid:2008260; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:command-and-control; sid:2006405; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:command-and-control; sid:2006405; rev:4; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:command-and-control; sid:2008493; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
@@ -9676,37 +8600,35 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Phoenix Explo
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST"; nocase; http_method; content:"?mod=log&user="; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008140; classtype:trojan-activity; sid:2008140; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fa078834dd3b4c6604d12823a6f9f17e; classtype:command-and-control; sid:2011820; rev:3; metadata:created_at 2010_10_14, former_category MALWARE, updated_at 2010_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:md5,fa078834dd3b4c6604d12823a6f9f17e; classtype:command-and-control; sid:2011820; rev:3; metadata:created_at 2010_10_15, former_category MALWARE, updated_at 2010_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12; metadata:created_at 2010_10_27, updated_at 2010_10_27;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:2; metadata:created_at 2010_12_17, updated_at 2010_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:md5,df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:2; metadata:created_at 2010_12_18, updated_at 2010_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9; reference:url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2010_12_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".htm"; http_uri; content:"Host|3a| "; http_header; content:"Content-Length|3a| "; http_header; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:command-and-control; sid:2012137; rev:5; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2011_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:md5,58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include"; flow:established,to_server; uricontent:"/includes/includes.php"; uricontent:"site_path"; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22361; reference:url,doc.emergingthreats.net/2003371; classtype:web-application-attack; sid:2003371; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:md5,7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:command-and-control; sid:2008515; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; urilen:13; content:"POST"; http_method; nocase; content:"/bbs/info.asp"; http_uri; classtype:trojan-activity; sid:2012250; rev:3; metadata:created_at 2011_02_01, updated_at 2011_02_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; urilen:13; content:"POST"; http_method; nocase; content:"/bbs/info.asp"; http_uri; classtype:trojan-activity; sid:2012250; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=664a5147e6258f10893c3fd375f16ce4; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; classtype:trojan-activity; sid:2012289; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; reference:md5,664a5147e6258f10893c3fd375f16ce4; classtype:trojan-activity; sid:2012289; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -9714,31 +8636,31 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Twitter m28sx Worm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"gdfgdfgdgdfgdfg|02|in|02|ua"; nocase; distance:0; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012210; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; reference:url,www.threatexpert.com/report.aspx?md5=8556aec7ff96824e2da9d1b948ed7029; classtype:command-and-control; sid:2012300; rev:3; metadata:created_at 2011_02_06, former_category TROJAN, updated_at 2017_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; reference:md5,8556aec7ff96824e2da9d1b948ed7029; classtype:command-and-control; sid:2012300; rev:3; metadata:created_at 2011_02_07, former_category TROJAN, updated_at 2017_03_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:exploit-kit; sid:2012389; rev:3; metadata:created_at 2011_02_27, former_category EXPLOIT_KIT, updated_at 2011_02_27;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:command-and-control; sid:2012391; rev:3; metadata:created_at 2011_02_28, former_category MALWARE, updated_at 2011_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de85ae919d48325189bead995e8052e7; reference:url,support.clean-mx.de/clean-mx/viruses.php?ip=210.163.9.69&sort=first desc; classtype:trojan-activity; sid:2012440; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:md5,de85ae919d48325189bead995e8052e7; classtype:trojan-activity; sid:2012440; rev:4; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:command-and-control; sid:2012505; rev:4; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:md5,01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:command-and-control; sid:2014399; rev:3; metadata:created_at 2012_03_15, former_category MALWARE, updated_at 2012_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"/qvod/ff.txt"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"/qvod/ff.txt"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:md5,e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:pup-activity; sid:2014403; rev:2; metadata:created_at 2012_03_19, former_category ADWARE_PUP, updated_at 2012_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:pup-activity; sid:2014403; rev:2; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2f|sogou"; http_uri; pcre:"/\x2fsogou(config)?\x2f/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2f|sogou"; http_uri; pcre:"/\x2fsogou(config)?\x2f/Ui"; reference:md5,f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET 897 (msg:"ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jsp"; nocase; depth:35; pcre:"/\/\d{8,}\/\d{4,}\/\d{4,}\.jsp/"; reference:url,doc.emergingthreats.net/2009093; classtype:trojan-activity; sid:2009093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -9752,7 +8674,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"|2e|ashx|3f|m|3d|"; http_uri; content:"|2d|"; distance:2; within:1; http_uri; content:"|26|mid|3d|"; http_uri; distance:0; content:"|26|tid|3d|"; http_uri; distance:0; content:"|26|d|3d|"; http_uri; distance:0; content:"|26|uid|3d|"; http_uri; distance:0; content:"|26|t|3d|"; http_uri; distance:0; reference:url,threatexpert.com/report.aspx?md5=48432bdd116dccb684c8cef84579b963; classtype:command-and-control; sid:2012839; rev:4; metadata:created_at 2011_05_23, former_category MALWARE, updated_at 2011_05_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"|2e|ashx|3f|m|3d|"; http_uri; content:"|2d|"; distance:2; within:1; http_uri; content:"|26|mid|3d|"; http_uri; distance:0; content:"|26|tid|3d|"; http_uri; distance:0; content:"|26|d|3d|"; http_uri; distance:0; content:"|26|uid|3d|"; http_uri; distance:0; content:"|26|t|3d|"; http_uri; distance:0; reference:md5,48432bdd116dccb684c8cef84579b963; classtype:command-and-control; sid:2012839; rev:4; metadata:created_at 2011_05_23, former_category MALWARE, updated_at 2011_05_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
 
@@ -9760,9 +8682,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:command-and-control; sid:2012934; rev:4; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2011_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:md5,27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:url,threatexpert.com/report.aspx?md5=4860e53b7e71cd57956e10ef48342b5f; classtype:command-and-control; sid:2013071; rev:4; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2011_06_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:md5,4860e53b7e71cd57956e10ef48342b5f; classtype:command-and-control; sid:2013071; rev:4; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2011_06_21;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -9772,9 +8694,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:command-and-control; sid:2013456; rev:5; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:command-and-control; sid:2013451; rev:3; metadata:created_at 2011_08_23, former_category MALWARE, updated_at 2011_08_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:command-and-control; sid:2013451; rev:3; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
 
-#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_21, updated_at 2012_03_21;)
 
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; classtype:trojan-activity; sid:2013543; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
@@ -9782,9 +8704,9 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Einstein CnC Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; reference:url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; classtype:command-and-control; sid:2013767; rev:3; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=07ed70b6e7775a510d725c9f032c70d8; classtype:command-and-control; sid:2013781; rev:4; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2011_10_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:md5,07ed70b6e7775a510d725c9f032c70d8; classtype:command-and-control; sid:2013781; rev:4; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2011_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:4; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:md5,f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:4; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:command-and-control; sid:2013948; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
 
@@ -9796,15 +8718,13 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flow:established,from_server; content:"VirtualProtect|00|"; reference:url,doc.emergingthreats.net/2009080; classtype:trojan-activity; sid:2009080; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:5; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT GetStartupInfo"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; distance:0; nocase; reference:url, sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:7; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0;  reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:5; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetStartupInfo"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:7; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwProtectVirtualMemory"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012768; rev:7; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:9; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:9; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2011_05_03;)
 
@@ -9812,7 +8732,7 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url, sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:5; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; content:"<object"; nocase; content:"E065E4A-BD9D-4547-8F90-985DC62A5591"; nocase; distance:0; content:"|2e|SetSource("; distance:0; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -9834,9 +8754,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationSer
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:5; metadata:created_at 2012_01_02, updated_at 2012_01_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:md5,e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:5; metadata:created_at 2012_01_03, updated_at 2012_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:3; metadata:created_at 2012_01_09, former_category MALWARE, updated_at 2012_01_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:3; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2012_01_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
@@ -9854,28 +8774,22 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duptwux/Ganelp
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:command-and-control; sid:2014307; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2012_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body;  depth:11; classtype:command-and-control; sid:2014428; rev:6; metadata:created_at 2012_03_26, former_category MALWARE, updated_at 2020_08_20;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_23, updated_at 2012_03_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_23, updated_at 2012_03_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big;  reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:9; metadata:created_at 2012_03_23, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big;  reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:9; metadata:created_at 2012_03_24, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d; classtype:command-and-control; sid:2013768; rev:4; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:md5,881e21645e5ffe1ffb959835f8fdf71d; classtype:command-and-control; sid:2013768; rev:4; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
 #alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code=";  pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; content:!"|0d 0a 0d 0a|MZ"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:5; metadata:created_at 2012_02_16, updated_at 2012_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109;  reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:command-and-control; sid:2014347; rev:5; metadata:created_at 2012_03_08, former_category MALWARE, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Backdoor.Kbot Config Retrieval"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; content:"oop="; http_client_body; depth:4; reference:md5,b8ee86e57261fd3fb422a2b20a3c3e09; classtype:trojan-activity; sid:2014291; rev:4; metadata:created_at 2012_02_29, updated_at 2012_02_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -9886,13 +8800,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; nocase; distance:0; content:"SelectServer"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:command-and-control; sid:2013348; rev:8; metadata:created_at 2011_08_03, former_category MALWARE, updated_at 2011_08_03;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET";  http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern:18,20; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:4; metadata:created_at 2011_08_04, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri;  fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:3; metadata:created_at 2011_08_04, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern:45,20; depth:92; classtype:trojan-activity; sid:2013351; rev:3; metadata:created_at 2011_08_04, updated_at 2011_08_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:command-and-control; sid:2013348; rev:8; metadata:created_at 2011_08_04, former_category MALWARE, updated_at 2011_08_04;)
 
 alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -9910,7 +8818,7 @@ alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch V2 Communication with Controller"; flow:established,to_server; content:"id="; nocase; http_uri; content:"&check="; nocase; http_uri; content:"&version2="; http_uri; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z0-9]+&/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O; classtype:trojan-activity; sid:2009408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_21, updated_at 2011_06_21;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
 
 #alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -9920,8 +8828,6 @@ alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:3; metadata:created_at 2012_04_03, updated_at 2012_04_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20;  content:".exe|0d 0a|"; http_header;  distance:0; classtype:bad-unknown; sid:2014440; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary"; flow:established,to_server; content:"/ngt.exe"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014464; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
@@ -9932,25 +8838,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014476; rev:2; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014476; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014477; rev:2; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014477; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014474; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin"; flow:to_server,established; content:"/index.dat?"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|0D 0A|Host|3a| "; fast_pattern:35,7; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; classtype:command-and-control; sid:2014466; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin NewAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" NewAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,77d68770fcdc6052bd8d761d14a14f5a; classtype:command-and-control; sid:2014467; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; content:"|0D 0A 0D 0A CE FA ED FE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014516; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; content:"|0D 0A 0D 0A CE FA ED FE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014516; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; content:"|0D 0A 0D 0A FE ED FA CE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; content:"|0D 0A 0D 0A FE ED FA CE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; content:"|0D 0A 0D 0A CA FE BA BE|"; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; content:"|0D 0A 0D 0A CA FE BA BE|"; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; content:"|0D 0A 0D 0A|"; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; content:"|0D 0A 0D 0A|"; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:5; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor Command Request CnC Checkin"; flow:established,to_server; content:".php?id="; http_uri; content:"&ext="; fast_pattern; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D/Ui"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014528; rev:2; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2012_04_06;)
 
@@ -9972,7 +8876,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server;  content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding;  classtype:bad-unknown; sid:2014445; rev:5; metadata:created_at 2012_03_29, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server;  content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding;  classtype:bad-unknown; sid:2014445; rev:5; metadata:created_at 2012_03_30, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -10002,7 +8906,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle H
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Winwebsec.B Checkin"; flow:established,to_server; content:"/temp1.jpg"; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; reference:md5,9c9109cea5845272d6abd1b5523c8de7; classtype:command-and-control; sid:2014578; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2012_04_16;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -10024,11 +8928,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Malicious
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:pup-activity; sid:2014606; rev:4; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/OvCgi/snmpviewer.exe"; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:6; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; content:"IOS-Self-Signed-Certificate-"; classtype:misc-activity; sid:2014617; rev:2; metadata:created_at 2012_04_19, updated_at 2012_04_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3; metadata:created_at 2012_04_18, updated_at 2012_04_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
 
@@ -10118,7 +9018,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Sign
 
 #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; classtype:policy-violation; sid:2002421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepalive to CnC"; flow:established,to_server; dsize:>30; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:url,www.threatexpert.com/report.aspx?md5=fc414168a5b4ca074ea6e03f770659ef; classtype:command-and-control; sid:2013337; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_01, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepalive to CnC"; flow:established,to_server; dsize:>30; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:md5,fc414168a5b4ca074ea6e03f770659ef; classtype:command-and-control; sid:2013337; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_01, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; classtype:policy-violation; sid:2002422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -10346,8 +9246,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepal
 
 #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002578; classtype:policy-violation; sid:2002578; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P";  reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:19; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; classtype:policy-violation; sid:2002579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; classtype:policy-violation; sid:2002580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -10416,15 +9314,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepal
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Ping"; flow: to_server,established; content:"Host|3a| srv.peopleonpage.com"; nocase; http_header; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; classtype:policy-violation; sid:2001446; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>";  http_client_body; nocase; fast_pattern; pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:command-and-control; sid:2013805; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:command-and-control; sid:2013805; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:command-and-control; sid:2013806; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:command-and-control; sid:2013806; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:4; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
 
@@ -10436,19 +9332,19 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32.Idi
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2013975; rev:3; metadata:created_at 2011_11_30, former_category EXPLOIT_KIT, updated_at 2011_11_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2013975; rev:3; metadata:created_at 2011_12_01, former_category EXPLOIT_KIT, updated_at 2011_12_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:exploit-kit; sid:2014568; rev:3; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
 
@@ -10474,15 +9370,15 @@ alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_se
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014658; rev:1; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2012_04_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"replace|28 2F|"; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:exploit-kit; sid:2014098; rev:4; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"replace|28 2F|"; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:exploit-kit; sid:2014098; rev:4; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:command-and-control; sid:2013911; rev:9; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url, www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
@@ -10492,27 +9388,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee V
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, updated_at 2012_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.com/files/112363; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, former_category ACTIVEX, updated_at 2012_05_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; content:"CLSID"; nocase; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"/rclgx.php?id="; depth:14; http_uri; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:command-and-control; sid:2014719; rev:2; metadata:created_at 2012_05_07, former_category MALWARE, updated_at 2012_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"/rclgx.php?id="; depth:14; http_uri; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:command-and-control; sid:2014719; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:command-and-control; sid:2014720; rev:2; metadata:created_at 2012_05_07, former_category MALWARE, updated_at 2012_05_07;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:command-and-control; sid:2014720; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:command-and-control; sid:2014721; rev:2; metadata:created_at 2012_05_07, former_category MALWARE, updated_at 2012_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:command-and-control; sid:2014721; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:2; metadata:created_at 2012_05_08, updated_at 2012_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2014725; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:command-and-control; sid:2014731; rev:2; metadata:created_at 2012_05_10, former_category MALWARE, updated_at 2012_05_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:command-and-control; sid:2014731; rev:2; metadata:created_at 2012_05_11, former_category MALWARE, updated_at 2012_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving DDoS Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:5; metadata:created_at 2012_05_10, updated_at 2012_05_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving DDoS Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving Download Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:4; metadata:created_at 2012_05_10, updated_at 2012_05_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving Download Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:4; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:pup-activity; sid:2014735; rev:3; metadata:created_at 2012_05_11, former_category ADWARE_PUP, updated_at 2012_05_11;)
 
@@ -10530,9 +9424,7 @@ alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyBanker Inf
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)
-
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; fast_pattern:5,12; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:command-and-control; sid:2014757; rev:4; metadata:created_at 2012_05_15, former_category MALWARE, updated_at 2012_05_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_19, updated_at 2012_05_19;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -10560,23 +9452,21 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comrerop Che
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:pup-activity; sid:2014798; rev:2; metadata:created_at 2012_05_21, former_category ADWARE_PUP, updated_at 2012_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:pup-activity; sid:2014798; rev:2; metadata:created_at 2012_05_22, former_category ADWARE_PUP, updated_at 2012_05_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"|0d 0a|User-Agent|3a 20|Opera/9 (Windows"; fast_pattern:14,16; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:command-and-control; sid:2014777; rev:2; metadata:created_at 2012_05_18, former_category MALWARE, updated_at 2012_05_18;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; content:"getElementById']('qwe')"; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; content:"getElementById']('qwe')"; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2; metadata:created_at 2012_05_23, former_category CURRENT_EVENTS, updated_at 2012_05_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2; metadata:created_at 2012_05_24, former_category CURRENT_EVENTS, updated_at 2012_05_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:command-and-control; sid:2014804; rev:6; metadata:created_at 2011_11_04, former_category MALWARE, updated_at 2011_11_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:command-and-control; sid:2014804; rev:6; metadata:created_at 2011_11_05, former_category MALWARE, updated_at 2011_11_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:pup-activity; sid:2001489; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:pup-activity; sid:2001491; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4; metadata:created_at 2012_05_21, updated_at 2012_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:pup-activity; sid:2014810; rev:4; metadata:created_at 2012_05_25, former_category ADWARE_PUP, updated_at 2012_05_25;)
 
@@ -10592,7 +9482,7 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comrerop Che
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:3; metadata:created_at 2012_02_20, updated_at 2012_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
@@ -10600,7 +9490,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Do
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
@@ -10618,15 +9508,15 @@ alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful
 
 #alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014852; rev:3; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2012_06_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014852; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2012_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"<applet"; depth:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014176; rev:3; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2012_01_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"<applet"; depth:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014176; rev:3; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:exploit-kit; sid:2014177; rev:5; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2012_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:exploit-kit; sid:2014177; rev:5; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2; metadata:created_at 2012_06_05, updated_at 2012_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -10636,20 +9526,14 @@ alert http any any -> $HOME_NET any (msg:"ET POLICY SN and CN From MS TS Revoked
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase;  reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; content:"<p>Your current User-Agent string appears to be from an automated process,"; classtype:trojan-activity; sid:2012692; rev:6; metadata:created_at 2011_04_19, updated_at 2011_04_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:command-and-control; sid:2014887; rev:2; metadata:created_at 2012_06_12, former_category MALWARE, updated_at 2012_06_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|";  content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET MALWARE IRC Bot Download http Command"; flow:established,from_server; content:"JOIN |3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:4; metadata:created_at 2012_03_28, updated_at 2012_03_28;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -10670,19 +9554,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera S
 
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; dsize:>10; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:2; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free "; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free"; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:exploit-kit; sid:2014913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; classtype:trojan-activity; sid:2014921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:exploit-kit; sid:2014913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -10692,9 +9574,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotu
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:exploit-kit; sid:2014922; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:exploit-kit; sid:2014922; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:exploit-kit; sid:2014923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:exploit-kit; sid:2014923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, former_category CURRENT_EVENTS, updated_at 2012_06_20;)
 
@@ -10702,13 +9584,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotu
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:3; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:command-and-control; sid:2014135; rev:3; metadata:created_at 2012_01_18, former_category MALWARE, updated_at 2018_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:command-and-control; sid:2014135; rev:3; metadata:created_at 2012_01_19, former_category MALWARE, updated_at 2018_02_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rabio Spyware/Adware Initial Registration"; flow:established,to_server; content:"POST"; http_method; nocase; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:pup-activity; sid:2007820; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:9; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -10720,13 +9602,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,doc.emergingthreats.net/2010246; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010246; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&panic="; fast_pattern; http_client_body; content:"&input="; http_client_body; reference:url,doc.emergingthreats.net/2009287; classtype:command-and-control; sid:2009287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; content:"|0d 0a 0d 0a|ne_unik"; classtype:command-and-control; sid:2014933; rev:3; metadata:created_at 2012_06_21, former_category MALWARE, updated_at 2012_06_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; content:"|0d 0a 0d 0a|ne_unik"; classtype:command-and-control; sid:2014933; rev:3; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2012_06_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
 
@@ -10742,23 +9624,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:command-and-control; sid:2014955; rev:2; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:command-and-control; sid:2014956; rev:1; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:command-and-control; sid:2014956; rev:1; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2; metadata:created_at 2012_06_25, former_category CURRENT_EVENTS, updated_at 2012_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2; metadata:created_at 2012_06_25, former_category CURRENT_EVENTS, updated_at 2012_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:command-and-control; sid:2014961; rev:2; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:command-and-control; sid:2014961; rev:2; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.msn .com)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_18, former_category POLICY, updated_at 2012_06_18;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.msn .com)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.live .com)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_18, former_category POLICY, updated_at 2012_06_18;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.live .com)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
@@ -10778,11 +9660,11 @@ alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online St
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; content:"|0d 0a 0d 0a|SZDD"; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015018; rev:2; metadata:created_at 2012_07_03, former_category ADWARE_PUP, updated_at 2012_07_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015018; rev:2; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2012_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:command-and-control; sid:2015022; rev:2; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2012_07_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:command-and-control; sid:2015022; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:6; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
@@ -10792,11 +9674,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Compressed Executabl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015010; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:exploit-kit; sid:2015042; rev:2; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
 
@@ -10812,9 +9694,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3; metadata:created_at 2012_07_06, former_category CURRENT_EVENTS, updated_at 2012_07_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3; metadata:created_at 2012_07_06, updated_at 2012_07_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -11170,13 +10052,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv requ
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8; metadata:created_at 2011_05_18, former_category MALWARE, updated_at 2011_05_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015462; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015462; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015244; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015463; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015463; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -11386,7 +10268,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStu
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015189; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015190; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
@@ -11522,7 +10404,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015257; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_14, updated_at 2012_07_14;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:exploit-kit; sid:2014894; rev:4; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
 
@@ -11530,9 +10412,7 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traf
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i";  reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:exploit-kit; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:exploit-kit; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"sgrunt"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+sgrunt/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003385; classtype:trojan-activity; sid:2003385; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -11544,7 +10424,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/PR"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:command-and-control; sid:2015489; rev:2; metadata:created_at 2012_07_19, former_category MALWARE, updated_at 2012_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:command-and-control; sid:2015489; rev:2; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2012_07_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -11568,31 +10448,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschAr
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/jmx-console/HtmlAdaptor"; nocase; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:exploit-kit; sid:2015516; rev:3; metadata:created_at 2012_07_23, former_category CURRENT_EVENTS, updated_at 2012_07_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:exploit-kit; sid:2015516; rev:3; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2012_07_24;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:3; metadata:created_at 2012_07_23, former_category CURRENT_EVENTS, updated_at 2012_07_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header;  content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2014105; rev:4; metadata:created_at 2012_01_09, former_category MALWARE, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent|3a| Microsoft|20|Internet|20|Updater|0d 0a|"; http_header; fast_pattern:12,20; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:4; metadata:created_at 2012_07_26, updated_at 2012_07_26;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; nocase; classtype:trojan-activity; sid:2015532; rev:2; metadata:created_at 2012_07_26, updated_at 2012_07_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; nocase; classtype:trojan-activity; sid:2015532; rev:2; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -11894,9 +10766,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; fast_pattern:7,20; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:command-and-control; sid:2014219; rev:4; metadata:created_at 2012_02_10, former_category MALWARE, updated_at 2012_02_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:command-and-control; sid:2014219; rev:4; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2012_02_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; fast_pattern; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -11906,7 +10776,7 @@ alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perfect Keylogger
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?open="; nocase; http_uri; content:"&myid="; fast_pattern; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009814; classtype:trojan-activity; sid:2009814; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_27, former_category MALWARE, updated_at 2011_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_28, former_category MALWARE, updated_at 2011_09_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; fast_pattern; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:pup-activity; sid:2008149; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
@@ -11916,7 +10786,7 @@ alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perfect Keylogger
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -11936,18 +10806,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Set flow on bmp file get"; flow:established,to_server; content:"GET"; http_method; content:".bmp"; http_uri; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:2; metadata:created_at 2012_08_06, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:pup-activity; sid:2008742; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|";   distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:command-and-control; sid:2013440; rev:6; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
@@ -11960,15 +10824,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeW
 
 #alert http any any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:pup-activity; sid:2001683; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server;  content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:15; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable;  flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DriveBy, updated_at 2020_08_20;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_17, updated_at 2011_08_17;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:7; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
@@ -11978,11 +10838,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:pup-activity; sid:2001047; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:command-and-control; sid:2015587; rev:2; metadata:created_at 2012_08_07, former_category MALWARE, updated_at 2012_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:command-and-control; sid:2015587; rev:2; metadata:created_at 2012_08_08, former_category MALWARE, updated_at 2012_08_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_07, former_category POLICY, updated_at 2012_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2012_08_08;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; classtype:trojan-activity; sid:2013236; rev:2; metadata:created_at 2011_07_08, former_category TROJAN, updated_at 2018_06_26;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; reference:md5,5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:2; metadata:created_at 2011_07_09, former_category TROJAN, updated_at 2018_06_26;)
 
 #alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -11990,7 +10850,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:exploit-kit; sid:2015043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:exploit-kit; sid:2015043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -11998,18 +10858,16 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:2; metadata:created_at 2012_08_10, updated_at 2012_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:2; metadata:created_at 2012_08_11, updated_at 2012_08_11;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_06_23;)
 
-#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:command-and-control; sid:2014351; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern:20,20; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:5; metadata:created_at 2011_10_19, updated_at 2011_10_19;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:command-and-control; sid:2015635; rev:3; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2012_08_16;)
@@ -12020,13 +10878,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electron
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:command-and-control; sid:2012960; rev:8; metadata:created_at 2011_06_08, former_category MALWARE, updated_at 2011_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; reference:md5,47a6dd02ee197f82b28cee0ab2b9bd35; classtype:command-and-control; sid:2012960; rev:8; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2011_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:3; metadata:created_at 2011_11_03, updated_at 2011_11_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015258; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015461; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015461; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015061; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
@@ -12206,8 +11064,6 @@ alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Lin
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015647; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri;  content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:25; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -12216,7 +11072,7 @@ alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Lin
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,5310a7d855a14c93b12a36869cd252ec; classtype:trojan-activity; sid:2015653; rev:4; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|http|3a|//"; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:4; metadata:created_at 2012_01_23, updated_at 2012_01_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|http|3a|//"; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:4; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -12226,33 +11082,31 @@ alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Lin
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10; metadata:created_at 2012_08_22, former_category CURRENT_EVENTS, updated_at 2012_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10; metadata:created_at 2012_08_23, former_category WEB_CLIENT, updated_at 2012_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2; metadata:created_at 2012_08_28, former_category CURRENT_EVENTS, updated_at 2012_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4; metadata:created_at 2012_08_28, former_category CURRENT_EVENTS, updated_at 2012_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2015670; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:command-and-control; sid:2015616; rev:3; metadata:created_at 2012_08_10, former_category MALWARE, updated_at 2012_08_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:command-and-control; sid:2015616; rev:3; metadata:created_at 2012_08_11, former_category MALWARE, updated_at 2012_08_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:command-and-control; sid:2009540; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET EXPLOIT_KIT Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:exploit-kit; sid:2015672; rev:5; metadata:created_at 2012_08_29, former_category EXPLOIT_KIT, updated_at 2012_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET EXPLOIT_KIT Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:exploit-kit; sid:2015672; rev:5; metadata:created_at 2012_08_30, former_category EXPLOIT_KIT, updated_at 2012_08_30;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
@@ -12316,8 +11170,6 @@ alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference
 
 #alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; uricontent:"/new_array2.php?speed="; nocase; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -12338,7 +11190,7 @@ alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_09_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:13; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:exploit-kit; sid:2015676; rev:3; metadata:created_at 2012_09_05, former_category EXPLOIT_KIT, updated_at 2012_09_05;)
 
@@ -12356,7 +11208,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Saku
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3; metadata:created_at 2012_09_08, updated_at 2012_09_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:command-and-control; sid:2014669; rev:4; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
@@ -12640,7 +11492,7 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create f
 
 #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -12960,15 +11812,15 @@ alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"eurobarre "; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:2; metadata:created_at 2012_09_17, updated_at 2012_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:2; metadata:created_at 2012_09_18, updated_at 2012_09_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_09_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6; metadata:created_at 2012_09_17, former_category CURRENT_EVENTS, updated_at 2012_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6; metadata:created_at 2012_09_18, former_category CURRENT_EVENTS, updated_at 2012_09_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"Mozilla/4.1"; http_user_agent; depth:11; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:command-and-control; sid:2015713; rev:3; metadata:created_at 2012_09_18, former_category MALWARE, updated_at 2012_09_18;)
 
@@ -12976,7 +11828,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encrypti
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:3; metadata:created_at 2011_12_31, updated_at 2011_12_31;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -12986,19 +11838,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; http_header; fast_pattern:only; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:2014968; rev:8; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d; reference:url,doc.emergingthreats.net/2009305; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,doc.emergingthreats.net/2009305; reference:md5,1ca433d3f5538fda49c5defb59232f9d; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_21, updated_at 2012_05_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:pup-activity; sid:2008757; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,from_server; content:"ashburn@gmail.com"; classtype:exploit-kit; sid:2015717; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_09_19, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:exploit-kit; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_09_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:exploit-kit; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; classtype:policy-violation; sid:2001682; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3; metadata:created_at 2012_06_27, updated_at 2012_06_27;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; classtype:attempted-recon; sid:2002667; rev:38; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -13006,7 +11856,7 @@ alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012767; rev:11; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015729; rev:2; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015729; rev:2; metadata:created_at 2012_09_22, updated_at 2012_09_22;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -13060,23 +11910,23 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015733; rev:3; metadata:created_at 2012_09_24, former_category EXPLOIT_KIT, updated_at 2012_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015733; rev:3; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2012_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015549; rev:5; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2012_07_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015549; rev:5; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015558; rev:4; metadata:created_at 2012_08_01, former_category EXPLOIT_KIT, updated_at 2012_08_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015558; rev:4; metadata:created_at 2012_08_02, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015696; rev:4; metadata:created_at 2012_09_11, former_category EXPLOIT_KIT, updated_at 2012_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015696; rev:4; metadata:created_at 2012_09_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015705; rev:4; metadata:created_at 2012_09_17, former_category EXPLOIT_KIT, updated_at 2012_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015705; rev:4; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015706; rev:4; metadata:created_at 2012_09_17, former_category EXPLOIT_KIT, updated_at 2012_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015706; rev:4; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; classtype:exploit-kit; sid:2015731; rev:3; metadata:created_at 2012_09_22, former_category EXPLOIT_KIT, updated_at 2012_09_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; classtype:exploit-kit; sid:2015731; rev:3; metadata:created_at 2012_09_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> any any (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_user_agent; depth:34; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -13132,23 +11982,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebug
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase;  content:"Asynchronous WinHTTP"; http_user_agent; depth:20; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:command-and-control; sid:2015753; rev:3; metadata:created_at 2012_10_01, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:3; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2014371; rev:6; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server;  content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:19; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:exploit-kit; sid:2015046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:exploit-kit; sid:2015046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_02, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -13158,9 +12004,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agen
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014457; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding;   classtype:trojan-activity; sid:2014436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014457; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -13170,25 +12014,23 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agen
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; content:"|16 03|"; depth:2; content:"|55 04 0a|"; distance:0; content:"|0d|LogMeIn, Inc."; distance:1; within:14; content:".app"; classtype:policy-violation; sid:2014756; rev:5; metadata:created_at 2010_10_31, updated_at 2010_10_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; metadata:created_at 2012_10_10, updated_at 2012_10_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
 
-#alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:exploit-kit; sid:2015792; rev:2; metadata:created_at 2012_10_11, updated_at 2012_10_11;)
+#alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:exploit-kit; sid:2015792; rev:2; metadata:created_at 2012_10_12, updated_at 2012_10_12;)
 
-#alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_11, former_category CURRENT_EVENTS, updated_at 2012_10_11;)
+#alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_12, former_category CURRENT_EVENTS, updated_at 2012_10_12;)
 
 #alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:command-and-control; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
@@ -13210,8 +12052,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vu
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -13226,107 +12066,101 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vu
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5; metadata:created_at 2012_01_27, updated_at 2012_01_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5; metadata:created_at 2012_01_28, updated_at 2012_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:7; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:exploit-kit; sid:2015699; rev:3; metadata:created_at 2012_09_12, former_category EXPLOIT_KIT, updated_at 2012_09_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:exploit-kit; sid:2015699; rev:3; metadata:created_at 2012_09_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:8; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:8; metadata:created_at 2012_10_22, updated_at 2012_10_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:exploit-kit; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:exploit-kit; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:exploit-kit; sid:2015841; rev:3; metadata:created_at 2012_10_24, former_category EXPLOIT_KIT, updated_at 2012_10_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:exploit-kit; sid:2015841; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:exploit-kit; sid:2015840; rev:3; metadata:created_at 2012_10_24, former_category EXPLOIT_KIT, updated_at 2012_10_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:exploit-kit; sid:2015840; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
 
-alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_24, updated_at 2012_10_24;)
+alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_25, updated_at 2012_10_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:exploit-kit; sid:2014036; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013976; rev:10; metadata:created_at 2011_12_01, former_category MALWARE, updated_at 2011_12_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:exploit-kit; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:exploit-kit; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:exploit-kit; sid:2015859; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_11_02, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2; metadata:created_at 2012_11_07, updated_at 2012_11_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015868; rev:2; metadata:created_at 2012_11_06, former_category MALWARE, updated_at 2012_11_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015868; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015869; rev:2; metadata:created_at 2012_11_06, former_category MALWARE, updated_at 2012_11_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015869; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015870; rev:2; metadata:created_at 2012_11_06, former_category MALWARE, updated_at 2012_11_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015870; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Self-Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:exploit-kit; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015735; rev:3; metadata:created_at 2012_09_24, updated_at 2012_09_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015735; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Alms backdoor checkin"; content:"/getnewv.php?keyword=google&id="; http_uri; nocase; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_user_agent; flow:to_server,established; classtype:command-and-control; sid:2012803; rev:5; metadata:created_at 2011_05_11, former_category MALWARE, updated_at 2011_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:exploit-kit; sid:2014220; rev:7; metadata:created_at 2012_02_10, former_category EXPLOIT_KIT, updated_at 2012_02_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:exploit-kit; sid:2014220; rev:7; metadata:created_at 2012_02_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3; metadata:created_at 2012_11_09, updated_at 2012_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3; metadata:created_at 2012_11_10, updated_at 2012_11_10;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015881; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015882; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:2; metadata:created_at 2012_11_14, former_category CURRENT_EVENTS, updated_at 2012_11_14;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:exploit-kit; sid:2015884; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:exploit-kit; sid:2015886; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:command-and-control; sid:2014599; rev:5; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2012_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:command-and-control; sid:2014599; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2012_04_17;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:4; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:4; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; distance:0; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:8; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_05, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:exploit-kit; sid:2015890; rev:3; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:exploit-kit; sid:2015890; rev:3; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2012_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:2; metadata:created_at 2012_11_19, updated_at 2012_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
@@ -13340,21 +12174,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXM
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:18; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_23, updated_at 2012_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_24, updated_at 2012_11_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"cv_v"; depth:4; http_user_agent; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015930; rev:2; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2012_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015930; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015931; rev:2; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2012_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015931; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2015936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2015936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:exploit-kit; sid:2015943; rev:3; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
@@ -13364,107 +12198,101 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unk
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:exploit-kit; sid:2015783; rev:5; metadata:created_at 2012_10_06, former_category EXPLOIT_KIT, updated_at 2017_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:exploit-kit; sid:2015949; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:exploit-kit; sid:2015949; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx|0d 0a|"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:exploit-kit; sid:2015955; rev:2; metadata:created_at 2012_11_28, former_category CURRENT_EVENTS, updated_at 2012_11_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:exploit-kit; sid:2015955; rev:2; metadata:created_at 2012_11_29, former_category CURRENT_EVENTS, updated_at 2012_11_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:exploit-kit; sid:2015956; rev:2; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2012_11_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:exploit-kit; sid:2015956; rev:2; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2012_11_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:3; metadata:created_at 2012_11_28, former_category INFO, updated_at 2012_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:3; metadata:created_at 2012_11_29, former_category INFO, updated_at 2012_11_29;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, former_category HUNTING, updated_at 2010_09_27;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, former_category HUNTING, updated_at 2010_09_27;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, former_category HUNTING, updated_at 2010_09_27;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:command-and-control; sid:2014460; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:exploit-kit; sid:2015970; rev:11; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:exploit-kit; sid:2015970; rev:11; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:exploit-kit; sid:2015971; rev:9; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:exploit-kit; sid:2015971; rev:9; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary";  http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2015979; rev:1; metadata:created_at 2012_12_03, former_category EXPLOIT_KIT, updated_at 2012_12_03;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2015979; rev:1; metadata:created_at 2012_12_04, former_category EXPLOIT_KIT, updated_at 2012_12_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:social-engineering; sid:2015983; rev:2; metadata:created_at 2012_12_04, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:social-engineering; sid:2015983; rev:2; metadata:created_at 2012_12_05, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:exploit-kit; sid:2015988; rev:2; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:exploit-kit; sid:2015988; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:exploit-kit; sid:2015989; rev:2; metadata:created_at 2012_12_05, former_category EXPLOIT_KIT, updated_at 2012_12_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:exploit-kit; sid:2015989; rev:2; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
 alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U";  flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015922; rev:6; metadata:created_at 2012_11_23, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:2; metadata:created_at 2012_12_07, updated_at 2012_12_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:2; metadata:created_at 2012_12_08, updated_at 2012_12_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:exploit-kit; sid:2016001; rev:5; metadata:created_at 2012_12_07, former_category CURRENT_EVENTS, updated_at 2012_12_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:exploit-kit; sid:2016001; rev:5; metadata:created_at 2012_12_08, former_category CURRENT_EVENTS, updated_at 2012_12_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_13, former_category CURRENT_EVENTS, updated_at 2012_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_12, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:exploit-kit; sid:2016024; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_14, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016047; rev:2; metadata:created_at 2012_12_17, former_category MALWARE, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016047; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016049; rev:2; metadata:created_at 2012_12_17, former_category MALWARE, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016049; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:exploit-kit; sid:2016053; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+#alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:exploit-kit; sid:2016053; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:exploit-kit; sid:2016056; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:exploit-kit; sid:2016056; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; distance:0; http_client_body; content:"&name="; distance:0; http_client_body; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:5; metadata:created_at 2012_12_17, former_category MALWARE, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; distance:0; http_client_body; content:"&name="; distance:0; http_client_body; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:5; metadata:created_at 2012_12_18, former_category MALWARE, updated_at 2012_12_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:exploit-kit; sid:2016054; rev:3; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:exploit-kit; sid:2016054; rev:3; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:command-and-control; sid:2016062; rev:2; metadata:created_at 2012_12_19, former_category MALWARE, updated_at 2012_12_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:command-and-control; sid:2016062; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016071; rev:4; metadata:created_at 2012_12_20, updated_at 2012_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016071; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016072; rev:3; metadata:created_at 2012_12_20, updated_at 2012_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016072; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -13474,23 +12302,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme Cha
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2; metadata:created_at 2012_12_27, former_category CURRENT_EVENTS, updated_at 2012_12_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2; metadata:created_at 2012_12_27, former_category CURRENT_EVENTS, updated_at 2012_12_27;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:exploit-kit; sid:2016106; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:command-and-control; sid:2016124; rev:2; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2012_12_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:command-and-control; sid:2016124; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:command-and-control; sid:2016126; rev:2; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2012_12_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:command-and-control; sid:2016126; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:command-and-control; sid:2016127; rev:2; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2012_12_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:command-and-control; sid:2016127; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:exploit-kit; sid:2016128; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:exploit-kit; sid:2016128; rev:2; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
 
@@ -13498,21 +12326,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode C
 
 alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:exploit-kit; sid:2016144; rev:3; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;)
-
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|";  fast_pattern:23,6; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:command-and-control; sid:2014014; rev:6; metadata:created_at 2011_12_08, former_category MALWARE, updated_at 2020_08_20;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:exploit-kit; sid:2016169; rev:3; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
 
@@ -13530,21 +12354,19 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community str
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015977; rev:7; metadata:created_at 2012_12_03, updated_at 2012_12_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015977; rev:7; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:exploit-kit; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:exploit-kit; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:exploit-kit; sid:2016191; rev:6; metadata:created_at 2013_01_11, former_category EXPLOIT_KIT, updated_at 2013_01_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:exploit-kit; sid:2016191; rev:6; metadata:created_at 2013_01_12, former_category EXPLOIT_KIT, updated_at 2013_01_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:exploit-kit; sid:2016192; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_11, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:exploit-kit; sid:2016192; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; urilen:6; content:".htm"; http_uri; content:"Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.0|3B| Trident/5.0)"; fast_pattern:35,20; http_user_agent; pcre:"/^\x2F[a-z]{1}\x2Ehtm$/U"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html; reference:url,www.fortiguard.com/latest/av/4057936; reference:md5,92899c20da4d9db5627af89998aadc58; classtype:command-and-control; sid:2016211; rev:5; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2013_01_15;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
@@ -13554,91 +12376,85 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016240; rev:5; metadata:created_at 2013_01_18, former_category EXPLOIT_KIT, updated_at 2013_01_18;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:exploit-kit; sid:2016092; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:exploit-kit; sid:2016092; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016247; rev:6; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016247; rev:6; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016255; rev:2; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016255; rev:2; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:exploit-kit; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:exploit-kit; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:4; metadata:created_at 2013_01_28, former_category CURRENT_EVENTS, updated_at 2013_01_28;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:4; metadata:created_at 2013_01_28, former_category CURRENT_EVENTS, updated_at 2013_01_28;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:exploit-kit; sid:2016307; rev:6; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2013_01_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:exploit-kit; sid:2016307; rev:6; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2013_01_30;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016315; rev:3; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016315; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_01_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015858; rev:3; metadata:created_at 2012_10_31, former_category EXPLOIT_KIT, updated_at 2012_10_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015858; rev:3; metadata:created_at 2012_11_01, former_category EXPLOIT_KIT, updated_at 2012_11_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016353; rev:2; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2013_02_05;)
 
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, former_category MOBILE_MALWARE, updated_at 2013_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2016356; rev:2; metadata:created_at 2013_02_06, former_category EXPLOIT_KIT, updated_at 2013_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2016356; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:exploit-kit; sid:2016357; rev:2; metadata:created_at 2013_02_06, former_category EXPLOIT_KIT, updated_at 2013_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:exploit-kit; sid:2016357; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:exploit-kit; sid:2016373; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
@@ -13648,13 +12464,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava In
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016393; rev:3; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016393; rev:3; metadata:created_at 2013_02_09, former_category EXPLOIT_KIT, updated_at 2013_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_02_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
@@ -13664,7 +12480,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specif
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:exploit-kit; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; reference:url,anubis.iseclab.org/index.php?action=result&task_id=4fdbf09e9bb20824658cfd45b63a309e; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
 
@@ -13674,9 +12490,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action S
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016407; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016407; rev:3; metadata:created_at 2013_02_13, updated_at 2013_02_13;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_15, updated_at 2013_02_15;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -13694,14 +12510,12 @@ alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkho
 
 alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016426; rev:3; metadata:created_at 2013_02_18, former_category EXPLOIT_KIT, updated_at 2013_02_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016426; rev:3; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2013_02_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"POST|2C|"; fast_pattern; nocase; depth:100; content:"ACCEPT|3A|"; nocase; within:300; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:command-and-control; sid:2016428; rev:7; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA"; flow:established,to_server; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|3b|Google|3b|)|0d 0a|Host|3a| "; fast_pattern:54,20; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:70; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:2016429; rev:4; metadata:created_at 2011_08_04, updated_at 2011_08_04;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:targeted-activity; sid:2016438; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016441; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
@@ -13710,55 +12524,35 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SEASALT Server Res
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016443; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016448; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:targeted-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016444; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:targeted-activity; sid:2016455; rev:3; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2013_02_21;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2013_02_21;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016457; rev:3; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2013_02_21;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Fake Virtually SSL Cert APT1"; flow:established,from_server; content:"|55 04 03|"; content:"|03|new"; distance:1; within:4; content:"|55 04 0b|"; content:"|03|new"; distance:1; within:4; content:"|55 04 0a|"; content:"|16|www.virtuallythere.com"; distance:1; within:23; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016462; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Fake IBM SSL Cert APT1"; flow:established,from_server; content:"|55 04 03|"; content:"|03|IBM"; distance:1; within:4; content:"|55 04 0a|"; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016463; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE EMAIL SSL Cert APT1"; flow:established,from_server; content:"|2f 09 dd e0 ff 81 b7 6c bf 2f 17 92 0c d8 bd 57|"; content:"|55 04 03|"; content:"|05|EMAIL"; distance:1; within:6; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016464; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE LAME SSL Cert APT1"; flow:established,from_server; content:"|0e 97 88 1c 6c a1 37 96 42 03 bc 45 42 24 75 6c|"; content:"|55 04 03|"; content:"|0F|LM-68AB71FBD8F5"; distance:1; within:16; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016465; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE NS SSL Cert APT1"; flow:established,from_server; content:"|72 a2 5c 8a b4 18 71 4e bf c6 6f 3f 98 d6 f7 74|"; content:"|55 04 03|"; content:"|02|NS"; distance:1; within:3; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016466; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SERVER SSL Cert APT1"; flow:established,from_server; content:"|52 55 38 16 fb 0d 1a 8a 4b 45 04 cb 06 bc c4 af|"; content:"|55 04 03|"; content:"|06|SERVER"; distance:1; within:7; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016467; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SUR SSL Cert APT1"; flow:established,from_server; content:"|20 82 92 3f 43 2c 8f 75 b7 ef 0f 6a d9 3c 8e 5d|"; content:"|55 04 03|"; content:"|03|SUR"; distance:1; within:4; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016468; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:targeted-activity; sid:2016455; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE FAKE AOL SSL Cert APT1"; flow:established,from_server; content:"|7c a2 74 d0 fb c3 d1 54 b3 d1 a3 00 62 e3 7e f6|"; content:"|55 04 03|"; content:"|0c|mail.aol.com"; distance:1; within:13; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016469; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE FAKE YAHOO SSL Cert APT1"; flow:established,from_server; content:"|0a 38 c9 27 08 6f 96 4b be 75 dc 9f c0 1a c6 28|"; content:"|55 04 03|"; content:"|0e|mail.yahoo.com"; distance:1; within:15; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016470; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016457; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016472; rev:2; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2013_02_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016472; rev:2; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:command-and-control; sid:2016496; rev:4; metadata:created_at 2013_02_25, former_category MALWARE, updated_at 2013_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:command-and-control; sid:2016496; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2013_02_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016497; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016497; rev:7; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:exploit-kit; sid:2016500; rev:8; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:exploit-kit; sid:2016500; rev:8; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:2; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:exploit-kit; sid:2016333; rev:4; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2013_01_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:exploit-kit; sid:2016333; rev:4; metadata:created_at 2013_02_01, former_category EXPLOIT_KIT, updated_at 2013_02_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -13766,29 +12560,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Appl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:pup-activity; sid:2007995; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:exploit-kit; sid:2016522; rev:2; metadata:created_at 2013_03_04, former_category EXPLOIT_KIT, updated_at 2018_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:exploit-kit; sid:2016524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:command-and-control; sid:2016096; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:exploit-kit; sid:2016525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:exploit-kit; sid:2016526; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_07, updated_at 2013_03_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:command-and-control; sid:2016096; rev:4; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:3; metadata:created_at 2013_03_05, updated_at 2013_03_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:exploit-kit; sid:2016558; rev:4; metadata:created_at 2013_03_08, updated_at 2013_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:exploit-kit; sid:2016558; rev:4; metadata:created_at 2013_03_09, updated_at 2013_03_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:exploit-kit; sid:2016562; rev:7; metadata:created_at 2013_03_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:targeted-activity; sid:2016579; rev:2; metadata:created_at 2013_03_15, former_category MALWARE, updated_at 2013_03_15;)
 
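Review bot: The hunk headers on this page (`@@ -13766,29 +12560,21 @@` here, and the two that follow) show the refreshed upstream file is roughly 1200 lines shorter by this point, so any loaded/failed rule-count expectation this test asserts elsewhere (not visible in this diff) presumably needs regenerating in the same commit; please confirm it was. Within the hunk the substantive changes are a reordering (the two Stabuniq `ET DELETED` rules now precede sid 2016538) and the dropping of the Blackhole landing-page and `download.php?e=` signatures; these are upstream content changes and nothing in this parser fixture needs adjusting for them. The one-day shifts in `created_at`/`updated_at` (e.g. `2013_03_05` to `2013_03_06` on sid 2016538) recur throughout the diff and look like an upstream generator date artifact rather than a ruleset change; they do not affect parsing, but because they make the diff noisy, recording in the commit message that this is a verbatim upstream snapshot together with the fetch date would help future refreshes.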
@@ -13830,33 +12616,27 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam req
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:4; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:exploit-kit; sid:2016643; rev:5; metadata:created_at 2013_03_21, updated_at 2013_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:exploit-kit; sid:2016643; rev:5; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe LiveCycle Designer ES 8.2"; fast_pattern:11,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016647; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016561; rev:3; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 9.0.0 (Windows)"; fast_pattern:3,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016649; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 6.0.1 (Windows)"; fast_pattern:3,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016650; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016561; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_03_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
@@ -13866,17 +12646,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016663; rev:2; metadata:created_at 2013_03_25, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016663; rev:2; metadata:created_at 2013_03_26, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_25, updated_at 2013_03_25;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_26, updated_at 2013_03_26;)
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
@@ -13886,31 +12666,29 @@ alert http $HTTP_SERVERS any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Sim
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
-
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET FTP Outbound Java Anonymous FTP Login"; flow:to_server,established; content:"USER anonymous|0d 0a|PASS Java1."; fast_pattern:7,20; pcre:"/^\d\.\d(_\d+)?\@\r\n/R"; flowbits:set,ET.Java.FTP.Logon; classtype:misc-activity; sid:2016687; rev:3; metadata:created_at 2013_03_28, updated_at 2013_03_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016704; rev:3; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016704; rev:3; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2013_04_02;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_03, former_category SHELLCODE, updated_at 2017_09_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_04, former_category SHELLCODE, updated_at 2017_09_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016726; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2013_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016726; rev:6; metadata:created_at 2013_04_05, former_category EXPLOIT_KIT, updated_at 2013_04_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:command-and-control; sid:2016712; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:command-and-control; sid:2016712; rev:3; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; fast_pattern; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -13922,9 +12700,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backsl
 
 #alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -13932,9 +12710,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backsl
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016734; rev:2; metadata:created_at 2013_04_08, former_category EXPLOIT_KIT, updated_at 2013_04_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016734; rev:2; metadata:created_at 2013_04_09, former_category EXPLOIT_KIT, updated_at 2013_04_09;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
@@ -13952,45 +12730,45 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/NSISDL.Downlo
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"Mozilla/0."; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2010905; classtype:pup-activity; sid:2010905; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_15, updated_at 2012_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_16, updated_at 2012_11_16;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:2; metadata:created_at 2013_04_16, updated_at 2013_04_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015006; rev:6; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015006; rev:6; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015007; rev:9; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015007; rev:9; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015009; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015009; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016070; rev:5; metadata:created_at 2012_12_20, updated_at 2012_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016070; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:2; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:3; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:3; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016753; rev:10; metadata:created_at 2013_04_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016753; rev:10; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016781; rev:2; metadata:created_at 2013_04_22, updated_at 2013_04_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016781; rev:2; metadata:created_at 2013_04_23, updated_at 2013_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:exploit-kit; sid:2016782; rev:15; metadata:created_at 2013_04_23, former_category EXPLOIT_KIT, updated_at 2013_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:exploit-kit; sid:2016782; rev:15; metadata:created_at 2013_04_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:3; metadata:created_at 2012_04_13, updated_at 2012_04_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4; metadata:created_at 2013_04_22, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4; metadata:created_at 2013_04_23, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"vb wininet"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
@@ -13998,16 +12776,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader c
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:exploit-kit; sid:2016784; rev:3; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016113; rev:3; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016113; rev:3; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013664; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:exploit-kit; sid:2013990; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
@@ -14018,37 +12792,35 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader c
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert;  classtype:bad-unknown; sid:2014441; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:"<applet"; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016797; rev:2; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016585; rev:7; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_26, former_category CURRENT_EVENTS, updated_at 2012_10_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_27, former_category CURRENT_EVENTS, updated_at 2012_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016112; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016112; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016111; rev:4; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016111; rev:4; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016655; rev:5; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:exploit-kit; sid:2016093; rev:4; metadata:created_at 2012_12_27, former_category EXPLOIT_KIT, updated_at 2012_12_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:exploit-kit; sid:2016093; rev:4; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015161; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:exploit-kit; sid:2016213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:exploit-kit; sid:2016213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -14058,47 +12830,45 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; content:"|3c|script"; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:exploit-kit; sid:2015648; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:exploit-kit; sid:2015648; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; classtype:trojan-activity; sid:2015582; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:exploit-kit; sid:2015579; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:exploit-kit; sid:2015579; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:exploit-kit; sid:2015056; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:exploit-kit; sid:2015047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:exploit-kit; sid:2015047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:exploit-kit; sid:2015044; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:exploit-kit; sid:2015044; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:exploit-kit; sid:2016025; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:exploit-kit; sid:2016025; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:exploit-kit; sid:2014194; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:exploit-kit; sid:2014194; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14106,7 +12876,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_03, updated_at 2012_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
 
 #alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14120,25 +12890,21 @@ alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow att
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"main.php?action=download"; nocase; uricontent:"&id="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/passwiki.php?site_id="; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:command-and-control; sid:2014276; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2012_02_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Possible BlackHole request with decryption Base"; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"Indy Library)"; nocase; http_user_agent; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:pup-activity; sid:2003446; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:3; metadata:created_at 2013_05_06, former_category INFO, updated_at 2013_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:3; metadata:created_at 2013_05_06, former_category INFO, updated_at 2013_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:3; metadata:created_at 2013_05_06, former_category INFO, updated_at 2013_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, former_category CURRENT_EVENTS, updated_at 2013_05_07;)
 
@@ -14146,13 +12912,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possib
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016852; rev:3; metadata:created_at 2013_05_15, updated_at 2013_05_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016852; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:3; metadata:created_at 2013_05_15, updated_at 2013_05_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; http_method; content:"?o="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14166,63 +12932,59 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Exe
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"wininetget/"; nocase; depth:11; http_user_agent; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent;  content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8; metadata:created_at 2013_05_23, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8; metadata:created_at 2013_05_24, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:5; metadata:created_at 2013_05_23, former_category INFO, updated_at 2017_10_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:5; metadata:created_at 2013_05_24, former_category INFO, updated_at 2017_10_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015575; rev:11; metadata:created_at 2012_08_03, former_category EXPLOIT_KIT, updated_at 2012_08_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015575; rev:11; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016925; rev:2; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016925; rev:2; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:exploit-kit; sid:2016927; rev:11; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:exploit-kit; sid:2016791; rev:6; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:exploit-kit; sid:2016791; rev:6; metadata:created_at 2013_04_27, updated_at 2013_04_27;)
 
 #alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:exploit-kit; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:exploit-kit; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"EoAgence-"; http_user_agent; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:pup-activity; sid:2014120; rev:3; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_01, former_category CURRENT_EVENTS, updated_at 2010_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_02, former_category CURRENT_EVENTS, updated_at 2010_10_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_01, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:exploit-kit; sid:2016365; rev:5; metadata:created_at 2013_02_06, former_category CURRENT_EVENTS, updated_at 2013_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:exploit-kit; sid:2016365; rev:5; metadata:created_at 2013_02_07, former_category CURRENT_EVENTS, updated_at 2013_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016966; rev:7; metadata:created_at 2013_06_03, updated_at 2013_06_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016966; rev:7; metadata:created_at 2013_06_04, updated_at 2013_06_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:exploit-kit; sid:2016984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:exploit-kit; sid:2016984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; http_uri; nocase; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_14, updated_at 2011_01_14;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_07, updated_at 2013_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_07, updated_at 2013_06_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_08, updated_at 2013_06_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_08, updated_at 2013_06_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_08, updated_at 2013_06_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2015724; rev:10; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; http_header; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; file_data; content:"%PDF-"; within:5; classtype:exploit-kit; sid:2015725; rev:8; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; http_header; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; file_data; content:"%PDF-"; within:5; classtype:exploit-kit; sid:2015725; rev:8; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_25, former_category CURRENT_EVENTS, updated_at 2012_09_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_26, former_category CURRENT_EVENTS, updated_at 2012_09_26;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_26, updated_at 2012_09_26;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
 
@@ -14232,19 +12994,19 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Lo
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; content:"Srv.SSA-KeyLogger"; http_uri; reference:url,doc.emergingthreats.net/2002175; classtype:command-and-control; sid:2002175; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET MALWARE Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET MALWARE Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_user_agent; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:command-and-control; sid:2008523; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
@@ -14252,13 +13014,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Lo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:5; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
-
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3; metadata:created_at 2012_12_27, former_category TROJAN, updated_at 2018_04_03;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3; metadata:created_at 2012_12_28, former_category TROJAN, updated_at 2018_04_03;)
 
-#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:3; metadata:created_at 2013_06_10, former_category POLICY, updated_at 2018_04_24;)
+#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:3; metadata:created_at 2013_06_11, former_category POLICY, updated_at 2018_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14276,67 +13036,65 @@ alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Conten
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016970; rev:4; metadata:created_at 2013_06_04, former_category EXPLOIT_KIT, updated_at 2013_06_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016970; rev:4; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2013_06_05;)
 
-alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_17, updated_at 2013_06_17;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:2; metadata:created_at 2013_06_17, updated_at 2013_06_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U";  pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert;  classtype:bad-unknown; sid:2014442; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:exploit-kit; sid:2017028; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:exploit-kit; sid:2017028; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:exploit-kit; sid:2017029; rev:5; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:exploit-kit; sid:2017029; rev:5; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:exploit-kit; sid:2017030; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:exploit-kit; sid:2017030; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_18, former_category CURRENT_EVENTS, updated_at 2013_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:exploit-kit; sid:2017034; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:exploit-kit; sid:2017040; rev:2; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2013_06_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:exploit-kit; sid:2017040; rev:2; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:4; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:4; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:12; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:command-and-control; sid:2017056; rev:1; metadata:created_at 2013_06_24, former_category MALWARE, updated_at 2013_06_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:command-and-control; sid:2017056; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016817; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016817; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016818; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016818; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:exploit-kit; sid:2017020; rev:10; metadata:created_at 2013_06_14, updated_at 2013_06_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:exploit-kit; sid:2017020; rev:10; metadata:created_at 2013_06_15, updated_at 2013_06_15;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:command-and-control; sid:2017055; rev:1; metadata:created_at 2013_06_24, former_category MALWARE, updated_at 2013_06_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:command-and-control; sid:2017055; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017073; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016733; rev:4; metadata:created_at 2013_04_08, updated_at 2013_04_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016733; rev:4; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
@@ -14346,11 +13104,11 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell -
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2013_07_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:exploit-kit; sid:2017098; rev:2; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2013_07_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:exploit-kit; sid:2017098; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_03, updated_at 2013_07_03;)
+alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_04, updated_at 2013_07_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:2; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
@@ -14360,7 +13118,7 @@ alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authenti
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:exploit-kit; sid:2016705; rev:19; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016756; rev:6; metadata:created_at 2013_04_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016756; rev:6; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017117; rev:2; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
 
@@ -14370,39 +13128,37 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redire
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:2; metadata:created_at 2013_07_10, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:2; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:2; metadata:created_at 2013_07_10, updated_at 2013_07_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:2; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_12, former_category CHAT, updated_at 2017_11_28;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
 
-alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_12, former_category CHAT, updated_at 2017_11_28;)
+alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:exploit-kit; sid:2016721; rev:4; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:exploit-kit; sid:2016945; rev:8; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:exploit-kit; sid:2016945; rev:8; metadata:created_at 2013_05_30, updated_at 2013_05_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14412,9 +13168,7 @@ alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot w
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updateb)"; flowbits:isset,BT.ppagent.updatea; flow:to_server,established; content:"/updateb.php?p="; nocase; http_uri; pcre:"/updateb\.php\?p=\d/Ui";flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:created_at 2013_07_18, updated_at 2013_07_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Ransomware, updated_at 2013_07_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14422,8 +13176,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Bas
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client;  content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc."; http_header; distance:0; fast_pattern; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?calc\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014237; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
@@ -14432,31 +13184,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Bas
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016107; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016250; rev:8; metadata:created_at 2013_01_21, former_category EXPLOIT_KIT, updated_at 2013_01_21;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016490; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016491; rev:11; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016492; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016250; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2013_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6; metadata:created_at 2013_03_19, former_category HUNTING, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6; metadata:created_at 2013_03_20, former_category HUNTING, updated_at 2013_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016640; rev:4; metadata:created_at 2013_03_21, updated_at 2013_03_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016640; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016735; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
@@ -14468,13 +13214,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Bas
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016930; rev:4; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016930; rev:4; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017016; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
@@ -14482,38 +13228,34 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Bas
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017018; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017097; rev:4; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2013_07_03;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016554; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2013_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017097; rev:4; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016555; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2013_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016554; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016557; rev:6; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2013_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016555; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:5; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016557; rev:6; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016493; rev:11; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:exploit-kit; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_23, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:exploit-kit; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file_data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri";content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:exploit-kit; sid:2017177; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
@@ -14526,9 +13268,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked S
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016052; rev:4; metadata:created_at 2012_12_17, updated_at 2012_12_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016052; rev:4; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016249; rev:8; metadata:created_at 2013_01_21, former_category EXPLOIT_KIT, updated_at 2013_01_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016249; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:exploit-kit; sid:2016374; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
@@ -14538,35 +13280,35 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked S
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016514; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016597; rev:5; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016597; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:exploit-kit; sid:2016598; rev:5; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:exploit-kit; sid:2016598; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016859; rev:4; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016859; rev:4; metadata:created_at 2013_05_17, updated_at 2013_05_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:exploit-kit; sid:2017200; rev:5; metadata:created_at 2013_07_25, former_category EXPLOIT_KIT, updated_at 2013_07_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:exploit-kit; sid:2017200; rev:5; metadata:created_at 2013_07_26, former_category EXPLOIT_KIT, updated_at 2013_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017201; rev:6; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017201; rev:6; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017202; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017202; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017203; rev:5; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017203; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017204; rev:5; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017204; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:exploit-kit; sid:2017071; rev:3; metadata:created_at 2013_06_26, former_category EXPLOIT_KIT, updated_at 2013_06_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:exploit-kit; sid:2017071; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -14620,111 +13362,111 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotu
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_29, former_category CURRENT_EVENTS, updated_at 2013_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017248; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017248; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017249; rev:2; metadata:created_at 2013_07_29, updated_at 2016_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017249; rev:2; metadata:created_at 2013_07_30, updated_at 2016_10_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172 url,foobar; classtype:exploit-kit; sid:2017250; rev:2; metadata:created_at 2013_07_29, cve CVE_1234_CVE_341, former_category EXPLOIT_KIT, updated_at 2020_08_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:exploit-kit; sid:2017250; rev:2; metadata:created_at 2013_07_30, cve CVE_1234_CVE_341, former_category EXPLOIT_KIT, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017251; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017251; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017252; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017252; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017253; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017253; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017254; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017254; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:command-and-control; sid:2016963; rev:5; metadata:created_at 2012_04_13, former_category MALWARE, updated_at 2012_04_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:exploit-kit; sid:2016066; rev:3; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2012_12_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:exploit-kit; sid:2016066; rev:3; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:exploit-kit; sid:2016129; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf/Styx EK - fnts.html"; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:exploit-kit; sid:2016129; rev:4; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017100; rev:4; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
@@ -14732,24 +13474,22 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017102; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2017270; rev:7; metadata:created_at 2013_08_02, former_category EXPLOIT_KIT, updated_at 2013_08_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2017270; rev:7; metadata:created_at 2013_08_03, former_category EXPLOIT_KIT, updated_at 2013_08_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:exploit-kit; sid:2017271; rev:3; metadata:created_at 2013_08_02, updated_at 2013_08_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:exploit-kit; sid:2017271; rev:3; metadata:created_at 2013_08_03, updated_at 2013_08_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:command-and-control; sid:2017275; rev:2; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2013_08_05;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017114; rev:5; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:3; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:exploit-kit; sid:2017296; rev:5; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; distance:0; within:85; classtype:trojan-activity; sid:2017301; rev:2; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
@@ -14766,27 +13506,27 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python she
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017265; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017164; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017164; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; http_method; content:"/ld/"; http_uri; content:".php"; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC"; flow:from_server,established; file_data; content:"c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015902; rev:7; metadata:created_at 2012_09_20, former_category MALWARE, updated_at 2012_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC"; flow:from_server,established; file_data; content:"c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015902; rev:7; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 2"; flow:from_server,established; file_data; content:"c=idl"; within:5; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015903; rev:5; metadata:created_at 2012_09_24, former_category MALWARE, updated_at 2012_09_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 2"; flow:from_server,established; file_data; content:"c=idl"; within:5; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015903; rev:5; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2012_09_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, former_category HUNTING, updated_at 2013_08_13;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:exploit-kit; sid:2017328; rev:2; metadata:created_at 2013_08_14, former_category CURRENT_EVENTS, updated_at 2013_08_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:exploit-kit; sid:2017328; rev:2; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017166; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:2; metadata:created_at 2013_08_14, updated_at 2013_08_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:exploit-kit; sid:2017333; rev:3; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
 
@@ -14796,27 +13536,27 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassi
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net add PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net add PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - netsh - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - netsh - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - ipconfig - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - ipconfig - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot -  reg - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot -  reg - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net user - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net user - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14828,23 +13568,17 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT Clie
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:exploit-kit; sid:2017340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:exploit-kit; sid:2017341; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:targeted-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2012_06_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13;  pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:exploit-kit; sid:2016064; rev:5; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2012_12_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:exploit-kit; sid:2016064; rev:5; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:3; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:exploit-kit; sid:2012807; rev:4; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6; metadata:created_at 2012_08_28, former_category CURRENT_EVENTS, updated_at 2012_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPCIOUS Non-standard base64 charset used for encoding"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2017364; rev:7; metadata:created_at 2013_08_21, updated_at 2013_08_21;)
 
@@ -14880,7 +13614,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mashigoom/Tranwos/
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:2; metadata:created_at 2013_08_23, updated_at 2013_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3; metadata:created_at 2013_05_15, former_category CURRENT_EVENTS, updated_at 2013_05_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2013_05_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -14918,18 +13652,16 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell -
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:2; metadata:created_at 2013_08_29, updated_at 2013_08_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:2; metadata:created_at 2013_08_30, updated_at 2013_08_30;)
 
 alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017115; rev:8; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:command-and-control; sid:2017404; rev:3; metadata:created_at 2013_08_31, former_category WORM, updated_at 2013_08_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:command-and-control; sid:2017404; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_08_31, deployment Perimeter, former_category WORM, signature_severity Major, tag c2, updated_at 2013_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017407; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern:3,20; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:exploit-kit; sid:2017408; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -14954,8 +13686,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat C
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017424; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device[endof]"; depth:23; fast_pattern:3,20; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017425; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017426; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017427; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
@@ -14964,29 +13694,27 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat C
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:exploit-kit; sid:2017376; rev:7; metadata:created_at 2013_08_27, former_category EXPLOIT_KIT, updated_at 2013_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:exploit-kit; sid:2017435; rev:4; metadata:created_at 2013_09_06, former_category CURRENT_EVENTS, updated_at 2013_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:exploit-kit; sid:2017435; rev:4; metadata:created_at 2013_09_07, former_category CURRENT_EVENTS, updated_at 2013_09_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017451; rev:6; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017456; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017456; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:exploit-kit; sid:2017167; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017470; rev:2; metadata:created_at 2013_09_16, updated_at 2013_09_16;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017471; rev:2; metadata:created_at 2013_09_16, updated_at 2013_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017470; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017472; rev:2; metadata:created_at 2013_09_16, updated_at 2013_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017471; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Downloading Payload"; flow:to_server,established; content:"get"; http_uri; content:"?src="; http_uri; fast_pattern; distance:0;content:"snet"; http_uri; distance:0; pcre:"/\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_user_agent; classtype:exploit-kit; sid:2016566; rev:4; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017472; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:exploit-kit; sid:2017469; rev:5; metadata:created_at 2013_09_16, former_category CURRENT_EVENTS, updated_at 2013_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:exploit-kit; sid:2017469; rev:5; metadata:created_at 2013_09_17, former_category CURRENT_EVENTS, updated_at 2013_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016065; rev:4; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2012_12_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016065; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2012_12_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -14994,9 +13722,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2015901; rev:3; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2012_11_20;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_16, updated_at 2012_07_16;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_17, updated_at 2012_07_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; dsize:>0; byte_jump:2,1,little,post_offset -4; isdataat:!2,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017414; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; dsize:>0; byte_jump:2,1,little,post_offset -4; isdataat:!2,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017414; rev:3; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:exploit-kit; sid:2017484; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
@@ -15022,21 +13750,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long U
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:exploit-kit; sid:2017503; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:exploit-kit; sid:2017503; rev:2; metadata:created_at 2013_09_21, former_category CURRENT_EVENTS, updated_at 2013_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_23, former_category CURRENT_EVENTS, updated_at 2013_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2; metadata:created_at 2013_09_23, former_category CURRENT_EVENTS, updated_at 2013_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:2; metadata:created_at 2013_09_23, updated_at 2013_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2; metadata:created_at 2013_09_23, updated_at 2013_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016380; rev:4; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3; metadata:created_at 2013_09_10, updated_at 2013_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:command-and-control; sid:2017525; rev:2; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
@@ -15074,23 +13802,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti/Mufanom Cn
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017543; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern:12,10; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:3; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent;  fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:exploit-kit; sid:2017547; rev:3; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017551; rev:2; metadata:created_at 2013_10_01, updated_at 2013_10_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017551; rev:2; metadata:created_at 2013_10_02, updated_at 2013_10_02;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:exploit-kit; sid:2017297; rev:6; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017076; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017076; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:exploit-kit; sid:2017553; rev:3; metadata:created_at 2013_10_02, former_category CURRENT_EVENTS, updated_at 2013_10_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:exploit-kit; sid:2017553; rev:3; metadata:created_at 2013_10_03, former_category CURRENT_EVENTS, updated_at 2013_10_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017533; rev:5; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
@@ -15102,31 +13826,29 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:exploit-kit; sid:2017556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_04, updated_at 2013_10_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_05, updated_at 2013_10_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017562; rev:6; metadata:created_at 2013_10_04, former_category EXPLOIT_KIT, updated_at 2013_10_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017562; rev:6; metadata:created_at 2013_10_05, former_category EXPLOIT_KIT, updated_at 2013_10_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:exploit-kit; sid:2017563; rev:3; metadata:created_at 2013_10_07, updated_at 2013_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:exploit-kit; sid:2017563; rev:3; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3; metadata:created_at 2013_10_07, former_category CURRENT_EVENTS, updated_at 2013_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3; metadata:created_at 2013_10_08, former_category CURRENT_EVENTS, updated_at 2013_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2017576; rev:2; metadata:created_at 2013_10_09, former_category CURRENT_EVENTS, updated_at 2013_10_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2017576; rev:2; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2013_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:exploit-kit; sid:2017579; rev:2; metadata:created_at 2013_10_10, former_category EXPLOIT_KIT, updated_at 2013_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:exploit-kit; sid:2017579; rev:2; metadata:created_at 2013_10_11, former_category EXPLOIT_KIT, updated_at 2013_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2; metadata:created_at 2013_10_10, updated_at 2013_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2; metadata:created_at 2013_10_11, updated_at 2013_10_11;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017405; rev:6; metadata:created_at 2013_09_03, former_category EXPLOIT_KIT, updated_at 2013_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern:1,20; content:"return parseInt"; content:"return |27 27|"; classtype:exploit-kit; sid:2017577; rev:4; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
-
-#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3; metadata:created_at 2013_10_13, updated_at 2013_10_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3; metadata:created_at 2013_10_14, updated_at 2013_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017589; rev:3; metadata:created_at 2013_10_13, former_category CURRENT_EVENTS, updated_at 2013_10_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017589; rev:3; metadata:created_at 2013_10_14, former_category CURRENT_EVENTS, updated_at 2013_10_14;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2017591; rev:2; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
 
@@ -15146,8 +13868,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShe
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:3; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
 #alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:command-and-control; sid:2017614; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
@@ -15172,21 +13892,21 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:exploit-kit; sid:2017473; rev:6; metadata:created_at 2013_09_16, former_category EXPLOIT_KIT, updated_at 2013_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:exploit-kit; sid:2017473; rev:6; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2; metadata:created_at 2013_10_24, updated_at 2013_10_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2; metadata:created_at 2013_10_24, updated_at 2013_10_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:exploit-kit; sid:2017011; rev:7; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:exploit-kit; sid:2017011; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017635; rev:4; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:4; metadata:created_at 2013_10_07, updated_at 2013_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:4; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:5; metadata:created_at 2013_10_07, updated_at 2013_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:5; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3; metadata:created_at 2012_12_14, updated_at 2012_12_14;)
 
@@ -15198,47 +13918,43 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Landing
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014266; rev:4; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; fast_pattern:only; nocase; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui";  reference:url,doc.emergingthreats.net/2010565; classtype:command-and-control; sid:2010565; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017650; rev:2; metadata:created_at 2013_10_31, updated_at 2013_10_31;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017652; rev:8; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017493; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017493; rev:4; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017492; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017492; rev:4; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017491; rev:5; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017266; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server;  content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017267; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017268; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017180; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017180; rev:4; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017179; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017179; rev:4; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017104; rev:4; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2016975; rev:3; metadata:created_at 2013_06_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2016551; rev:8; metadata:created_at 2013_03_07, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2016551; rev:8; metadata:created_at 2013_03_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017571; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:2; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:command-and-control; sid:2017665; rev:3; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
+#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:command-and-control; sid:2017665; rev:3; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
+#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:3; metadata:created_at 2013_09_26, updated_at 2013_09_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:3; metadata:created_at 2013_09_27, updated_at 2013_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:4; metadata:created_at 2013_11_05, updated_at 2013_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:4; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:5; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
 
@@ -15246,17 +13962,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Zip File"; flow:esta
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017295; rev:6; metadata:created_at 2013_08_06, updated_at 2013_08_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017295; rev:6; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017693; rev:2; metadata:created_at 2013_11_07, updated_at 2013_11_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:5; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2013_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:4; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
@@ -15310,7 +14026,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Word D
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:exploit-kit; sid:2017698; rev:2; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2013_11_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:exploit-kit; sid:2017698; rev:2; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2013_11_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -15342,39 +14058,35 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0d
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2; metadata:created_at 2013_11_13, former_category CURRENT_EVENTS, updated_at 2013_11_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2; metadata:created_at 2013_11_14, former_category CURRENT_EVENTS, updated_at 2013_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:4; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:4; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_13, updated_at 2013_11_13;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-alert icmp any any -> any any (msg:"ET MALWARE PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:command-and-control; sid:2017724; rev:3; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2013_11_14;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:command-and-control; sid:2017728; rev:2; metadata:created_at 2013_11_19, former_category MALWARE, updated_at 2013_11_19;)
+alert icmp any any -> any any (msg:"ET MALWARE PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:command-and-control; sid:2017724; rev:3; metadata:created_at 2013_11_15, former_category MALWARE, updated_at 2013_11_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"SomeOrganizationalUnit"; classtype:policy-violation; sid:2013659; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_09_15, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:command-and-control; sid:2017728; rev:2; metadata:created_at 2013_11_20, former_category MALWARE, updated_at 2013_11_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016142; rev:3; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016860; rev:18; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2013_05_16;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern:15,20; distance:0; content:"value"; nocase;  distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017075; rev:5; metadata:created_at 2013_06_27, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016860; rev:18; metadata:created_at 2013_05_17, former_category CURRENT_EVENTS, updated_at 2013_05_17;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017110; rev:7; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2013_07_05;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017116; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
 
-alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET MALWARE Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
+alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET MALWARE Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_16, updated_at 2013_11_16;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:exploit-kit; sid:2017735; rev:4; metadata:created_at 2013_11_21, former_category CURRENT_EVENTS, updated_at 2013_11_21;)
 
@@ -15386,11 +14098,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Whit
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:exploit-kit; sid:2017744; rev:2; metadata:created_at 2013_11_21, former_category CURRENT_EVENTS, updated_at 2013_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:exploit-kit; sid:2017744; rev:2; metadata:created_at 2013_11_22, former_category CURRENT_EVENTS, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:exploit-kit; sid:2016057; rev:8; metadata:created_at 2012_12_18, former_category EXPLOIT_KIT, updated_at 2012_12_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:exploit-kit; sid:2016057; rev:8; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
@@ -15410,21 +14122,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java R
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2014751; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
@@ -15436,21 +14148,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS Com
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
+#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:exploit-kit; sid:2017786; rev:2; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:exploit-kit; sid:2017786; rev:2; metadata:created_at 2013_11_28, former_category CURRENT_EVENTS, updated_at 2013_11_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4; metadata:created_at 2013_11_29, updated_at 2013_11_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4; metadata:created_at 2013_11_30, updated_at 2013_11_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:exploit-kit; sid:2017794; rev:2; metadata:created_at 2013_12_04, former_category CURRENT_EVENTS, updated_at 2013_12_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:exploit-kit; sid:2017794; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:exploit-kit; sid:2017795; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:exploit-kit; sid:2017795; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:exploit-kit; sid:2017797; rev:2; metadata:created_at 2013_12_04, former_category CURRENT_EVENTS, updated_at 2013_12_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:exploit-kit; sid:2017797; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015888; rev:8; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
 
@@ -15462,47 +14174,45 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS Com
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:exploit-kit; sid:2017815; rev:2; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:exploit-kit; sid:2017759; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016520; rev:3; metadata:created_at 2013_03_04, former_category EXPLOIT_KIT, updated_at 2013_03_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016520; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2013_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017740; rev:3; metadata:created_at 2013_11_21, former_category EXPLOIT_KIT, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017740; rev:3; metadata:created_at 2013_11_22, former_category EXPLOIT_KIT, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:exploit-kit; sid:2017819; rev:5; metadata:created_at 2013_12_09, former_category CURRENT_EVENTS, updated_at 2013_12_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:exploit-kit; sid:2017819; rev:5; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:exploit-kit; sid:2017823; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:exploit-kit; sid:2017823; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_09, updated_at 2013_12_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:exploit-kit; sid:2016090; rev:3; metadata:created_at 2012_12_27, former_category CURRENT_EVENTS, updated_at 2012_12_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:exploit-kit; sid:2016090; rev:3; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; file_data; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:3; metadata:created_at 2013_12_11, updated_at 2013_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:3; metadata:created_at 2013_12_12, updated_at 2013_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017840; rev:3; metadata:created_at 2013_12_11, former_category EXPLOIT_KIT, updated_at 2013_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017840; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017844; rev:3; metadata:created_at 2013_12_11, former_category EXPLOIT_KIT, updated_at 2013_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017844; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:exploit-kit; sid:2017796; rev:3; metadata:created_at 2013_12_04, former_category CURRENT_EVENTS, updated_at 2013_12_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:exploit-kit; sid:2017796; rev:3; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
@@ -15514,65 +14224,61 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible CVE-
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:exploit-kit; sid:2017851; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern:6,20; content:"|3a|stroke"; nocase; classtype:exploit-kit; sid:2017852; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:exploit-kit; sid:2017826; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern:6,20; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017634; rev:7; metadata:created_at 2013_10_25, former_category EXPLOIT_KIT, updated_at 2013_10_25;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:exploit-kit; sid:2017826; rev:3; metadata:created_at 2013_12_09, former_category CURRENT_EVENTS, updated_at 2013_12_09;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:exploit-kit; sid:2017827; rev:6; metadata:created_at 2013_12_09, former_category CURRENT_EVENTS, updated_at 2013_12_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:exploit-kit; sid:2017827; rev:6; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:targeted-activity; sid:2016451; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017861; rev:3; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017872; rev:2; metadata:created_at 2013_12_16, former_category COINMINER, updated_at 2013_12_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017872; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:coin-mining; sid:2017874; rev:2; metadata:created_at 2013_12_16, former_category COINMINER, updated_at 2013_12_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:coin-mining; sid:2017874; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:exploit-kit; sid:2011544; rev:7; metadata:created_at 2010_09_27, former_category MALWARE, updated_at 2010_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017873; rev:3; metadata:created_at 2013_12_16, former_category COINMINER, updated_at 2013_12_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017873; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017878; rev:3; metadata:created_at 2013_12_17, former_category COINMINER, updated_at 2013_12_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017878; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017879; rev:3; metadata:created_at 2013_12_17, former_category COINMINER, updated_at 2013_12_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017879; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"Mozilla Gecko Firefox 25"; http_user_agent; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017883; rev:3; metadata:created_at 2013_12_18, updated_at 2013_12_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"Mozilla Gecko Firefox 25"; http_user_agent; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017883; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_19, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_19, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_19, former_category INFO, updated_at 2013_12_19;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_19, former_category INFO, updated_at 2013_12_19;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_19, former_category INFO, updated_at 2013_12_19;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_19, former_category INFO, updated_at 2013_12_19;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_19, former_category INFO, updated_at 2013_12_19;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_19, former_category INFO, updated_at 2013_12_19;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:command-and-control; sid:2017891; rev:2; metadata:created_at 2013_12_19, former_category MALWARE, updated_at 2013_12_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:command-and-control; sid:2017891; rev:2; metadata:created_at 2013_12_20, former_category MALWARE, updated_at 2013_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017893; rev:4; metadata:created_at 2013_12_20, updated_at 2013_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017893; rev:4; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017894; rev:3; metadata:created_at 2013_12_20, updated_at 2013_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017894; rev:3; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_23, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category MALWARE, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category MALWARE, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017901; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017901; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:exploit-kit; sid:2017904; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:exploit-kit; sid:2017904; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3; metadata:created_at 2013_12_26, updated_at 2013_12_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2; metadata:created_at 2013_12_26, updated_at 2013_12_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4; metadata:created_at 2013_12_23, former_category INFO, updated_at 2013_12_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4; metadata:created_at 2013_12_24, former_category INFO, updated_at 2013_12_24;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017908; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
 
@@ -15582,31 +14288,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - unco
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:to_server,established; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:to_server,established; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:command-and-control; sid:2017914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:to_server,established; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017915; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
-
-alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|3b 20|Antivir"; http_user_agent; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:pup-activity; sid:2008549; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
-
-alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; content:"|00 16|bridges.torproject.org"; nocase; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:to_server,established; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:command-and-control; sid:2017944; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -15632,43 +14328,41 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin (3)"; flow:established,to_server; content:"a="; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:command-and-control; sid:2007862; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_10, updated_at 2014_01_10;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:exploit-kit; sid:2017953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:exploit-kit; sid:2017954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:exploit-kit; sid:2017953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:exploit-kit; sid:2017955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:exploit-kit; sid:2017954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:exploit-kit; sid:2017956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:exploit-kit; sid:2017955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:exploit-kit; sid:2017957; rev:2; metadata:created_at 2014_01_10, updated_at 2014_01_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:exploit-kit; sid:2017956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body;  pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P";  flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016853; rev:15; metadata:created_at 2013_05_15, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:exploit-kit; sid:2017957; rev:2; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
 
 #alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET DELETED Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:exploit-kit; sid:2017958; rev:2; metadata:created_at 2014_01_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET MALWARE Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:command-and-control; sid:2017922; rev:3; metadata:created_at 2014_01_02, former_category MALWARE, updated_at 2014_01_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET MALWARE Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:command-and-control; sid:2017922; rev:3; metadata:created_at 2014_01_03, former_category MALWARE, updated_at 2014_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0; reference:url,doc.emergingthreats.net/2010789; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,doc.emergingthreats.net/2010789; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:md5,2b8a408b56eaf3ce0198c9d1d8a75ec0; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_15, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2017732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2017732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017985; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
@@ -15676,12 +14370,10 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigni
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2; metadata:created_at 2014_01_17, former_category CURRENT_EVENTS, updated_at 2014_01_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:exploit-kit; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:exploit-kit; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:exploit-kit; sid:2017569; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>";  content:"soft apple.";  fast_pattern; distance:0; content:"</title>"; distance:0;  content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:exploit-kit; sid:2017729; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017989; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
@@ -15698,45 +14390,25 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/Jacksbot Chec
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:5; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:3; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:to_server,established; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018007; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:3; metadata:created_at 2014_01_23, updated_at 2014_01_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:exploit-kit; sid:2018011; rev:2; metadata:created_at 2014_01_24, former_category CURRENT_EVENTS, updated_at 2014_01_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; http_header; pcre:"/^([\x7f-\xff]){100}/HRi"; reference:md5,176638536e926019e3e79370777d5e03; classtype:pup-activity; sid:2017982; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:command-and-control; sid:2018013; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern:9,20; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern:4,20; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2018027; rev:2; metadata:created_at 2014_01_27, former_category MALWARE, updated_at 2014_01_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2018027; rev:2; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2014_01_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2014_01_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:command-and-control; sid:2018032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:command-and-control; sid:2018034; rev:1; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2014_01_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern:9,9; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:command-and-control; sid:2018033; rev:3; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2014_01_29;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4; metadata:created_at 2014_01_29, former_category CURRENT_EVENTS, updated_at 2014_01_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2014_01_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:social-engineering; sid:2018043; rev:2; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5; metadata:created_at 2014_01_29, updated_at 2014_01_29;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:to_server,established; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:command-and-control; sid:2017974; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:to_server,established; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:command-and-control; sid:2018054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern:15,20; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:1; metadata:created_at 2014_02_03, former_category MALWARE, updated_at 2014_02_03;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22"; flow:to_server,established; dsize:>11; content:"|7d 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018069; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
 
 #alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014373; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
@@ -15748,27 +14420,17 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-18,relative,little,from_beginning, post_offset 1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?.{2}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2018075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24"; flow:to_server,established; dsize:>11; content:"|7c 9f|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7c\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,0be9e3f4507a8ee23bb0c2b6c218d1cc; classtype:command-and-control; sid:2018076; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26"; flow:to_server,established; dsize:>11; content:"|71 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x71\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,b316680fd2578a2781ee9497888bd1e4; classtype:command-and-control; sid:2018085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Control Panel Applet File Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"CPlApplet"; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/bb776392%28v=vs.85%29.aspx; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf; classtype:policy-violation; sid:2018087; rev:2; metadata:created_at 2014_02_06, updated_at 2014_02_06;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:exploit-kit; sid:2018091; rev:2; metadata:created_at 2014_02_06, updated_at 2014_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:2; metadata:created_at 2014_02_06, updated_at 2014_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:exploit-kit; sid:2018091; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25"; flow:to_server,established; dsize:>11; content:"|7a 5d|"; offset:8; byte_jump:4,-12,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{10}\x7a\x5d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,794eac549f98320b818037b8074da320; classtype:command-and-control; sid:2018077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:pup-activity; sid:2018099; rev:2; metadata:created_at 2014_02_10, former_category ADWARE_PUP, updated_at 2014_02_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:pup-activity; sid:2018099; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_10, former_category CURRENT_EVENTS, updated_at 2014_02_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE FTP File Upload - BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content:".txt"; pcre:"/data_\d{4}_\d{1,2}_\d{1,2}_\d{1,2}_\d{1,2}\.txt/"; reference:url,www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/; classtype:trojan-activity; sid:2018115; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
@@ -15778,77 +14440,73 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Sality.bh Checkin"; flow:to_server,established; content:"/logo.gif?"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50728)|0d 0a|Host|3a| "; http_header; pcre:"/\x2flogo\x2egif\x3f([0-9a-z]){5}\x3d\d{6,7}/U"; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:md5,c15f4fe2e180150dc511aa64427404c5; classtype:trojan-activity; sid:2018111; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3; metadata:created_at 2014_02_12, former_category CURRENT_EVENTS, updated_at 2014_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:exploit-kit; sid:2018127; rev:3; metadata:created_at 2014_02_12, former_category CURRENT_EVENTS, updated_at 2014_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:exploit-kit; sid:2018127; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014844; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2012_06_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014844; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:exploit-kit; sid:2014845; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2012_06_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:exploit-kit; sid:2014845; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4; metadata:created_at 2014_01_29, updated_at 2014_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.*"; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_10, former_category CURRENT_EVENTS, updated_at 2014_02_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:2; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:2; metadata:created_at 2014_02_15, updated_at 2014_02_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Torrent Client User-Agent (Solid Core/0.82)"; flow:to_server,established; content:"User-Agent|3a| Solid Core/"; http_header; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b; classtype:policy-violation; sid:2013869; rev:7; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:pup-activity; sid:2018149; rev:3; metadata:created_at 2014_02_17, former_category ADWARE_PUP, updated_at 2014_02_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:pup-activity; sid:2018149; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:command-and-control; sid:2018151; rev:2; metadata:created_at 2014_02_17, updated_at 2014_02_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:command-and-control; sid:2018151; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
-alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)
+alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:5; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:5; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:exploit-kit; sid:2018161; rev:2; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:exploit-kit; sid:2018161; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018163; rev:2; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018163; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28"; flow:to_server,established; dsize:>11; content:"|7f 9b|"; offset:8; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,52849773bc0d08eb9dfcb0df2b7caf33; classtype:command-and-control; sid:2018166; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1; metadata:created_at 2014_02_21, updated_at 2014_02_21;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:command-and-control; sid:2018167; rev:1; metadata:created_at 2014_02_21, former_category MALWARE, updated_at 2014_02_21;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:command-and-control; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7c\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,29aabeba14f6b5950edcd2a5d99acc94; classtype:command-and-control; sid:2018153; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2; metadata:created_at 2014_02_25, former_category CURRENT_EVENTS, updated_at 2014_02_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5; metadata:created_at 2014_02_25, updated_at 2014_02_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4; metadata:created_at 2014_02_25, updated_at 2014_02_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_12, former_category CURRENT_EVENTS, updated_at 2014_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018185; rev:1; metadata:created_at 2014_02_26, former_category MALWARE, updated_at 2014_02_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018185; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018186; rev:1; metadata:created_at 2014_02_26, former_category MALWARE, updated_at 2014_02_26;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018186; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018187; rev:1; metadata:created_at 2014_02_26, former_category MALWARE, updated_at 2014_02_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018187; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018188; rev:1; metadata:created_at 2014_02_26, former_category MALWARE, updated_at 2014_02_26;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018188; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_user_agent; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:6; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_user_agent; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:6; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:3; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
@@ -15856,39 +14514,35 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:3; metadata:created_at 2014_02_28, former_category CURRENT_EVENTS, updated_at 2014_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:exploit-kit; sid:2018206; rev:2; metadata:created_at 2014_03_04, former_category CURRENT_EVENTS, updated_at 2014_03_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:exploit-kit; sid:2018206; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:exploit-kit; sid:2018207; rev:2; metadata:created_at 2014_03_04, former_category CURRENT_EVENTS, updated_at 2014_03_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:exploit-kit; sid:2018207; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018209; rev:7; metadata:created_at 2014_03_04, former_category CURRENT_EVENTS, updated_at 2014_03_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018209; rev:7; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018225; rev:2; metadata:created_at 2014_03_05, former_category EXPLOIT_KIT, updated_at 2014_03_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018225; rev:2; metadata:created_at 2014_03_06, former_category EXPLOIT_KIT, updated_at 2014_03_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:2; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2014_03_06;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkshell.A Checkin XOR C0 Win XP"; flow:to_server,established; dsize:<512; content:"|e0 e0 e0 e0 97 89 8e 84 8f|"; content:"|98 90 e0|"; distance:2; within:3; classtype:command-and-control; sid:2018229; rev:2; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2014_03_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:command-and-control; sid:2018154; rev:3; metadata:created_at 2014_02_18, former_category MALWARE, updated_at 2014_02_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:command-and-control; sid:2018154; rev:3; metadata:created_at 2014_02_19, former_category MALWARE, updated_at 2014_02_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:pup-activity; sid:2008474; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_11, former_category EXPLOIT_KIT, updated_at 2013_04_11;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2014_03_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_12, former_category EXPLOIT_KIT, updated_at 2013_04_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:exploit-kit; sid:2018236; rev:2; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2014_03_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018237; rev:2; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2014_03_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:exploit-kit; sid:2018236; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018238; rev:4; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2014_03_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018237; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018239; rev:2; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2014_03_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018238; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018240; rev:2; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2014_03_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018239; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response"; flow:established,from_server; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018243; rev:2; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; file_data; content:"|3c|mega http|2d|equiv|3d|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018244; rev:2; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018240; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Havex Rat Check-in URI Struct"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a 20|"; content:".php?id"; http_uri; content:"&v1="; http_uri; content:"&v2="; http_uri; content:"&q="; http_uri; pcre:"/\.php\?id=[A-F0-9]+\-[A-F0-9]+&v1=[A-F0-9]+&v2=[A-F0-9]+&q=[A-F0-9]+$/U"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018251; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)
 
@@ -15896,9 +14550,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Ser
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018261; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2; metadata:created_at 2014_03_12, former_category CURRENT_EVENTS, updated_at 2014_03_12;)
+#alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2; metadata:created_at 2014_03_13, former_category CURRENT_EVENTS, updated_at 2014_03_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017064; rev:18; metadata:created_at 2013_06_25, former_category EXPLOIT_KIT, updated_at 2013_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017064; rev:18; metadata:created_at 2013_06_25, former_category EXPLOIT_KIT, updated_at 2013_06_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018260; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -15906,23 +14560,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goo
 
 alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self-Signed Cert Observed in Various Zbot Strains"; flow:established,from_server; content:"|55 04 0a 13 02|XX"; content:"|55 04 0a 13 02|XX"; distance:0; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:2; metadata:created_at 2014_03_17, updated_at 2014_03_17;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3; metadata:created_at 2014_03_17, updated_at 2014_03_17;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7d\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2018287; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_03_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
 alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET MALWARE Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_12, updated_at 2014_03_12;)
+#alert tcp any any -> any $SSH_PORTS (msg:"ET MALWARE Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_13, updated_at 2014_03_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:command-and-control; sid:2017417; rev:9; metadata:created_at 2012_07_30, former_category MALWARE, updated_at 2012_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:command-and-control; sid:2017417; rev:9; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -15940,19 +14590,15 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL C
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET MALWARE MultiThreat/Winspy.RAT FTP File Download Command"; flow:established,to_server; dsize:>0; content:"/CD |5C 5C 5C|"; depth:9; pcre:"/^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS)/Ri"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018294; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (3) "; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018297; rev:2; metadata:created_at 2014_03_20, updated_at 2014_03_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (3)"; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018297; rev:2; metadata:created_at 2014_03_20, former_category EXPLOIT_KIT, updated_at 2014_03_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:exploit-kit; sid:2018298; rev:3; metadata:created_at 2014_03_20, updated_at 2014_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Stoberox.B"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"Host|3a|"; http_header; depth:5; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Accept-Encoding|3a 20|none|0d 0a|"; http_header; fast_pattern:3,20; content:!"Referer"; http_header; pcre:"/^[a-zA-Z0-9\+\/]+={0,2}$/P"; reference:md5,6ca1690720b3726bc76ef0e7310c9ee7; classtype:trojan-activity; sid:2018300; rev:3; metadata:created_at 2014_03_20, former_category MALWARE, updated_at 2014_03_20;)
-
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 3"; flow:from_server,established; file_data; content:"c=rdl&u=";  depth:8; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015904; rev:6; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2020_08_20;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_25, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
 
@@ -15968,15 +14614,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc"; fl
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:command-and-control; sid:2018325; rev:3; metadata:created_at 2014_03_26, former_category MALWARE, updated_at 2014_03_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:command-and-control; sid:2018328; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:command-and-control; sid:2018328; rev:2; metadata:created_at 2014_03_27, updated_at 2014_03_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:2; metadata:created_at 2014_03_27, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:2; metadata:created_at 2014_03_28, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:2; metadata:created_at 2014_03_31, former_category INFO, updated_at 2014_03_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2014_03_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018338; rev:3; metadata:created_at 2014_03_31, former_category ADWARE_PUP, updated_at 2014_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018338; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018339; rev:3; metadata:created_at 2014_03_31, former_category ADWARE_PUP, updated_at 2014_03_31;)
 
@@ -15984,23 +14630,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish -
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; http_user_agent; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:exploit-kit; sid:2018342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:exploit-kit; sid:2018342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:3; metadata:created_at 2014_04_01, former_category CURRENT_EVENTS, updated_at 2014_04_01;)
+#alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:3; metadata:created_at 2014_04_02, former_category CURRENT_EVENTS, updated_at 2014_04_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:exploit-kit; sid:2018346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:exploit-kit; sid:2018346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3; metadata:created_at 2014_04_01, updated_at 2014_04_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3; metadata:created_at 2014_04_02, updated_at 2014_04_02;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"MyWay"; http_user_agent; reference:url,doc.emergingthreats.net/2002079; reference:url,www.funwebproducts.com; classtype:pup-activity; sid:2002079; rev:19; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016541; rev:4; metadata:created_at 2013_03_05, updated_at 2013_03_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"Opera/9 (Windows NT "; http_user_agent; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:5; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016541; rev:4; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:"nethelper"; http_user_agent; fast_pattern:only; pcre:"/\bnethelper\b/Vi";  reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:15; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"Opera/9 (Windows NT "; http_user_agent; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:5; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
@@ -16012,16 +14656,14 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/Grand
 
 #alert http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-#alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_03, updated_at 2014_04_03;)
+#alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_04, updated_at 2014_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2014_04_04;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:exploit-kit; sid:2018363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity 2"; flow:established,to_server; content:"?phid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&nn="; nocase; http_uri; content:"User-Agent|3a| z|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; classtype:trojan-activity; sid:2002780; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; content:"|55 04 03|"; byte_test:1,>,11,1,relative; byte_test:1,<,14,1,relative; content:"ssl"; distance:2; within:3; pcre:"/^\d{1,2}/R"; content:".ovh.net"; within:8; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category POLICY, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CWS Related Installer"; flow:established,to_server; content:"/image_tracker.php?l="; http_uri; fast_pattern:only; content:"&x="; http_uri; content:"&deptid="; distance:0; http_uri; content:"&page"; distance:0; http_uri; content:"&unique="; distance:0; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; classtype:trojan-activity; sid:2002932; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
@@ -16036,37 +14678,37 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER W
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:pup-activity; sid:2010500; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:pup-activity; sid:2010501; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:exploit-kit; sid:2017031; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:exploit-kit; sid:2017031; rev:3; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3; metadata:created_at 2014_02_19, former_category CURRENT_EVENTS, updated_at 2014_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3; metadata:created_at 2014_02_20, former_category CURRENT_EVENTS, updated_at 2014_02_20;)
 
 alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP authorized_keys file transferred"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:2101927; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
 #alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16076,33 +14718,27 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trojan-Gypikon
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"2search"; http_user_agent; fast_pattern:only; reference:url,doc.emergingthreats.net/2003335; classtype:trojan-activity; sid:2003335; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:to_server,established; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017935; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET"; http_method; content:"/stat/tuk/"; http_uri; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2012_05_16;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014759; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE cryptodefense Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| multipart/form-data|3b 20|boundary="; pcre:"/^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27]/Rsi"; content:!"Referer"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:"filename="; fast_pattern:only; http_client_body; content:"form-data|3b| name="; pcre:"/^[\x22\x27][a-z][\x27\x22]/Ri"; classtype:command-and-control; sid:2018386; rev:2; metadata:created_at 2014_04_14, former_category MALWARE, updated_at 2014_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET MALWARE Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:command-and-control; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET MALWARE Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:command-and-control; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_17, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus js.js"; flow:established,to_server; content:"/js.js"; http_uri; urilen:15; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/js\.js$/U"; classtype:bad-unknown; sid:2014629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:command-and-control; sid:2018390; rev:1; metadata:created_at 2014_04_15, former_category MALWARE, updated_at 2014_04_15;)
-
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO BrowseTor .onion Proxy Service SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|*.browsetor.com"; nocase; distance:1; within:16; classtype:bad-unknown; sid:2018396; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:command-and-control; sid:2018390; rev:1; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2014_04_16;)
 
 alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2web."; nocase; distance:2; within:10; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:2; metadata:created_at 2014_04_17, updated_at 2014_04_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_04_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:command-and-control; sid:2016857; rev:3; metadata:created_at 2013_05_15, updated_at 2013_05_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:command-and-control; sid:2016857; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Inbox View"; flow:to_server,established; content:"/ym/ShowFolder"; http_uri; nocase; content:"rb=Inbox"; nocase; reference:url,doc.emergingthreats.net/2000041; classtype:policy-violation; sid:2000041; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16110,7 +14746,7 @@ alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Tor2Web .onion Proxy
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Compose Open"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000043; classtype:policy-violation; sid:2000043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_08, updated_at 2014_01_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_09, updated_at 2014_01_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; content:"for("; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\x29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:4; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
 
@@ -16118,17 +14754,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.avan"; flow:to_server,established; content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_22, former_category CURRENT_EVENTS, updated_at 2014_04_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:exploit-kit; sid:2018409; rev:2; metadata:created_at 2014_04_22, former_category EXPLOIT_KIT, updated_at 2014_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:exploit-kit; sid:2018409; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_22, former_category CURRENT_EVENTS, updated_at 2014_04_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2018411; rev:2; metadata:created_at 2014_04_22, former_category EXPLOIT_KIT, updated_at 2014_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2018411; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:exploit-kit; sid:2013094; rev:9; metadata:created_at 2011_06_22, former_category CURRENT_EVENTS, updated_at 2011_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:command-and-control; sid:2013720; rev:5; metadata:created_at 2011_09_30, former_category MALWARE, updated_at 2011_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:command-and-control; sid:2013720; rev:5; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; classtype:command-and-control; sid:2013344; rev:5; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
@@ -16140,11 +14776,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_23, updated_at 2014_04_23;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_24, updated_at 2014_04_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:command-and-control; sid:2014272; rev:3; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:command-and-control; sid:2014272; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:command-and-control; sid:2014271; rev:3; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:command-and-control; sid:2014271; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
 
 alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
@@ -16166,13 +14802,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Crysta
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download April 28 2014"; flow:established,from_server; file_data; content:"|ff d1 4e 8d|"; within:4; classtype:trojan-activity; sid:2018422; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.msn.com)"; flow:established,to_server; dsize:37; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.msn.com|0d 0a 0d 0a|"; distance:1; within:23; fast_pattern:3,20; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018431; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.bing.com)"; flow:established,to_server; dsize:38; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.bing.com|0d 0a 0d 0a|"; distance:1; within:24; fast_pattern:4,20; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018432; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.yahoo.com)"; flow:established,to_server; dsize:39; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.yahoo.com|0d 0a 0d 0a|"; distance:1; within:25; fast_pattern:5,20; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018433; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4; metadata:created_at 2014_04_30, former_category CURRENT_EVENTS, updated_at 2014_04_30;)
 
@@ -16186,27 +14816,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:exploit-kit; sid:2018441; rev:10; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015846; rev:3; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015846; rev:3; metadata:created_at 2012_10_27, updated_at 2012_10_27;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:command-and-control; sid:2014356; rev:5; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"umbra"; depth:5; nocase; http_user_agent; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake loc)"; flow:established,from_server; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"; classtype:trojan-activity; sid:2018457; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET ADWARE_PUP DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern:14,20; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:pup-activity; sid:2018458; rev:3; metadata:created_at 2014_05_09, former_category ADWARE_PUP, updated_at 2014_05_09;)
-
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; file_data; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:2; metadata:created_at 2014_05_09, former_category WEB_SERVER, updated_at 2014_05_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:3; metadata:created_at 2011_09_30, former_category MALWARE, updated_at 2011_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:4; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:4; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DELETED SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16222,31 +14848,27 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:exploit-kit; sid:2018472; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:command-and-control; sid:2018473; rev:2; metadata:created_at 2014_05_14, updated_at 2014_05_14;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED 360safe.com related Fake Security Product Update"; flow:established,to_server;  content:"GET"; nocase; http_method; content:"/?fixtool="; fast_pattern; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:command-and-control; sid:2018473; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED TROJAN Downloader.Win32.Tesch.A Client CnC Checkin"; flow:established,to_server; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018476; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_15, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply"; flow:established,to_client; content:"|02 00 06|"; depth:3; content:"|01 BB|"; distance:4; within:2; fast_pattern; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018477; rev:1; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2014_05_15;)
-
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_16, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Webprefix checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^Accept\x3a\x20\*\/\*\r\nConnection\x3a\x20close\r\nHost\x3a\x20[^\r\n\x2e]+\x2e[^\r\n\x2e]+(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/H"; reference:md5,8284c2202342102000ae9a04dd07bb76; classtype:command-and-control; sid:2018481; rev:8; metadata:created_at 2012_01_23, former_category MALWARE, updated_at 2017_11_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_18, updated_at 2014_05_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_18, updated_at 2014_05_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_18, updated_at 2014_05_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_20, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_21, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_05_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"update"; depth:6; http_user_agent; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:pup-activity; sid:2001225; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
@@ -16254,47 +14876,45 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran E
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:exploit-kit; sid:2018501; rev:2; metadata:created_at 2014_05_27, former_category CURRENT_EVENTS, updated_at 2014_05_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:exploit-kit; sid:2018501; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:exploit-kit; sid:2018502; rev:2; metadata:created_at 2014_05_27, former_category CURRENT_EVENTS, updated_at 2014_05_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:exploit-kit; sid:2018502; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:exploit-kit; sid:2018503; rev:2; metadata:created_at 2014_05_27, former_category CURRENT_EVENTS, updated_at 2014_05_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:exploit-kit; sid:2018503; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:4; metadata:created_at 2014_05_12, former_category MALWARE, updated_at 2014_05_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:4; metadata:created_at 2014_05_13, former_category MALWARE, updated_at 2014_05_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_28, updated_at 2014_05_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_29, updated_at 2014_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:command-and-control; sid:2018424; rev:4; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:command-and-control; sid:2018424; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018510; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018510; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_30, deployment Perimeter, former_category TROJAN, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category TROJAN, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:2; metadata:created_at 2014_06_02, former_category CURRENT_EVENTS, updated_at 2014_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018330; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
-
-alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018330; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:exploit-kit; sid:2018535; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:exploit-kit; sid:2018536; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Java Jar "; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:exploit-kit; sid:2017467; rev:4; metadata:created_at 2013_09_16, former_category CURRENT_EVENTS, updated_at 2013_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Java Jar"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:exploit-kit; sid:2017467; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
 alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET INFO tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET MALWARE TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:created_at 2014_06_06, former_category CURRENT_EVENTS, updated_at 2014_06_06;)
+#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET MALWARE TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; file_data; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:exploit-kit; sid:2018544; rev:2; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2014_06_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:created_at 2014_06_10, updated_at 2014_06_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; pcre:"/module=[^\;]*\;.*\"/UGi"; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16316,13 +14936,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:exploit-kit; sid:2018564; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_16, updated_at 2014_06_16;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_16, updated_at 2014_06_16;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) "; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:2; metadata:created_at 2014_06_16, former_category MALWARE, updated_at 2014_06_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)"; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:2; metadata:created_at 2014_06_17, former_category HUNTING, updated_at 2014_06_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:exploit-kit; sid:2018573; rev:3; metadata:created_at 2014_06_16, former_category CURRENT_EVENTS, updated_at 2014_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:exploit-kit; sid:2018573; rev:3; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:exploit-kit; sid:2018577; rev:2; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
 
@@ -16334,55 +14954,41 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable D
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008772; classtype:trojan-activity; sid:2008772; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018583; rev:4; metadata:created_at 2014_06_19, former_category CURRENT_EVENTS, updated_at 2014_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018583; rev:4; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:4; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2014_02_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018593; rev:2; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:exploit-kit; sid:2018595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_06_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:exploit-kit; sid:2018595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_06_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
 #alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET DELETED EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; classtype:attempted-dos; sid:2000381; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4; metadata:created_at 2014_05_07, former_category CURRENT_EVENTS, updated_at 2014_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4; metadata:created_at 2014_05_08, former_category CURRENT_EVENTS, updated_at 2014_05_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:exploit-kit; sid:2018613; rev:3; metadata:created_at 2014_06_27, former_category CURRENT_EVENTS, updated_at 2014_06_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:exploit-kit; sid:2018613; rev:3; metadata:created_at 2014_06_28, former_category CURRENT_EVENTS, updated_at 2014_06_28;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018616; rev:1; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2014_06_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:exploit-kit; sid:2016059; rev:14; metadata:created_at 2012_12_18, former_category EXPLOIT_KIT, updated_at 2012_12_18;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase;  http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:pup-activity; sid:2003606; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:exploit-kit; sid:2016059; rev:14; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:" Alexa Toolbar|3b|"; http_header; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,doc.emergingthreats.net/2002166; classtype:trojan-activity; sid:2002166; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:exploit-kit; sid:2018606; rev:4; metadata:created_at 2014_06_25, former_category CURRENT_EVENTS, updated_at 2014_06_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:exploit-kit; sid:2018493; rev:4; metadata:created_at 2014_05_20, former_category CURRENT_EVENTS, updated_at 2014_05_20;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2"; flow:established,to_server; dsize:51; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; classtype:command-and-control; sid:2018620; rev:5; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2014_07_01;)
-
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:exploit-kit; sid:2018606; rev:4; metadata:created_at 2014_06_26, former_category CURRENT_EVENTS, updated_at 2014_06_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|02 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018624; rev:5; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2014_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:exploit-kit; sid:2018493; rev:4; metadata:created_at 2014_05_21, former_category CURRENT_EVENTS, updated_at 2014_05_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018625; rev:5; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2014_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_01, updated_at 2014_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018625; rev:5; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2014_07_02;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:to_server,established; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xda/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:command-and-control; sid:2018636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:to_server,established; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:command-and-control; sid:2018637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:to_server,established; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa5/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:command-and-control; sid:2018638; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:command-and-control; sid:2018639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:command-and-control; sid:2018645; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2014_07_07;)
 
@@ -16390,17 +14996,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert July 7 2014"; flow:established,from_server; content:"|16 03 00|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"smalbach2424@hotmail.com"; distance:2; within:24; reference:md5,52084660d2ae0ee8f033621a9252cfb9; classtype:trojan-activity; sid:2018651; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Jar Download Method 2"; flow:established,from_server; content:"Content-Type|3a 20|application/octed-stream"; http_header; fast_pattern:18,20; flowbits:isset,ET.http.javaclient; classtype:exploit-kit; sid:2018545; rev:3; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2014_06_09;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:6; metadata:created_at 2014_05_28, updated_at 2014_05_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Enfal.F Checkin via HTTP Post 7"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/Owpp4.cgi"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; content:!"Referer|3a 20|"; pcre:"/^[^\r\n]{15}\x5f[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}/m"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; classtype:trojan-activity; sid:2018665; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2014_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:exploit-kit; sid:2018668; rev:5; metadata:created_at 2014_07_11, former_category CURRENT_EVENTS, updated_at 2014_07_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:exploit-kit; sid:2018668; rev:5; metadata:created_at 2014_07_12, former_category CURRENT_EVENTS, updated_at 2014_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:4; metadata:created_at 2013_07_10, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:4; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
@@ -16414,28 +15018,22 @@ alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:5; metadata:created_at 2014_07_16, former_category CURRENT_EVENTS, updated_at 2014_07_16;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2; metadata:created_at 2014_07_03, updated_at 2014_07_03;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2; metadata:created_at 2014_07_04, updated_at 2014_07_04;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Predator Pain Sending Data over SMTP"; flow:established,to_server; content:"Subject|3a 20|Predator Pain v"; fast_pattern:4,20; reference:md5,e774a7e6ca28487db649458f48230199; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018688; rev:3; metadata:created_at 2014_07_17, updated_at 2014_07_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018692; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET MALWARE Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern:5,20; reference:md5,91f885e08d627097fb1116a3d4634b82; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018017; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018696; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018692; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018696; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018494; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018494; rev:2; metadata:attack_target Client_and_Server, created_at 2014_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:exploit-kit; sid:2018737; rev:2; metadata:created_at 2014_07_18, former_category CURRENT_EVENTS, updated_at 2014_07_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Pain File Stealer sending wallet.dat via SMTP"; flow:to_server,established; content:"Subject|3a| Pain File Stealer"; fast_pattern:9,17; content:"Content|2d|Type|3a 20|application|2f|octet|2d|stream|3b 20|name|3d|wallet.dat"; reference:url,www.cyphort.com/blog/nighthunter-massive-campaign-steal-credentials-revealed; classtype:trojan-activity; sid:2018738; rev:1; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2014_07_18;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:pup-activity; sid:2000908; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:pup-activity; sid:2000909; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
@@ -16472,9 +15070,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Swee
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f4 4b cc 89 9e b7 45 a8|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:md5,55f8682aab1089b68a8a391b927d7a74; classtype:trojan-activity; sid:2018759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:command-and-control; sid:2018767; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018767; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:trojan-activity; sid:2018768; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018768; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
@@ -16488,7 +15086,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious S
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"<!DOCTYPE html PUBLIC"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018745; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018745; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
@@ -16502,11 +15100,9 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious S
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018797; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:command-and-control; sid:2018798; rev:2; metadata:created_at 2014_07_28, former_category MALWARE, updated_at 2014_07_28;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3; metadata:created_at 2014_07_25, updated_at 2014_07_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:command-and-control; sid:2018798; rev:2; metadata:created_at 2014_07_29, former_category MALWARE, updated_at 2014_07_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; content:"|0c 0d|disenart.info"; distance:0; within:15; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018801; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3; metadata:created_at 2014_07_26, updated_at 2014_07_26;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
@@ -16518,9 +15114,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious S
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018786; rev:3; metadata:created_at 2014_07_25, former_category CURRENT_EVENTS, updated_at 2014_07_25;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.G Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|Linux|20|"; offset:2; depth:21; fast_pattern:1,20; pcre:"/^\d/R"; reference:md5,917a2a3d8c30282acbe7b1ff121a4336; classtype:command-and-control; sid:2018808; rev:1; metadata:created_at 2014_07_30, former_category MALWARE, updated_at 2014_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018786; rev:3; metadata:created_at 2014_07_26, former_category CURRENT_EVENTS, updated_at 2014_07_26;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018847; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
@@ -16530,9 +15124,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.G
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:command-and-control; sid:2018852; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:domain-c2; sid:2018852; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:social-engineering; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:social-engineering; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:5; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
@@ -16542,19 +15136,17 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.G
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:to_server,established; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2018880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Command Prompt OUTBOUND"; flow:established,to_server; content:"Microsoft Windows"; content:"[Version|20|"; distance:0; pcre:"/^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration)/Ri"; content:"|0d 0a 0d 0a|C|3a 5c 3e|"; fast_pattern; distance:0; isdataat:!2,relative; classtype:trojan-activity; sid:2018885; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:coin-mining; sid:2018896; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:coin-mining; sid:2018896; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Coinminer, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:exploit-kit; sid:2017474; rev:4; metadata:created_at 2013_09_16, former_category EXPLOIT_KIT, updated_at 2013_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:exploit-kit; sid:2017474; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
@@ -16568,33 +15160,29 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Command Pr
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:5; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
-
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
-
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; tls.fingerprint:"4c:1c:1a:aa:58:80:31:74:58:79:8a:04:db:76:42:8e:ce:55:f1:40"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018703; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30;  reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30;  classtype:misc-activity; sid:2018689; rev:3; metadata:created_at 2014_07_17, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; tls.fingerprint:"4c:1c:1a:aa:58:80:31:74:58:79:8a:04:db:76:42:8e:ce:55:f1:40"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018703; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.HavexSysinfo Response"; flow:from_server,established; file_data; content:"<!--havexhavex-->"; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:2; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018922; rev:2; metadata:created_at 2014_08_11, former_category CURRENT_EVENTS, updated_at 2014_08_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018922; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018923; rev:2; metadata:created_at 2014_08_11, former_category CURRENT_EVENTS, updated_at 2014_08_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018923; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018924; rev:2; metadata:created_at 2014_08_11, former_category CURRENT_EVENTS, updated_at 2014_08_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018924; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; classtype:trojan-activity; sid:2017346; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -16606,21 +15194,21 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRISM Backdoor"; c
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"/ie8910.html"; http_uri; classtype:exploit-kit; sid:2018931; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:command-and-control; sid:2018935; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:domain-c2; sid:2018935; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018939; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018939; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ClickFraud Trojan Socks5 Connection"; flow:to_server,established; content:"socks5init|3a|"; depth:11; threshold: type limit,track by_src, count 1, seconds 300; flowbits:set,ET.2018855; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; classtype:trojan-activity; sid:2018855; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ClickFraud Trojan Socks5 Init Response"; flow:established,from_server; flowbits:isset,ET.2018855; dsize:6<>9; content:"|fe|"; depth:1; content:"|1f|"; distance:4; within:1; reference:md5,de31e17ff4b3791c92a93b72d779e61f; classtype:trojan-activity; sid:2018941; rev:2; metadata:created_at 2014_08_14, updated_at 2014_08_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018942; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018943; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018944; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018944; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018947; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018947; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:exploit-kit; sid:2018950; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
@@ -16640,13 +15228,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRISM Backdoor"; c
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018967; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:trojan-activity; sid:2018748; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:domain-c2; sid:2018748; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16654,9 +15242,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE LDPinch SMTP Passwo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hoic.zip retrieval"; flow:from_server,established; file_data; content:"Hoic/buttons2/PK"; content:"Hoic/buttons2/buttons.rar"; distance:0; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018976; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
 
-alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:url,www.threatexpert.com/report.aspx?md5=e7d9bc670d69ad8a6ad2784255324eec; reference:url,www.threatexpert.com/report.aspx?md5=37207835e128516fe17af3dacc83a00c; classtype:command-and-control; sid:2016913; rev:5; metadata:created_at 2011_05_16, former_category MALWARE, updated_at 2011_05_16;)
+alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:md5,37207835e128516fe17af3dacc83a00c; reference:md5,e7d9bc670d69ad8a6ad2784255324eec; classtype:command-and-control; sid:2016913; rev:5; metadata:created_at 2011_05_17, former_category MALWARE, updated_at 2011_05_17;)
 
 #alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
 
@@ -16664,9 +15252,9 @@ alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32
 
 alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET MALWARE Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:command-and-control; sid:2008029; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:exploit-kit; sid:2014527; rev:4; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2012_04_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:exploit-kit; sid:2014527; rev:4; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018987; rev:4; metadata:created_at 2014_08_22, former_category CURRENT_EVENTS, updated_at 2014_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018987; rev:4; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018988; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
@@ -16682,33 +15270,29 @@ alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET MALWARE Turkojan C&C n
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018997; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net start Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"These Windows services are started|3a 0d|"; fast_pattern:8,16; content:"The command completed successfully|2e|"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019001; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows ipconfig Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Windows IP Configuration|0d|"; fast_pattern:8,16; content:"Ethernet adapter Local Area Connection|3a|"; distance:0; content:"Physical Address"; content:"IP Address"; content:"Subnet Mask"; content:"Default Gateway"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019000; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:exploit-kit; sid:2019004; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:exploit-kit; sid:2019006; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:exploit-kit; sid:2019004; rev:2; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:exploit-kit; sid:2019007; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:exploit-kit; sid:2019006; rev:2; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:exploit-kit; sid:2019007; rev:2; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019008; rev:8; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019008; rev:8; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2017813; rev:9; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019009; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019009; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
+alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
 #alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; classtype:trojan-activity; sid:2000339; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16796,11 +15380,9 @@ alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 bl
 
 #alert tcp any any -> any 9996 (msg:"ET DELETED Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000047; classtype:misc-activity; sid:2000047; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; classtype:trojan-activity; sid:2000594; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018596; rev:3; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2014_06_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:4; metadata:created_at 2014_06_23, updated_at 2014_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:4; metadata:created_at 2014_06_24, updated_at 2014_06_24;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.b"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001056; classtype:misc-activity; sid:2001056; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -16850,8 +15432,6 @@ alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 bl
 
 #alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET DELETED Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; classtype:successful-recon-limited; sid:2002389; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; uricontent:"_SERVER[REMOTE_ADDR]="; nocase; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; classtype:web-application-attack; sid:2002703; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,emerging_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,emerging_wmf_http; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002743; classtype:unknown; sid:2002743; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 3"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002741; classtype:unknown; sid:2002741; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -16872,8 +15452,6 @@ alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 bl
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?exploit"; nocase; reference:url,doc.emergingthreats.net/2002870; classtype:web-application-attack; sid:2002870; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.U Reporting"; flow: to_server,established; uricontent:"/index.php?id="; nocase; uricontent:"cnt="; nocase; uricontent:"&scn="; nocase; uricontent:"&inf="; nocase; uricontent:"&ver="; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; reference:url,doc.emergingthreats.net/2003070; classtype:trojan-activity; sid:2003070; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 4C 24 00 8B 44 24 02 59 59 C3 E8 ED FF FF FF 25 00 00 00 FF 33 C9 3D 00 00 00 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003094; classtype:trojan-activity; sid:2003094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 27 00 C1 FB B5 D5 35 02 E2 C3 D1 66 25 32 BD 83 7F B7 4E 3D 06 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003095; classtype:trojan-activity; sid:2003095; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -16886,8 +15464,6 @@ alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 bl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Post"; flow:to_server,established; uricontent:"/te.aspx?ver="; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; classtype:trojan-activity; sid:2007607; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.P Reporting"; flow: to_server,established; uricontent:"/index.php?id="; nocase; uricontent:"?cnt="; nocase; uricontent:"?scn="; nocase; uricontent:"?inf="; nocase; uricontent:"?ver="; nocase; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2008192; classtype:trojan-activity; sid:2008192; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET DELETED TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; content:"Windows NT "; depth:11; reference:url,doc.emergingthreats.net/2008587; classtype:trojan-activity; sid:2008587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET 1802 -> $HOME_NET any (msg:"ET DELETED TroDjan 2.0 FTP Channel Open Command"; flow:established,to_server; dsize:7; content:"ftpopen"; reference:url,doc.emergingthreats.net/2008588; classtype:trojan-activity; sid:2008588; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -16916,10 +15492,6 @@ alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 bl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Downloader likely malicious payload download src=xrun"; flow:established,to_server; content:"/get?src=xrun"; nocase; content:"Request|3a| "; nocase; http_header; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010821; classtype:trojan-activity; sid:2010821; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet to Server"; flow:established,to_server; dsize:20; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; distance:0; within:4; flowbits:set,ET.onlinegames.ajok; reference:url,doc.emergingthreats.net/2008291; classtype:command-and-control; sid:2008291; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
-
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames.ajok; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; distance:0; within:4; reference:url,doc.emergingthreats.net/2008292; classtype:command-and-control; sid:2008292; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert!!!"; reference:url,doc.emergingthreats.net/2008332; classtype:trojan-activity; sid:2008332; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirtualProtect Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 72 73 72 63|"; content:"|2E 70 61 63 6B 33 32 00|"; within:49; reference:url,bits.packetninjas.org/eblog/?p=3; reference:url,doc.emergingthreats.net/2008509; classtype:trojan-activity; sid:2008509; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -17050,10 +15622,6 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 f3 e5 76 ad 16 4c 88 ff|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019069; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9a a1 97 0b 99 2b 46 07|"; distance:0; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|03|GER"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019070; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -17078,11 +15646,11 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; http_uri; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; classtype:attempted-user; sid:2010281; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010289; classtype:trojan-activity; sid:2010289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010289; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010290; classtype:trojan-activity; sid:2010290; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010290; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010290; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010291; classtype:trojan-activity; sid:2010291; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,doc.emergingthreats.net/2010291; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010291; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"pangolin"; http_user_agent; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
@@ -17106,11 +15674,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Su
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; classtype:trojan-activity; sid:2001015; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019079; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND "; depth:9; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; distance:0; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:md5,af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
@@ -17118,47 +15686,45 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, created_at 2010_11_08, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_08, updated_at 2010_11_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; uricontent:"/exe2.php?wm_id=acc"; classtype:trojan-activity; sid:2011916; rev:3; metadata:created_at 2010_11_09, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; uricontent:"/exe2.php?wm_id=acc"; classtype:trojan-activity; sid:2011916; rev:3; metadata:created_at 2010_11_10, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate";  classtype:trojan-activity; sid:2011919; rev:4; metadata:created_at 2010_11_09, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate";  classtype:trojan-activity; sid:2011919; rev:4; metadata:created_at 2010_11_10, updated_at 2020_08_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:7; metadata:created_at 2010_12_07, updated_at 2010_12_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_10, updated_at 2010_12_10;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; distance:0; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; distance:0; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; distance:0; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:3; metadata:created_at 2010_12_27, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:3; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
 
@@ -17202,8 +15768,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows set Micros
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:to_server,established; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xc3\x70/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:command-and-control; sid:2019083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:command-and-control; sid:2019084; rev:1; metadata:created_at 2014_08_29, former_category MALWARE, updated_at 2014_08_29;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
@@ -17212,17 +15776,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrian Malware Che
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor based locker Ransom Page"; flow:established,to_server; content:"/buy.php?"; http_uri; content:"iet7v4dciocgxhdv."; nocase; fast_pattern; http_header; classtype:trojan-activity; sid:2018873; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3; metadata:created_at 2014_08_29, updated_at 2014_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3; metadata:created_at 2014_08_29, updated_at 2014_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3; metadata:created_at 2014_08_29, updated_at 2014_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:exploit-kit; sid:2019098; rev:2; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:exploit-kit; sid:2019098; rev:2; metadata:created_at 2014_08_29, former_category CURRENT_EVENTS, updated_at 2014_08_29;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:exploit-kit; sid:2019099; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:exploit-kit; sid:2019099; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 #alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
@@ -17238,40 +15800,28 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Arch
 
 #alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007637; classtype:trojan-activity; sid:2007637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:to_server,established; flowbits:isset,ET.gh0stFmly; content:"|78 9c 0b cf cc|"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:exploit-kit; sid:2019005; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:exploit-kit; sid:2019005; rev:3; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:exploit-kit; sid:2019100; rev:3; metadata:created_at 2014_09_02, former_category CURRENT_EVENTS, updated_at 2014_09_02;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010262; classtype:trojan-activity; sid:2010262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2010262; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_03, updated_at 2014_09_03;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019106; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019107; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b2 a7 52 d6 65 0d 28 9f|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019108; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019106; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 c0 04 78 81 0c 5a 2d|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019109; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019107; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 15 14 ca 74 7c 3d 96|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019120; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 11 bb c5 32 1e 9d 79|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019121; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bc 2a 7f f9 ef 67 4e ef|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019122; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
 #alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -17280,9 +15830,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Contr
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:pup-activity; sid:2009809; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a5 72 6e 95 1a 1d 22|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019135; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; content:"DZKS"; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:command-and-control; sid:2014618; rev:3; metadata:created_at 2012_04_19, former_category MALWARE, updated_at 2012_04_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; content:"DZKS"; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:command-and-control; sid:2014618; rev:3; metadata:created_at 2012_04_20, former_category MALWARE, updated_at 2012_04_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)
 
@@ -17290,27 +15838,27 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Frosparf.B
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019147; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019147; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tomcat Successful default credential login from external source"; flow:from_server,established; content:"HTTP/1."; depth:7; content:"200"; http_stat_code; content:"OK"; http_stat_msg; reference:url,tomcat.apache.org; classtype:successful-admin; sid:2009219; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019148; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019148; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019149; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019149; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019150; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019150; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019151; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019151; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019152; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019152; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019153; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019153; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6; metadata:created_at 2012_10_31, updated_at 2012_10_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:4; metadata:created_at 2012_10_31, updated_at 2012_10_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:4; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019154; rev:3; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
 
@@ -17322,7 +15870,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFo
 
 #alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018912; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018912; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
@@ -17352,8 +15900,6 @@ alert tcp any any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Perl.Shellbot.cd IR
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"Cookie|3a| WinSec"; nocase; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; classtype:trojan-activity; sid:2011178; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/Setup_"; nocase; uricontent:".exe"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; classtype:trojan-activity; sid:2010867; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; classtype:attempted-user; sid:2009665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; classtype:attempted-user; sid:2011270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -17364,8 +15910,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Resp
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; http_uri; nocase; classtype:trojan-activity; sid:2010055; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec/197.exe"; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Fake Antivirus Download installpv.exe"; flow:established,to_server; content:"GET"; http_method; content:"/installpv.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010057; classtype:trojan-activity; sid:2010057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Malware Download flash-HQ-plugin exe"; flow:established,to_server; content:"GET"; http_method; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[A-Z0-9]+-plugin\.[A-Z0-9]+\.exe/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; classtype:bad-unknown; sid:2010440; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -17376,18 +15920,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Resp
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Psyb0t Code Download"; flow:established,to_server; uricontent:"/udhcpc.env"; nocase; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; classtype:trojan-activity; sid:2009170; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; classtype:trojan-activity; sid:2009171; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; classtype:trojan-activity; sid:2010234; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2010234; reference:md5,7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010234; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; http_uri; nocase; content:"/qwerce.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; classtype:trojan-activity; sid:2010231; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/werber/"; nocase; uricontent:"/217.gif"; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; classtype:trojan-activity; sid:2010232; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/item/"; nocase; uricontent:"/titem.gif"; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; classtype:trojan-activity; sid:2010233; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; classtype:trojan-activity; sid:2010235; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; classtype:trojan-activity; sid:2010236; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -17396,7 +15934,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Resp
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; classtype:trojan-activity; sid:2010238; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959; reference:url,doc.emergingthreats.net/2010239; classtype:trojan-activity; sid:2010239; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010239; reference:md5,316fd88ac18d21889b1dbf9b979c1959; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010239; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:command-and-control; sid:2008531; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
@@ -17406,21 +15944,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Resp
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:exploit-kit; sid:2011369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:exploit-kit; sid:2011369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; http_header; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; http_header; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, former_category POLICY, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING NewGames.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; uricontent:"/NewGames.jar"; classtype:policy-violation; sid:2011326; rev:3; metadata:created_at 2010_09_28, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:4; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Fragus - landing page delivered"; flow:established,to_client; content:"|0d 0a 0d 0a|var CRYPT={signature|3a|"; classtype:bad-unknown; sid:2011330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -17434,9 +15970,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Resp
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEAV client requesting image - sector.hdd.png"; flow:established,to_server; content:"sector.hdd.png"; nocase; http_uri; classtype:bad-unknown; sid:2011420; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:exploit-kit; sid:2011479; rev:4; metadata:created_at 2010_09_28, former_category EXPLOIT_KIT, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:exploit-kit; sid:2011479; rev:4; metadata:created_at 2010_09_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Bredolab - client requesting java exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:2011795; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -17446,13 +15982,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MALVERTISING
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_19, updated_at 2010_11_19;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_22, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
@@ -17474,9 +16010,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Rogue AV (installer.xxxx.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/installer\.\d{4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc; classtype:bad-unknown; sid:2011990; rev:4; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack";  classtype:trojan-activity; sid:2011991; rev:3; metadata:created_at 2010_12_01, updated_at 2020_08_20;)
-
-#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, former_category FTP, updated_at 2010_12_02;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
@@ -17484,11 +16018,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshare.org|3A|999"; http_header; classtype:trojan-activity; sid:2012132; rev:6; metadata:created_at 2011_01_04, updated_at 2011_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|";  classtype:trojan-activity; sid:2012208; rev:5; metadata:created_at 2011_01_20, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate";  classtype:trojan-activity; sid:2012227; rev:6; metadata:created_at 2011_01_24, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; fast_pattern; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; reference:url,www.threatexpert.com/report.aspx?md5=531e84b0894a7496479d186712acd7d2; classtype:command-and-control; sid:2012248; rev:5; metadata:created_at 2011_01_29, former_category MALWARE, updated_at 2011_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; fast_pattern; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:md5,531e84b0894a7496479d186712acd7d2; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:command-and-control; sid:2012248; rev:5; metadata:created_at 2011_01_29, former_category MALWARE, updated_at 2011_01_29;)
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
@@ -17496,8 +16026,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake AV Scan (AS31252)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/powersecure_2005-19_ibr8.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com; classtype:trojan-activity; sid:2012302; rev:3; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; content:"etup.exe"; nocase;  classtype:trojan-activity; sid:2012318; rev:6; metadata:created_at 2011_02_18, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
@@ -17510,15 +16038,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Rogue Antivirus FakePAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/firefox_update_2011.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=76.76.102.214; classtype:trojan-activity; sid:2012403; rev:3; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_11, updated_at 2011_03_11;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_11, updated_at 2011_03_11;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; nocase; classtype:trojan-activity; sid:2012494; rev:4; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
 
@@ -17528,27 +16056,25 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/trusteer.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012537; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; classtype:trojan-activity; sid:2012617; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; http_uri; content:"a=Windows"; nocase; http_uri; content:"&b="; http_uri; content:"&c="; http_uri; content:"&f="; http_uri; content:"&k=";  pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/iU"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:command-and-control; sid:2012631; rev:5; metadata:created_at 2011_04_05, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; classtype:trojan-activity; sid:2012617; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7; metadata:created_at 2011_04_08, updated_at 2011_04_08;)
 
@@ -17556,19 +16082,19 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E
 
 alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:url,www.threatexpert.com/report.aspx?md5=014945cf93ffc94833f7a3efd92fe263; classtype:command-and-control; sid:2012736; rev:9; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2011_04_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:md5,014945cf93ffc94833f7a3efd92fe263; classtype:command-and-control; sid:2012736; rev:9; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2011_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:4; metadata:created_at 2011_05_16, updated_at 2011_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:4; metadata:created_at 2011_05_17, updated_at 2011_05_17;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:4; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:4; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:4; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshares.org|3A|"; http_header; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshares.org|3A|"; http_header; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_13, updated_at 2011_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:4; metadata:created_at 2011_06_23, updated_at 2011_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:4; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
 
@@ -17578,7 +16104,7 @@ alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain citi-ban
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED PHP Remote File Inclusion (monster list http)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"http"; nocase; http_uri;  pcre:"/\.php.+?(?:c(?:(?:onfi|f)g|alendar)|p(?:a(?:ge|th)|rog)|l(?:ang(uage)?|ib)|f(?:older|ile|ad)|d(?:omain|ir|f)|s(?:ettings|bp)|a(?:genda|uth)|i(?:con|ncl|d)|n(?:ame|ews)|r(?:oot|f)|gallery|type|ext|mod|[a-z](\[.*\])+?)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; reference:url,doc.emergingthreats.net/2002997; classtype:web-application-attack; sid:2002997; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
@@ -17586,33 +16112,31 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_04, updated_at 2011_08_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:command-and-control; sid:2013362; rev:7; metadata:created_at 2011_08_04, former_category MALWARE, updated_at 2011_08_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:command-and-control; sid:2013362; rev:7; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE windows_security_update Fake AV download"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:7; metadata:created_at 2011_08_04, updated_at 2011_08_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE windows_security_update Fake AV download"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:7; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; classtype:command-and-control; sid:2013413; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; content:".exe"; within:32;  reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:5; metadata:created_at 2011_10_12, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:7; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
 
 alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:3; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:3; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:3; metadata:created_at 2011_12_14, updated_at 2011_12_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:3; metadata:created_at 2012_01_26, updated_at 2012_01_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3; metadata:created_at 2012_06_21, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:3; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
 
@@ -17624,9 +16148,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Wind
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa"; flow:established,to_server; content:"/searches?q=#pepbyfadxeoa"; fast_pattern; http_uri; content:"Host|3A 20|mobile.twitter.com|0d 0a|"; http_header; reference:url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/; classtype:trojan-activity; sid:2014333; rev:4; metadata:created_at 2012_03_07, updated_at 2012_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_03_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
-
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/[a-z0-9]{33,}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014363; rev:7; metadata:created_at 2012_03_12, former_category MALWARE, updated_at 2012_03_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
@@ -17636,9 +16158,7 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Algorithm
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a a known malware domain (sektori. org)"; flow: to_server,established; content:"sektori.org|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014571; rev:6; metadata:created_at 2012_04_16, former_category TROJAN, updated_at 2018_01_02;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_27, former_category INFO, updated_at 2012_04_27;)
-
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:to_client,established;flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:4; metadata:created_at 2012_04_27, updated_at 2012_04_27;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_28, former_category INFO, updated_at 2012_04_28;)
 
 #alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:3; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
@@ -17654,19 +16174,19 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Algorithm
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_15, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:4; metadata:created_at 2012_07_26, updated_at 2012_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:5; metadata:created_at 2012_07_26, updated_at 2012_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:5; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_26, updated_at 2012_07_26;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015533; rev:4; metadata:created_at 2012_07_26, former_category MALWARE, updated_at 2012_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015533; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015534; rev:4; metadata:created_at 2012_07_26, former_category MALWARE, updated_at 2012_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015534; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:command-and-control; sid:2015546; rev:5; metadata:created_at 2012_07_30, former_category MALWARE, updated_at 2012_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:command-and-control; sid:2015546; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -17680,21 +16200,19 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:exploit-kit; sid:2019180; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Gate"; flow:established,from_server; file_data; content:"AgControl.AgControl"; content:"document.cookie.indexOf|28 22|xap|22 29|"; fast_pattern:10,20; content:"Math.random()|3b|"; classtype:exploit-kit; sid:2019183; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:exploit-kit; sid:2019184; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:exploit-kit; sid:2018171; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:exploit-kit; sid:2018171; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; classtype:exploit-kit; sid:2017667; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miras C2 Activity"; flow:established,to_server; content:"|36 36 36 36 58 36 36 36|"; offset:2; depth:8; reference:md5,98a3a68f76ed2eba763eb7bfb6648562; classtype:command-and-control; sid:2018979; rev:2; metadata:created_at 2014_08_21, former_category MALWARE, updated_at 2014_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WebSocket Session Initiation Request"; flow:established,to_server; flowbits:set,ETPRO.WebSocket.Request; content:"Connection|3a 20|Upgrade|0d 0a|"; fast_pattern; nocase; content:"Upgrade|3a 20|websocket|0d 0a|"; reference:url,tools.ietf.org/html/rfc6455; classtype:policy-violation; sid:2036219; rev:2; metadata:created_at 2014_09_17, former_category POLICY, updated_at 2014_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014 "; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:exploit-kit; sid:2019188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014"; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:exploit-kit; sid:2019188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -17702,25 +16220,23 @@ alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Con
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019192; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019192; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:14; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET MALWARE Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:command-and-control; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Suspicious Self Signed SSL Certificate to 'My Company Ltd'"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"My Company Ltd"; classtype:bad-unknown; sid:2013703; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET MALWARE Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:command-and-control; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Security Shield payment page request"; flow:established,to_server; content:!"Referer|3a| "; http_header; content:"/payform/?k="; http_uri; classtype:trojan-activity; sid:2014631; rev:4; metadata:created_at 2012_04_23, updated_at 2012_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established;  content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:8; metadata:created_at 2012_05_10, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established;  content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:8; metadata:created_at 2012_05_11, updated_at 2020_08_20;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_09_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015719; rev:2; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
@@ -17730,53 +16246,53 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explo
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015722; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015728; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015728; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015730; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015730; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015736; rev:4; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2012_09_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015736; rev:4; metadata:created_at 2012_09_26, former_category MALWARE, updated_at 2012_09_26;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015741; rev:4; metadata:created_at 2012_09_27, former_category MALWARE, updated_at 2012_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, former_category INFO, updated_at 2012_09_28;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:3; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:5; metadata:created_at 2012_11_08, former_category TROJAN, updated_at 2018_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:5; metadata:created_at 2012_11_09, former_category TROJAN, updated_at 2018_02_08;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:exploit-kit; sid:2015887; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_11_14, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
+#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:4; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"Opera/11.1"; depth:10; http_user_agent; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"Opera/11.1"; depth:10; http_user_agent; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:4; metadata:created_at 2012_12_22, updated_at 2012_12_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:4; metadata:created_at 2013_01_11, updated_at 2013_01_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:4; metadata:created_at 2013_01_11, updated_at 2013_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:3; metadata:created_at 2013_01_21, updated_at 2013_01_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
 #alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:command-and-control; sid:2016473; rev:3; metadata:created_at 2013_02_22, updated_at 2020_08_20;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:targeted-activity; sid:2016474; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:targeted-activity; sid:2016476; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:targeted-activity; sid:2016476; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications html return 1 "; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:targeted-activity; sid:2016477; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications html return 1"; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:targeted-activity; sid:2016477; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:targeted-activity; sid:2016478; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:targeted-activity; sid:2016478; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:targeted-activity; sid:2016479; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:targeted-activity; sid:2016479; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:targeted-activity; sid:2016480; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:targeted-activity; sid:2016480; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:targeted-activity; sid:2016482; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:targeted-activity; sid:2016482; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:targeted-activity; sid:2016483; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:targeted-activity; sid:2016483; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
 alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:targeted-activity; sid:2016484; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
@@ -17784,23 +16300,23 @@ alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possib
 
 alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:targeted-activity; sid:2016486; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:targeted-activity; sid:2016488; rev:5; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:targeted-activity; sid:2016488; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:4; metadata:created_at 2012_05_21, updated_at 2012_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2012_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:3; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Zeus GameOver Possible DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, former_category MALWARE, updated_at 2014_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Trojan Dropped by Angler Aug 29 2014"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 c4 a8 4b da 47 94 14 c1|"; within:35; content:"|55 04 0b|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|06|office"; distance:1; within:7; classtype:trojan-activity; sid:2019086; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_29, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019205; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019205; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019206; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019206; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019207; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
@@ -17810,15 +16326,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/AES.DDoS Sen
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
 #alert tcp any any -> any any (msg:"ET DELETED njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019223; rev:1; metadata:created_at 2014_09_23, updated_at 2014_09_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; classtype:exploit-kit; sid:2019224; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017817; rev:11; metadata:created_at 2013_12_09, former_category EXPLOIT_KIT, updated_at 2013_12_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017817; rev:11; metadata:created_at 2013_12_10, former_category EXPLOIT_KIT, updated_at 2013_12_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019225; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019225; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
@@ -17826,9 +16342,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:command-and-control; sid:2019229; rev:1; metadata:created_at 2014_09_24, former_category MALWARE, updated_at 2014_09_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:exploit-kit; sid:2019078; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:exploit-kit; sid:2019078; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET MALWARE Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:command-and-control; sid:2019235; rev:1; metadata:created_at 2014_09_24, former_category MALWARE, updated_at 2014_09_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET MALWARE Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:command-and-control; sid:2019235; rev:1; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2014_09_25;)
 
 #alert udp any 67 -> any 68 (msg:"ET DELETED Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2; content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1; within:10; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019238; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
 
@@ -17844,87 +16360,81 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kuluoz/Asprox CnC
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019279; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019279; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019280; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019280; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
 alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3A| "; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019294; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 2d 8e ea 67 c4 08 ea|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019305; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8b 77 b3 d1 92 8c 7d 48|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019306; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b f5 c0 6b 03 3a 00 3f|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,510b4db9aa400583e7927afa5f956179; classtype:trojan-activity; sid:2019307; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/^\d+&w=\d+&ua=.+&e=1$/UR"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:3; metadata:created_at 2014_09_29, former_category CURRENT_EVENTS, updated_at 2014_09_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019316; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019316; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019317; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019317; rev:4; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; classtype:policy-violation; sid:2003437; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -17940,29 +16450,29 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious embedd
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019328; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019328; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019329; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019329; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b/R"; classtype:trojan-activity; sid:2019326; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b/R"; classtype:trojan-activity; sid:2019327; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
 
-alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
+alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019330; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019330; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"fesexy.net"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; classtype:trojan-activity; sid:2002768; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,doc.emergingthreats.net/2010594; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:md5,94e13e13c6da5e32bde00bc527475bd2; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:3; metadata:created_at 2012_03_10, updated_at 2012_03_10;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -17972,61 +16482,55 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CryptoLo
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Zonebac.D"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"cid="; nocase; http_uri;content:"&aid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&fw="; nocase; http_uri; content:"&v="; nocase; http_uri;content:"&m="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008682; classtype:trojan-activity; sid:2008682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019360; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019360; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019361; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019361; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2019362; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2019362; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019363; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019363; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:command-and-control; sid:2015835; rev:7; metadata:created_at 2012_10_22, former_category MALWARE, updated_at 2012_10_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:command-and-control; sid:2015835; rev:7; metadata:created_at 2012_10_23, former_category MALWARE, updated_at 2012_10_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:suspicious-filename-detect; sid:2019338; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019370; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019370; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019372; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019372; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019373; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019373; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 10000: (msg:"ET DELETED Possible Sweet Orange Secondary Landing"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(?:\/[a-z-]+)+\.php\?[a-z]+=[0-9]+[^\r\n]+HTTP\/1\.1/R"; content:"3 HTTP/1.1"; fast_pattern:only; classtype:exploit-kit; sid:2019351; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6)"; flow:established,to_server; content:"X-Mailer|3a| XimianEvolution1.4.6"; fast_pattern:10,20; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; content:!"X-Barracuda-"; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/438-asprox-botnet-trojan-run-malware-spamming-1; reference:url,stopmalvertising.com/tag/asprox.html; classtype:trojan-activity; sid:2018336; rev:5; metadata:created_at 2014_03_31, updated_at 2014_03_31;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; content:"/inst.php?wmid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&s="; nocase; http_uri; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; classtype:trojan-activity; sid:2007865; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_user_agent; classtype:command-and-control; sid:2019286; rev:4; metadata:created_at 2014_09_26, former_category MALWARE, updated_at 2014_09_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_user_agent; classtype:command-and-control; sid:2019286; rev:4; metadata:created_at 2014_09_27, former_category MALWARE, updated_at 2014_09_27;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019356; rev:3; metadata:created_at 2014_10_06, updated_at 2014_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019356; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_09, updated_at 2014_10_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:pup-activity; sid:2002858; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2; metadata:created_at 2014_10_09, updated_at 2014_10_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2; metadata:created_at 2014_10_09, updated_at 2014_10_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018719; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018719; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC"; flow:established,from_server; content:"|16 03 00|"; content:"|0b|"; within:7; content:"|13 09|IRC geeks"; distance:0; classtype:command-and-control; sid:2019387; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019388; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body;  content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:5; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019388; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
@@ -18052,11 +16556,11 @@ alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SM
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019414; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019414; rev:3; metadata:attack_target Client_and_Server, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:exploit-kit; sid:2019375; rev:4; metadata:created_at 2014_10_08, former_category CURRENT_EVENTS, updated_at 2014_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:exploit-kit; sid:2019375; rev:4; metadata:created_at 2014_10_09, former_category CURRENT_EVENTS, updated_at 2014_10_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:2; metadata:created_at 2014_10_16, updated_at 2014_10_16;)
 
@@ -18064,7 +16568,7 @@ alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SM
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?flashlow\.swf$/U"; classtype:exploit-kit; sid:2018996; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019097; rev:3; metadata:created_at 2014_08_29, former_category CURRENT_EVENTS, updated_at 2014_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019097; rev:3; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
@@ -18076,7 +16580,7 @@ alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SM
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019466; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019466; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.KeyLogger.ODN Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"pcname="; depth:7; http_client_body; content:"&note="; distance:0; http_client_body; content:"&country="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&log="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019468; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
@@ -18084,7 +16588,7 @@ alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SS
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019477; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019477; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:exploit-kit; sid:2019480; rev:2; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
 
@@ -18104,15 +16608,13 @@ alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Maliciou
 
 alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Injected iframe Oct 22 2014"; flow:established,from_server; file_data; content:"|2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29|"; within:93; fast_pattern:73,20; classtype:exploit-kit; sid:2019497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
 alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
 
@@ -18130,11 +16632,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkComet-RAT init
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul";  http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:exploit-kit; sid:2019488; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019516; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019516; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019517; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019517; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -18184,17 +16684,15 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/ZxShell Server
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:command-and-control; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:exploit-kit; sid:2019594; rev:2; metadata:created_at 2014_10_29, former_category CURRENT_EVENTS, updated_at 2014_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:exploit-kit; sid:2019594; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2; metadata:created_at 2014_10_29, former_category CURRENT_EVENTS, updated_at 2014_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2; metadata:created_at 2014_10_29, former_category CURRENT_EVENTS, updated_at 2014_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:exploit-kit; sid:2019600; rev:3; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:to_server,established; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x83\x7f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:command-and-control; sid:2019602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019603; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019603; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025068; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
 
@@ -18262,8 +16760,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:exploit-kit; sid:2019146; rev:6; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Nov 4 2014"; flow:established,from_server; file_data; content:"var main_request_data_content"; within:29; fast_pattern:9,20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:exploit-kit; sid:2019642; rev:2; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2014_11_04;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:exploit-kit; sid:2019352; rev:3; metadata:created_at 2014_10_03, former_category EXPLOIT_KIT, updated_at 2014_10_03;)
 
 #alert tcp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole TCP Connection"; flow:to_server; classtype:trojan-activity; sid:2019629; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
@@ -18276,21 +16772,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; classtype:web-application-attack; sid:2008126; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019648; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019648; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019649; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019649; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2019656; rev:2; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2019656; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:exploit-kit; sid:2019657; rev:2; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:exploit-kit; sid:2019657; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:exploit-kit; sid:2019659; rev:2; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:exploit-kit; sid:2019659; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
 alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -18304,13 +16800,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFil
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007578; classtype:trojan-activity; sid:2007578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -18320,13 +16816,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscatio
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007581; classtype:trojan-activity; sid:2007581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019658; rev:4; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019658; rev:4; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2019669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2019669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019670; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019670; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019671; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019671; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:exploit-kit; sid:2019672; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
@@ -18338,67 +16834,61 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear Silve
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019677; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019681; rev:3; metadata:created_at 2014_11_07, updated_at 2014_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019681; rev:3; metadata:created_at 2014_11_08, updated_at 2014_11_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:exploit-kit; sid:2019684; rev:3; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:exploit-kit; sid:2019684; rev:3; metadata:created_at 2014_11_08, former_category CURRENT_EVENTS, updated_at 2014_11_08;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:exploit-kit; sid:2019685; rev:2; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:exploit-kit; sid:2018998; rev:10; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019691; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2014_11_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019691; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_12, updated_at 2014_11_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2014_11_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"xmlhttp.open(|22|POST|22|, |22|/foo|22|, false)|3b|"; fast_pattern:16,20; content:"xmlhttp.send(sendstr)|3b|"; distance:0; classtype:exploit-kit; sid:2019690; rev:3; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Job314 EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"embedSWF(|22|index.swf?action=swf|22|"; fast_pattern:11,20; content:"src=|22|index.js?action=swfobject|22|"; classtype:exploit-kit; sid:2019689; rev:3; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019663; rev:3; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2014_11_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019663; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019708; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019708; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019709; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019709; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:9; metadata:created_at 2014_11_14, updated_at 2014_11_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:9; metadata:created_at 2014_11_15, updated_at 2014_11_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET MALWARE W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:command-and-control; sid:2019711; rev:4; metadata:created_at 2014_11_14, former_category MALWARE, updated_at 2014_11_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET MALWARE W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:command-and-control; sid:2019711; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019720; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019720; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019721; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019721; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:exploit-kit; sid:2019722; rev:2; metadata:created_at 2014_11_17, former_category CURRENT_EVENTS, updated_at 2014_11_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:exploit-kit; sid:2019722; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:exploit-kit; sid:2019723; rev:2; metadata:created_at 2014_11_17, former_category CURRENT_EVENTS, updated_at 2014_11_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:exploit-kit; sid:2019723; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:exploit-kit; sid:2019724; rev:2; metadata:created_at 2014_11_17, former_category CURRENT_EVENTS, updated_at 2014_11_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:exploit-kit; sid:2019724; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:exploit-kit; sid:2019725; rev:2; metadata:created_at 2014_11_17, former_category CURRENT_EVENTS, updated_at 2014_11_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:exploit-kit; sid:2019725; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:exploit-kit; sid:2019726; rev:2; metadata:created_at 2014_11_17, former_category CURRENT_EVENTS, updated_at 2014_11_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:exploit-kit; sid:2019726; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_17, former_category CURRENT_EVENTS, updated_at 2014_11_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Connectivity Check to Google"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Host|3a| google.com|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|29 0d 0a 0d 0a|"; fast_pattern:76,20; classtype:trojan-activity; sid:2019729; rev:3; metadata:created_at 2014_11_17, updated_at 2014_11_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -18406,13 +16896,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019744; rev:3; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019744; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:exploit-kit; sid:2019742; rev:3; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:exploit-kit; sid:2019742; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:exploit-kit; sid:2019745; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:exploit-kit; sid:2019745; rev:2; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:exploit-kit; sid:2019743; rev:5; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:exploit-kit; sid:2019743; rev:5; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)
 
@@ -18424,13 +16914,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:20; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018925; rev:5; metadata:created_at 2014_08_11, former_category CURRENT_EVENTS, updated_at 2014_08_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018925; rev:5; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019769; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019768; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_05, former_category EXPLOIT_KIT, updated_at 2014_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_06, former_category EXPLOIT_KIT, updated_at 2014_11_06;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019773; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
@@ -18438,47 +16928,41 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Inte
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019775; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019786; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019786; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019787; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019787; rev:3; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:exploit-kit; sid:2019800; rev:2; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2019807; rev:2; metadata:created_at 2014_11_25, updated_at 2014_11_25;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET MALWARE W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019809; rev:2; metadata:created_at 2014_11_25, former_category MALWARE, updated_at 2014_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2019807; rev:2; metadata:created_at 2014_11_26, updated_at 2014_11_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019810; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET MALWARE W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019809; rev:2; metadata:created_at 2014_11_26, former_category MALWARE, updated_at 2014_11_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019811; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019810; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019812; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019811; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019813; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019812; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019814; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019813; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019815; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019814; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019818; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019815; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019819; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019818; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK"; flow:established,from_server; file_data; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; pcre:"/^[^\x27]+[\x27]\s*/R"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern:73,20; within:93; isdataat:!3,relative; classtype:exploit-kit; sid:2019798; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019819; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data;  content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:exploit-kit; sid:2019643; rev:3; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:exploit-kit; sid:2015677; rev:5; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:exploit-kit; sid:2015677; rev:5; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:7; metadata:created_at 2014_12_01, former_category CURRENT_EVENTS, updated_at 2014_12_01;)
 
 alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2019823; rev:7; metadata:created_at 2014_12_01, former_category EXPLOIT_KIT, updated_at 2014_12_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:2; metadata:created_at 2014_12_01, updated_at 2014_12_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake org name)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; content:"|0a|Some-State"; distance:1; within:11; content:"|06 03 55 04 0a|"; distance:0; pcre:"/^.{2}(?=[a-z]{0,15}\d)(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019832; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019839; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019839; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"! SH"; depth:4; pcre:"/^[^\r\n]+?\n$/R"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019298; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
@@ -18488,17 +16972,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidde
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:exploit-kit; sid:2019874; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:exploit-kit; sid:2016058; rev:11; metadata:created_at 2012_12_18, former_category EXPLOIT_KIT, updated_at 2012_12_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:exploit-kit; sid:2016058; rev:11; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; distance:0; within:50; content:!"|00|"; distance:0; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:2; metadata:created_at 2010_12_14, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlienSpy RAT Checkin Set"; flow:established,to_server; dsize:4; content:"|ac ed|"; depth:2; flowbits:set,ET.rat.alienspy; flowbits:noalert; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019738; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2; metadata:created_at 2011_06_21, updated_at 2011_06_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_17, updated_at 2014_04_17;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_18, updated_at 2014_04_18;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019304; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
@@ -18510,7 +16992,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCa
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019303; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016772; rev:2; metadata:created_at 2013_04_18, former_category MALWARE, updated_at 2013_04_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016772; rev:2; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server globdomain.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0A|globdomain|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012203; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
 
@@ -18518,26 +17000,24 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock.6870 SSL Cert"; flow:from_server,established; content:"|00 cc 05 c7 80 14 cf 3f 50|"; content:"|55 04 08 13 0c|Someprovince"; distance:0; content:"|55 04 07 13 08|Sometown"; distance:0; classtype:trojan-activity; sid:2015795; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_04, former_category CURRENT_EVENTS, updated_at 2014_09_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_04, former_category CURRENT_EVENTS, updated_at 2014_09_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_04, former_category CURRENT_EVENTS, updated_at 2014_09_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_19, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_20, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FireEye.STX RAT Checkin"; flow:established,to_server; content:"GET /WinData.DLL?HELO-STX-1*"; depth:28; content:"$|0D 0A|"; distance:0; within:40; reference:url,blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html; reference:md5,89217de164ffca0f0fed54a8003eb98f; classtype:command-and-control; sid:2014632; rev:2; metadata:created_at 2012_04_23, former_category MALWARE, updated_at 2020_08_20;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019296; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
@@ -18552,7 +17032,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/AlienSpy RAT C
 
 alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category P2P, signature_severity Major, tag c2, updated_at 2012_11_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, former_category POLICY, updated_at 2013_07_09;)
 
@@ -18560,7 +17040,7 @@ alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible I
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
 
@@ -18582,55 +17062,53 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Ut
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"! JUNK "; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019299; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MALWARE W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019808; rev:2; metadata:created_at 2014_11_25, former_category MALWARE, updated_at 2014_11_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MALWARE W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019808; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
 alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
 alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
 #alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sophos.com Block Message"; flow:established,from_server; content:"sophos.com"; classtype:not-suspicious; sid:2012984; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
 #alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Potential DNS Request from Trojan.DNSChanger infected system"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2014043; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET MALWARE W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:command-and-control; sid:2019712; rev:2; metadata:created_at 2014_11_14, former_category MALWARE, updated_at 2014_11_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET MALWARE W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:command-and-control; sid:2019712; rev:2; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
+alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|30 2b 06 03 55 04 03 13 24|DivX, Inc. Certificate Authority"; distance:0; classtype:policy-violation; sid:2013300; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_09_30, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2; metadata:created_at 2014_12_05, former_category CURRENT_EVENTS, updated_at 2014_12_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_05, updated_at 2014_12_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_06, updated_at 2014_12_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019879; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019879; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019762; rev:3; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019762; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019761; rev:4; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019761; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
@@ -18648,13 +17126,13 @@ alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Re
 
 alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019890; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019890; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2019892; rev:2; metadata:created_at 2014_12_08, former_category CURRENT_EVENTS, updated_at 2014_12_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2019892; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:exploit-kit; sid:2019895; rev:2; metadata:created_at 2014_12_08, former_category CURRENT_EVENTS, updated_at 2014_12_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:exploit-kit; sid:2019895; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:targeted-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
@@ -18664,11 +17142,11 @@ alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-us
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019906; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019906; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:exploit-kit; sid:2019908; rev:2; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:exploit-kit; sid:2019908; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:exploit-kit; sid:2019844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
@@ -18680,25 +17158,25 @@ alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-us
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_12, updated_at 2014_12_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Code Download"; flow: to_server,established; content:"/updatestats/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; classtype:policy-violation; sid:2001524; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1; metadata:created_at 2014_12_15, updated_at 2014_12_15;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET MALWARE Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:command-and-control; sid:2019941; rev:1; metadata:created_at 2014_12_15, former_category MALWARE, updated_at 2014_12_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET MALWARE Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:command-and-control; sid:2019941; rev:1; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2014_12_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bedep Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"Content-Length|3a 20|2"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/^Content-Length\x3a 2\d{2}\r?$/Hmi"; flowbits:set,ET.Trojan.Bedep; classtype:trojan-activity; sid:2019949; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
@@ -18706,23 +17184,19 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2; metadata:created_at 2014_12_17, former_category CURRENT_EVENTS, updated_at 2014_12_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_15, updated_at 2014_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:exploit-kit; sid:2019193; rev:3; metadata:created_at 2014_09_18, former_category CURRENT_EVENTS, updated_at 2014_09_18;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002385; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019962; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data;  content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:exploit-kit; sid:2019751; rev:6; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019962; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:command-and-control; sid:2019964; rev:1; metadata:created_at 2014_12_17, former_category MALWARE, updated_at 2014_12_17;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69;  content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:exploit-kit; sid:2019770; rev:5; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:command-and-control; sid:2019964; rev:1; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2014_12_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:exploit-kit; sid:2019950; rev:3; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
 
@@ -18736,59 +17210,57 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3; metadata:created_at 2014_12_19, former_category CURRENT_EVENTS, updated_at 2014_12_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3; metadata:created_at 2014_12_20, former_category CURRENT_EVENTS, updated_at 2014_12_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019987; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019987; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp any any -> any [8000,8080] (msg:"ET MALWARE US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp any any -> any [8000,8080] (msg:"ET MALWARE US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)
+#alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020025; rev:2; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2014_12_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020025; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020026; rev:2; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2014_12_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020026; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trojan.Nurjax SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.njaxjs.me"; distance:1; within:14; classtype:trojan-activity; sid:2020033; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_23, former_category CURRENT_EVENTS, updated_at 2014_12_23;)
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php/"; pcre:"/\/[a-z_]+\.php\/[a-z_]+\.php/U"; reference:url,seclists.org/fulldisclosure/2009/Nov/169; reference:url,seclists.org/fulldisclosure/2009/Nov/170; reference:url,doc.emergingthreats.net/2010341; classtype:web-application-attack; sid:2010341; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_24, former_category CURRENT_EVENTS, updated_at 2014_12_24;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
@@ -18798,20 +17270,16 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020074; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CazinoSilver Checkin"; flow:established,to_server; content:".php?key="; http_uri; content:"User-Agent|3A 20|DMFR|0D 0A|"; http_header; fast_pattern:12,6; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013511; rev:3; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2019_10_16;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020079; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET MALWARE Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020075; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020075; rev:3; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)
 
 #alert udp any any -> 1.1.1.0 80 (msg:"ET MALWARE TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; content:"Copyright |28|C|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020084; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
@@ -18826,37 +17294,35 @@ alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortun
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:8; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 06 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern:4,20; pcre:"/^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{/Rs"; classtype:exploit-kit; sid:2020103; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020104; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020104; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020149; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020149; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET MALWARE Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020155; rev:2; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2015_01_08;)
 
-alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET MALWARE Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020155; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2015_01_07;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013962; rev:14; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2011_11_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013962; rev:14; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:command-and-control; sid:2019242; rev:2; metadata:created_at 2014_09_26, former_category MALWARE, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_12, updated_at 2015_01_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-alert tcp any any -> any 1024: (msg:"ET MALWARE Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)
+alert tcp any any -> any 1024: (msg:"ET MALWARE Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET MALWARE Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:command-and-control; sid:2020169; rev:1; metadata:created_at 2015_01_12, former_category MALWARE, updated_at 2015_01_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET MALWARE Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:command-and-control; sid:2020169; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_01_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:2; metadata:created_at 2015_01_12, former_category MALWARE, updated_at 2015_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:2; metadata:created_at 2015_01_13, former_category MALWARE, updated_at 2015_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -18864,111 +17330,93 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office D
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Bedep Checkin Response"; flow:established,from_server; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"Content-Length|3a| 108|0d 0a|"; http_header; fast_pattern:only; content:!"Keep-Alive|3a 20|"; http_header; file_data; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; classtype:trojan-activity; sid:2019952; rev:5; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020187; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020187; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin"; flow:established,to_server; content:"|00 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"MHz|00|"; distance:0; content:"|20 2a 20|"; distance:-12; within:5; pcre:"/^\d+MHz\x00/R"; content:"|20|MB|00|"; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3682; classtype:command-and-control; sid:2020188; rev:1; metadata:created_at 2015_01_15, former_category MALWARE, updated_at 2015_01_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020196; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 14 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern:4,20; content:"|24 2c|"; distance:0; pcre:"/^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c/R"; classtype:exploit-kit; sid:2020180; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020196; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:command-and-control; sid:2020209; rev:2; metadata:created_at 2015_01_19, former_category MALWARE, updated_at 2015_01_19;)
-
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake state)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|06 03 55 04 08|"; distance:0; content:!"|0a|Some-State"; distance:1; within:11; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020216; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family URLZone, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:command-and-control; sid:2020209; rev:2; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2015_01_20;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020217; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020216; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020218; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020217; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020219; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020218; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:to_server,established; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x96\x71/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:command-and-control; sid:2020214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020219; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020220; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020220; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:command-and-control; sid:2020222; rev:1; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2015_01_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:credential-theft; sid:2020224; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (10)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020227; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"wb v"; http_user_agent; fast_pattern; reference:url,doc.emergingthreats.net/2003449; classtype:pup-activity; sid:2003449; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020242; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020242; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020291; rev:2; metadata:created_at 2015_01_22, former_category EXPLOIT_KIT, updated_at 2015_01_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020291; rev:2; metadata:created_at 2015_01_23, former_category EXPLOIT_KIT, updated_at 2015_01_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre IE Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|attachment|3b 20|"; http_header; content:".zip|20 3b 0d 0a|"; distance:0; http_header; content:"Content-Type|3a 20|$ctype|0d 0a|"; http_header; fast_pattern:2,20; file_data; content:"PK|03 04|"; within:4; classtype:trojan-activity; sid:2020160; rev:5; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2015_01_09;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC Report_Vol.58_Eng.pdf; classtype:command-and-control; sid:2020303; rev:2; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC%20Report_Vol.58_Eng.pdf; classtype:command-and-control; sid:2020303; rev:2; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:2; metadata:created_at 2015_01_23, former_category CURRENT_EVENTS, updated_at 2015_01_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020307; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020307; rev:4; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET MALWARE Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dyre Downloading Mailer"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36|0d 0a|Host|3a|"; depth:132; http_header; fast_pattern:50,20; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RH"; pcre:"/\.tar$/U";  classtype:trojan-activity; sid:2020308; rev:3; metadata:created_at 2015_01_26, former_category MALWARE, updated_at 2020_08_20;)
-
 alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|6|00|f|00|b|00|e|00|8|00|7|00|a|00|-|00|4|00|3|00|7|00|2|00|-|00|1|00|f|00|5|00|1|00|-|00|1|00|0|00|1|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|0|00|4|00|3|00|1|00|2|00|7|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020309; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
 
 alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; content:"|00|{|00|4|00|4|00|f|00|d|00|g|00|2|00|3|00|a|00|-|00|1|00|5|00|2|00|2|00|-|00|6|00|f|00|9|00|e|00|-|00|d|00|0|00|5|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|1|00|7|00|6|00|1|00|3|00|8|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020310; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method;  content:".js?get_message"; http_uri; fast_pattern:only;  pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|";  http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:6; metadata:created_at 2015_01_19, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020313; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020313; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020314; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020314; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client;  file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015501; rev:6; metadata:created_at 2012_07_21, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:exploit-kit; sid:2016278; rev:6; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:exploit-kit; sid:2016278; rev:6; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2013_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:exploit-kit; sid:2016547; rev:10; metadata:created_at 2013_03_07, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:exploit-kit; sid:2016547; rev:10; metadata:created_at 2013_03_06, former_category EXPLOIT_KIT, updated_at 2013_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:exploit-kit; sid:2015815; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:exploit-kit; sid:2015815; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2012_10_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:exploit-kit; sid:2015816; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:exploit-kit; sid:2015816; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2012_10_18;)
+#alert http $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015892; rev:4; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015892; rev:4; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015893; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015893; rev:5; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015915; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015915; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2012_11_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:exploit-kit; sid:2015891; rev:4; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:exploit-kit; sid:2015891; rev:4; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015916; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015916; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2012_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:exploit-kit; sid:2016060; rev:19; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:exploit-kit; sid:2016060; rev:19; metadata:created_at 2012_12_18, former_category EXPLOIT_KIT, updated_at 2012_12_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:exploit-kit; sid:2016221; rev:5; metadata:created_at 2013_01_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:exploit-kit; sid:2016221; rev:5; metadata:created_at 2013_01_16, former_category EXPLOIT_KIT, updated_at 2013_01_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:exploit-kit; sid:2016280; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U";  classtype:exploit-kit; sid:2016279; rev:6; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016406; rev:3; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:exploit-kit; sid:2016280; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2013_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:exploit-kit; sid:2016408; rev:14; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016406; rev:3; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:exploit-kit; sid:2016408; rev:14; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:exploit-kit; sid:2017396; rev:6; metadata:created_at 2013_08_29, former_category EXPLOIT_KIT, updated_at 2013_08_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:exploit-kit; sid:2017396; rev:6; metadata:created_at 2013_08_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:exploit-kit; sid:2020319; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
@@ -18976,34 +17424,30 @@ alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch
 
 #alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020321; rev:4; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020322; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020322; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:2; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2015_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:2; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2015_01_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020331; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020331; rev:3; metadata:attack_target Client_and_Server, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected "; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.PYO Receiving Config"; flow:established,from_server; file_data; content:"path = "; within:7; content:"|0a|delay = "; distance:0; pcre:"/^\d+\n/R"; content:"hash = "; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020335; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Flashpack Redirect Method 3"; flow:established,to_server; content:"POST"; http_method; content:!"/gateway.php"; http_uri; content:"gate"; http_uri; fast_pattern:only; content:".php"; http_uri; content:".swf"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; classtype:trojan-activity; sid:2019325; rev:9; metadata:created_at 2014_09_30, updated_at 2014_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:2; metadata:created_at 2015_02_02, former_category MALWARE, updated_at 2019_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2019_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2014_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020349; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2015_02_03;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:1; metadata:created_at 2015_02_03, former_category CURRENT_EVENTS, updated_at 2015_02_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|visibility|3a|hidden|22| title="; within:34; fast_pattern:14,20; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020352; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 01 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22| title="; within:29; fast_pattern:9,20; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020342; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_01, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; classtype:exploit-kit; sid:2020355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; classtype:exploit-kit; sid:2020356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
@@ -19014,15 +17458,11 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020366; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:13; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x7a\x9a/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,eb7909105fd05064b14a21465742952c; classtype:command-and-control; sid:2020371; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c5 19 74 50 39 69 7a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_02, updated_at 2015_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020379; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:command-and-control; sid:2020381; rev:3; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2015_02_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:command-and-control; sid:2020381; rev:3; metadata:created_at 2015_02_07, former_category MALWARE, malware_family XorDDoS, updated_at 2015_02_07;)
 
 alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
@@ -19036,17 +17476,17 @@ alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Fil
 
 alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic "; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_07, former_category MALWARE, updated_at 2015_02_07;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:exploit-kit; sid:2019647; rev:5; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; fast_pattern; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2019764; rev:9; metadata:created_at 2014_11_20, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; fast_pattern; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2019764; rev:9; metadata:created_at 2014_11_21, updated_at 2018_06_18;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 6d|"; distance:4; within:11; pcre:"/^[\x53\x54]/R"; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019739; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
@@ -19076,21 +17516,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK La
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:exploit-kit; sid:2020429; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020456; rev:1; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2015_02_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020456; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:exploit-kit; sid:2020234; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020399; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020399; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:exploit-kit; sid:2020318; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4; metadata:created_at 2015_02_18, former_category CURRENT_EVENTS, updated_at 2015_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Checkin Activity 2"; flow:established,to_server; urilen:20<>100; content:!"Referer|3a|"; http_header; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^Host\x3a\x20(?=[a-z0-9]{0,19}[A-Z])(?=[A-Z0-9]{0,19}[a-z])[a-zA-Z0-9]{4,20}\.[a-z]{2,3}/H"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|Mozilla/"; http_header; within:41; fast_pattern:4,20; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020302; rev:6; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:exploit-kit; sid:2020477; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:exploit-kit; sid:2020477; rev:3; metadata:created_at 2015_02_18, updated_at 2015_02_18;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:exploit-kit; sid:2020478; rev:3; metadata:created_at 2015_02_18, updated_at 2015_02_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:exploit-kit; sid:2020478; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -19100,19 +17538,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERI
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:exploit-kit; sid:2020484; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020492; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,from_server; content:"|55 04 0a|"; content:"|0f|Superfish, Inc."; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0f|Superfish, Inc."; distance:1; within:16; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020492; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020407; rev:5; metadata:created_at 2015_02_11, updated_at 2015_02_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020407; rev:5; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2020494; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:exploit-kit; sid:2020495; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020455; rev:2; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2015_02_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020455; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:exploit-kit; sid:2020496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:exploit-kit; sid:2020496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; classtype:exploit-kit; sid:2020367; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
@@ -19122,8 +17558,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC B
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED Microsoft Access database error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"JET Database Engine"; fast_pattern:only; classtype:web-application-attack; sid:2020502; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm";  classtype:exploit-kit; sid:2019763; rev:8; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -19168,8 +17602,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC B
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle"; fast_pattern; content:"Driver"; distance:0; within:12; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020530; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
-
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -19220,9 +17652,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC B
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2; metadata:created_at 2015_02_24, updated_at 2015_02_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020562; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020562; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020559; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -19230,11 +17662,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020558; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020564; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020564; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:1; metadata:created_at 2015_02_24, former_category TROJAN, updated_at 2017_12_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:1; metadata:created_at 2015_02_25, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020567; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET MALWARE Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)
 
@@ -19242,11 +17674,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET MALWARE Unknown Trojan D
 
 #alert tcp $EXTERNAL_NET [1024:7989,7991:] -> $HOME_NET any (msg:"ET DELETED Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007920; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020582; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020582; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:exploit-kit; sid:2020584; rev:3; metadata:created_at 2015_03_02, former_category EXPLOIT_KIT, updated_at 2015_03_02;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:to_server,established; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x84\x60/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:command-and-control; sid:2020586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:exploit-kit; sid:2020584; rev:3; metadata:created_at 2015_03_03, former_category EXPLOIT_KIT, updated_at 2015_03_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Scam - FakeAV Alert Request March 2 2015"; flow:established,to_server; content:"afid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&Expires="; distance:0; http_uri; content:"&Signature="; distance:0; http_uri; content:"&Key-Pair-Id="; distance:0; http_uri; classtype:social-engineering; sid:2020587; rev:2; metadata:created_at 2015_03_03, updated_at 2015_03_03;)
 
@@ -19274,43 +17704,27 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:to_server,established; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:command-and-control; sid:2020614; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:to_server,established; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:command-and-control; sid:2020606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:to_server,established; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xda\x41/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:command-and-control; sid:2020607; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:to_server,established; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:command-and-control; sid:2020608; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:to_server,established; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:command-and-control; sid:2020609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:to_server,established; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:command-and-control; sid:2020610; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:to_server,established; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:command-and-control; sid:2020612; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:to_server,established; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:command-and-control; sid:2020613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020625; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020625; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; classtype:policy-violation; sid:2001443; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020647; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020647; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Firefox Plug-In Download"; flow:to_client,established; file_data; content:"PK|03 04|"; distance:0; content:"/addon-sdk/"; content:"|00 00|resources|2f|numberchangerfirefox|2f|PK"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020653; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2016589; rev:8; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2016589; rev:8; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2015927; rev:4; metadata:created_at 2012_11_26, updated_at 2012_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2015927; rev:4; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:exploit-kit; sid:2014917; rev:4; metadata:created_at 2012_06_18, updated_at 2012_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:exploit-kit; sid:2014917; rev:4; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2014916; rev:3; metadata:created_at 2012_06_18, updated_at 2012_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2014916; rev:3; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
 
 #alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
@@ -19320,14 +17734,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible maliciou
 
 #alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server;  content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:6; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
-
 #alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
@@ -19348,29 +17760,17 @@ alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any
 
 #alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020687; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020688; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020689; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:to_server,established; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x2e\x96/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:command-and-control; sid:2020691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:to_server,established; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:command-and-control; sid:2020692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:to_server,established; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x31\xad/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:command-and-control; sid:2020693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:to_server,established; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x44\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:command-and-control; sid:2020694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020689; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:command-and-control; sid:2020695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:to_server,established; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3f\xa6/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:command-and-control; sid:2020696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:exploit-kit; sid:2017976; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:exploit-kit; sid:2017976; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2021_06_23;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2017_09_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020697; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020697; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:exploit-kit; sid:2020698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
@@ -19384,131 +17784,49 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possibl
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:exploit-kit; sid:2014099; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:exploit-kit; sid:2020725; rev:2; metadata:created_at 2015_03_20, updated_at 2015_03_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:exploit-kit; sid:2020725; rev:2; metadata:created_at 2015_03_21, updated_at 2015_03_21;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:exploit-kit; sid:2020726; rev:2; metadata:created_at 2015_03_23, updated_at 2015_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,from_server; content:"|0b|"; content:"|04 1f 23 9d bd|"; distance:18; within:20; content:"|55 04 0a|"; distance:0; content:"|0c|assylias.Inc"; distance:1; within:13; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; reference:md5,b102c26e04e97bda97b11bfe7366e61e; classtype:trojan-activity; sid:2020728; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:command-and-control; sid:2019172; rev:4; metadata:created_at 2014_08_19, former_category MALWARE, updated_at 2014_08_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui";  reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:2; metadata:created_at 2015_03_23, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; http_raw_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi";  reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:2; metadata:created_at 2015_03_23, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020735; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi";  reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:2; metadata:created_at 2015_03_23, updated_at 2020_08_20;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020735; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020743; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020743; rev:3; metadata:created_at 2015_03_24, updated_at 2015_03_24;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020744; rev:3; metadata:created_at 2015_03_24, updated_at 2015_03_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020744; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020745; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020745; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:2; metadata:created_at 2015_03_26, former_category CURRENT_EVENTS, updated_at 2015_03_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 1"; flow:from_server,established; file_data; content:"/title><script>window.setTimeout(function () { window.location="; fast_pattern:14,20; content:"<title>"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title/R"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020748; rev:7; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2015_03_25;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:to_server,established; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:command-and-control; sid:2020763; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:to_server,established; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:command-and-control; sid:2020764; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:command-and-control; sid:2020765; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:to_server,established; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x40\xa3/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:command-and-control; sid:2020766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:command-and-control; sid:2020767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:to_server,established; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:command-and-control; sid:2020768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:to_server,established; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:command-and-control; sid:2020769; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:to_server,established; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:command-and-control; sid:2020770; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:command-and-control; sid:2020771; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:to_server,established; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:command-and-control; sid:2020772; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:to_server,established; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:command-and-control; sid:2020773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:command-and-control; sid:2020774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:command-and-control; sid:2020775; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:command-and-control; sid:2020776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:to_server,established; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:command-and-control; sid:2020777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:to_server,established; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:command-and-control; sid:2020778; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:to_server,established; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:command-and-control; sid:2020780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:to_server,established; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7e\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:command-and-control; sid:2020782; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:to_server,established; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x47\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:command-and-control; sid:2020784; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:to_server,established; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:command-and-control; sid:2020787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:command-and-control; sid:2020788; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:to_server,established; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:command-and-control; sid:2020789; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:to_server,established; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x30\xa5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:command-and-control; sid:2020790; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:command-and-control; sid:2020792; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:to_server,established; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:command-and-control; sid:2020793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:command-and-control; sid:2020794; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:to_server,established; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:command-and-control; sid:2020795; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:to_server,established; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9d/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:command-and-control; sid:2020796; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:to_server,established; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa2/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:command-and-control; sid:2020797; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:to_server,established; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:command-and-control; sid:2020798; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:to_server,established; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:command-and-control; sid:2020799; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:to_server,established; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\x99/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:command-and-control; sid:2020800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020802; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|*.rview.com"; distance:1; within:12; classtype:policy-violation; sid:2020805; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020802; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017666; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern:4,20; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:2; metadata:created_at 2015_03_31, former_category CURRENT_EVENTS, updated_at 2015_03_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020807; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020807; rev:1; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2015_03_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020808; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020808; rev:1; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2015_03_31;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020809; rev:1; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2015_03_31;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive External IP Leak"; flow:established,from_server; file_data; content:"<span id=|22|lblIPBehindProxy|22|>{"; within:29; fast_pattern:9,20; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:external-ip-check; sid:2020811; rev:3; metadata:created_at 2015_03_31, updated_at 2015_03_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020809; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:exploit-kit; sid:2020832; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020836; rev:1; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2015_04_02;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"</script></head>|0d 0a|<body>"; fast_pattern:2,20; content:" id="; pcre:"/^\s*?[\x22\x27][A-Za-z]{3,10}[\x22\x27]/R"; content:" title="; content:!"<"; within:100; pcre:"/^\s*?[\x22\x27](?=[A-Z]{0,19}[a-z]{1,19}[A-Z])[a-zA-Z]{14,20}[\x22\x27][^<>]*?>(?=[A-Za-z]{0,99}\d)[A-Za-z0-9\x20]{100}/R"; classtype:exploit-kit; sid:2020354; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020836; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019845; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
@@ -19518,7 +17836,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 3460 (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Init"; flow:established,to_server; dsize:256; flowbits:set,ET.Poison1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008380; classtype:command-and-control; sid:2008380; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
@@ -19530,27 +17848,27 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PoisonIvy
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_04, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_04, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_21, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_21, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023911; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2017_02_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:exploit-kit; sid:2020840; rev:2; metadata:created_at 2015_04_03, updated_at 2015_04_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020843; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
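Review bot: The new line for sid 2020843 changes `classtype:command-and-control` to `classtype:domain-c2`, and that value only resolves if the classification.config the test loads defines `domain-c2`; that file is not part of this diff, so it is worth confirming the parse test still sees the expected classification rather than a fallback. The same classtype appears on the new lines for sid 2020864 and sid 2020932 in later hunks. If the test only counts rules loaded, an unknown classtype would probably still pass silently, so a check on the warning count or on the resolved classtype of one of these sids would make this fixture update verifiable.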
@@ -19572,35 +17890,33 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant F
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:pup-activity; sid:2002836; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016771; rev:5; metadata:created_at 2013_04_18, former_category MALWARE, updated_at 2013_04_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016771; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2015_04_06, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2015_04_07, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
 
 #alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
 
-alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)
+alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_07, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020864; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020864; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:pup-activity; sid:2000920; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET MALWARE Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1; metadata:created_at 2015_04_10, updated_at 2015_04_10;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1; metadata:created_at 2015_04_11, updated_at 2015_04_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern;  content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020865; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:exploit-kit; sid:2020715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:exploit-kit; sid:2020715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_server; dsize:>68; content:"|41 00 00 00 03|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018426; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
 
@@ -19610,7 +17926,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020905; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020909; rev:2; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2015_04_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020909; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -19632,7 +17948,7 @@ alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Fo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_15, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (1)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; within:2048; classtype:trojan-activity; sid:2020929; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
@@ -19640,40 +17956,24 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed E
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (3)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; distance:32; within:8; classtype:trojan-activity; sid:2020931; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020932; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_20, updated_at 2015_04_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_20, former_category MALWARE, updated_at 2015_04_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_21, former_category MALWARE, updated_at 2015_04_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_20, updated_at 2015_04_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -n Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Local Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020955; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020965; rev:2; metadata:created_at 2015_04_22, former_category MALWARE, updated_at 2015_04_22;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 31 d5|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:targeted-activity; sid:2020966; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 65 5d|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:targeted-activity; sid:2020967; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 1b 3c|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:targeted-activity; sid:2020968; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 0f 0d|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:targeted-activity; sid:2020969; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 03 5f|"; distance:9; within:20; content:"|55 04 0a|"; distance:0; content:"|1b|*.corp.utilitytelephone.com"; distance:1; within:28; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:targeted-activity; sid:2020970; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 a9|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 2c 2f|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:targeted-activity; sid:2020972; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020965; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 5f 31|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:targeted-activity; sid:2020974; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:exploit-kit; sid:2020984; rev:2; metadata:created_at 2015_04_23, former_category CURRENT_EVENTS, updated_at 2017_04_04;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
@@ -19700,19 +18000,17 @@ alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wi
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CORESHELL Malware Response from server"; flow:from_server,established; file_data; content:"O|00|K|00 00 00|"; within:6; pcre:"/^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019584; rev:3; metadata:created_at 2014_10_29, updated_at 2014_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2021012; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:exploit-kit; sid:2020950; rev:3; metadata:created_at 2015_04_20, updated_at 2015_04_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:exploit-kit; sid:2020950; rev:3; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:exploit-kit; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2020388; rev:8; metadata:created_at 2015_02_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2020388; rev:8; metadata:created_at 2015_02_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021016; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021016; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
 
@@ -19720,29 +18018,21 @@ alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Kaspersky Sinkhole DNS Reply"
 
 alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021023; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
-
-alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021024; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021031; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:command-and-control; sid:2021031; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021032; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:command-and-control; sid:2021032; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:exploit-kit; sid:2021034; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:exploit-kit; sid:2021034; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:exploit-kit; sid:2021039; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:exploit-kit; sid:2021039; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01 00 44|"; depth:4; content:"|00 01 00 08|"; distance:16; within:4; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tools.ietf.org/html/rfc5389; classtype:protocol-command-decode; sid:2018908; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021044; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021043; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:exploit-kit; sid:2021046; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:exploit-kit; sid:2021046; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:exploit-kit; sid:2021047; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:exploit-kit; sid:2021047; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:exploit-kit; sid:2021048; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:exploit-kit; sid:2021048; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:command-and-control; sid:2021050; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
@@ -19752,69 +18042,61 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Linux.Mumblehard Sp
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RHi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021063; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:to_server,established; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:command-and-control; sid:2021065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021063; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:2; metadata:created_at 2015_05_07, former_category INFO, updated_at 2015_05_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:2; metadata:created_at 2015_05_08, former_category INFO, updated_at 2015_05_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_14, former_category CURRENT_EVENTS, updated_at 2015_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_15, former_category CURRENT_EVENTS, updated_at 2015_04_15;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_09, updated_at 2015_05_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017024; rev:4; metadata:created_at 2013_06_17, former_category CURRENT_EVENTS, updated_at 2013_06_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017024; rev:4; metadata:created_at 2013_06_18, former_category CURRENT_EVENTS, updated_at 2013_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021086; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021086; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2015_05_13;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021096; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:command-and-control; sid:2020671; rev:3; metadata:created_at 2015_03_11, former_category MALWARE, updated_at 2015_03_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:command-and-control; sid:2021102; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern:15,20; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021109; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:domain-c2; sid:2021102; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021109; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021090; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021112; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021112; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021113; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021113; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:command-and-control; sid:2021106; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:domain-c2; sid:2021106; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_10, updated_at 2013_06_10;)
+#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_27, updated_at 2012_12_27;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:targeted-activity; sid:2021116; rev:2; metadata:created_at 2015_05_19, former_category MALWARE, updated_at 2015_05_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern:16,20; threshold:type both,track by_src,count 2,seconds 10; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:2; metadata:created_at 2014_12_22, former_category TROJAN, updated_at 2017_11_27;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021121; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021121; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
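Review bot: The refreshed rules in this hunk switch several ABUSE.CH cert signatures to `classtype:domain-c2` (sids 2021086, 2021096, 2021102, 2021112, 2021113, 2021106, 2021121) and add `mitre_tactic_id`/`mitre_technique_id` metadata keys, but every one of those lines is commented out with a leading `#`, so this rule-parse fixture never pushes the new classtype or the new metadata keys through the parser. If the test's `classification.config` does not define `domain-c2`, Suricata would presumably fall back to a default priority with a warning rather than reject the rule, so the fixture could keep passing while hiding the mismatch; it is worth confirming the classification file and the test's expected warning/error counts alongside this refresh, or enabling one `domain-c2` rule so the new classtype is actually exercised. The only active rules touched here (sids 2021076, 2020911, 2019835, 2019836, 2016101) change just their `created_at`/`updated_at` dates by one day, which looks like an upstream timestamp artifact and has no parse-time effect.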
@@ -19824,17 +18106,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT17 Cn
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021149; rev:1; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2015_05_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021149; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_05_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021154; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021154; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021155; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021155; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:external-ip-check; sid:2021161; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:external-ip-check; sid:2021161; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
 alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
@@ -19842,55 +18124,53 @@ alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021175; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021175; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
 
 alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021186; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021186; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:exploit-kit; sid:2021157; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021192; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021192; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021193; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021193; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021196; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021196; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021197; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021197; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021198; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021198; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021199; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021199; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021208; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021208; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021209; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021209; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021210; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021210; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021211; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021211; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021212; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021212; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:exploit-kit; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern:11,20; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018394; rev:7; metadata:created_at 2014_04_16, former_category TROJAN, updated_at 2017_11_27;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021220; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021220; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021221; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021221; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021222; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021222; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021223; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021223; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021224; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021224; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
@@ -19918,15 +18198,13 @@ alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing
 
 #alert tcp any any -> any [139,445] (msg:"ET DELETED Possible Duqu 2.0 Accessing SMB/SMB2 backdoor"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"tttttttt"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021243; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:2; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern:55,20; isdataat:!3,relative; classtype:exploit-kit; sid:2021249; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cryptolocker C2 SSL cert serial"; flow:established,to_client; content:"|b3 b2 82 08 58 32 5e 8e|"; fast_pattern:only; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:command-and-control; sid:2021260; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:exploit-kit; sid:2020497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_21, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:exploit-kit; sid:2020497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_22, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; nocase; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016588; rev:15; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
 
@@ -19936,7 +18214,7 @@ alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:trojan-activity; sid:2021273; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:domain-c2; sid:2021273; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -19946,8 +18224,6 @@ alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing June 16 2015 M3"; flow:established,to_client; file_data; content:"<title>Virus Firewall Alert!</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; content:"popup-mac-warning.png"; nocase; distance:0; classtype:social-engineering; sid:2021287; rev:2; metadata:created_at 2015_06_17, updated_at 2015_06_17;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 2d 4a 53 08 27 aa b4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2021289; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in 2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 02|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,acccfa6107c712a63b1473d524461163; classtype:trojan-activity; sid:2021290; rev:1; metadata:created_at 2015_06_17, former_category TROJAN, updated_at 2017_12_11;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2021291; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)
@@ -19960,15 +18236,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious JS
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021301; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2015_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021314; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021314; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021315; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021315; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin 2 "; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021316; rev:1; metadata:created_at 2015_06_22, former_category MALWARE, updated_at 2015_06_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin 2"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021316; rev:1; metadata:created_at 2015_06_22, former_category MALWARE, updated_at 2015_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern:21,20; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:exploit-kit; sid:2021038; rev:4; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021320; rev:2; metadata:created_at 2015_06_22, updated_at 2015_06_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021320; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)
 
 #alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET MALWARE Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)
 
@@ -19976,41 +18250,41 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT suspicious VB
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"/ie7.html"; http_uri; classtype:exploit-kit; sid:2018932; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021339; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021339; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021340; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021340; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021341; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021341; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021342; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021342; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021343; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021343; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021344; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021344; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021345; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021345; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021346; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021346; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021347; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021347; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021348; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021348; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021349; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021349; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021350; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021350; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M1 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; offset:49; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"|0d 0a|Host|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020385; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_10, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021353; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021353; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021354; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021354; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021355; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021355; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; classtype:exploit-kit; sid:2021360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
@@ -20020,85 +18294,69 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticse
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015698; rev:3; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern:46,20; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:exploit-kit; sid:2021374; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:command-and-control; sid:2021375; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:domain-c2; sid:2021375; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:command-and-control; sid:2021379; rev:2; metadata:created_at 2015_07_06, former_category MALWARE, updated_at 2015_07_06;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:command-and-control; sid:2021379; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dridex SSL Cert July 6 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 0e 34 be 9a f3 1e d7|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:8; reference:md5,0facc32fc6f9c67650575c8a8298bef2; classtype:trojan-activity; sid:2021380; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:command-and-control; sid:2021385; rev:1; metadata:created_at 2015_07_06, former_category MALWARE, updated_at 2015_07_06;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:command-and-control; sid:2021385; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_01, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|08|portable"; distance:1; within:9; content:"|55 04 03|"; distance:0; content:"|0b|nintendo.jp"; distance:1; within:12; classtype:trojan-activity; sid:2021388; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:command-and-control; sid:2021389; rev:1; metadata:created_at 2015_07_07, former_category MALWARE, updated_at 2015_07_07;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:command-and-control; sid:2021389; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021391; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021391; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:exploit-kit; sid:2014171; rev:5; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2012_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:exploit-kit; sid:2014171; rev:5; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_14, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:exploit-kit; sid:2017793; rev:4; metadata:created_at 2013_12_04, updated_at 2013_12_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:exploit-kit; sid:2017793; rev:4; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021397; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021397; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup ip-api.com"; flow:established,to_server; content:"GET"; http_method; content:"/xml"; http_uri; content:"ip-api.com"; fast_pattern:only; http_header; classtype:external-ip-check; sid:2021406; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021393; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021393; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021411; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021411; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021417; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.visionresearch.com"; distance:1; within:23; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021419; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 3d d6|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021420; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021417; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021421; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_03_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 5"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|extranet.qualityplanning.com"; distance:1; within:29; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021422; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|14|edadmin.kearsney.com"; distance:1; within:21; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021423; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|13|redbluffchamber.com"; distance:1; within:20; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021424; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|Connectads.com"; distance:1; within:15; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021426; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021426; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021427; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021427; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021428; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30"; flow:to_server,established; dsize:>11; content:"|78 5e|"; offset:13; depth:2; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,aa717cce1ccfc766e0c8ad7a217f4be3; classtype:command-and-control; sid:2018193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021428; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:command-and-control; sid:2019601; rev:6; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2014_10_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; urilen:3; content:"/dd"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; classtype:exploit-kit; sid:2018934; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021431; rev:2; metadata:created_at 2015_07_16, former_category MALWARE, updated_at 2015_07_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021431; rev:2; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2015_07_17;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021436; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021436; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:command-and-control; sid:2021437; rev:1; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2015_07_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:command-and-control; sid:2021437; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021445; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021445; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021446; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021446; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 20 2015 M3"; flow:to_client,established; file_data; content:"html class=|22|js js sessionstorage|22|"; fast_pattern:13,20; content:"getURLParameter"; distance:0; content:"Toll Free"; nocase; distance:0; content:"myFunction|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2021448; rev:2; metadata:created_at 2015_07_20, updated_at 2015_07_20;)
 
@@ -20106,11 +18364,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.Sotdas/
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:command-and-control; sid:2021503; rev:1; metadata:created_at 2015_07_21, former_category MALWARE, malware_family QRat, updated_at 2018_03_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:command-and-control; sid:2021503; rev:1; metadata:created_at 2015_07_22, former_category MALWARE, malware_family QRat, updated_at 2018_03_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_21, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_21, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK SilverLight Payload Request - May 2014"; flow:established,to_server; urilen:71<>79; content:!"/aHR0c"; depth:6; http_uri; content:!"/Uk0v"; depth:5; http_uri; content:"="; http_uri; offset:71; depth:6; pcre:"/^\/[-a-zA-Z0-9_]{70,75}==?$/U"; reference:url,blogs.cisco.com/security/angling-for-silverlight-exploits/; classtype:exploit-kit; sid:2018497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
@@ -20120,61 +18378,53 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:exploit-kit; sid:2021510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_22, updated_at 2015_07_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:social-engineering; sid:2020623; rev:3; metadata:created_at 2015_03_05, updated_at 2015_03_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|obama team"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021513; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021512; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021512; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021515; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021515; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021514; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021514; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021516; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021516; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021517; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021517; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021519; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021519; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 23 2015"; flow:to_client,established; file_data; content:"navigator.sayswho"; content:"alertforSecuity"; fast_pattern; distance:0; content:"Firefox"; distance:0; content:"Chrome"; distance:0; content:"Netscape"; distance:0; classtype:social-engineering; sid:2021522; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021524; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021525; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!7,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021524; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=bfbc0b106a440c111a42936906d36643; reference:url,www.threatexpert.com/report.aspx?md5=2190a2c0a3775bc9c60629ec2eb6f3b9; classtype:command-and-control; sid:2012842; rev:3; metadata:created_at 2011_05_25, former_category MALWARE, updated_at 2011_05_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021525; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021529; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:md5,2190a2c0a3775bc9c60629ec2eb6f3b9; reference:md5,bfbc0b106a440c111a42936906d36643; classtype:command-and-control; sid:2012842; rev:3; metadata:created_at 2011_05_25, former_category MALWARE, updated_at 2011_05_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021541; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021529; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29  29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74  6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern:25,20; classtype:exploit-kit; sid:2021544; rev:2; metadata:created_at 2015_07_28, updated_at 2015_07_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021541; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021546; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021546; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021553; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021553; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:exploit-kit; sid:2021559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:exploit-kit; sid:2021559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021563; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021563; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:to_server,established; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2017988; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021565; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021565; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021566; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021566; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021568; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021568; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
@@ -20186,71 +18436,61 @@ alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:exploit-kit; sid:2018909; rev:4; metadata:created_at 2014_08_07, former_category EXPLOIT_KIT, updated_at 2014_08_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019604; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020961; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019604; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021530; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020961; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021562; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021530; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021562; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT  CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 12 85|"; distance:0; content:"|55  04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021591; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021592; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021592; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021593; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021593; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021594; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021594; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2015_08_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021596; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:to_server,established; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:command-and-control; sid:2018488; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:command-and-control; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021596; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021598; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021598; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021599; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021599; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017841; rev:4; metadata:created_at 2013_12_11, former_category EXPLOIT_KIT, updated_at 2013_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017841; rev:4; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern:15,20; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:2; metadata:created_at 2015_08_10, updated_at 2015_08_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021602; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021602; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021603; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021603; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021604; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M1"; flow:to_client,established; file_data; content:"eval|28|"; pcre:"/^[a-z]\x29/Rsi"; content:"Problems in loading internet explorer"; distance:0; content:"Try again after update your systems."; distance:0; fast_pattern:16,20; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021609; rev:2; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2015_08_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021604; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, updated_at 2015_08_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021585; rev:3; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2015_08_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021585; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021613; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021613; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021614; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021614; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2016155; rev:7; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021622; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021622; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021623; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021623; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021633; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021633; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021635; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021635; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021636; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021636; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021634; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021634; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8; metadata:created_at 2013_08_13, former_category INFO, updated_at 2013_08_13;)
 
@@ -20336,15 +18576,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - N
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021684; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021686; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021686; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021687; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021688; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021695; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021695; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:exploit-kit; sid:2021696; rev:2; metadata:created_at 2015_08_19, updated_at 2015_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:exploit-kit; sid:2021696; rev:2; metadata:created_at 2015_08_20, updated_at 2015_08_20;)
 
 alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server response inbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021701; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)
 
@@ -20352,37 +18592,33 @@ alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server r
 
 #alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:exploit-kit; sid:2021694; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021703; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021704; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021705; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021703; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021706; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021704; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_24, former_category CURRENT_EVENTS, updated_at 2015_08_24;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021705; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern:13,20; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:3; metadata:created_at 2015_08_25, updated_at 2015_08_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021706; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,little,post_offset -10; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5,}.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2021716; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_25, former_category CURRENT_EVENTS, updated_at 2015_08_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021717; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021717; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017413; rev:3; metadata:created_at 2013_09_03, former_category MALWARE, updated_at 2013_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017413; rev:3; metadata:created_at 2013_09_04, former_category MALWARE, updated_at 2013_09_04;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021722; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021722; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021721; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021721; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021720; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021720; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021725; rev:2; metadata:created_at 2015_08_27, former_category EXPLOIT_KIT, updated_at 2015_08_27;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:exploit-kit; sid:2021707; rev:3; metadata:created_at 2015_08_24, former_category EXPLOIT_KIT, updated_at 2015_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:command-and-control; sid:2021724; rev:3; metadata:created_at 2015_08_27, former_category MALWARE, updated_at 2015_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:command-and-control; sid:2021724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:targeted-activity; sid:2021726; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
@@ -20390,15 +18626,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Cl
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:targeted-activity; sid:2021728; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021731; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021731; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021732; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021732; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021733; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021733; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021734; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021734; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:exploit-kit; sid:2021740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:exploit-kit; sid:2021740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:exploit-kit; sid:2020426; rev:3; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
@@ -20406,15 +18642,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Double-Encode
 
 #alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE PredatorPain Keylogger FTP Activity"; flow:established,to_server; dsize:21; content:"USER|20|panzerhund2015|0d 0a|"; fast_pattern:5,14; reference:url,malwareconfig.com/stats/PredatorPain; reference:md5,e5ddca929924e4f34cb18692f09ac424; classtype:trojan-activity; sid:2021745; rev:1; metadata:created_at 2015_09_04, updated_at 2015_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:command-and-control; sid:2021748; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:command-and-control; sid:2021748; rev:2; metadata:created_at 2015_09_08, former_category MALWARE, updated_at 2015_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021750; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021750; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021751; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive</title>"; fast_pattern:7,20; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; classtype:social-engineering; sid:2025004; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021751; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021755; rev:2; metadata:created_at 2015_09_09, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
 
@@ -20424,43 +18656,37 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:exploit-kit; sid:2021064; rev:3; metadata:created_at 2015_05_07, updated_at 2015_05_07;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern:18,20; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021762; rev:2; metadata:created_at 2015_09_12, updated_at 2015_09_12;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021767; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021767; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021769; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021769; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021770; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021770; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021771; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021771; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 805c 5f ec 50 39 a2 14|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2021772; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:2; metadata:created_at 2015_09_14, updated_at 2015_09_14;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021776; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021776; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021777; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021777; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021778; rev:2; metadata:created_at 2015_09_15, former_category EXPLOIT_KIT, updated_at 2015_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021779; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021779; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021780; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021780; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021781; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021781; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021782; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021782; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021783; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021783; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021784; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021784; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:command-and-control; sid:2021785; rev:3; metadata:created_at 2015_09_15, former_category MALWARE, updated_at 2015_09_15;)
+alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:command-and-control; sid:2021785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 3"; flow:established,to_server; content:"ZEV4ZWN"; http_uri; classtype:trojan-activity; sid:2012923; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
@@ -20468,75 +18694,77 @@ alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 2"; flow:established,to_server; content:"bWRFeGVj"; http_uri; classtype:trojan-activity; sid:2012922; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021789; rev:2; metadata:created_at 2015_09_16, former_category MALWARE, updated_at 2015_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021789; rev:2; metadata:created_at 2015_09_17, former_category MALWARE, updated_at 2015_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET MALWARE PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021791; rev:1; metadata:created_at 2015_09_16, former_category MALWARE, updated_at 2015_09_16;)
+alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET MALWARE PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021791; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021797; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021797; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021798; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021798; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021799; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021799; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021801; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021801; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021802; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021802; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021803; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021803; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021804; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021804; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021805; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021805; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021809; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021809; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021810; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021810; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Meterpreter or Other Reverse Shell SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|04 08 bb 00 ee|"; distance:23; within:5; fast_pattern; content:"|55 04 06 13 00|"; distance:0; content:"|55 04 08 13 00|"; distance:0; content:"|55 04 07 13 00|"; distance:0; content:"|55 04 0a 13 00|"; distance:0; content:"|55 04 0b 13 00|"; distance:0; content:"|55 04 03 13 00|"; distance:0; reference:md5,c3f76f444edf0b90b887d7979342e9f0; classtype:trojan-activity; sid:2035651; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:command-and-control; sid:2021815; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:domain-c2; sid:2021815; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:command-and-control; sid:2021816; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:domain-c2; sid:2021816; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021817; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021817; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021818; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021818; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:command-and-control; sid:2021819; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:domain-c2; sid:2021819; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021823; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021823; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021824; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021824; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021825; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021825; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021826; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021826; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021827; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021827; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021828; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021828; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:exploit-kit; sid:2021840; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:command-and-control; sid:2021842; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:domain-c2; sid:2021842; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:command-and-control; sid:2021843; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:command-and-control; sid:2021844; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021844; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021845; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021845; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2; metadata:created_at 2015_09_29, former_category CURRENT_EVENTS, updated_at 2015_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2; metadata:created_at 2015_09_30, former_category CURRENT_EVENTS, updated_at 2015_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021863; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021863; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021864; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021864; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021865; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021865; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021866; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021866; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -20550,31 +18778,33 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScrip
 
 #alert tcp $EXTERNAL_NET 6112 -> $HOME_NET !443 (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flow:to_client; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021884; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021884; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021885; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021885; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:exploit-kit; sid:2019542; rev:7; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
 #alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021887; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021887; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021888; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021888; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-02"; flow:to_client,established; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"Thank you</title>"; nocase; distance:0; content:"information.Your submitted"; nocase; distance:0; content:"Accounts Management Department in 24 hours"; nocase; distance:0; classtype:credential-theft; sid:2031686; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2015_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021895; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021895; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021896; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021896; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021897; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021897; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021898; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021898; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; http_uri; nocase; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; http_uri; nocase; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008055; classtype:command-and-control; sid:2008055; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -20588,19 +18818,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScrip
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response port 443"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008060; classtype:command-and-control; sid:2008060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021902; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021902; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021903; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021903; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021904; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021904; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:exploit-kit; sid:2021908; rev:3; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021909; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021909; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021910; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021910; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021911; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021911; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 1"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|Priv|20|Version"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021912; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
@@ -20612,17 +18842,17 @@ alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 4"; flow:es
 
 alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 5"; flow:established,from_server; content:"NOTICE"; content:"|3a|Flooding with TCP"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021916; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021920; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021920; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021921; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021921; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021899; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021899; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021924; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021924; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021925; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021925; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021926; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021926; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; classtype:policy-violation; sid:2003315; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -20630,9 +18860,7 @@ alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 5"; flow:es
 
 #alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; classtype:policy-violation; sid:2009970; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)
-
-#alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"ET MALWARE MSIL/Banker.M Downloading Binary from SQL"; flow:established,to_client; content:"|03 00|d|00|b|00|o|00 09 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 03|i|00|m|00|g"; fast_pattern:14,20; content:"This program cannot be run"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021931; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -20672,37 +18900,35 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Co
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021937; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021937; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|06|Denial"; distance:1; within:7; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0b|Springfield"; distance:1; within:12; content:"|55 04 0a|"; distance:0; content:"|03|Dis"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021938; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021932; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021933; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021933; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021934; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021934; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; dsize:100<>300; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:command-and-control; sid:2013214; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021940; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021940; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021945; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021945; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:command-and-control; sid:2021947; rev:3; metadata:created_at 2015_10_12, former_category MALWARE, updated_at 2015_10_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:command-and-control; sid:2021947; rev:3; metadata:created_at 2015_10_13, former_category MALWARE, updated_at 2015_10_13;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;)
 
 #alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021950; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021950; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -20714,11 +18940,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021957; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021957; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021958; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021958; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021959; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021959; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack"; flow:to_server,established; content:"/index.php?"; http_uri; nocase; content:"select="; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/URi"; reference:bugtraq,15068; reference:url,doc.emergingthreats.net/2002494; classtype:web-application-attack; sid:2002494; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
@@ -20732,15 +18958,13 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; classtype:exploit-kit; sid:2021972; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:"/index.php?"; http_uri; content:"="; distance:1; within:1; http_uri; content:!"=aHR0"; http_uri; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2030249; rev:6; metadata:created_at 2013_10_01, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021980; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_10_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:domain-c2; sid:2021980; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; classtype:policy-violation; sid:2021983; rev:2; metadata:created_at 2015_10_20, former_category POLICY, updated_at 2015_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021981; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021981; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021982; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021982; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2; metadata:created_at 2015_10_21, former_category EXPLOIT, updated_at 2015_10_21;)
 
@@ -20760,9 +18984,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NetWire Variant -
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"<title>Sign in</title>"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; classtype:social-engineering; sid:2025692; rev:2; metadata:created_at 2015_10_22, former_category CURRENT_EVENTS, updated_at 2018_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021993; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021993; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021994; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021994; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)
 
@@ -20778,23 +19002,23 @@ alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Serv
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:exploit-kit; sid:2021708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022004; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022004; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_27, updated_at 2015_10_27;)
+#alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_28, updated_at 2015_10_28;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:exploit-kit; sid:2022009; rev:3; metadata:created_at 2015_10_29, updated_at 2015_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:command-and-control; sid:2022021; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:domain-c2; sid:2022021; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:social-engineering; sid:2022029; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
@@ -20804,9 +19028,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cybergate/Rebhip/S
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022036; rev:2; metadata:created_at 2015_11_04, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:exploit-kit; sid:2017993; rev:9; metadata:created_at 2014_01_21, former_category MALWARE, updated_at 2014_01_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"var translate_dict = {"; nocase; content:"VERIFICATION_CODE"; nocase; distance:0; fast_pattern; content:"VERIFICATION_CODE_REQUIRED"; nocase; distance:0; content:"NOT_BEGIN_OR_END_WITH_SPACE"; nocase; distance:0; content:"USERNAME_ALL_NUMERIC"; nocase; distance:0; content:"PASSWORDS_DONT_MATCH"; nocase; distance:0; content:"PWD_HINT_REQUIRED"; nocase; distance:0; content:"PASSWORD_MATCHES_USERNAME"; nocase; distance:0; content:"REQUEST_PASSWORD_RESET"; nocase; distance:0; content:"ENTER_VALID_VERIFICATION_CODE"; nocase; distance:0; content:"PASSWORD_MATCH_HINT"; nocase; distance:0; content:"Your work here is done"; nocase; distance:0; content:"Yikes! Something's gone wrong."; nocase; distance:0; classtype:social-engineering; sid:2031691; rev:2; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2015_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:social-engineering; sid:2025656; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:exploit-kit; sid:2017993; rev:9; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2014_01_22;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:command-and-control; sid:2022047; rev:1; metadata:created_at 2015_11_09, former_category MALWARE, updated_at 2015_11_09;)
 
@@ -20824,31 +19048,31 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat C
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PK/Compressed doc/JAR header"; flow:from_server,established; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,ET.zipfile; flowbits:noalert; classtype:misc-activity; sid:2022055; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:trojan-activity; sid:2022056; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:domain-c2; sid:2022056; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022057; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022057; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022058; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022058; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022059; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022059; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022060; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022060; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022061; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022061; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:command-and-control; sid:2022062; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:command-and-control; sid:2022062; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:command-and-control; sid:2022063; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:command-and-control; sid:2022063; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:command-and-control; sid:2022064; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:command-and-control; sid:2022064; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:trojan-activity; sid:2022065; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:domain-c2; sid:2022065; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:trojan-activity; sid:2022066; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:domain-c2; sid:2022066; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:trojan-activity; sid:2022067; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:domain-c2; sid:2022067; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022069; rev:1; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2015_11_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022069; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
 alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019214; rev:2; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
@@ -20866,13 +19090,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Mal
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019215; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern:9,20; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2021746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_04, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2015_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:created_at 2015_11_11, updated_at 2015_11_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022076; rev:1; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022076; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022077; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022077; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:social-engineering; sid:2022083; rev:2; metadata:created_at 2015_11_13, updated_at 2015_11_13;)
 
@@ -20880,29 +19102,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; classtype:credential-theft; sid:2022085; rev:2; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022088; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022087; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022089; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022088; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 9f b1 5c 37 90 8a 2e b7|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022095; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022089; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 81 32 f4 d9 2c 39 c3 06|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022096; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 b4 78 3d 3f bf 60 b9 94|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022097; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:6; metadata:created_at 2015_08_10, former_category CURRENT_EVENTS, updated_at 2015_08_10;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 e9 29 af 96 2b 99 e2|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c1 3b 57 1a 83 a5 b1 4a|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022099; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|1a|certs_division@sslslf.info"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022100; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.hot-sex-tube.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022101; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|1d|International Security Depart"; distance:1; within:30; content:"|55 04 03|"; distance:0; content:"|0c|www.mgid.org"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022102; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:6; metadata:created_at 2015_08_11, former_category CURRENT_EVENTS, updated_at 2015_08_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
@@ -20922,9 +19128,15 @@ alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Objec
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022093; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022130; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-20"; flow:established,from_server; file_data; content:"<title>Google Drive"; fast_pattern; nocase; content:"For security reasons"; nocase; distance:0; content:"select your email provider"; nocase; distance:0; content:"enter your email and password"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2031701; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webmail Phishing Landing 2015-11-21"; flow:established,from_server; file_data; content:"login.live.com"; nocase; content:"<title>Sign In"; nocase; distance:0; fast_pattern; content:"Generic Password Error Message"; nocase; distance:0; content:"enter your email address"; nocase; distance:0; content:"Microsoft account"; nocase; distance:0; classtype:social-engineering; sid:2031702; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022129; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Phishing 2015-11-21"; flow:established,from_server; file_data; content:"<title>Outlook"; fast_pattern; nocase; content:"http-equiv=|22|refresh"; nocase; distance:0; content:"Update successful"; nocase; distance:0; content:"your account verification information"; nocase; distance:0; content:"emailed to you shortly"; nocase; distance:0; classtype:credential-theft; sid:2031703; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022130; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022129; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Evil EXE download from MSXMLHTTP non-exe extension M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022052; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)
 
@@ -20932,7 +19144,7 @@ alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Objec
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rincux CnC"; content:"|02 00 00 00|"; fast_pattern; depth:4; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Rs"; content:"|00 00 00 00|"; distance:0; flowbits:isset,ET.Rincux; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022132; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022133; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022133; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (2)"; flow:established,to_client; file_data; content:"|29 26 9a 62 39 55 b6 0d|"; distance:4; within:8; classtype:trojan-activity; sid:2022139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
@@ -20942,26 +19154,22 @@ alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Objec
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; content:!"User-Agent"; http_header; nocase; content:!"Accept"; http_header; nocase; content:!"Referer"; nocase; http_header; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; classtype:exploit-kit; sid:2021158; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9af77f89a565143983fa008bbd8eedee; classtype:command-and-control; sid:2018181; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_26, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern:31,20; pcre:"/^\d+\x3b/R"; classtype:exploit-kit; sid:2021338; rev:11; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|55 04 03|"; distance:0; content:"|09|eDellRoot"; distance:1; within:10; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,from_server; content:"|55 04 06|"; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 08|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 0a|"; distance:0; content:"|09|Send-Safe"; fast_pattern; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|09|Send-Safe"; distance:1; within:10; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHP/Mayhem Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:".php HTTP/1.0|0d 0a|"; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf; classtype:trojan-activity; sid:2022195; rev:2; metadata:created_at 2015_11_30, updated_at 2015_11_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021269; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING cPanel Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"<title>Please wait.."; nocase; fast_pattern; content:"form id=|22|myForm|22|"; nocase; distance:0; content:"name=|22|myForm|22|"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; content:"name=|22|email|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"name=|22|submit|22|"; nocase; distance:0; classtype:social-engineering; sid:2031704; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"id=|22|Anonisma"; fast_pattern; nocase; content:"class=|22|Anonisma"; nocase; distance:0; classtype:social-engineering; sid:2031705; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; depth:120; classtype:bad-unknown; sid:2011355; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
@@ -20978,7 +19186,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mai
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, former_category CURRENT_EVENTS, updated_at 2011_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
 
@@ -20986,17 +19194,17 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mai
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:exploit-kit; sid:2014136; rev:7; metadata:created_at 2012_01_18, updated_at 2012_01_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:exploit-kit; sid:2014136; rev:7; metadata:created_at 2012_01_19, updated_at 2012_01_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:exploit-kit; sid:2014168; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:exploit-kit; sid:2014168; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:exploit-kit; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:exploit-kit; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:exploit-kit; sid:2014316; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:exploit-kit; sid:2014316; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; depth:8; content:"|20 28|qwe123"; classtype:trojan-activity; sid:2014368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -21022,9 +19230,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - p
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:exploit-kit; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -21038,23 +19246,19 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_21, former_category CURRENT_EVENTS, updated_at 2012_06_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0;  reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:exploit-kit; sid:2014981; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_02, former_category CURRENT_EVENTS, updated_at 2012_07_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_03, former_category CURRENT_EVENTS, updated_at 2012_07_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
@@ -21064,7 +19268,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
@@ -21072,7 +19276,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015574; rev:5; metadata:created_at 2012_08_03, former_category EXPLOIT_KIT, updated_at 2012_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015574; rev:5; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
@@ -21082,71 +19286,55 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL -
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:exploit-kit; sid:2016166; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:exploit-kit; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_17, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:exploit-kit; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:exploit-kit; sid:2013699; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:to_server,established; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:command-and-control; sid:2018486; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:to_server,established; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:command-and-control; sid:2018487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022208; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022208; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022212; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022212; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Server Banner)"; flow:established,from_server; content:"***|0d 0a|*|20 20 20 20 20 20 20 20|WELCOME TO THE BALL PIT|20 20 20 20 20 20 20 20|*|0d 0a|"; fast_pattern:14,20; content:"*|20 20 20 20 20|Now with|20|"; distance:0; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022214; rev:1; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2015_12_03;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/KDefend Checkin"; flow:established,to_server; content:"c|00|h|00|i|00|n|00|a|00 00 00|"; offset:16; depth:12; fast_pattern; content:"|20|MB|00|"; within:10; content:"/proc/stat|00|cpu|00|"; within:21; reference:url,blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html; classtype:command-and-control; sid:2022219; rev:3; metadata:created_at 2015_12_04, former_category MALWARE, updated_at 2015_12_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.iBryte.B Install"; flow:to_server,established; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern:only; content:"event="; http_uri; content:"_id="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,1497c33eede2a81627c097aad762817f; classtype:trojan-activity; sid:2018194; rev:9; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:pup-activity; sid:2008066; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022078; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022226; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 f2 66 4a 29 e0 7e c2 78|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022227; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022078; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 78 4e 9c a4 ad ab 24|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2022228; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022226; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022230; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022230; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022231; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022231; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 f6 da a5 22 b2 8b 91 be|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022232; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022233; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022233; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022235; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|google.com"; distance:1; within:11; fast_pattern; content:"@google.com"; distance:0; content:"|0a|google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022234; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phish Landing 2015-12-08"; flow:to_client,established; file_data; content:"id=|22|sfm_excel_body|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|Email|22|"; nocase; distance:0; content:"name=|22|Password|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"Keep me signed in"; nocase; distance:0; classtype:social-engineering; sid:2031692; rev:4; metadata:created_at 2015_12_08, former_category PHISHING, updated_at 2015_12_08;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022235; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_08, deployment Datacenter, former_category TROJAN, signature_severity Major, tag Wordpress, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_09, deployment Datacenter, former_category TROJAN, signature_severity Major, tag Wordpress, updated_at 2018_07_18;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible CryptoWall encrypted download"; flow:to_client,established; file_data; byte_test:1,<,12,0; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; pcre:"/^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00/s"; classtype:trojan-activity; sid:2018788; rev:3; metadata:created_at 2014_07_28, updated_at 2014_07_28;)
 
 #alert udp $HOME_NET any -> any [5060,5061,5600] (msg:"ET MALWARE Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022206; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:exploit-kit; sid:2020638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|25|www.signliquideducationdaughter.final"; distance:1; within:38; fast_pattern:18,20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022247; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:exploit-kit; sid:2020638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022248; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022248; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022249; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022249; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022250; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022250; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022251; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022251; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022252; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022252; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M1"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|04|Asia"; distance:1; within:5; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -21162,39 +19350,37 @@ alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL
 
 #alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M7"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0a|Antarctica"; distance:1; within:11; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022259; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022267; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022267; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http [$EXTERNAL_NET,!208.85.44.0/24] $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (3)"; flow:established,to_client; file_data; content:"|dc 18 02|"; distance:4; within:3; pcre:"/^(?:\x62|\x1b)/R"; classtype:trojan-activity; sid:2022140; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022275; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022275; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022276; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022276; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022277; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022277; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022278; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_12_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022278; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CH|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022279; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022286; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022286; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022287; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022287; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022292; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022292; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022293; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022293; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET MALWARE Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:command-and-control; sid:2022294; rev:1; metadata:created_at 2015_12_21, former_category MALWARE, updated_at 2015_12_21;)
+#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET MALWARE Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:command-and-control; sid:2022294; rev:1; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2015_12_22;)
 
 alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2022290; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022301; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022301; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022302; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022302; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
@@ -21202,141 +19388,135 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:3; metadata:created_at 2015_12_23, updated_at 2015_12_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022305; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022305; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022307; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022307; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022308; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022308; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_03, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:exploit-kit; sid:2022312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:exploit-kit; sid:2022313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022321; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Logging in"; nocase; fast_pattern; content:".php?cmd=_"; nocase; distance:0; content:"Hold a while"; nocase; distance:0; content:"Still loading after a few seconds"; nocase; distance:0; classtype:social-engineering; sid:2031706; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022322; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Apple Phish Landing Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>iTunes"; nocase; fast_pattern; content:"Enter Your Password"; nocase; distance:0; content:"<!-- PHOEN!X -->"; nocase; distance:0; classtype:social-engineering; sid:2031693; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:trojan-activity; sid:2022323; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Phish Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Checking Informations"; content:"http-equiv=|22|refresh|22|"; classtype:social-engineering; sid:2031694; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,is_ssh_server_banner; flowbits: set,is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:2; metadata:created_at 2015_12_31, updated_at 2015_12_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022321; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,is_ssh_server_banner; flowbits: set,is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:1; metadata:created_at 2015_12_31, updated_at 2015_12_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022322; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021624; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021624; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:trojan-activity; sid:2022324; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022324; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022328; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022328; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022329; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022329; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_04, updated_at 2016_01_04;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
 
 alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_06, updated_at 2016_01_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_07, updated_at 2016_01_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:exploit-kit; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:exploit-kit; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:2; metadata:created_at 2016_01_06, former_category CURRENT_EVENTS, updated_at 2016_01_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:2; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:4; metadata:created_at 2016_01_06, former_category CURRENT_EVENTS, updated_at 2016_01_06;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:4; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025040; rev:3; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025040; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Host\x3a\x20(?P<host>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?Referer\x3a\x20http\x3a\x2f\x2f(?P=host)\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025041; rev:2; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bulta CnC Beacon "; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:command-and-control; sid:2022345; rev:2; metadata:created_at 2016_01_08, former_category MALWARE, updated_at 2016_01_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bulta CnC Beacon"; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:command-and-control; sid:2022345; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_01_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:created_at 2016_01_11, former_category COINMINER, updated_at 2016_01_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2016_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:created_at 2012_04_25, former_category MALWARE, updated_at 2012_04_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_04_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.STD.ddos Checkin"; flow:established,to_server; dsize:28; content:"2-1Q3@@4V-9-W$p#=A#9c=#W~,|0d 0a|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=2747&start=20#p27639; classtype:command-and-control; sid:2022367; rev:2; metadata:created_at 2016_01_14, former_category MALWARE, updated_at 2016_01_14;)
 
-alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)
+alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;)
-
-alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022385; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022386; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022385; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022387; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022386; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022388; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022387; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022389; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022388; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022390; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022389; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022391; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022390; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022392; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022391; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022393; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022392; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022394; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022393; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022395; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022394; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022396; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022395; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022397; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022396; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022404; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022397; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !5938 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104"; flow:established,to_server; dsize:>11; content:"|78 9c|"; offset:9; depth:21; fast_pattern; byte_test:4,<,65535,-14,relative,little; byte_test:4,<,65535,-10,relative,little; byte_jump:4,-10,relative,little,post_offset 3; isdataat:!2,relative; pcre:"/^.{9,28}\x78\x9c/s"; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2022401; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022404; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022408; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022408; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_28, updated_at 2019_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_29, updated_at 2019_10_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022474; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022474; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022475; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022475; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; classtype:exploit-kit; sid:2021973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022476; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022476; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022478; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022480; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_10;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022478; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021526; rev:2; metadata:created_at 2015_07_23, former_category MALWARE, updated_at 2015_07_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022489; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_04, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022489; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED APT.Fexel Checkin"; flow:established,to_server; content:"agtid="; http_header; content:"08x"; http_client_body; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2019469; rev:6; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:exploit-kit; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:exploit-kit; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -21344,31 +19524,31 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 D
 
 #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
 #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
@@ -21376,13 +19556,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 D
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M4"; flow:established,to_server; urilen:40<>65; content:"4"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020999; rev:4; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
 #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
 
 #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -21390,19 +19570,21 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 D
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022508; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful WZ-REKLAMA Phish 2016-01-08"; flow:to_client,established; file_data; content:"<!--WZ-REKLAMA"; nocase; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; within:8; classtype:credential-theft; sid:2031952; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022509; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022508; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022510; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022509; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022511; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022510; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022512; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022511; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022513; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022512; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022514; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022513; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022514; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:exploit-kit; sid:2017649; rev:6; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
 
@@ -21414,9 +19596,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 D
 
 #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2019752; rev:9; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022521; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022521; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022522; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022522; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_02_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
@@ -21424,15 +19606,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTM
 
 alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022488; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|02|NY"; distance:1; within:3; fast_pattern; content:"|55 04 03|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"admin@"; distance:2; within:6; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022534; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022488; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022536; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022536; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022537; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022537; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:5; metadata:created_at 2012_05_10, updated_at 2012_05_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus Time Check to Microsoft.com"; flow:to_server,established; content:"GET|20 20|HTTP/1.0|0d 0a|"; depth:15; content:"www.microsoft.com"; distance:6; within:23; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:targeted-activity; sid:2022539; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
@@ -21452,37 +19632,45 @@ alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022552; rev:2; metadata:created_at 2016_02_22, former_category MALWARE, updated_at 2016_02_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022553; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022553; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016320; rev:6; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2013_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016320; rev:6; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016371; rev:5; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016402; rev:4; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016402; rev:4; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016495; rev:8; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2013_02_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016495; rev:8; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016506; rev:6; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2013_02_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016506; rev:6; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (4)"; flow:established,to_client; file_data; content:"|f4 ec 9a|"; distance:4; within:4; pcre:"/^(?:\x8b|\xf2)/R"; classtype:trojan-activity; sid:2022141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (1)"; flow:established,to_client; file_data; content:"|01 d2 02 8b e7 98 09 18|"; distance:4; within:8; classtype:trojan-activity; sid:2022138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:exploit-kit; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:exploit-kit; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:exploit-kit; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:exploit-kit; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022571; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022571; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Download (set)"; flow:to_server,established; content:"GET"; http_method; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/\/\?[A-Z]{10,}$/U"; flowbits:set,ET.andromeda; flowbits:noalert; classtype:trojan-activity; sid:2022572; rev:2; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2016_02_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Download"; flow:from_server,established; flowbits:isset,ET.andromeda; content:"200"; http_stat_code; content:"Server|3a 20|nginx"; http_header; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:"Content-Transfer-Encoding|3a| binary|0d 0a|"; fast_pattern:20,15; pcre:"/filename=[a-f0-9]{32}v\.(?:docm|zip)\x0d\x0a/Hmi"; classtype:trojan-activity; sid:2022573; rev:2; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2016_02_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M1"; flow:established,from_server; dsize:17; content:"|0c 00 00 00 00|info=command"; reference:md5,50eb7ae1d3c075dfc9c9e82a9fa9caf5; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:command-and-control; sid:2035903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2015_10_07;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:social-engineering; sid:2022577; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (dirs list)"; flow:established,from_server; content:"dirs=list"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036283; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (folders list)"; flow:established,from_server; content:"fldr="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036284; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (files list)"; flow:established,from_server; content:"fles="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036285; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (ping) M1"; flow:established,from_server; content:"clping=Ping"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:trojan-activity; sid:2035904; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2016_02_17;)
+
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:social-engineering; sid:2022577; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_03_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:3; metadata:created_at 2016_02_26, updated_at 2016_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:3; metadata:created_at 2016_02_27, updated_at 2016_02_27;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
@@ -21490,33 +19678,31 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Nego
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url, drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, former_category POLICY, updated_at 2016_03_02;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2014_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2014_02_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:exploit-kit; sid:2022479; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_21, updated_at 2012_05_21;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:domain-c2; sid:2022613; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:trojan-activity; sid:2022613; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:exploit-kit; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:exploit-kit; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:exploit-kit; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:exploit-kit; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022623; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022623; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022624; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022624; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017871; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017871; rev:7; metadata:created_at 2013_12_16, former_category COINMINER, updated_at 2013_12_16;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:exploit-kit; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_18, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:exploit-kit; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:exploit-kit; sid:2022629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
@@ -21524,27 +19710,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:exploit-kit; sid:2022635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text M2"; flow:established,from_server; file_data; content:"4D5A"; nocase; within:4; content:"50450000"; distance:0; content:"21546869732070726f6772616d"; nocase; fast_pattern; classtype:trojan-activity; sid:2022640; rev:2; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:pup-activity; sid:2014117; rev:4; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; reference:md5,8eaf3b7b72a9af5a85d01b674653ccac; classtype:pup-activity; sid:2014117; rev:4; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:exploit-kit; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:exploit-kit; sid:2022682; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|Wureuzisen"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022684; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022685; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022685; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:created_at 2016_03_25, updated_at 2016_03_25;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_03_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, updated_at 2016_03_31;)
 
@@ -21552,23 +19736,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.j
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:created_at 2015_03_19, former_category MALWARE, updated_at 2015_03_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, signature_severity Major, updated_at 2020_08_20;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 9d a8 74 c5 50 98 dd 09|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022306; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:trojan-activity; sid:2022713; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_04_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:domain-c2; sid:2022713; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, former_category MALWARE, updated_at 2018_10_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:exploit-kit; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:exploit-kit; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:exploit-kit; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:exploit-kit; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
 #alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; flow:to_server; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -21576,19 +19758,19 @@ alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Att
 
 #alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022714; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022714; rev:3; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022733; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022733; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022734; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022734; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022735; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022735; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:exploit-kit; sid:2020300; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:exploit-kit; sid:2014438; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_raw_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:4; metadata:created_at 2012_07_26, updated_at 2012_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_raw_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN - 302 Redirect"; flow:established,from_server; content:"Cookie|3a| Hello-friend="; http_raw_header; classtype:bad-unknown; sid:2011920; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
@@ -21606,25 +19788,21 @@ alert tcp any !80 -> $HOME_NET any (msg:"ET EXPLOIT Open MGate Device"; flow:est
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:3; metadata:created_at 2012_08_28, updated_at 2016_04_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:3; metadata:created_at 2012_08_29, updated_at 2016_04_29;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blizzard Downloader"; flow: established,to_server; content: "User-Agent|3a| Blizzard Downloader"; nocase; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002855; classtype:policy-violation; sid:2002855; rev:8; metadata:created_at 2010_07_30, updated_at 2016_04_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105"; flow:to_server,established; dsize:>11; content:"|4a ae|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xae/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ba6eaf301344de6fe1e079fa960bc698; classtype:command-and-control; sid:2022773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED String Replace in PDF File, Likely Hostile"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:".replace|28|"; nocase; reference:url,www.w3schools.com/jsref/jsref_replace.asp; classtype:bad-unknown; sid:2011504; rev:6; metadata:created_at 2010_09_27, updated_at 2016_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:exploit-kit; sid:2022779; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; nocase; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:13; metadata:created_at 2010_09_23, updated_at 2016_05_04;)
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED FedEX Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|FedEX_"; nocase; classtype:trojan-activity; sid:2011979; rev:3; metadata:created_at 2010_11_24, updated_at 2016_05_04;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022795; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022795; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022796; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022796; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:trojan-activity; sid:2022799; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_09, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:domain-c2; sid:2022799; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
@@ -21632,7 +19810,7 @@ alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:exploit-kit; sid:2022805; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Status Messages"; flow:established,to_server; content:".php?context="; fast_pattern; http_uri; content:"&status="; http_uri; distance:0; content:"&sesid="; http_uri; distance:0; content:"&iid="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022808; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
@@ -21642,39 +19820,37 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploi
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre SSL Cert venturesonsite.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|venturesonsite.com"; distance:1; within:19; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022736; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022736; rev:4; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:command-and-control; sid:2022833; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:domain-c2; sid:2022833; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:created_at 2016_05_25, updated_at 2016_05_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:created_at 2016_05_25, updated_at 2016_05_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing May 31 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025043; rev:2; metadata:created_at 2016_05_31, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:command-and-control; sid:2022861; rev:1; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2016_06_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1;  content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:exploit-kit; sid:2022869; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022877; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022877; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022878; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022878; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022879; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022879; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022868; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022868; rev:4; metadata:attack_target Client_and_Server, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022880; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022880; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET MALWARE Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022882; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
 
@@ -21702,43 +19878,31 @@ alert tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET MALWARE Qarallax RAT Keep
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025045; rev:2; metadata:created_at 2016_06_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021521; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021521; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"data="; nocase; http_client_body; depth:5; content:"ew0KCSJhZGRyZXNzIiA6"; fast_pattern; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:command-and-control; sid:2022891; rev:2; metadata:created_at 2016_06_13, former_category MALWARE, updated_at 2016_06_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; dsize:>11; content:"kuroro"; depth:6; byte_jump:4,0,relative,little,from_beginning; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2022885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)
 
-#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert;  reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:1; metadata:created_at 2016_06_14, former_category NETBIOS, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL DELETED WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:8; metadata:created_at 2010_09_23, updated_at 2016_06_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; reference:url,www.threatexpert.com/report.aspx?md5=d6b3baae9fb476f0cf3196e556cab348; classtype:command-and-control; sid:2012892; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 60 fe ed 86 b8 81 83|"; within:35; content:"|55 04 0a|"; content:"|0b|Sinkhole.Ru"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|01 2a|"; distance:1; within:2; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022907; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0e|Sinkhole Party"; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|08|sinkhole"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022908; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:md5,d6b3baae9fb476f0cf3196e556cab348; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; classtype:command-and-control; sid:2012892; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
 #alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:pup-activity; sid:2018617; rev:6; metadata:created_at 2014_01_13, former_category ADWARE_PUP, updated_at 2016_06_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LoadMoney User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader 18.7|0d 0a|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022911; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category MALWARE, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"<script>"; within:500; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>\s*<object(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025046; rev:2; metadata:created_at 2016_06_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
 alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1; metadata:created_at 2016_06_24, updated_at 2016_06_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|4b7gf8bngf877"; fast_pattern; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022919; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022920; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022920; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022921; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022921; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
 
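Review bot: The expected signature count for this test (presumably asserted in the test's test.yaml, which is not in this view) must track this fixture refresh, because the hunk removes active, uncommented rules — sid:2022885 (Gh0st/PCRat), sid:2022907 and sid:2022908 (Sinkhole certs) and sid:2022919 (Malware C2 cert) — while sid:2012892 (JKDDOS) only moves and changes its reference; confirm the count and any per-sid checks were updated in the same commit. Note also that the new Hawkeye line (sid:2021871) carries upstream metadata pairing `mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control` with `mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel`, a technique that belongs to the Exfiltration tactic; since the file is vendored verbatim from ET Open this should not be patched locally, but it is a reminder that this test only exercises rule parsing and does not validate metadata consistency. The Qakbot cert rule (sid:2022868) is retained commented-out with its long backreferencing PCRE, so the parse test still covers that path.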
@@ -21750,13 +19914,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022943; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022943; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022944; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022944; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022946; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022946; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|62 5f 39 34 38 38 33 66 36 34 35 33 31 65 65 37 62 31 37 61 37 33 62 38 32 33 66 5f 63 31 61 36 63 63 36 36 37 65|"; fast_pattern; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025049; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
@@ -21764,19 +19928,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/[^\x22\x27]*\.html\.swf[\x22\x27]/R"; content:".html.swf"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025051; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|WIN-K462BJ3GEEC"; fast_pattern; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; content:"  <param"; distance:0; pcre:"/^[^>]*name\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025047; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022922; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_06;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|g5wcesdfjzne7255.onion.to"; distance:1; within:26; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022953; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2016_07_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022922; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:social-engineering; sid:2022954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:command-and-control; sid:2022888; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_10, deployment Perimeter, former_category MALWARE, malware_family Bancos, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:domain-c2; sid:2022888; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_10, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zb-hb)"; flow:to_server,established; content:"zb-hb-"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+zb-hb-/Hi"; reference:url,doc.emergingthreats.net/2003223; classtype:trojan-activity; sid:2003223; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -21794,23 +19954,23 @@ alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL cert
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022957; rev:2; metadata:created_at 2016_07_11, updated_at 2016_07_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Account Exceeded Quota Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>WebMail"; nocase; fast_pattern; content:"E-Mail account has exceeded"; nocase; distance:0; content:"upgrade your mailbox"; nocase; distance:0; content:"avoid disrupt and lost"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"18,0,0,366|0d 0a|"; distance:0; within:12; http_header;  content:!"22,0,0,209|0d 0a|"; distance:0; within:12; http_header; content:"Macintosh"; http_user_agent; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:60; metadata:created_at 2012_05_09, updated_at 2020_08_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019541; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/^[^\r\n]*\/[0-9a-f]{78}\sHTTP/Ri"; reference:url,doc.emergingthreats.net/2007755; classtype:trojan-activity; sid:2007755; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:exploit-kit; sid:2022964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_06, former_category CURRENT_EVENTS, updated_at 2016_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_07, former_category CURRENT_EVENTS, updated_at 2016_07_13;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, malware_family Ransomware, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2016_07_13;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:to_server; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -21836,7 +19996,7 @@ alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL cert
 
 alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2017_10_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:social-engineering; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:social-engineering; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:pup-activity; sid:2020422; rev:15; metadata:created_at 2015_02_13, former_category ADWARE_PUP, updated_at 2016_07_20;)
 
@@ -21846,181 +20006,163 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lethic - Client Al
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:exploit-kit; sid:2022984; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018600; rev:12; metadata:attack_target Client_Endpoint, created_at 2014_06_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018693; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018694; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018600; rev:12; metadata:attack_target Client_and_Server, created_at 2014_06_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018695; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018693; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018697; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018694; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018698; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018695; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018699; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018697; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018700; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018698; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018701; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018699; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018702; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018700; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018704; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018701; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018705; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018702; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018706; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018704; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018707; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018705; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018708; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018706; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018711; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018707; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018712; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018708; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018714; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018711; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018715; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018712; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018716; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018714; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018717; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018715; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018718; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018716; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0:03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018720; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018717; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018721; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018718; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018722; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0:03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018720; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018723; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018721; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018724; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018722; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018725; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018723; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018726; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018724; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018727; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018725; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018728; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018726; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018729; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018727; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018730; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018728; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018731; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018729; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018732; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018730; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018733; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018731; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018734; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018732; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:command-and-control; sid:2018736; rev:8; metadata:attack_target Client_Endpoint, created_at 2014_06_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018733; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018746; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018734; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018747; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:domain-c2; sid:2018736; rev:8; metadata:attack_target Client_and_Server, created_at 2014_06_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d";  reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018760; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018746; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9";  reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018807; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018747; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018851; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018851; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018858; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018858; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018859; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018859; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018860; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018860; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018861; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018861; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018862; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018862; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018863; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018863; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018864; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018864; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018865; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018865; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018866; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_31, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018866; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018910; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018910; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018911; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018911; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f";  reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018913; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018915; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018915; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018916; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018916; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8";  reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:command-and-control; sid:2018917; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018937; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_27;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2";  reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018937; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:social-engineering; sid:2022991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:social-engineering; sid:2022993; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:social-engineering; sid:2022994; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:social-engineering; sid:2022955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 Data URI Javascript Refresh - Possible Phishing Landing"; flow:from_server,established; file_data; content:"<script"; nocase; content:"window.location="; distance:0; content:"data|3a|text/html|3b|base64,"; distance:1; within:22; fast_pattern; classtype:social-engineering; sid:2031955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase;flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:exploit-kit; sid:2022998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Zeus_SSL, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Zeus_SSL, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023006; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023006; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023007; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023007; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023008; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023008; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023009; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023009; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023010; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023010; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023011; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023011; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023012; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023012; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023013; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023013; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2016_08_03;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:"/pd.php?id="; http_uri; fast_pattern:only; pcre:"/\/pd\.php\?id=[a-f0-9]+$/U"; classtype:exploit-kit; sid:2017812; rev:5; metadata:created_at 2013_12_06, updated_at 2016_08_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS Path to BusyBox"; flow:to_server,established; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox;threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:1; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_08;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M1"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 44 72 6f 70 50 61 74 68|"; nocase; content:"|57 53 48 73 68 65 6c 6c 2e 52 75 6e 20 44 72 6f 70 50 61 74 68 2c 20 30|"; nocase; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, malware_family Ramnit, performance_impact Moderate, signature_severity Major, updated_at 2016_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023030; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023031; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023030; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 74 65 78 74 2F 70 6C 61 69 6E 2C 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 2A 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43 61 63 68 65|"; fast_pattern:10,20; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:command-and-control; sid:2023032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023031; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_25, updated_at 2016_08_09;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_25, updated_at 2016_08_09;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:social-engineering; sid:2023037; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:social-engineering; sid:2023038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
@@ -22032,9 +20174,7 @@ alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:social-engineering; sid:2023051; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:social-engineering; sid:2023052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_12;)
 
@@ -22054,21 +20194,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Gr
 
 alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023072; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:exploit-kit; sid:2023074; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023072; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:social-engineering; sid:2023079; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:exploit-kit; sid:2022898; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_08_19;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; content:"by HTTrack Website Copier/"; distance:0; classtype:trojan-activity; sid:2018302; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_24;)
-
 alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_25, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_25;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:social-engineering; sid:2022574; rev:3; metadata:created_at 2016_02_29, former_category CURRENT_EVENTS, updated_at 2016_08_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:social-engineering; sid:2022574; rev:3; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_08_26;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:4; metadata:created_at 2011_07_06, updated_at 2016_08_29;)
 
@@ -22082,11 +20216,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2017_04_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2017_04_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
+alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:exploit-kit; sid:2023151; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
@@ -22094,51 +20228,49 @@ alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomwar
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:exploit-kit; sid:2023153; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon Response"; flow:established,from_server; file_data; content:"script|7c|"; within:7; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023156; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, performance_impact Low, updated_at 2016_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon Response"; flow:established,from_server; file_data; content:"script|7c|"; within:7; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023156; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2016_09_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_06;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|jmfbrtbsmth.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023161; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023164; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023164; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023181; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
@@ -22178,7 +20310,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landin
 
 alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2016_09_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2015681; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2016_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2015681; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"<DIR>"; content:"File(s)"; distance:0; content:"Dir(s)"; content:"bytes free"; fast_pattern; distance:0; classtype:trojan-activity; sid:2023205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_09_14;)
 
@@ -22222,15 +20354,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC START
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:social-engineering; sid:2023238; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2016_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; classtype:social-engineering; sid:2023239; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_06, updated_at 2016_09_15;)
 
-#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_05, updated_at 2016_09_15;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023245; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023245; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2016_09_16;)
 
@@ -22258,87 +20388,61 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows sc query M
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M8"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019391; rev:3; metadata:created_at 2014_10_13, updated_at 2016_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019391; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019392; rev:3; metadata:created_at 2014_10_13, updated_at 2016_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019392; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019393; rev:3; metadata:created_at 2014_10_13, updated_at 2016_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019393; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:command-and-control; sid:2019394; rev:3; metadata:created_at 2014_10_13, updated_at 2016_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:command-and-control; sid:2019394; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019390; rev:3; metadata:created_at 2014_10_13, updated_at 2016_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019390; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:exploit-kit; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_21, deployment Perimeter, former_category EXPLOIT, malware_family Magnitude, signature_severity Major, tag Magnitude_EK, updated_at 2016_09_21;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:social-engineering; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;)
 
-alert tcp any any -> $SMTP_SERVERS [25,587] (msg:"ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; fast_pattern:12,20; content:"|0d 0a 2d 2d|"; distance:0; pcre:"/^(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{0,69}?[^\x2d])--(?:\x0d\x0a(?!--|\x2e|RSET)[^\r\n]*?)*\x0d\x0a--(?P=boundary)\x0d\x0a/R"; reference:url,www.certego.local/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:2023255; rev:1; metadata:attack_target SMTP_Server, created_at 2016_09_22, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_22;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023272; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023274; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023284; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK;  classtype:exploit-kit; sid:2023285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".php?e="; http_uri; fast_pattern; content:"&h="; content:!"Referer|3a|"; http_header; pcre:"/\.php\?e=\d{4}\-\d{4}&h=[a-f0-9]{32}$/Ui"; flowbits:set,ET.BleedingLife.Payload; classtype:exploit-kit; sid:2023290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2016_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BleedingLife EK Payload Delivered"; flow:from_server,established; flowbits:isset,ET.BleedingLife.Payload; content:"200"; http_stat_code; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; fast_pattern:22,20; content:"Content-Type|3a 20|application/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2023291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2016_09_23;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_26;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:exploit-kit; sid:2023303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, created_at 2016_09_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data;  content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:exploit-kit; sid:2023307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023309; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023309; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:exploit-kit; sid:2023252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;)
 
@@ -22346,71 +20450,65 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKE
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:pup-activity; sid:2009785; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2016_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_01, former_category CURRENT_EVENTS, updated_at 2013_05_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_02, former_category CURRENT_EVENTS, updated_at 2013_05_02;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:exploit-kit; sid:2023313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:exploit-kit; sid:2023314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
 
 alert udp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:3; metadata:affected_product BIND, attack_target Server, created_at 2016_10_04, deployment Datacenter, signature_severity Major, updated_at 2016_10_05;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:exploit-kit; sid:2023312; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2021752; rev:13; metadata:created_at 2015_09_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2021752; rev:13; metadata:created_at 2015_09_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:to_server,established; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:command-and-control; sid:2020611; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_10_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Potentially Malicious Traffic 1"; flow:established,to_server; content:"285d7b6cf94d8fdc657edaa73c2f07f3"; classtype:trojan-activity; sid:2023339; rev:3; metadata:created_at 2016_10_18, updated_at 2016_10_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_19;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:exploit-kit; sid:2023352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:exploit-kit; sid:2023353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:command-and-control; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, updated_at 2016_10_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:command-and-control; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2016_10_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023406; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023406; rev:2; metadata:attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT28/Sednit SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|09|ngefqevwe"; distance:1; within:10; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25;)
-
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:command-and-control; sid:2023453; rev:5; metadata:created_at 2016_03_28, former_category MALWARE, updated_at 2016_10_27;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:command-and-control; sid:2023453; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,ET.SuspExeTLDs; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023464; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2017_10_12;)
 
@@ -22420,15 +20518,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible EXE Down
 
 alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7; metadata:created_at 2010_07_30, updated_at 2016_11_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs";  content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:exploit-kit; sid:2023473; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:exploit-kit; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cookie|3a| cid="; http_raw_header; pcre:"/^\d{4}\r$/RDm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:13; metadata:created_at 2012_02_06, former_category TROJAN, updated_at 2017_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cookie|3a| cid="; http_raw_header; pcre:"/^\d{4}\r$/RDm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:13; metadata:created_at 2012_02_07, former_category TROJAN, updated_at 2017_09_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022535; rev:11; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_02;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:exploit-kit; sid:2023480; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, signature_severity Major, updated_at 2016_11_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022535; rev:11; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:11; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
 
@@ -22484,29 +20578,29 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Lin
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (Zte521)"; flow:to_server,established; content:"Zte521|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023452; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023487; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_07_17;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:trojan-activity; sid:2023489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023487; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|sni237731.cloudflaressl.com"; distance:1; within:28; classtype:trojan-activity; sid:2023490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:domain-c2; sid:2023489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:trojan-activity; sid:2023491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:domain-c2; sid:2023491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:trojan-activity; sid:2023492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:domain-c2; sid:2023492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:trojan-activity; sid:2023493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:domain-c2; sid:2023493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:trojan-activity; sid:2023494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:domain-c2; sid:2023494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 HTTP URL Refresh - Common Phish Landing Obfuscation 2016-01-01"; flow:to_client,established; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"data|3a|text/html|3b|base64,"; distance:0; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22|\x27/Rsi"; content:!"cGFnZV9ub3RfZm91bmQuaHRtb"; classtype:social-engineering; sid:2031695; rev:3; metadata:created_at 2016_01_01, former_category PHISHING, updated_at 2016_11_11;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;)
 
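Review bot: The pcre in the newly added sid:2031695 rule ("ET PHISHING Base64 HTTP URL Refresh") alternates at the top level: `/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22|\x27/Rsi` parses as "anchored base64 followed by `"`" OR "a bare `'` anywhere after the `base64,` match", so the base64-validation branch is effectively optional and any later single quote satisfies the check (the `i` flag is also a no-op on that character class). The neighbouring iOS WebView rules (sid:2023500/2023501) use the class form `[\x22\x27]` for the closing quote, which is presumably what was intended here, e.g. `...[A-Za-z0-9+/]{4})[\x22\x27]/Rs`. Since this file is a verbatim copy of the upstream ET ruleset used as a parse-test fixture, it should not be hand-patched; the point belongs in an upstream report, and locally only that the rule parses matters. Separately, the previously active sid:2023490 (`sni237731.cloudflaressl.com`) is dropped from the new side rather than commented out, which is worth confirming against any expected rule counts the test asserts.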
@@ -22518,57 +20612,47 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SS
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:exploit-kit; sid:2023513; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_15;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:command-and-control; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, malware_family KeyBoy, performance_impact Low, signature_severity Major, updated_at 2016_11_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:command-and-control; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, malware_family KeyBoy, signature_severity Major, tag c2, updated_at 2016_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023530; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023530; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:command-and-control; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:domain-c2; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:command-and-control; sid:2023538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:domain-c2; sid:2023538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:trojan-activity; sid:2023539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:domain-c2; sid:2023539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![445,139] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND)"; flow:to_server,established; content:"|18 18|"; offset:2; depth:2; content:!"|18 18|"; within:2; content:"|18 18|"; distance:2; within:2; content:!"|18 18|"; within:2; content:"|18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18|"; pcre:"/[^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18/R"; reference:md5,16549f8a09fd5724f2107a8f18dca10b; classtype:command-and-control; sid:2019204; rev:10; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:domain-c2; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:command-and-control; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:from_server,established; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; pcre:"/^(?P<letter>[a-z])(?P=letter)[01]/R"; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; content:!"|55 04 03|"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023496; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:domain-c2; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2016_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M5"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"usr="; nocase; depth:4; http_client_body; fast_pattern; content:"&pss="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2031561; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:command-and-control; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Flokibot, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9c/s"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2021753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_11_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:domain-c2; sid:2023555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|server.domain.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022229; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Flokibot, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:trojan-activity; sid:2023555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:trojan-activity; sid:2023556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, malware_family Gozi, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:social-engineering; sid:2023557; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:domain-c2; sid:2023556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_server; dsize:69; content:"|41 00 00 00 83|"; depth:5; flowbits:set,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
 
@@ -22582,25 +20666,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exp
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf dd b8 9f 9d 14 26 ad|"; content:"|55 04 03|"; distance:0; content:"|15|localhost.localdomain"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023572; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:domain-c2; sid:2023590; rev:2; metadata:attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:trojan-activity; sid:2023590; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:domain-c2; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:trojan-activity; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:command-and-control; sid:2018415; rev:3; metadata:created_at 2014_04_23, updated_at 2016_12_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:command-and-control; sid:2018415; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:" MyApp|0d 0a|"; http_header; fast_pattern:only; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001492; classtype:trojan-activity; sid:2001492; rev:39; metadata:created_at 2010_07_30, updated_at 2016_12_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:trojan-activity; sid:2023593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M2"; flow:from_server,established; file_data; content:"|76 7e 72 20 7e 20 3d 20 22 22 3b 20 7e 20 2b 3d|"; within:17; content:"0."; distance:0; pcre:"/^\d+[\x22\x27]/R"; content:"|27 3b 20 7e 20 2b 3d 20 27|"; distance:0; within:500; content:"|27 3b 20 7e 20 2b 3d 20 27|"; distance:0; within:500; classtype:trojan-activity; sid:2023598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:domain-c2; sid:2023593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_12_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_12_12;)
 
 alert tcp any 443 -> any any (msg:"ET MALWARE Potential Sefnit C2 traffic (from server)"; flow: from_server,established; content:"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"; classtype:command-and-control; sid:2018449; rev:8; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2016_12_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E 4F 43 54 49 4F 4E 20 49 52 50|"; reference:url,www.noction.com/faq; classtype:bad-unknown; sid:2023640; rev:1; metadata:created_at 2016_12_14, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2016_12_14;)
 
@@ -22610,11 +20690,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe";
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:social-engineering; sid:2023657; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, malware_family Tech_Support_Scam, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_12_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|";  pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_20;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_19;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022627; rev:12; metadata:attack_target Client_Endpoint, created_at 2016_03_17, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022627; rev:12; metadata:attack_target Client_and_Server, created_at 2016_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET MALWARE Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1; metadata:attack_target IoT, created_at 2016_12_20, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_12_20;)
 
@@ -22622,15 +20700,15 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET MALWARE Possible Linux.
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M5"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/javascript"; file_data; pcre:"/^(?P<v1>\S{1,100})\s+(?P<v2>\S{1,100})\s+=\s+\x22\x22\x3b\s+(?P=v2)\s+\+\=\s+\x27(?P=v1).+?(?P=v1)\x27\x3b.+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27]/R"; classtype:trojan-activity; sid:2023673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2016_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:3; metadata:created_at 2013_01_11, updated_at 2016_12_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_12_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023689; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2016_12_29;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023689; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET MALWARE W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:command-and-control; sid:2023695; rev:2; metadata:created_at 2017_01_05, former_category MALWARE, malware_family Cerber, tag Ransomware_Cerber, updated_at 2017_01_05;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET MALWARE W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:command-and-control; sid:2023695; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category MALWARE, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_01_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/upload"; nocase; http_uri; content:"file="; nocase; http_uri; content:"&id="; http_uri; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008352; classtype:trojan-activity; sid:2008352; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
 
@@ -22644,7 +20722,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsof
 
 alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:exploit-kit; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
@@ -22654,33 +20732,31 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO ATF file in HTTP Flo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe FDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%FDF-"; within:5; flowbits:set,ET.fdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023715; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:created_at 2016_03_23, updated_at 2017_01_10;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:exploit-kit; sid:2017998; rev:8; metadata:created_at 2014_01_22, updated_at 2017_01_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_01_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:command-and-control; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_Venom, performance_impact Low, signature_severity Major, updated_at 2017_01_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:exploit-kit; sid:2017998; rev:8; metadata:created_at 2014_01_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:command-and-control; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_Venom, signature_severity Major, tag c2, updated_at 2017_01_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023721; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023721; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 ac 80 a0 72 11 64 df 3f|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|15|localhost.localdomain"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023727; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;)
 
@@ -22694,19 +20770,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony DLL Download
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"&param="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:4; metadata:created_at 2011_08_04, updated_at 2017_01_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_18, deployment Perimeter, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2017_01_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_01_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2023750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:social-engineering; sid:2023752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2017_01_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nemucod Downloader Oct 04"; flow:established,to_server; content:"/log.php?f="; http_uri; depth:11; fast_pattern; pcre:"/^\/log\.php\?f=[0-1](?:\.[a-z]+)?$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2023318; rev:3; metadata:created_at 2016_10_05, updated_at 2017_01_23;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_01_24;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:social-engineering; sid:2023757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2017_01_24;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag dupe, updated_at 2017_01_24;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, tag dupe, updated_at 2017_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)
 
@@ -22716,29 +20790,27 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Hex Obfusca
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:credential-theft; sid:2023772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, updated_at 2017_01_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, updated_at 2017_01_31;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3; metadata:created_at 2014_10_03, updated_at 2017_02_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:14; metadata:created_at 2014_09_25, updated_at 2017_02_03;)
 
-alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:16; metadata:created_at 2010_07_30, updated_at 2017_02_03;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:pup-activity; sid:2008500; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2017_04_04;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2023873; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_06, cve url_nctc_gov_site_groups_hamas_html, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2018_01_25;)
 
 alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2017_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|66 74 79 70 6D|"; offset:4; depth:5; content:"mp4"; within:12; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023713; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
 
@@ -22752,49 +20824,47 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023881; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, tag Phishing, tag dupe, updated_at 2017_02_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023529; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag dupe, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023529; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag dupe, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_14, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2017_02_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:trojan-activity; sid:2023902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:trojan-activity; sid:2023903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:trojan-activity; sid:2023904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:domain-c2; sid:2023904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:trojan-activity; sid:2023905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:domain-c2; sid:2023905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:trojan-activity; sid:2023906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:domain-c2; sid:2023906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:trojan-activity; sid:2023907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:domain-c2; sid:2023907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:trojan-activity; sid:2023908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:domain-c2; sid:2023908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, updated_at 2017_02_16;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE APT29 Cache_DLL SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|private.directinvesting.com"; distance:1; within:28; reference:md5,8f154d23ac2071d7f179959aaba37ad5; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023931; rev:2; metadata:created_at 2017_02_16, former_category MALWARE, malware_family APT29_Cache_DLL, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:created_at 2015_10_14, cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, updated_at 2017_02_16;)
 
@@ -22804,23 +20874,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely MAGICHOUND
 
 #alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MAGICHOUND.FETCH SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|service.chrome-up.date"; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023952; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_related, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_LEASH, performance_impact Low, signature_severity Major, updated_at 2017_02_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_LEASH, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:credential-theft; sid:2024000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:credential-theft; sid:2024000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, tag Phishing, updated_at 2017_02_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:social-engineering; sid:2025688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2017_01_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024012; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024012; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024013; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024013; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024014; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024014; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:social-engineering; sid:2024017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2017_02_24;)
 
@@ -22842,29 +20912,23 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Local
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:2; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:exploit-kit; sid:2024037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_03_08;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; classtype:exploit-kit; sid:2021270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:command-and-control; sid:2015581; rev:2; metadata:created_at 2012_08_07, former_category TROJAN, updated_at 2018_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:command-and-control; sid:2015019; rev:2; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2012_07_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:command-and-control; sid:2015019; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:command-and-control; sid:2014864; rev:2; metadata:created_at 2012_06_06, former_category MALWARE, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014843; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:2; metadata:created_at 2010_10_29, former_category POLICY, updated_at 2010_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; classtype:trojan-activity; sid:2011769; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Spora Ransomware SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|08|spora.bz"; distance:1; within:9; classtype:trojan-activity; sid:2024043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category TROJAN, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2017_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011769; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_02, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_03_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024050; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
@@ -22872,59 +20936,55 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Pay
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:exploit-kit; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:credential-theft; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_03_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:credential-theft; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_03_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
-
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2024071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_06_13;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:exploit-kit; sid:2024093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_03_17;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow:to_server,established; content:"Content-Length|3a|"; nocase; content:"{"; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Length\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024094; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
@@ -22932,31 +20992,21 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2"; flow:to_server,established; content:"Content-Disposition|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024097; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:12; metadata:created_at 2010_09_23, former_category FTP, updated_at 2020_08_20;)
 
-alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; content:"|06 03 55 04 03|"; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.com[01]/Rs"; content:"|06 03 55 04 03|"; distance:0; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.net/Rs"; classtype:misc-activity; sid:2018789; rev:3; metadata:created_at 2014_07_28, former_category POLICY, updated_at 2017_03_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2017_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024102; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024102; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024103; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024103; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:to_server,established; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xd5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:command-and-control; sid:2020785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2017_03_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:exploit-kit; sid:2017824; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:to_server,established; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:command-and-control; sid:2020779; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016868; rev:14; metadata:created_at 2013_05_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:to_server,established; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x40\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:command-and-control; sid:2020783; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2017_03_28;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:command-and-control; sid:2020791; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2017_03_28;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:command-and-control; sid:2020781; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:exploit-kit; sid:2017824; rev:3; metadata:created_at 2013_12_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method;  pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016868; rev:14; metadata:created_at 2013_05_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017267; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017594; rev:8; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
@@ -22970,11 +21020,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:exploit-kit; sid:2017661; rev:3; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:exploit-kit; sid:2017963; rev:3; metadata:created_at 2014_01_13, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:exploit-kit; sid:2017963; rev:3; metadata:created_at 2014_01_14, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017971; rev:10; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018226; rev:3; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018226; rev:3; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
 
 #alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021588; rev:3; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
@@ -22986,7 +21036,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:exploit-kit; sid:2024169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
 
@@ -22994,17 +21044,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, created_at 2017_04_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:command-and-control; sid:2017627; rev:3; metadata:created_at 2013_10_22, former_category MALWARE, updated_at 2017_04_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:command-and-control; sid:2017627; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_10_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_04_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, created_at 2017_04_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_04_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_21, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_04_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_04_10;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:social-engineering; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;)
 
@@ -23012,37 +21064,37 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.And
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:exploit-kit; sid:2015946; rev:3; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware_Cerber, updated_at 2017_04_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3; metadata:created_at 2010_12_30, former_category CURRENT_EVENTS, updated_at 2017_04_14;)
 
@@ -23050,8 +21102,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirection t
 
 alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern:6,20; classtype:trojan-activity; sid:2024207; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
-
 alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
 alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
@@ -23060,15 +21110,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Maliciou
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
 alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_12_16;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:exploit-kit; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;)
 
@@ -23076,7 +21126,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ARM Binary Downlo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ARM Binary Downloaded via WGET Containing GoAhead and Multiple Camera RCE 0Day Vulnerabilities"; flow:from_server,established; flowbits:isset,ET.armwget; content:"/set_ftp.cgi"; fast_pattern; content:"&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr="; distance:0; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:trojan-activity; sid:2024242; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_04_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, malware_family pyteHole, performance_impact Low, signature_severity Major, updated_at 2017_04_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, malware_family pyteHole, signature_severity Major, tag Ransomware, updated_at 2017_04_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CozyDuke APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020962; rev:3; metadata:created_at 2015_04_22, former_category TROJAN, updated_at 2018_12_03;)
 
@@ -23088,7 +21138,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves magic p
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_11, former_category EXPLOIT, updated_at 2017_05_02;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
@@ -23102,7 +21152,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024267; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:command-and-control; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, deployment Internal, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_05_04;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:command-and-control; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1"; flow:to_server,established; content:"Host|3a|"; http_header; nocase; content:"("; http_header; nocase; content:")"; http_header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024277; rev:2; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_05_08;)
 
@@ -23114,7 +21164,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; file_data; content:".HHClick|2829|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_08_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_08_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:exploit-kit; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;)
 
@@ -23154,7 +21204,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embed
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2017_05_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family May, performance_impact Low, signature_severity Major, updated_at 2017_05_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family May, signature_severity Major, tag Ransomware, updated_at 2017_05_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
@@ -23162,17 +21212,17 @@ alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed
 
 alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; classtype:trojan-activity; sid:2022006; rev:3; metadata:created_at 2015_10_27, former_category TROJAN, updated_at 2017_05_18;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; classtype:trojan-activity; sid:2022006; rev:3; metadata:created_at 2015_10_28, former_category TROJAN, updated_at 2017_05_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Low, signature_severity Critical, tag Ransomware, updated_at 2017_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Low, signature_severity Critical, tag Ransomware, updated_at 2017_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Low, signature_severity Critical, tag Ransomware, updated_at 2017_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_05_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_05_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
 
@@ -23180,9 +21230,7 @@ alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loadi
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_30, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Common Multiple JS Unescape May 25 2017"; flow:from_server,established; file_data; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; content:"document.write(unescape(|27|"; nocase; fast_pattern:5,20; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; distance:0; content:"document.write(unescape(|27|"; nocase; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; classtype:social-engineering; sid:2025227; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:created_at 2016_05_25, updated_at 2016_05_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:exploit-kit; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
@@ -23190,7 +21238,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Lan
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:exploit-kit; sid:2024347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET MALWARE Executioner Ransomware Reporting Infection via SMTP "; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Executioner, performance_impact Moderate, signature_severity Major, updated_at 2017_06_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET MALWARE Executioner Ransomware Reporting Infection via SMTP"; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Executioner, signature_severity Major, tag Ransomware, updated_at 2017_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:exploit-kit; sid:2024353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
@@ -23220,13 +21268,7 @@ alert icmp any any -> any any (msg:"ET MALWARE OpenSSH in ICMP Payload - Possibl
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; classtype:social-engineering; sid:2018303; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:social-engineering; sid:2020332; rev:3; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Chase Online - Identification</title>"; fast_pattern:24,20; nocase; classtype:social-engineering; sid:2025674; rev:3; metadata:created_at 2015_12_01, former_category CURRENT_EVENTS, updated_at 2018_07_12;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Docs</title>"; nocase; classtype:social-engineering; sid:2024386; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Meet Google Drive - One Place For All Your Files</title>"; nocase; classtype:social-engineering; sid:2024388; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:social-engineering; sid:2020332; rev:3; metadata:created_at 2015_01_30, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Alibaba&nbsp|3b|Manufacturer&nbsp|3b|Directory"; nocase; classtype:social-engineering; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
@@ -23252,23 +21294,21 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Com
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category TROJAN, malware_family DragonOK, malware_family KHRAT, performance_impact Low, signature_severity Major, tag Targeted, tag APT, tag CNAPT, updated_at 2017_06_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:to_server,established; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9f/s"; content:!"POST /"; content:!"microsoft.com"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:command-and-control; sid:2020786; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2017_04_24;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX OceanLotus Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; classtype:targeted-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, tag Targeted, tag APT, tag OceanLotus, tag OSX, updated_at 2017_06_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus / ELF/RotaJakario CnC Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; reference:url,blog.netlab.360.com/stealth_rotajakiro_backdoor_en; classtype:targeted-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, tag Targeted, tag APT, tag OceanLotus, tag OSX, updated_at 2017_06_26;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:2; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:command-and-control; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, signature_severity Major, updated_at 2017_06_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:domain-c2; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_06_28, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_06_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, created_at 2017_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_06_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_16, former_category NETBIOS, updated_at 2017_06_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_17, former_category NETBIOS, updated_at 2017_06_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024441; rev:2; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2019_10_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024441; rev:2; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2019_10_25;)
 
 alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_07_06;)
 
@@ -23278,47 +21318,41 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capitec
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023758; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:credential-theft; sid:2023888; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic 107 Phish Jul 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"-login.id-107sbtd9cbhsbt"; nocase; http_header; fast_pattern:4,20; pcre:"/^Host\x3a\x20[^\r\n]+\-login\.id\-107sbtd9cbhsbt[^\r]+$/Hmi"; classtype:credential-theft; sid:2024463; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023771; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:command-and-control; sid:2024465; rev:1; metadata:created_at 2017_07_13, former_category MALWARE, updated_at 2017_07_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:command-and-control; sid:2024465; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:social-engineering; sid:2024392; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:coin-mining; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:coin-mining; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:command-and-control; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family Parite, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:coin-mining; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Internet, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:coin-mining; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; reference:md5,42374945061c7941d6690793ae393d3a; classtype:pup-activity; sid:2024428; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2017_09_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_10_31, former_category TFTP, updated_at 2017_07_19;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_11_01, former_category TFTP, updated_at 2017_07_19;)
 
 alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, created_at 2017_07_19, deployment Perimeter, former_category TFTP, performance_impact Moderate, signature_severity Major, updated_at 2017_07_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET MALWARE Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:command-and-control; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2017_07_19;)
-
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (RansomBlocker CnC)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 1b|4fp2u2ue4pyqdpfu"; fast_pattern; reference:md5,2067d1cb1a25c6d6d371339fad9123ba; classtype:command-and-control; sid:2024485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed"; flow:to_server,established; content:"|00 00 19|v5t5z6a55ksmt3oh.onion"; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category TROJAN, malware_family Shifr, performance_impact Moderate, signature_severity Major, updated_at 2017_07_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET MALWARE Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:command-and-control; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2017_07_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:social-engineering; sid:2024494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2017_07_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ISMAgent Receiving Commands from CnC Server "; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2017_07_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ISMAgent Receiving Commands from CnC Server"; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2017_07_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022484; rev:3; metadata:created_at 2016_02_02, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022484; rev:3; metadata:created_at 2016_02_03, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:exploit-kit; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
 
@@ -23336,7 +21370,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
@@ -23352,13 +21386,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Pow
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:credential-theft; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:credential-theft; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; classtype:credential-theft; sid:2024542; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2019_09_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; classtype:credential-theft; sid:2024542; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Paypal Phish M1 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&rememberProfile="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&showTryPasswordlessButton="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish M1 Aug 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"<title>"; nocase; content:"Chase Online"; nocase; within:50; fast_pattern; classtype:credential-theft; sid:2031575; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
 
@@ -23368,21 +21404,17 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplif
 
 alert tcp [$EXTERNAL_NET,!199.30.201.192/29] any -> $HOME_NET any (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Server Hello"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021977; rev:6; metadata:created_at 2015_10_20, former_category TROJAN, updated_at 2017_08_17;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID"; distance:0; content:"document.other.email"; distance:0; fast_pattern; content:"emailPASS"; distance:0; content:"document.other.phone"; distance:0; classtype:social-engineering; sid:2031712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:social-engineering; sid:2025683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:social-engineering; sid:2021400; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:credential-theft; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern:8,20; classtype:social-engineering; sid:2021537; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern:10,20; classtype:social-engineering; sid:2021538; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern:8,20; classtype:social-engineering; sid:2021539; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:credential-theft; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern:8,20; classtype:social-engineering; sid:2021540; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive Phishing Landing 2015-07-13"; flow:to_client,established; file_data; content:"UPLOADED FILE"; fast_pattern; content:"Sign in with your existing Email Service"; distance:0; content:"Email Service Provider"; distance:0; content:"select.com"; distance:0; content:"VIEW DOCUMENT"; distance:0; classtype:social-engineering; sid:2031707; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern:6,20; classtype:social-engineering; sid:2017135; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID.value"; distance:0; content:"emailPASS.value"; distance:0; classtype:social-engineering; sid:2031713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; content:"|78 9c|"; distance:8; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:3; metadata:created_at 2012_02_14, former_category TROJAN, updated_at 2017_08_21;)
 
@@ -23398,11 +21430,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Fl
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX.Pwnet.A Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|vlone.cc"; distance:1; within:9; reference:url,sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/; classtype:trojan-activity; sid:2024613; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; classtype:social-engineering; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; classtype:social-engineering; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Bitstamp Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://www.bitstamp.net"; http_header; classtype:credential-theft; sid:2024639; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
@@ -23426,33 +21458,29 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exp
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024679; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2017_09_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Low, signature_severity Major, updated_at 2017_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Adwind, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family URLZone, performance_impact Low, signature_severity Major, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, updated_at 2017_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, updated_at 2017_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, updated_at 2017_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, updated_at 2017_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024687; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category TROJAN, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, updated_at 2017_09_08;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of Multimedia Content flowbit set"; flow:established,to_client; file_data; content:"|00 00 00|"; depth:3; content:"|66 74 79 70|"; distance:1; within:4; fast_pattern; flowbits:noalert; flowbits:set,ET.Multimedia.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024689; rev:1; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2017_09_08;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of .MOV Content flowbit set"; flow:established,to_client; file_data; content:"|6D 6F 6F 76|"; distance:4; within:4; flowbits:noalert; flowbits:set,ET.MP4.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024690; rev:1; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2017_09_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024687; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 0"; flow:established, to_server; dsize:200<>513; stream_size:client,>,0; stream_size:server,=,1; stream_size:client, <,513; flowbits:noalert; flowbits:set,FB180732_0; classtype:trojan-activity; sid:2024694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
 #alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 1"; flow:established, to_client; dsize:30<>33; stream_size:server,<,35; stream_size:client,<,513; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits:set,FB180732_1; classtype:trojan-activity; sid:2024695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>93; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; classtype:trojan-activity; sid:2024696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Significant, signature_severity Major, updated_at 2017_10_02;)
-
 #alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 3"; flow:established, to_client; dsize:30<>33; stream_size:server, <,70; stream_size:client, <,610; stream_size:client, >,0; stream_size:server, >,35; flowbits:noalert; flowbits:isset, FB180732_2; flowbits:unset, FB180732_2; flowbits:set, FB180732_3; classtype:trojan-activity; sid:2024697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; dsize:81<>93; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2020_11_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2020_11_06;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>101; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; classtype:trojan-activity; sid:2024696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Significant, signature_severity Major, updated_at 2017_10_02;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024238; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2017_09_12;)
 
@@ -23460,24 +21488,20 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText C
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; classtype:exploit-kit; sid:2024691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_09_12;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|308204|"; depth:300; content:"|308203|"; distance:1; within:3; content:"|a0030201020204|"; distance:1; within:7; content:"|300d06092a864886f70d01010b05003081|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms"; flow:established,from_server; file_data; content:"|502163174a9069e5f28277c59da7fb141ee82f8e|"; classtype:command-and-control; sid:2035042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_09_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|1703|"; depth:2; content:"|0040|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|30 82 04|"; depth:300; content:"|30 82 03|"; distance:1; within:3; content:"|a0 03 02 01 02 02 04|"; distance:1; within:7; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0040|"; distance:1;within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1;flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889;stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1;flowbits:set, FB332502_2; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
-
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0050|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
 #alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2436; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024756; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:trojan-activity; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Maldoc, performance_impact Moderate, signature_severity Major, tag MalDoc, updated_at 2017_09_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:domain-c2; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_and_Server, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MalDoc, updated_at 2017_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method; flowbits:set,ET.2017-9798; threshold: type both, count 30, seconds 30, track by_src; classtype:misc-activity; sid:2024759; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, cve 2017_9798, deployment Perimeter, former_category WEB_SERVER, performance_impact Moderate, signature_severity Major, updated_at 2019_12_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adilbo HTML Encoder Observed"; flow:established,to_client; file_data; content:"|2f 2a 20 61 64 69 6c 62 6f 20 48 54 4d 4c 20 45 6e 63 6f 64 65 72|"; fast_pattern:2,20; content:"*|20 20|Checksum|3a 20|927c770095e0daa48298343b8fd14624"; within:200; classtype:policy-violation; sid:2024763; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2017_09_23;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; classtype:policy-violation; sid:2024764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2017_09_23;)
 
 #alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_09_28;)
@@ -23488,23 +21512,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; classtype:bad-unknown; sid:2024769; rev:2; metadata:created_at 2017_09_26, former_category WEB_CLIENT, updated_at 2017_09_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Raiffeisen Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Raiffeisen ELBA-internet</title>"; fast_pattern:19,20; nocase; classtype:social-engineering; sid:2024770; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M1"; flow:established,from_server; file_data; content:"<title>Google Docs</title>"; nocase; distance:0; fast_pattern:6,20; content:"input[type=email]"; nocase; distance:0; content:"input[type=number]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; content:"input[type=tel]"; nocase; distance:0; content:"signin-card #Email"; nocase; distance:0; content:"signin-card #Pass"; nocase; distance:0; classtype:social-engineering; sid:2025681; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M2"; flow:established,from_server; file_data; content:"Welcome to Google Docs"; nocase; fast_pattern:2,20; content:"Upload and Share Your Documents Securely"; nocase; distance:0; content:"Enter your email"; nocase; distance:0; content:"Enter a valid email"; nocase; distance:0; content:"Enter your password"; nocase; distance:0; content:"Sign in to view attachment"; nocase; distance:0; content:"Access your documents securely"; nocase; distance:0; classtype:social-engineering; sid:2025680; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-06"; flow:established,from_server; file_data; content:"Sign in with your email address"; nocase; content:"view or download attachment"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; content:"Sign in with Gmail"; nocase; distance:0; fast_pattern; content:"Sign in with Yahoo"; nocase; distance:0; content:"Sign in with Hotmail"; nocase; distance:0; content:"Sign in with AOL"; nocase; distance:0; content:"Sign in with Others"; nocase; distance:0; classtype:social-engineering; sid:2031736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_09_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; classtype:command-and-control; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; classtype:command-and-control; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; classtype:command-and-control; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; classtype:command-and-control; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; classtype:command-and-control; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; classtype:command-and-control; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; classtype:command-and-control; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; classtype:command-and-control; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; classtype:command-and-control; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; classtype:command-and-control; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; classtype:command-and-control; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_29;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; classtype:command-and-control; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_29;)
 
 #alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
 
@@ -23516,21 +21536,21 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE [PTsecurity] Black
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4"; flow:established,to_server; urilen:>6; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox"; http_user_agent; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2018_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; classtype:social-engineering; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; classtype:social-engineering; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; classtype:social-engineering; sid:2024796; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking</title>"; nocase; classtype:social-engineering; sid:2024798; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; classtype:social-engineering; sid:2019785; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2017_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; classtype:credential-theft; sid:2021892; rev:3; metadata:created_at 2015_10_01, former_category PHISHING, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; classtype:credential-theft; sid:2021892; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:social-engineering; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:social-engineering; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:credential-theft; sid:2022094; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
@@ -23540,23 +21560,39 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Download of Embedded
 
 alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:social-engineering; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2015-07-27"; flow:to_client,established; file_data; content:"<title>Secure Login</title>"; content:"action=|22|emsg1.php|22|"; fast_pattern; distance:0; content:"valid Apple ID"; distance:0; content:"valid Password"; distance:0; classtype:social-engineering; sid:2031708; rev:3; metadata:created_at 2015_07_27, former_category PHISHING, updated_at 2017_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M1 July 24 2015"; flow:to_client,established; file_data; content:"<title>Document Shared</title>"; nocase; fast_pattern:10,20; content:"name=|22|GENERATOR|22 22|>"; nocase; distance:0; content:"name=|22|HOSTING|22 22|>"; nocase; distance:0; content:"Login with your email"; nocase; distance:0; content:"Choose your email provider"; nocase; distance:0; classtype:social-engineering; sid:2021535; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:social-engineering; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; classtype:social-engineering; sid:2021536; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login"; fast_pattern; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:social-engineering; sid:2021760; rev:3; metadata:created_at 2015_09_11, updated_at 2015_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login"; fast_pattern; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:social-engineering; sid:2021760; rev:3; metadata:created_at 2015_09_11, former_category PHISHING, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:social-engineering; sid:2021893; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
 alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE DNSMessenger Payload (TXT base64 gzip header)"; content:"|00 10 00 01|"; content:"H4sIA"; distance:7; within:5; fast_pattern; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:2024840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category TROJAN, malware_family DNSMessenger, performance_impact Moderate, signature_severity Major, updated_at 2017_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:credential-theft; sid:2022604; rev:4; metadata:created_at 2016_03_08, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:credential-theft; sid:2022604; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg2.php|22|"; distance:0; fast_pattern; content:"Adress Line"; distance:0; content:"Zip/Postal Code"; distance:0; classtype:credential-theft; sid:2031709; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"Question Of Security"; fast_pattern; content:"nom de votre meilleur"; distance:0; content:"What is your mother maiden name ?"; distance:0; content:"rue avez-vous grandi"; distance:0; content:"What is your favourite show ?"; distance:0; classtype:credential-theft; sid:2031710; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg1.php|22|"; fast_pattern; distance:0; content:"Cardholder's Name"; distance:0; content:"Credit Card Number"; distance:0; content:"CVC (CVV)"; distance:0; content:"3D Secure/VBV"; distance:0; classtype:credential-theft; sid:2031711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Apple Store - Verification</title>"; nocase; content:"/* VODKA */"; nocase; fast_pattern; classtype:social-engineering; sid:2031716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"fancyConfirm|28|"; nocase; fast_pattern; content:"checkcvv|28 29|"; nocase; distance:0; content:"checkexm|28 29|"; nocase; distance:0; content:"isvalidcc|28 29|"; nocase; distance:0; content:"imready|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2031717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"Verification</title>"; nocase; fast_pattern; content:"chosed your country."; nocase; content:"chosed an expiration month."; nocase; distance:0; content:"chosed an expiration year."; nocase; distance:0; classtype:social-engineering; sid:2031718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !5800 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}\x70\x94[\x20-\x7e]/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:command-and-control; sid:2018057; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloud Drive Phish Landing 2015-08-12"; flow:to_client,established; file_data; content:"<title>Cloud Drive</title>"; nocase; fast_pattern; content:"reqired to view this document"; nocase; distance:0; classtype:social-engineering; sid:2031721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma AES Crypto Observed in Javascript - Possible Phishing Landing 2015-12-29"; flow:established,from_server; file_data; content:"Encriptado por Anonisma"; nocase; fast_pattern; content:"Aes.cipher"; nocase; distance:0; content:"Aes.keyExpansion"; nocase; distance:0; classtype:social-engineering; sid:2031741; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>DHL GLOBAL"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"E-mail Address or Member ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; classtype:social-engineering; sid:2031998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_17;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024868; rev:2; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2018_05_23;)
 
@@ -23574,17 +21610,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024896; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, updated_at 2017_10_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024896; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2017_10_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_10_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:command-and-control; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Moderate, signature_severity Major, updated_at 2017_10_23;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:command-and-control; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Moderate, signature_severity Major, updated_at 2017_10_23;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase;  pcre:!"/#http:\/\/cert.*coinhive/i"; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:domain-c2; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M1 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:credential-theft; sid:2024997; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:domain-c2; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
 
@@ -23592,8 +21624,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Gener
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2017_10_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !5800,!445 (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:5; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2017_10_25;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET MALWARE Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:command-and-control; sid:2007917; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Download"; flow:established,from_server; flowbits:isset,ET.iotreaper; file_data; content:"|7f 45 4c 46|"; depth:4; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024929; rev:1; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_10_25;)
@@ -23650,6 +21680,10 @@ alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv
 
 alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple ID Phishing Landing 2015-08-19"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"My Apple ID"; fast_pattern; nocase; within:35; classtype:social-engineering; sid:2031723; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2017_10_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:"nethelper"; http_user_agent; fast_pattern:only; pcre:"/\bnethelper\b/Vi"; reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:16; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_20;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007810; classtype:trojan-activity; sid:2007810; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
@@ -23658,11 +21692,11 @@ alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_28, former_category USER_AGENTS, updated_at 2017_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_04, former_category TROJAN, updated_at 2017_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2017_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; classtype:exploit-kit; sid:2021307; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
@@ -23670,8 +21704,30 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE Fil
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,ET.BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,ET.is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:8; metadata:created_at 2010_07_30, updated_at 2017_02_01;)
+
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)
 
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:3; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:2; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
 #alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox shell"; flow:to_server,established; content:"shell"; fast_pattern:only; pcre:"/\bshell\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023017; rev:3; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox enable"; flow:to_server,established; content:"enable"; fast_pattern:only; pcre:"/\benable\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023018; rev:4; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
@@ -23692,9 +21748,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotu
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)"; flow:to_client,established; file_data; content:"linkStorage.x00SOCKET"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024968; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:command-and-control; sid:2018101; rev:5; metadata:created_at 2014_02_10, former_category MALWARE, updated_at 2017_11_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:command-and-control; sid:2018101; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_11_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
@@ -23702,7 +21758,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/exec
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
@@ -23712,7 +21768,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TR
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; classtype:social-engineering; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:command-and-control; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2017_11_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:domain-c2; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:social-engineering; sid:2024985; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family SocEng, performance_impact Low, signature_severity Major, updated_at 2017_11_14;)
 
@@ -23742,7 +21798,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote D
 
 alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; classtype:command-and-control; sid:2025019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2017_11_22;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:established,to_server; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=28110a8ea5c13859ddf026db5a8a864a; classtype:trojan-activity; sid:2012932; rev:8; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018394; rev:8; metadata:created_at 2014_04_16, former_category TROJAN, updated_at 2022_03_17;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern; threshold:type both,track by_src,count 2,seconds 10; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:3; metadata:created_at 2014_12_23, former_category TROJAN, updated_at 2022_03_17;)
+
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:established,to_server; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:md5,28110a8ea5c13859ddf026db5a8a864a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; classtype:trojan-activity; sid:2012932; rev:8; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
 
@@ -23750,13 +21810,11 @@ alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-01
 
 alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:exploit-kit; sid:2022465; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2022464; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2022464; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
 
 alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, created_at 2017_11_27, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
 
@@ -23764,11 +21822,13 @@ alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Me
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls_cert_subject; content:"CN=robervalmotores.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_28;)
 
+#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:2; metadata:created_at 2016_06_14, former_category NETBIOS, updated_at 2020_08_20;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2015_04_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
 
 alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2017_11_29;)
 
@@ -23778,9 +21838,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Atraps Rece
 
 alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:created_at 2016_02_18, updated_at 2019_08_28;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:social-engineering; sid:2024199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; dns_query; content:".mynumber.org"; nocase; isdataat:!1,relative; pcre:"/^[acdefghijlmopqrtwz]{16}\.mynumber\.org$/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
@@ -23788,8 +21846,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBoatRAT CnC Check-in"; flow:established,to_server; dsize:>48; content:"|bc b0 b0 88 88 88 88 88 88 88 88 88|"; depth:12; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/; classtype:command-and-control; sid:2025093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Perimeter, former_category MALWARE, malware_family UBoatRAT, performance_impact Low, signature_severity Major, updated_at 2017_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; http_referer; content:!"http|3a 2f 2f|www.crdbbank.com"; nocase; isdataat:!1,relative; classtype:social-engineering; sid:2018045; rev:5; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2018_12_20;)
-
 alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh_proto; content:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:6; metadata:created_at 2014_12_05, former_category SCAN, updated_at 2017_12_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; classtype:social-engineering; sid:2025140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_06;)
@@ -23802,9 +21858,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP Check Response
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; classtype:trojan-activity; sid:2025151; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_12_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls_cert_subject; content:"C=AU, ST=f2tee4, L=gf23et65adt, O=tg4r6tds, OU=rst, CN=rvgvtfdf"; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2025155; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, updated_at 2017_12_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls_cert_subject; content:"C=AU, ST=f2tee4, L=gf23et65adt, O=tg4r6tds, OU=rst, CN=rvgvtfdf"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2025155; rev:1; metadata:attack_target Client_and_Server, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_12_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; tls_cert_serial; content:"89:BF:80:13:42:0A:2E:F5"; classtype:trojan-activity; sid:2025156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Trickbot, updated_at 2017_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; tls_cert_serial; content:"89:BF:80:13:42:0A:2E:F5"; classtype:trojan-activity; sid:2025156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2017_12_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking</TITLE>"; fast_pattern; nocase; classtype:social-engineering; sid:2025158; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
@@ -23822,7 +21878,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible YapiKre
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"L&#959|3b|g|20|in|20|t&#959|3b 20|y&#959|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|acc&#959|3b|unt"; nocase; depth:300; classtype:social-engineering; sid:2025181; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Web_Server, created_at 2018_01_04, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, performance_impact Low, signature_severity Major, updated_at 2018_01_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2018_01_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET MALWARE Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, former_category TROJAN, updated_at 2018_01_08;)
 
@@ -23838,7 +21894,7 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn acc
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021659; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:social-engineering; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:social-engineering; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET MALWARE OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2018_01_16;)
 
@@ -23884,7 +21940,67 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Em
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; fast_pattern; content:"function LoginErrors(){this.userNameFormatError"; nocase; within:300; classtype:social-engineering; sid:2025250; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; classtype:command-and-control; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, malware_family SchwartzSonnne, performance_impact Moderate, signature_severity Major, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2012401; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:exploit-kit; sid:2013313; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013652; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013664; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013666; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013788; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013960; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:exploit-kit; sid:2013990; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:exploit-kit; sid:2014048; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code="; pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2014725; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; within:12; classtype:trojan-activity; sid:2014921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:exploit-kit; sid:2014981; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:exploit-kit; sid:2015056; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2015670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:exploit-kit; sid:2016024; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:exploit-kit; sid:2016166; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:exploit-kit; sid:2016524; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:exploit-kit; sid:2016525; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:exploit-kit; sid:2016526; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:exploit-kit; sid:2017340; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:exploit-kit; sid:2017341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; classtype:command-and-control; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, malware_family SchwartzSonnne, signature_severity Major, tag c2, updated_at 2018_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"document.write(unescape"; nocase; fast_pattern; content:"3C%74%69%74%6C%65%3E%26%23%33%37%30%33%38%3B%26%23%32%30%32%31%34%3B%26%23%33%35%37%37%34%3B%26%23%33%32%36%32%32%3B"; nocase; distance:0; classtype:social-engineering; sid:2025255; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_26;)
 
@@ -23894,17 +22010,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Smail Ph
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-01-29 M1"; flow:established,to_client; file_data; content:"Apple ID|20 3a|"; within:100; content:"<title>Apple (Switzerland)"; nocase; fast_pattern; classtype:social-engineering; sid:2025260; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-01-29 M2"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025261; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M2 2018-01-29"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025261; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"Dear <b id=|22|accessreturn|22|>User</b>,"; nocase; fast_pattern; content:"<b>Ticket|20 3a 20|#"; nocase; distance:0; content:"<b>For This Reason|20 3a 20|"; nocase; distance:0; classtype:social-engineering; sid:2025262; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; content:"Office 365"; nocase; within:25; content:"function LoginErrors(){this.userNameFormatError"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025263; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; classtype:social-engineering; sid:2025264; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; classtype:social-engineering; sid:2025264; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartsheet Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>Log In|20 7c 20|Smartsheet</title>"; nocase; fast_pattern; content:"<form action="; nocase; distance:0; content:".php|22 20|class=|22|clsJspOuterForm|22 20|id="; nocase; distance:0; content:"method=|22|POST|22 20|name=|22|ctlForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025265; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots.gouv.fr Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Particulier|20 7c 20|impots.gouv.fr"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2025268; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
@@ -23928,7 +22044,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website P
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Login Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Sign In</title>"; nocase; content:"Outlook.com is a free, personal email service from Microsoft."; nocase; within:150; fast_pattern; classtype:social-engineering; sid:2025284; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2025285; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2025285; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online|c2 ae 20|Verification</title>"; nocase; classtype:social-engineering; sid:2025286; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
@@ -23974,9 +22090,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Orange Phishing
 
 alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_02_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_02_05;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; dsize:>768; content:"|16|"; content:"|0b|"; within:8; content:"This program cannot be run in DOS mode"; nocase; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_02_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_02_06;)
 
@@ -24006,9 +22120,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Admin|20 7c 20|Upgrade|3b|</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025336; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025336; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; classtype:social-engineering; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; classtype:social-engineering; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online</title>"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"placeholder=|22|Personal ID"; nocase; distance:0; content:"Connection Secured"; nocase; distance:0; classtype:social-engineering; sid:2025337; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
@@ -24018,19 +22132,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishin
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Revalidation Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Re-Validate Your Mailbox</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025340; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; classtype:social-engineering; sid:2025341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_10;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; classtype:social-engineering; sid:2025342; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; classtype:social-engineering; sid:2025341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; classtype:social-engineering; sid:2025343; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; classtype:social-engineering; sid:2025342; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 00 09|ipinfo.io"; distance:0; classtype:external-ip-check; sid:2025331; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2018_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; classtype:social-engineering; sid:2025343; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook Application"; nocase; within:30; fast_pattern; content:"placeholder=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025347; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook"; nocase; within:20; content:"k7LsZ6Kzebp.css"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn"; nocase; fast_pattern; content:"<title>Sign Up</title>"; nocase; distance:0; classtype:social-engineering; sid:2025349; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
@@ -24066,9 +22178,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Square Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"/* VODKA */"; fast_pattern; content:"<form action=|22|--WEBBOT-SELF--"; nocase; distance:0; classtype:social-engineering; sid:2025367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_02_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; classtype:social-engineering; sid:2025369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; classtype:social-engineering; sid:2025369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartermail Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; content:"SmarterMail"; nocase; within:20; fast_pattern; content:"<form method=|22|post|22 20|action=|22|login.php|22 20|id=|22|aspnetForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
@@ -24084,10 +22196,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Advantag
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Please confirm your identity"; fast_pattern; within:50; nocase; content:"For security reasons"; nocase; distance:0; content:".php|22 20|novalidate=|22 22|"; nocase; distance:0; classtype:social-engineering; sid:2025380; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SteamStealer Domain in SNI"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 00 29|steamdesktopauthenticator.com"; distance:0; fast_pattern; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2018_02_26;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SteamStealer Malicious SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|29|steamdesktopauthenticator.com"; distance:1; within:32; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025388; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2018_02_26;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Craigslist Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"craigslist - account log in"; nocase; fast_pattern; within:30; content:".php|22 20|method=|22|POST|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Mobile Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title>Login</title>"; nocase; content:"mbasic.facebook.com"; nocase; distance:0; content:"name=|22|username|22 20|autocomplete=|22|off|22 20|placeholder=|22|E-mail|22|"; nocase; distance:0; fast_pattern; content:"name=|22|password|22 20|autocomplete=|22|off|22 20|placeholder=|22|Password|22|"; nocase; distance:0; classtype:social-engineering; sid:2025396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
@@ -24104,14 +22212,12 @@ alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"ET DOS Possible Memcached D
 
 #alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; fast_pattern; content:"="; distance:0; isdataat:2,relative; reference:url,twitter.com/SettiDavide89/status/970965983228723201; reference:url,www.certego.net/it/news/quant-url/; classtype:trojan-activity; sid:2025409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:command-and-control; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2011_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_03_05;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"document.forms[|22|chalbhai|22|][|22|password|22|]"; nocase; classtype:social-engineering; sid:2025418; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StrongPity APT SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|17|mevlut.oncu.example.com"; distance:1; within:24; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:targeted-activity; sid:2025416; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2018_03_12;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Email Account Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Secure Login|20 7c 20|E-Mail Administrator"; within:40; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; classtype:social-engineering; sid:2025421; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Retrieve Pending Emails Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Retrieve Pending Emails"; within:30; nocase; fast_pattern; content:"receive any pending mails on server after login"; nocase; distance:0; classtype:social-engineering; sid:2025422; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
@@ -24126,8 +22232,6 @@ alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Ba
 
 #alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET [!37018,!37039,1024:65535] (msg:"ET DELETED Possible NanoCore C2 64B"; flow:established,to_server; dsize:68; content:"|40 00 00 00|"; depth:5; pcre:"/^(?!.{0,63}\x00.{0,62}\x00.{0,61}\x00.{0,60}\x00)(?!.{0,62}\x00{2})(?!.{0,59}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,63}(?P=b1).{0,62}(?P=b1).{0,61}(?P=b1).{0,60}(?P=b1))(?!.(?P<b2>.).{0,62}(?P=b2).{0,61}(?P=b2).{0,60}(?P=b2).{0,59}(?P=b2))(?!..(?P<b3>.).{0,61}(?P=b3).{0,60}(?P=b3).{0,59}(?P=b3).{0,58}(?P=b3))(?!...(?P<b4>.).{0,60}(?P=b4).{0,59}(?P=b4).{0,58}(?P=b4).{0,57}(?P=b4))(?!....(?P<b5>.).{0,59}(?P=b5).{0,58}(?P=b5).{0,57}(?P=b5).{0,56}(?P=b5))(?!.....(?P<b6>.).{0,58}(?P=b6).{0,57}(?P=b6).{0,56}(?P=b6).{0,55}(?P=b6))(?!......(?P<b7>.).{0,57}(?P=b7).{0,56}(?P=b7).{0,55}(?P=b7).{0,54}(?P=b7))(?!.......(?P<b8>.).{0,56}(?P=b8).{0,55}(?P=b8).{0,54}(?P=b8).{0,53}(?P=b8))(?!........(?P<b9>.).{0,55}(?P=b9).{0,54}(?P=b9).{0,53}(?P=b9).{0,52}(?P=b9))(?!.........(?P<b10>.).{0,54}(?P=b10).{0,53}(?P=b10).{0,52}(?P=b10).{0,51}(?P=b10))/Rs"; classtype:command-and-control; sid:2025018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2019_10_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Group SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dns-verifon.com"; distance:1; within:16; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:targeted-activity; sid:2025438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_26, deployment Perimeter, former_category TROJAN, malware_family Cobalt_Group, performance_impact Low, signature_severity Major, updated_at 2018_03_26;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
@@ -24152,6 +22256,8 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots Phishing
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-03-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; fast_pattern; within:300; content:")https://"; within:15; pcre:"/^[^/]+(?:xfinity|comcast)\.(?:com|net)/Ri"; classtype:social-engineering; sid:2025450; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; http_content_len; content:"0"; fast_pattern; pcre:"/^./P"; classtype:bad-unknown; sid:2011819; rev:2; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_04_04;)
 
 alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_04_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_06;)
@@ -24164,7 +22270,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title id=|22|pagetitle|22|>facebook - log in or sign up</title>"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|onsubmit=|22|return window.event"; nocase; distance:0; classtype:social-engineering; sid:2025479; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; classtype:social-engineering; sid:2025480; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; classtype:social-engineering; sid:2025480; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>apple - my apple id</title>"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:"id=|22|donnee"; nocase; distance:0; fast_pattern; content:"name=|22|donnee"; nocase; distance:0; classtype:social-engineering; sid:2025481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
@@ -24208,9 +22314,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Accoun
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Popupwnd Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:",'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_11, updated_at 2015_02_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_20;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_12, former_category POLICY, updated_at 2018_04_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_13, former_category POLICY, updated_at 2018_04_26;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; reference:cve,CVE-2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2011_01_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category WEB_CLIENT, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2018_04_30;)
 
@@ -24218,13 +22326,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"bank of america"; nocase; within:30; content:"<form name=|22|b0a|22|"; nocase; distance:0; fast_pattern; content:".php?session=$pmd$pmd|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025549; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025550; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025550; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title> DocuSlgn </title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025551; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Variant Checkin"; flow:established,to_server; dsize:9; content:"|00 07|nemesis"; classtype:command-and-control; sid:2025552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"|23 20 4e 65 77 20 53 63 61 6d 61 20 4e 65 74 66 6c 69 78 20 32 30 31 38 20 42 79 20 58 2d 59 61 63 20 23|"; within:500; classtype:social-engineering; sid:2025555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
 
@@ -24232,6 +22340,8 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;)
 
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022960; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-05-07"; flow:established,to_client; file_data; content:"<title>mytax portal</title>"; nocase; fast_pattern; content:"id=|22|form1|22 20|name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"name=|22|pww|22 20|type=|22|password|22 20|id=|22|pww|22|"; nocase; distance:0; classtype:social-engineering; sid:2025561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_07;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; classtype:coin-mining; sid:2024721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category COINMINER, performance_impact Moderate, signature_severity Minor, updated_at 2018_05_08;)
@@ -24250,11 +22360,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; fast_pattern; content:"bodyElems"; distance:0; pcre:"/^\s*=\s*document\s*\.\s*getElementsByTagName\s*\(\s*[\x22\x27]body[\x22\x27]/Ri"; content:"bodyElems[0]"; distance:0; pcre:"/^\s*\.\s*style\s*\.\s*visibility\s*=\s*[\x22\x27]visible[\x22\x27]/Ri"; content:"style=|22|visibility:hidden|22 20|onload=|22|unhideBody()|22|"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position|3a|absolute|3b 20|overflow|3a|hidden|3b 20|left|3a|"; nocase; distance:0; classtype:social-engineering; sid:2025653; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021013; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021013; rev:7; metadata:attack_target Client_and_Server, created_at 2015_04_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family TrickBot, malware_family Dridex, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:command-and-control; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2018_05_18;)
 
@@ -24264,17 +22374,27 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Chrome
 
 alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_06_15;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:exploit-kit; sid:2019763; rev:9; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016853; rev:16; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:exploit-kit; sid:2017729; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:exploit-kit; sid:2019488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_07_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Wells Fargo Phishing Landing 2018-06-20"; flow:established,to_client; file_data; content:"<title>Wells Fargo |3a| Banking|2c|"; nocase; fast_pattern; content:"content=|22|WELLS FARGO BANK|22|"; nocase; distance:0; classtype:social-engineering; sid:2025624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; classtype:social-engineering; sid:2025625; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; classtype:social-engineering; sid:2025625; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2018_07_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_2018_6892, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DAMICMS Cross-Site Request Forgery (Add Admin)"; flow:from_server,established; file_data; content:"history.pushState"; content:"/admin.php?s=/Admin/doadd|22| method=|22|POST|22|>"; nocase; fast_pattern; content:"name=|22|username|22|"; content:"name=|22|password|22|"; reference:url,exploit-db.com/exploits/44960/; classtype:web-application-attack; sid:2025771; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
@@ -24286,13 +22406,9 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:3; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,!&,0x80,7,relative; content:"puiframeworkproresenu|2E|dll"; nocase; distance:0; fast_pattern; reference:url, exploit-db.com/exploits/44985/; reference:cve,2018-12589; classtype:attempted-user; sid:2025790; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2018_07_18;)
-
-alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,&,0x80,7,relative; content:"p|00|u|00|i|00|f|00|r|00|a|00|m|00|e|00|w|00|o|00|r|00|k|00|p|00|r|00|o|00|r|00|e|00|s|00|e|00|n|00|u|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; reference:url, exploit-db.com/exploits/44985/; reference:cve,2018-12589; classtype:attempted-user; sid:2025791; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2018_07_18;)
-
 alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution "; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution"; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
@@ -24352,8 +22468,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Adobe
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_11, deployment Perimeter, deployment Datacenter, former_category NETBIOS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; offset:4; depth:30; fast_pattern:10,20; content:"|00 09 00 00 00 10|"; distance:1; within:6; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type both, track by_src, count 3, seconds 30; classtype:trojan-activity; sid:2024217; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_05_13;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [eSentire] Win32/Spy.Banker.ADIO CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2018_07_11;)
 
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 1"; flow:established,to_server; content:"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl"; classtype:attempted-user; sid:2025827; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
@@ -24372,8 +22486,6 @@ alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request Fo
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp\\"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025702; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
-
 alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
@@ -24394,8 +22506,6 @@ alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request F
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 Remote AT Scheduled Job Create Request"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00|a|00|t|00|s|00|v|00|c|00|"; distance:0; classtype:bad-unknown; sid:2025713; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
-
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1"; flow:established,to_server; content:"base64"; fast_pattern; content:"f0VM"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025716; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2"; flow:established,to_server; content:"base64"; fast_pattern; content:"9FT"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025717; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
@@ -24452,7 +22562,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Ex
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2018_07_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GoldenRat, signature_severity Critical, tag Android, updated_at 2018_07_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GoldenRat, tag Android, updated_at 2018_07_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK IE Exploit"; flow:established,to_client; file_data; content:"IE=EmulateIE9"; nocase; content:"</head"; nocase; within:200; content:"<body"; nocase; within:200; content:"<script"; nocase; within:200; content:"!!window.ActiveXObject"; nocase; within:200; content:"try"; within:200; content:"parent.parent.setLocalStoreUserData"; nocase; distance:0; pcre:"/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"; classtype:exploit-kit; sid:2025911; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_26;)
 
@@ -24478,17 +22588,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account</title>"; nocase; content:"onerror=|22|$loader.on(this,true)|22 20|onload=|22|$loader.on(this)"; nocase; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; classtype:social-engineering; sid:2025981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (getavs)"; flow:established,to_client; content:"|00 00 00 00|getavs="; offset:1; depth:11; fast_pattern; reference:md5,0f0f6f48c3ee5f8e7cd3697c40002bc7; classtype:trojan-activity; sid:2036286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Perimeter, former_category MALWARE, malware_family MSIL_Crimson, performance_impact Moderate, signature_severity Major, updated_at 2018_08_08;)
+
 alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Internal, former_category EXPLOIT, signature_severity Minor, updated_at 2018_08_08;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDX in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDX-"; within:5; flowbits:set,ET.pdx.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025985; rev:2; metadata:affected_product Adobe_Reader, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:7; metadata:created_at 2013_02_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:7; metadata:created_at 2013_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MP3 with ID3 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"ID3"; within:3; content:"|FB FF|"; distance:0; flowbits:set,ET.mp3.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025986; rev:1; metadata:affected_product Adobe_Flash, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:exploit-kit; sid:2016522; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|celasllc.com"; distance:1; within:13; fast_pattern; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; classtype:trojan-activity; sid:2025990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category TROJAN, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2018_08_15;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:command-and-control; sid:2021117; rev:2; metadata:created_at 2015_05_19, former_category TROJAN, updated_at 2018_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:command-and-control; sid:2021117; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag c2, updated_at 2018_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp any any -> $HOME_NET 12397 (msg:"ET SCADA SEIG SYSTEM 9 - Remote Code Execution"; flow:established,to_server; content:"|14 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00 00 00 04 00 00 00 60 00|"; depth:24; content:!"|0d|"; distance:0; content:!"|0a|"; distance:0; content:!"|ff|"; content:!"|00|"; distance:0; reference:url,exploit-db.com/exploits/45218/; reference:cve,2013-0657; classtype:attempted-user; sid:2026003; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
 
@@ -24496,11 +22606,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remco
 
 alert tcp any any -> $HOME_NET 27700 (msg:"ET SCADA SEIG Modbus 3.4 - Remote Code Execution"; flow:established,to_server; content:"|42 42 ff ff 07 03 44 00 64|"; fast_pattern; content:"|90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/45220/; reference:cve,2013-0662; classtype:attempted-user; sid:2026005; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|55 04 03|"; distance:0; content:"|0d|bestylish.com"; distance:1; within:14; fast_pattern; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022209; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_08_23;)
-
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0d|info@apmi.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2022211; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_08_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-27"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026038; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-27"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026038; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:command-and-control; sid:2019202; rev:4; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
@@ -24538,25 +22644,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Sign In|20 7c 20|LinkedIn"; nocase; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22 20|action=|22|login.php|22|>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; classtype:social-engineering; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; classtype:social-engineering; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; classtype:social-engineering; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; classtype:social-engineering; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; classtype:social-engineering; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; classtype:social-engineering; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; classtype:social-engineering; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; classtype:social-engineering; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>AT&"; nocase; content:"href=|22|https://home.secureapp.att.net/"; nocase; distance:0; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22|"; nocase; distance:0; content:"|22|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|"; nocase; distance:0; classtype:social-engineering; sid:2026060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
@@ -24582,6 +22688,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDi
 
 alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_11;)
 
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon"; flow:established,to_server; dsize:12; content:"RFB 003.008|0a|"; depth:12; reference:md5,27741793672d8b69803f3d2434743731; reference:md5,076fd584d2fcdf5110f41bcbbd9f2c62; reference:md5,49749ee8fb2a2dab83494ab0e6cf5e7b; classtype:command-and-control; sid:2035893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family PowerSniff, malware_family Punchbuggy_VNC_Module, malware_family Gamaredon, signature_severity Major, tag c2, updated_at 2018_09_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)"; flow:established,to_server; dsize:<500; content:"|00 6c 6c|"; depth:6; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/i"; flowbits:set,ETPRO.njratgeneric; reference:md5,d68eaf3b43ba1d26b9067489bbf7ee44; classtype:command-and-control; sid:2033132; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Bladabindi, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_03_22;)
+
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
@@ -24590,23 +22700,21 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaW
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic MRxJoker Phishing Landing 2018-09-27"; flow:established,to_client; file_data; content:"content=|22|@importmrxjokercss|22|"; nocase; fast_pattern; content:"name=|22|mrxjokercard|22|"; nocase; distance:0; classtype:social-engineering; sid:2026419; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_09_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server;stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:command-and-control; sid:2026433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2018_10_02;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file_data; content:"MZ"; depth:2; fast_pattern; content:"This program"; within:100; classtype:trojan-activity; sid:2026434; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, former_category MALWARE, malware_family Locky, malware_family Emotet, signature_severity Major, updated_at 2018_10_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file_data; content:"MZ"; depth:2; fast_pattern; content:"This program"; within:100; classtype:trojan-activity; sid:2026434; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, malware_family Locky, malware_family Emotet, signature_severity Major, updated_at 2018_10_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026437; rev:1; metadata:created_at 2018_10_04, updated_at 2018_10_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026437; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v1"; flow:established,to_server; content:"/?itwm"; fast_pattern; pcre:"/itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026438; rev:1; metadata:created_at 2018_10_04, updated_at 2018_10_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v1"; flow:established,to_server; content:"/?itwm"; fast_pattern; pcre:"/itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026438; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v2"; flow:established,to_server; content:"&itwm"; fast_pattern; pcre:"/&itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026439; rev:1; metadata:created_at 2018_10_04, updated_at 2018_10_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v2"; flow:established,to_server; content:"&itwm"; fast_pattern; pcre:"/&itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026439; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp any any <> any any (msg:"ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:1; metadata:created_at 2018_10_04, former_category MALWARE, updated_at 2018_10_17;)
+#alert tcp any any <> any any (msg:"ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC APT28 - Web/request -FILE- contenttype"; flow:established,from_client; content:"-FILE-"; pcre:"/[A-Z0-9\-]{16}-FILE-[^\r\n]+.tmp/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026441; rev:2; metadata:created_at 2018_10_04, former_category MALWARE, updated_at 2018_10_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Containing Executable Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2018_10_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026465; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026465; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet"; flow:established,to_server; content:"HELO|20 2a 2e 2a 0d 0a|"; depth:11; classtype:bad-unknown; sid:2026463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_10_12;)
 
@@ -24622,8 +22730,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remco
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:command-and-control; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FlawedGrace CnC Activity"; flow:to_server,established; dsize:14; content:"|47 43 52 47|"; offset:4; depth:4; threshold: type both, track by_src, count 10, seconds 60; reference:md5,2b1215fb65d33fc6206ab227a3b7e75a; classtype:command-and-control; sid:2026773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2018_10_16;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family CaratRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_18;)
 
 alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed - Possible Authentication Bypass (CVE-2018-10933)"; flow:from_server,established; content:"SSH-2.0-libssh-0."; depth:17; pcre:"/^[67]\.[01235]/R"; reference:url,www.libssh.org/security/advisories/CVE-2018-10933.txt; reference:url,github.com/blacknbunny/libSSH-Authentication-Bypass; reference:cve,2018-10933; classtype:bad-unknown; sid:2026526; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category POLICY, signature_severity Major, tag CVE_2018_10933, updated_at 2018_10_19;)
@@ -24634,15 +22740,15 @@ alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Ap
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:command-and-control; sid:2026579; rev:1; metadata:attack_target Client_and_Server, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellbot_SM, performance_impact Low, signature_severity Major, tag Perl, updated_at 2018_11_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2018_11_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2018_11_07;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mylobot Receiving XOR Encrypted Config (0xde)"; flow:established,from_server; content:"|00 00 00 00|"; depth:4; content:"|b6 aa aa ae e4 f1 f1|"; distance:1; within:7; fast_pattern; content:"|de 00 00 00 00|"; distance:0; reference:url,www.netformation.com/our-pov/mylobot-continues-global-infections/; classtype:trojan-activity; sid:2026613; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Mylobot, performance_impact Low, signature_severity Major, updated_at 2018_11_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=driversearch.site"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2026644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_11_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=driversearch.site"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_11_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Xbalti Phishing Landing 2018-11-26"; flow:established,from_server; file_data; content:"|2d 2d 7e 28 20 20 5c 20 7e 29 29 29 29 29 29 29 29 29 29 29 29 0d 0a 20 20 20 20 2f 20 20 20 20 20 5c 20 20 60 5c 2d 28 28 28 28 28 28 28 28 28|"; within:400; content:"|5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f|"; fast_pattern; classtype:social-engineering; sid:2026650; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_11_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=kortusops.icu"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2026659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Loader, updated_at 2018_11_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=kortusops.icu"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_27, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Loader, updated_at 2018_11_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013491; rev:3; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
 
@@ -24654,9 +22760,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unk
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M1"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; depth:29; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2018_11_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"md5"; depth:3; fast_pattern; content:"nnnn"; distance:12; within:4; content:"z"; distance:28; within:1; content:"z"; distance:32; within:1; content:"z"; distance:35; within:1; reference:url,thehackernews.com/2018/12/china-ransomware-wechat.html; classtype:trojan-activity; sid:2026687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Stealer, signature_severity Major, updated_at 2018_12_05;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET !5938,!1433 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107"; flow:to_server,established; dsize:>11; content:"|14 24|"; offset:8; fast_pattern; content:!"|00 00|"; distance:-10; within:2; content:"|00 00|"; distance:-4; within:2; byte_jump:4,-8,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2023611; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Low, signature_severity Major, tag Gh0st, updated_at 2018_12_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"md5"; depth:3; fast_pattern; content:"nnnn"; distance:12; within:4; content:"z"; distance:28; within:1; content:"z"; distance:32; within:1; content:"z"; distance:35; within:1; reference:url,thehackernews.com/2018/12/china-ransomware-wechat.html; classtype:trojan-activity; sid:2026687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2018_12_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 27 (msg:"ET MALWARE ELF/Samba CnC Checkin"; flow:established,to_server; dsize:8; content:"|11 10 10 01 22 32 21 52|"; fast_pattern; reference:url,www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution; classtype:command-and-control; sid:2026717; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category MALWARE, malware_family Samba, performance_impact Low, signature_severity Major, updated_at 2018_12_10;)
 
@@ -24666,6 +22770,8 @@ alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 64bit Propa
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AveMaria Initial CnC Checkin"; flow:established,to_server; dsize:12; content:"|29 bb 66 e4 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,app.any.run/tasks/67362469-76df-4b19-bfda-5d95a2b4d179; classtype:command-and-control; sid:2026736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_15, deployment Perimeter, former_category MALWARE, malware_family AveMaria, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2018_12_15;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; http_referer; content:!"http|3a 2f 2f|www.crdbbank.com"; nocase; isdataat:!1,relative; classtype:social-engineering; sid:2018045; rev:6; metadata:created_at 2014_01_30, former_category PHISHING, updated_at 2021_06_23;)
+
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Orion Stealer Exfil via FTP"; flow:established,to_server; content:"STOR PC|3a 20|"; depth:9; content:"/Orion Logger - System Details|3a 20|"; distance:0; fast_pattern; reference:md5,007c4edc6e1ca963a9b2e05e136142f2; classtype:trojan-activity; sid:2026741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_21, former_category TROJAN, updated_at 2018_12_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Redirect 2019-01-02"; flow:from_server,established; file_data; content:"<!--"; depth:4; content:"window.top.location='account/?view=login&appIdKey="; nocase; within:150; isdataat:!50,relative; classtype:social-engineering; sid:2026748; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_01_02;)
@@ -24688,8 +22794,6 @@ alert tcp $HOME_NET ![23,25,80,137,139,445] -> $EXTERNAL_NET 20000: (msg:"ET MAL
 
 #alert tls $HOME_NET any -> $EXTERNAL_NET 853 (msg:"ET INFO DNS Over TLS Request Outbound"; flow:established,to_server; content:"|16 03 01 01|"; depth:4; reference:url,www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls; classtype:trojan-activity; sid:2026774; rev:2; metadata:created_at 2019_01_10, former_category INFO, updated_at 2019_01_10;)
 
-alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|*.dropbox.com"; distance:1; within:14; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:5; metadata:created_at 2011_04_07, updated_at 2019_01_16;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AtomLogger Exfil via FTP"; flow:established,to_server; content:"Username|3a 20|"; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|Operating System|3a 20|"; distance:0; content:"|0d 0a|IP Address|3a 20|"; distance:0; content:"|0d 0a|Country|3a 20|"; distance:0; content:"|0d 0a|RAM|3a 20|"; distance:0; content:"|0d 0a|Online since|3a 20|"; distance:0; content:"|0d 0a 0d 0a 0d 0a 0d 0a|================================|0d 0a|Keystrokes and Window Log|0d 0a|"; distance:0; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2019_01_17;)
 
 alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_18;)
@@ -24714,13 +22818,13 @@ alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET MALWARE Win32
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo.info"; fast_pattern; tls_cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some|20|Company"; classtype:command-and-control; sid:2026899; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_12, former_category MALWARE, malware_family BrushaLoader, tag SSL_Malicious_Cert, updated_at 2019_02_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo.info"; fast_pattern; tls_cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some|20|Company"; classtype:domain-c2; sid:2026899; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:created_at 2019_02_18, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_02_18;)
 
 alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|e|00|n|00|c|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025721; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:2; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2019_02_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:2; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2019_02_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated Script"; flow:established,to_client; file_data; content:"rc4=function|28|key,str|29|"; nocase; content:"key.charCodeAt|28|i%key.length|29|"; fast_pattern; nocase; distance:0; content:"String.fromCharCode|28|str.charCodeAt|28|"; content:"decodeBase64=function"; nocase; distance:0; content:"b64block="; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_02_18;)
 
@@ -24828,17 +22932,17 @@ alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reverse
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"|20|-e"; nocase; distance:0; pcre:"/^(?:nc)?\s*(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=)/Ri"; classtype:trojan-activity; sid:2026992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_03_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A6469726563746F7279206368616E6765642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A6469726563746F7279206368616E6765642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A72756E74696D65206368616E67656420746F2072756E74696D65"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A72756E74696D65206368616E67656420746F2072756E74696D65"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_07;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [AV] EarthWorm/Termite IoT Agent Reporting Infection"; dsize:<500; flow:established,to_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:trojan-activity; sid:2027064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
@@ -24864,11 +22968,13 @@ alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant
 
 alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant CnC Checkin"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00 00 00 00 00 ff 01|"; distance:1; within:9; content:"|ff ff ff ff ff ff ff ff|"; distance:0; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:0; fast_pattern; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:command-and-control; sid:2027083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:3; metadata:created_at 2013_12_19, former_category INFO, updated_at 2019_03_27;)
+alert tcp $EXTERNAL_NET [19400:19500] -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.POX Variant CnC"; flow:established,to_client; dsize:4; content:"|6c 69 73 74|"; reference:md5,bb15e442a527a83939d9ff1b835f99dd; classtype:command-and-control; sid:2035057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_03_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)"; flow:established,to_server; content:"D2|7c|System|20|Information&"; fast_pattern; depth:22; content:"Manufacturer|3a|"; distance:0; content:"Product|20|Name|3a|"; distance:0; content:"Version|3a 20|"; distance:0; content:"|0a|D3|7c|MemTotal|3a 20|"; distance:0; reference:md5,8438f4abf3bc5844af493d60ea8eb8f6; classtype:coin-mining; sid:2027150; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2019_04_03;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:3; metadata:created_at 2013_12_20, former_category INFO, updated_at 2019_03_27;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, created_at 2019_04_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2019_04_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)"; flow:established,to_server; content:"D2|7c|System|20|Information&"; fast_pattern; depth:22; content:"Manufacturer|3a|"; distance:0; content:"Product|20|Name|3a|"; distance:0; content:"Version|3a 20|"; distance:0; content:"|0a|D3|7c|MemTotal|3a 20|"; distance:0; reference:md5,8438f4abf3bc5844af493d60ea8eb8f6; classtype:coin-mining; sid:2027150; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2019_04_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, created_at 2019_04_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2019_04_04;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET ATTACK_RESPONSE LaZagne Artifact Outbound in FTP"; flow:established,to_server; content:"The LaZagne Project"; fast_pattern; reference:url,github.com/AlessandroZ/LaZagne; classtype:trojan-activity; sid:2027151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family Stealer, malware_family LaZange, signature_severity Major, updated_at 2019_04_04;)
 
@@ -24908,8 +23014,6 @@ alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traff
 
 #alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:2027188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2019_04_11;)
-
 #alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2019_04_11;)
 
 #alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2027191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
@@ -24932,7 +23036,7 @@ alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB
 
 alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:2027203; rev:2; metadata:created_at 2019_04_16, updated_at 2019_04_16;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
+alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
 
 alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
 
@@ -24960,15 +23064,17 @@ alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inb
 
 alert tcp any any -> $HOME_NET [139,445] (msg:"ET MALWARE Suspected ExtraPulsar Backdoor"; flow:established,to_server; content:"ExPu"; depth:11; offset:4; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,github.com/zerosum0x0/smbdoor; classtype:trojan-activity; sid:2027370; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_21, deployment Internal, former_category TROJAN, malware_family ExtraPulsar, signature_severity Major, updated_at 2019_05_22;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_08_20;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3"; flow:established,to_server; urilen:>6; content:"MSIE"; http_user_agent; fast_pattern; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; http_header_names; content:!"Referer"; content:!"Cookie"; http_start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026461; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Moderate, signature_severity Major, updated_at 2019_05_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021151; rev:2; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2019_05_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021151; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021152; rev:2; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2019_05_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021152; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_30, deployment Internal, performance_impact Low, signature_severity Minor, updated_at 2019_05_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30"; flow:established,to_client; tls_cert_subject; content:"CN=halatest.info"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:command-and-control; sid:2027414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2019_05_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30"; flow:established,to_client; tls_cert_subject; content:"CN=halatest.info"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:domain-c2; sid:2027414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_05_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30"; dns_query; content:"canasikos.info"; nocase; isdataat:!1,relative; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:trojan-activity; sid:2027415; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2019_05_31;)
 
@@ -24986,10 +23092,14 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 64
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 32bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Your|20|computer|20|was|20|infected|20|with|20|my|20|private|20|malware"; fast_pattern; content:"malware|20|gave|20|me|20|full"; distance:0; content:"accounts|20 28|see|20|password|20|above|29|"; distance:0; content:"MANY|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_05, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_05;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Your|20|computer|20|was|20|infected|20|with|20|my|20|private|20|malware"; fast_pattern; content:"malware|20|gave|20|me|20|full"; distance:0; content:"accounts|20 28|see|20|password|20|above|29|"; distance:0; content:"MANY|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 4 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"infected|20|you|20|with|20|a|20|malware"; content:"malware|20|gave|20|me|20|full"; distance:0; content:"collected|20|everything|20|private|20|from|20|you"; distance:0; content:"FEW|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
 
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535,![3389]] (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:9; metadata:created_at 2010_07_30, updated_at 2019_06_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"|20|MSIE|20|"; http_user_agent; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[03478]+)?/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_protocol; content:"HTTP/1."; http_content_len; byte_test:0,>,150,0,string,dec; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035048; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2019_06_14;)
+
 alert dns any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Registrar Nameservers in DNS Response (carbon2u)"; content:"|00 02 00 01|"; content:"|03|ns1|08|carbon2u|03|com|00|"; distance:14; within:18; fast_pattern; classtype:bad-unknown; sid:2027471; rev:1; metadata:created_at 2019_06_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2019_06_14;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (WAIT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|WAIT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027508; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
@@ -25000,7 +23110,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Sta
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CERT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CERT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027511; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<!-- saved from url=("; within:500; content:")https://idm.east.cox.net/"; distance:4; within:26; fast_pattern; classtype:social-engineering; sid:2027535; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2019_06_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<!-- saved from url=("; within:500; content:")https://idm.east.cox.net/"; distance:4; within:26; fast_pattern; classtype:social-engineering; sid:2027535; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Miarroba Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 49 6e 73 65 72 74 65 64 20 62 79 20 6d 69 61 72 72 6f 62 61 20 2d 2d 3e|"; classtype:social-engineering; sid:2027561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2019_06_26;)
 
@@ -25024,7 +23134,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Successful Server Response"; flow:established,from_server; flowbits:isset,ET.QNAPCrypt.DetailReq; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"Content-Type|3a 20|application/json"; distance:0; content:"|7b 22|RsaPublicKey|22 3a 22|-----BEGIN RSA PUBLIC KEY"; content:"|22 7d 2c 7b 22|BtcPublicKey|22 3a 22|"; fast_pattern; content:"|22 7d 2c 7b 22|Readme|22 3a 22|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027705; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_07_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Miarroba Phish 2019-07-11"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<!-- Inserted by miarroba -->"; fast_pattern; nocase; classtype:credential-theft; sid:2027699; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2019_07_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Miarroba Phish 2019-07-11"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<!-- Inserted by miarroba -->"; fast_pattern; nocase; classtype:credential-theft; sid:2027699; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in (set)"; flow:established,to_server; dsize:>65; content:"|41 00 00 00 99|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; reference:md5,3c4a93154378e17e71830ff164bb54c4; classtype:trojan-activity; sid:2029477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Netwire, updated_at 2019_07_16;)
 
@@ -25036,13 +23146,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC
 
 #alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027730; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 3"; flow:established,to_server; content:"|20|MSIE|20|"; http_user_agent; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_request_line; content:"POST / HTTP/1."; depth:14; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; http_content_len; byte_test:0,<=,999,0,string,dec; byte_test:0,>,99,0,string,dec; classtype:command-and-control; sid:2035050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2022_04_18;)
+
 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH Remote Shell Banner"; flow:established,to_server; dsize:>100; content:"|2a 20|SUPER|20|REMOTE|20|SHELL|20|v2|2e|2|20|SSL"; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:targeted-activity; sid:2027751; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category TROJAN, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
 
 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH CnC Checkin"; flow:established,to_server; dsize:64; content:"-SH"; offset:44; depth:3; pcre:"/(?:[0-9A-F]{8}\-){5}\-SH/"; content:"|02 09 01|"; offset:52; depth:3; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027752; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
 
 #alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for .co TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|co|00|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2027759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2019_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Adobe Phish 2019-07-29"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<title>Adobe Document Cloud"; fast_pattern; nocase; classtype:credential-theft; sid:2027764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Adobe Phish 2019-07-29"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<title>Adobe Document Cloud"; fast_pattern; nocase; classtype:credential-theft; sid:2027764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert icmp any any -> any any (msg:"ET MALWARE Possible ICMP Backdoor Tunnel Command - whoami"; itype:8; icode:0; content:"whoami"; depth:6; nocase; reference:url,www.hackingarticles.in/command-and-control-tunnelling-via-icmp; classtype:trojan-activity; sid:2027763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_29;)
 
@@ -25052,7 +23164,7 @@ alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Upda
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 5 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"one|20|of|20|your|20|passwords|20|is|3a|"; content:"infected|20|with|20|my|20|private|20|malware"; distance:0; content:"I|20|RECORDED|20|YOU|20 28|through|20|your|20|webcam"; distance:0; fast_pattern; content:"bitcoin|20|wallet|20|is|3a|"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_07_31;)
 
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_08_01;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_08_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Covenant Framework HTTP Hello World Server Response"; flow:established,to_client; file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
@@ -25064,10 +23176,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; flow:established,to_client; file_data; content:"System.IO.Compression.CompressionMode.Decompress"; content:"System.Reflection.Assembly.Load("; distance:0; content:".EntryPoint.Invoke("; distance:0; fast_pattern; content:"|3c 2f|UsingTask|3e|"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!5721,!5938] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"PWHDR"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:command-and-control; sid:2016922; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_08_06;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; content:!"trust.zscaler.com"; pcre:"/(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:15; metadata:created_at 2012_02_28, updated_at 2019_08_06;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M2"; flow:established,to_server; dsize:16; content:"|49 42 d4 b5 38 70 fe 86 2a 4e d2 73 0d 95 79 e5|"; reference:md5,5c12015ebeb755c0b6029468a13e59a9; classtype:command-and-control; sid:2027813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M1"; flow:established,to_server; dsize:16; content:"|73 08 e2 bc 6d 8c 9d b5 85 52 b1 e1 5d 5a 9a 8e|"; reference:md5,d6db3ac5a8022184f03a34fbfdcb926d; classtype:command-and-control; sid:2027812; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
@@ -25100,35 +23208,79 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.K
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:pup-activity; sid:2000587; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:pup-activity; sid:2000589; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:pup-activity; sid:2000590; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:pup-activity; sid:2000932; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:pup-activity; sid:2001317; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Receiving Config"; flow:established,to_server; http.uri; content:"/config/?"; nocase; content:"v=5"; nocase; content:"n=mm2"; nocase; content:"i="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:pup-activity; sid:2001417; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:pup-activity; sid:2001444; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:pup-activity; sid:2001459; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:pup-activity; sid:2001533; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; http_uri; nocase; content:"?ID={"; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:pup-activity; sid:2001730; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:pup-activity; sid:2001850; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; http_uri; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:pup-activity; sid:2002003; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:pup-activity; sid:2002017; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:pup-activity; sid:2002048; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:pup-activity; sid:2002093; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:pup-activity; sid:2002099; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:pup-activity; sid:2002354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; http_uri; nocase; content:"partnerid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:pup-activity; sid:2003057; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:pup-activity; sid:2003059; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:pup-activity; sid:2003061; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:pup-activity; sid:2003154; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:pup-activity; sid:2003336; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:pup-activity; sid:2003496; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:pup-activity; sid:2003606; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; http_uri; nocase; content:"&q="; http_uri; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:pup-activity; sid:2003610; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; http_uri; nocase; content:"&refe=http"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:pup-activity; sid:2003620; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; http.uri; content:"?proto="; nocase; content:"&rc="; nocase; content:"&v="; nocase; content:"&abbr="; nocase; content:"&platform="; nocase; content:"&os_version="; nocase; content:"&ac="; nocase; content:"&appid="; nocase; content:"&em="; nocase; content:"&pcid="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:pup-activity; sid:2007664; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopcenter.co .kr Spyware Install Report"; flow:established,to_server; http.uri; content:"/RewardInstall.php?mac=0"; content:"&hdd="; content:"&ver="; content:"&ie="; content:"&win="; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:pup-activity; sid:2008370; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET ADWARE_PUP Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:pup-activity; sid:2008402; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:pup-activity; sid:2009438; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:pup-activity; sid:2010904; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011517; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011518; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET ADWARE_PUP W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; classtype:pup-activity; sid:2013956; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2017_09_21;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014286; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_27, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014287; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:coin-mining; sid:2014535; rev:4; metadata:created_at 2012_04_10, former_category ADWARE_PUP, updated_at 2012_04_10;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014287; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_27, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET ADWARE_PUP DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:pup-activity; sid:2018458; rev:4; metadata:created_at 2014_05_09, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:coin-mining; sid:2014535; rev:4; metadata:created_at 2012_04_09, former_category ADWARE_PUP, updated_at 2012_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:pup-activity; sid:2018617; rev:7; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2016_06_22;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:pup-activity; sid:2020712; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
@@ -25144,67 +23296,57 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible A
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_11, former_category CURRENT_EVENTS, updated_at 2015_02_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2015_02_12;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:trojan-activity; sid:2019181; rev:9; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 87 8f 35 b4 aa 08 d1|"; within:35; fast_pattern; content:"|55 04 07|"; content:"|06|Taipei"; distance:1; within:7; classtype:trojan-activity; sid:2020289; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02 43 4e|"; distance:0; content:"|06 03 55 04 08 0c 02|ST"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M1 (L O)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M2 (L CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M3 (O CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:3; metadata:created_at 2015_03_31, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018246; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET DELETED Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative;  classtype:attempted-dos; sid:2027890; rev:1; metadata:created_at 2019_08_15, former_category SNMP, updated_at 2020_08_20;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_26, former_category CURRENT_EVENTS, updated_at 2014_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern:14,20; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:4; metadata:created_at 2013_10_03, former_category CURRENT_EVENTS, updated_at 2013_10_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:3; metadata:created_at 2013_11_25, former_category CURRENT_EVENTS, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:3; metadata:created_at 2013_11_25, former_category CURRENT_EVENTS, updated_at 2013_11_25;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET DELETED Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; sid:2027890; rev:2; metadata:created_at 2019_08_15, former_category SNMP, updated_at 2020_08_20;)
 
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip"; depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027888; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
 
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip"; depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027889; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_24, former_category CURRENT_EVENTS, updated_at 2014_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_24, former_category CURRENT_EVENTS, updated_at 2014_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_24, former_category CURRENT_EVENTS, updated_at 2014_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_24, former_category CURRENT_EVENTS, updated_at 2014_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_24, former_category CURRENT_EVENTS, updated_at 2014_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_24, former_category CURRENT_EVENTS, updated_at 2014_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
 alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
 
@@ -25220,9 +23362,9 @@ alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:9; metadata:created_at 2014_04_11, former_category CURRENT_EVENTS, updated_at 2014_04_11;)
 
-alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:3; metadata:created_at 2014_04_14, former_category CURRENT_EVENTS, updated_at 2014_04_14;)
+alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:3; metadata:created_at 2014_04_15, former_category CURRENT_EVENTS, updated_at 2014_04_15;)
 
-alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:4; metadata:created_at 2014_04_14, former_category CURRENT_EVENTS, updated_at 2014_04_14;)
+alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:4; metadata:created_at 2014_04_15, former_category CURRENT_EVENTS, updated_at 2014_04_15;)
 
 alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
 
@@ -25236,9 +23378,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Fla
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; classtype:trojan-activity; sid:2017846; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; classtype:trojan-activity; sid:2019597; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; classtype:trojan-activity; sid:2019597; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; classtype:trojan-activity; sid:2019599; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; classtype:trojan-activity; sid:2019599; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING! Your PC may not be protected!"; content:"remove malicious malware and adware"; distance:0; classtype:social-engineering; sid:2020588; rev:3; metadata:created_at 2015_03_03, former_category WEB_CLIENT, updated_at 2015_03_03;)
 
@@ -25254,16 +23396,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Fla
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"<title>Advised System Support!</title>"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:social-engineering; sid:2021183; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:social-engineering; sid:2021206; rev:3; metadata:created_at 2015_06_08, former_category WEB_CLIENT, updated_at 2015_06_08;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:social-engineering; sid:2021207; rev:3; metadata:created_at 2015_06_08, former_category WEB_CLIENT, updated_at 2015_06_08;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern:10,20; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; classtype:social-engineering; sid:2021256; rev:3; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2015_06_11;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern:9,20; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; classtype:social-engineering; sid:2021258; rev:3; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2015_06_11;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; classtype:social-engineering; sid:2021285; rev:3; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M2"; flow:established,to_client; file_data; content:"<title>Security Error</title>"; nocase; content:"myFunction|28 29|"; content:"setInterval"; content:"WARNING"; nocase; classtype:social-engineering; sid:2021286; rev:4; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M4"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; content:"onmouseover=|22|myFunction|28 29 3b 22|"; distance:1; content:"onclick=|22|myFunction|28 29 3b 22|"; distance:1; content:"onkeydown=|22|myFunction|28 29 3b 22|"; distance:1; content:"onunload=|22|myFunction|28 29 3b 22|"; distance:1; classtype:social-engineering; sid:2021288; rev:3; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
@@ -25278,8 +23410,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M3"; flow:established,to_client; file_data; content:"e.ctrlKey &&"; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"IP has been Registed"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2021359; rev:3; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern:11,20; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; classtype:social-engineering; sid:2021365; rev:3; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Stylesheet June 26 2015"; flow:established,to_client; content:"Content-Type|3a 20|text/css"; http_header; file_data; content:".header-warning"; content:".what-to-do"; distance:0; content:"more-about-the-virus"; distance:0; fast_pattern; classtype:social-engineering; sid:2021366; rev:3; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M6"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING|3a|"; nocase; fast_pattern; content:"onbeforeunload"; nocase; distance:0; content:"function|28 29|"; nocase; distance:0; content:"virus"; nocase; distance:0; classtype:social-engineering; sid:2021368; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
@@ -25292,61 +23422,35 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:".html?a="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2021963; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern:8,20; distance:0; classtype:social-engineering; sid:2021964; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern:8,20; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; classtype:social-engineering; sid:2021965; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern:6,20; classtype:social-engineering; sid:2021966; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:"/scan"; depth:5; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/scan[A-Z][a-z]?\/?$/U"; classtype:social-engineering; sid:2021967; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; classtype:social-engineering; sid:2021974; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; classtype:social-engineering; sid:2021974; rev:3; metadata:created_at 2015_10_20, former_category WEB_CLIENT, updated_at 2015_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; classtype:social-engineering; sid:2021975; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; classtype:social-engineering; sid:2021975; rev:3; metadata:created_at 2015_10_20, former_category WEB_CLIENT, updated_at 2015_10_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING! Windows Update Required"; nocase; fast_pattern; content:"Call US Toll Free|20 3a 20|1-877"; nocase; distance:0; content:"System connected with OVERSEAS IP Address"; nocase; distance:0; content:"YOUR COMPUTER HAS BEEN LOCKED!!"; nocase; distance:0; reference:url,threatglass.com/malicious_urls/funu-info; classtype:social-engineering; sid:2022010; rev:3; metadata:created_at 2015_10_29, former_category WEB_CLIENT, updated_at 2015_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern:10,20; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; classtype:social-engineering; sid:2022011; rev:3; metadata:created_at 2015_10_30, former_category WEB_CLIENT, updated_at 2015_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; classtype:social-engineering; sid:2022012; rev:3; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2015_10_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; classtype:social-engineering; sid:2022012; rev:3; metadata:created_at 2015_10_30, former_category WEB_CLIENT, updated_at 2015_10_30;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; classtype:social-engineering; sid:2022013; rev:3; metadata:created_at 2015_10_30, former_category WEB_CLIENT, updated_at 2015_10_30;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern:7,20; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2022030; rev:3; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; classtype:social-engineering; sid:2022013; rev:3; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2015_10_31;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam JS Landing Nov 4"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; content:"Content-Encoding|3a 20|gzip"; http_header; file_data; content:"tfnnumber"; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"msgencoded"; content:"returnmsgencoded"; distance:0; content:"Base64"; pcre:"/^\s*?\.\s*?decode\s*?\(\s*?msgencoded\s*?\)\s*?\.\s*?replace/Rsi"; classtype:social-engineering; sid:2022031; rev:5; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam GET Nov 4"; flow:to_server,established; content:"GET"; http_method; content:".html?cid="; nocase; http_uri; fast_pattern; content:"&caid="; http_uri; nocase; distance:0; content:"&oid="; http_uri; nocase; distance:0; content:"&zid="; http_uri; nocase; distance:0; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; content:!"www.google-analytics.com|0d 0a|"; http_header; classtype:social-engineering; sid:2022032; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern:21,20; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; classtype:social-engineering; sid:2022033; rev:3; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 11"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 22|"; fast_pattern; content:"onclick=|22|myFunction|28 29 22|"; distance:0; content:"onkeydown=|22|myFunction|28 29 22|"; distance:0; content:"onunload=|22|myFunction|28 29 22|"; distance:0; classtype:social-engineering; sid:2022079; rev:3; metadata:created_at 2015_11_12, former_category WEB_CLIENT, updated_at 2015_11_12;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,from_server; file_data; content:"Windows Browser"; fast_pattern; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]country[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]isp[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]ip[\x22\x27]/Rsi"; content:"Hello China"; nocase; distance:0; classtype:social-engineering; sid:2022092; rev:3; metadata:created_at 2015_11_16, former_category WEB_CLIENT, updated_at 2015_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2022103; rev:3; metadata:created_at 2015_11_16, former_category WEB_CLIENT, updated_at 2015_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2022103; rev:3; metadata:created_at 2015_11_17, former_category WEB_CLIENT, updated_at 2015_11_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; classtype:social-engineering; sid:2022125; rev:3; metadata:created_at 2015_11_20, former_category WEB_CLIENT, updated_at 2015_11_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; classtype:social-engineering; sid:2022125; rev:3; metadata:created_at 2015_11_21, former_category WEB_CLIENT, updated_at 2015_11_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M1"; flow:to_client,established; file_data; content:"/windowslogo.jpg"; fast_pattern; nocase; content:"/winborder.html"; nocase; distance:0; content:"bug1.html"; nocase; distance:0; content:"infected your system"; nocase; distance:0; content:"TCP connection already exists"; nocase; distance:0; content:"TOLL FREE"; nocase; distance:0; classtype:social-engineering; sid:2022319; rev:3; metadata:created_at 2015_12_30, former_category WEB_CLIENT, updated_at 2015_12_30;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M2"; flow:to_client,established; file_data; content:"/sound.mp3"; fast_pattern; nocase; content:"function goodbye"; nocase; distance:0; content:"DetectMobile()"; nocase; distance:0; content:"stopPropagation"; nocase; distance:0; content:"preventDefault"; nocase; distance:0; classtype:social-engineering; sid:2022320; rev:3; metadata:created_at 2015_12_30, former_category WEB_CLIENT, updated_at 2015_12_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:social-engineering; sid:2022364; rev:3; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2016_01_14;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; classtype:social-engineering; sid:2022365; rev:6; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2016_01_14;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:social-engineering; sid:2022366; rev:3; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2016_01_14;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; classtype:social-engineering; sid:2022409; rev:3; metadata:created_at 2016_01_26, former_category WEB_CLIENT, updated_at 2016_01_26;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:social-engineering; sid:2022410; rev:3; metadata:created_at 2016_01_26, former_category WEB_CLIENT, updated_at 2016_01_26;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:social-engineering; sid:2022525; rev:3; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2016_02_16;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:social-engineering; sid:2022526; rev:3; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2016_02_16;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:social-engineering; sid:2022527; rev:3; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2016_02_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:social-engineering; sid:2022410; rev:3; metadata:created_at 2016_01_27, former_category WEB_CLIENT, updated_at 2016_01_27;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:social-engineering; sid:2022528; rev:3; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2016_02_16;)
 
@@ -25354,7 +23458,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support P
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022602; rev:3; metadata:created_at 2016_03_07, former_category WEB_CLIENT, updated_at 2016_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022603; rev:3; metadata:created_at 2016_03_08, former_category WEB_CLIENT, updated_at 2016_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022603; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022605; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
@@ -25362,7 +23466,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake S
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2022607; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:social-engineering; sid:2022619; rev:3; metadata:created_at 2016_03_15, former_category WEB_CLIENT, updated_at 2016_03_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:social-engineering; sid:2022619; rev:3; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2016_03_16;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:social-engineering; sid:2022649; rev:3; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2016_03_23;)
 
@@ -25372,8 +23476,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Flash Upd
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022802; rev:3; metadata:created_at 2016_05_11, former_category WEB_CLIENT, updated_at 2016_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:social-engineering; sid:2022853; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:social-engineering; sid:2022855; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:social-engineering; sid:2022856; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
@@ -25388,22 +23490,10 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Flash Upd
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024125; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024126; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
-
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
 
 #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024129; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024130; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024131; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024132; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Multibrowser Resource Exhaustion observed in Tech Support Scam"; flow:from_server,established; file_data; content:"var|20|total|20|=|20 22 22 3b|"; nocase; content:"total|20|=|20|total"; nocase; distance:0; content:"history.pushState"; nocase; fast_pattern; distance:0; pcre:"/^\s*\(\s*0\s*,\s*0\s*,\s*total\s*\)/Ri"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1246773; classtype:social-engineering; sid:2024305; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_05_16;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe - Update Adobe Flash Player</title>"; nocase; classtype:bad-unknown; sid:2024643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
@@ -25420,12 +23510,8 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Fla
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>flash player might be outdated</title>"; nocase; classtype:bad-unknown; sid:2024649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Sep 08 2017"; flow:established,to_client; file_data; content:"background-color|3a|#CE3426|3b|"; nocase; fast_pattern:5,20; content:"=window[|22|eval|22|](|22|eval|22|)|3b|"; nocase; distance:0; content:"charCodeAt"; distance:0; content:"fromCharCode"; distance:0; classtype:social-engineering; sid:2024688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2017_09_08;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam Landing M1 Oct 13 2017"; flow:established,to_client; file_data; content:"<title>Windows Defender</title>"; nocase; fast_pattern; content:"background-color|3a 20|#659e1d"; nocase; distance:0; classtype:social-engineering; sid:2024841; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2017_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:from_server,established;file_data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2024845; rev:3; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2017_10_16;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2018-01-10"; flow:from_server,established; file_data; content:"<title>Security Warning"; nocase; fast_pattern; content:"background-color:#d70000"; nocase; distance:0; classtype:social-engineering; sid:2025197; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_01_10;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 12"; flow:from_server,established; file_data; content:"|57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 41 6c 65 72 74 20 3a 20 5a 65 75 73 20 56 69 72 75 73 20 44 65 74 65 63 74 65 64 20 49 6e 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 20 21 21 3c 2f 68 31 3e|"; fast_pattern; nocase; content:"|3e 50 6c 65 61 73 65 20 44 6f 20 4e 6f 74 20 53 68 75 74 20 44 6f 77 6e 20 6f 72 20 52 65 73 65 74 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 2e 3c 2f 68 33 3e|"; nocase; distance:0; classtype:social-engineering; sid:2025345; rev:3; metadata:created_at 2018_02_12, former_category WEB_CLIENT, updated_at 2018_02_12;)
@@ -25440,3841 +23526,4397 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech
 
 alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC Activity"; content:"|af 7d a7 38 eb f9 f7 47|"; depth:8; fast_pattern; content:"|00|"; distance:4; within:1; content:"|10 00|"; distance:1; within:2; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.fortinet.com/blog/threat-research/chinese-targeted-trojan-analysis.html; classtype:command-and-control; sid:2027892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_08_19;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2011911; rev:3; metadata:created_at 2010_11_09, former_category DNS, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/exploit.php?id="; http_uri; nocase; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; classtype:misc-activity; sid:2009586; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Request for Zaletelly CnC Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:command-and-control; sid:2014513; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; http_uri; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2017312; rev:5; metadata:created_at 2013_08_12, former_category MALWARE, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"explorer_exe"; nocase; distance:0; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2012781; rev:3; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Ad Report"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/ad_report.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"protocol="; http_uri; content:"author="; http_uri; content:"login="; http_uri; content:"zone="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011758; classtype:policy-violation; sid:2011758; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:7; metadata:created_at 2010_12_30, former_category HUNTING, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (agtray)"; flow: to_server,established; content:"/pr/agtray.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000569; classtype:policy-violation; sid:2000569; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Large DNS Query possible covert channel"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; classtype:bad-unknown; sid:2013075; rev:9; metadata:created_at 2011_06_21, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (autray)"; flow: to_server,established; content:"/pr/autray.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000570; classtype:policy-violation; sid:2000570; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:5; metadata:created_at 2012_08_09, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> 76.74.9.19 $HTTP_PORTS (msg:"ET DELETED Packetstormsecurity Exploits Of The Month Download"; content:"GET /"; content:"-exploits.tgz"; http_uri; depth:70; flow:to_server,established; reference:url,www.packetstormsecurity.org; reference:url,doc.emergingthreats.net/2008525; classtype:misc-activity; sid:2008525; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019454; rev:2; metadata:created_at 2014_10_16, former_category MALWARE, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid"; flow:established,to_server; content:"/news.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004585; classtype:web-application-attack; sid:2004585; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019455; rev:2; metadata:created_at 2014_10_16, former_category MALWARE, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/pathwirte.php?"; http_uri; nocase; content:"FSPHP_LIB="; http_uri; nocase; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58317; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010361; classtype:web-application-attack; sid:2010361; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE ELF.MrBlack DOS.TF Malformed Lookup (/lib32/libc.so.6)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|/lib32/libc|02|so|01|6|00|"; fast_pattern; distance:0; nocase; reference:md5,312fa52a7992e58359cb68bb0f029ea7; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022335; rev:3; metadata:created_at 2016_01_06, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ch_readalso.php?"; http_uri; nocase; content:"read_xml_include="; http_uri; nocase; pcre:"/read_xml_include=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29251; reference:url,xforce.iss.net/xforce/xfdb/42459; reference:url,milw0rm.com/exploits/5624; reference:url,doc.emergingthreats.net/2010099; classtype:web-application-attack; sid:2010099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2016-12-15 to 2017-05-04)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:gdqg|hdqh|idqi|jdqj|kdqk|ldql|mdqm|ndqn|odqo|pdqp|qdqq|rdqr|sdqs|tdqt|udqu|vdqv|wdqw|xdqx|ydqy|zdqz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/common.php?"; http_uri; nocase; content:"root="; http_uri; nocase; pcre:"/root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/29904; reference:url,milw0rm.com/exploits/7218; reference:url,doc.emergingthreats.net/2008922; classtype:web-application-attack; sid:2008922; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2017-05-04 to 2017-11-02)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:adra|bdrb|cdrc|ddrd|edre|fdrf|gdrg|hdrh|idri|jdrj|kdrk|ldrl|mdrm|ndrn|odro|pdrp|qdrq|rdrr|sdrs|tdrt|udru|vdrv|wdrw|xdrx|ydry|zdrz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls"; flow:established,to_server; content:"/modules/noevents/templates/mfa_theme.php?"; http_uri; nocase; content:"tpls["; http_uri; nocase; reference:cve,CVE-2007-2572; reference:url,www.milw0rm.com/exploits/3861; reference:url,doc.emergingthreats.net/2003694; classtype:web-application-attack; sid:2003694; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS Checkin"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; fast_pattern; pcre:"/^(?!0+30)[0-9A-Z]+30[^0-9]/R"; content:"|00|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022836; rev:4; metadata:created_at 2016_05_24, former_category MALWARE, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username"; flow:established,to_server; content:"/de/pda/dev_logon.asp?"; http_uri; nocase; content:"username="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003894; classtype:web-application-attack; sid:2003894; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .cn Domain Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:pup-activity; sid:2012327; rev:6; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp"; flow:established,to_server; content:"/usrmgr/registerAccount.asp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003895; classtype:web-application-attack; sid:2003895; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:pup-activity; sid:2012328; rev:8; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp"; flow:established,to_server; content:"/de/create_account.asp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003896; classtype:web-application-attack; sid:2003896; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain peocity.com"; dns_query; content:"peocity.com"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016600; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/resource_categories_view.php?"; http_uri; nocase; content:"CLASSES_ROOT="; http_uri; nocase; pcre:"/CLASSES_ROOT=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009333; classtype:web-application-attack; sid:2009333; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain skyruss.net"; dns_query; content:"skyruss.net"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016602; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt"; flow: established,from_client; content:"/osticket/include"; http_uri; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438; reference:cve,CAN-2005-1439; reference:url,doc.emergingthreats.net/bin/view/Main/2002702; classtype:web-application-attack; sid:2002702; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain commanal.net"; dns_query; content:"commanal.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016603; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home"; flow:established,to_server; content:"/skins/header.php?"; http_uri; nocase; content:"ote_home="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003741; classtype:web-application-attack; sid:2003741; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain natareport.com"; dns_query; content:"natareport.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016604; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home"; flow:established,to_server; content:"/skins/header.php?"; http_uri; nocase; content:"ote_home="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003878; classtype:web-application-attack; sid:2003878; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogellrey.com"; dns_query; content:"photogellrey.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016605; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/filepool.php?"; http_uri; nocase; content:"oe_classpath="; http_uri; nocase; pcre:"/oe_classpath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31423; reference:url,milw0rm.com/exploits/6585; reference:url,doc.emergingthreats.net/2009164; classtype:web-application-attack; sid:2009164; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain creditrept.com"; dns_query; content:"creditrept.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016608; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/modules/core/logger/init.php?"; http_uri; nocase; content:"GLOBALS[preloc]="; http_uri; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009459; classtype:web-application-attack; sid:2009459; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pollingvoter.org"; dns_query; content:"pollingvoter.org"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016609; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/newscat.php?"; http_uri; nocase; content:"GLOBALS[preloc]="; http_uri; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009460; classtype:web-application-attack; sid:2009460; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dfasonline.com"; dns_query; content:"dfasonline.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016610; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006528; classtype:web-application-attack; sid:2006528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hudsoninst.com"; dns_query; content:"hudsoninst.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016611; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006529; classtype:web-application-attack; sid:2006529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain wsurveymaster.com"; dns_query; content:"wsurveymaster.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016612; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006530; classtype:web-application-attack; sid:2006530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nhrasurvey.org"; dns_query; content:"nhrasurvey.org"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016613; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006531; classtype:web-application-attack; sid:2006531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pdi2012.org"; dns_query; content:"pdi2012.org"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016614; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006532; classtype:web-application-attack; sid:2006532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nceba.org"; dns_query; content:"nceba.org"; depth:9; nocase; fast_pattern; classtype:trojan-activity; sid:2016615; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006533; classtype:web-application-attack; sid:2006533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain linkedin-blog.com"; dns_query; content:"linkedin-blog.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016616; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006534; classtype:web-application-attack; sid:2006534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain aafbonus.com"; dns_query; content:"aafbonus.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016617; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006535; classtype:web-application-attack; sid:2006535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain milstars.org"; dns_query; content:"milstars.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016618; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006536; classtype:web-application-attack; sid:2006536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain vatdex.com"; dns_query; content:"vatdex.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016619; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006537; classtype:web-application-attack; sid:2006537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain applesea.net"; dns_query; content:"applesea.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016621; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006538; classtype:web-application-attack; sid:2006538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledmg.net"; dns_query; content:"appledmg.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016622; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006539; classtype:web-application-attack; sid:2006539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appleintouch.net"; dns_query; content:"appleintouch.net"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016623; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006540; classtype:web-application-attack; sid:2006540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledns.net"; dns_query; content:"appledns.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016625; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006541; classtype:web-application-attack; sid:2006541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain emailserverctr.com"; dns_query; content:"emailserverctr.com"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2016626; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006542; classtype:web-application-attack; sid:2006542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain slashdoc.org"; dns_query; content:"slashdoc.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016629; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006543; classtype:web-application-attack; sid:2006543; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photosmagnum.com"; dns_query; content:"photosmagnum.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016630; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006544; classtype:web-application-attack; sid:2006544; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain resume4jobs.net"; dns_query; content:"resume4jobs.net"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016631; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006545; classtype:web-application-attack; sid:2006545; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain searching-job.net"; dns_query; content:"searching-job.net"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016632; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/converter.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009871; classtype:web-application-attack; sid:2009871; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain servagency.com"; dns_query; content:"servagency.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016633; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/messages.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009872; classtype:web-application-attack; sid:2009872; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain gsasmartpay.org"; dns_query; content:"gsasmartpay.org"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016634; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/settings.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009873; classtype:web-application-attack; sid:2009873; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain tech-att.com"; dns_query; content:"tech-att.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016635; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB Remote Code Execution Attempt"; flow:established,to_server; content:"/viewtopic.php?"; http_uri; pcre:"/highlight=.*?(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})/Ui"; reference:url,secunia.com/advisories/15845/; reference:bugtraq,14086; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; reference:url,doc.emergingthreats.net/2002070; classtype:web-application-attack; sid:2002070; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Synolocker .onion DNS lookup"; dns_query; content:"cypherxffttr7hho"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018948; rev:3; metadata:created_at 2014_08_18, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"phpbb_root_path="; http_uri; nocase; pcre:"/phpbb_root_path=(ftps?|https?|php)/Ui"; reference:url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path; reference:url,doc.emergingthreats.net/2002731; classtype:web-application-attack; sid:2002731; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.cc"; dns_query; content:"jifr.co.cc"; depth:10; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:4; metadata:created_at 2011_08_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage1; flowbits:noalert; reference:url,doc.emergingthreats.net/2010890; classtype:attempted-user; sid:2010890; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.be"; dns_query; content:"qfsl.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"agreed=I+agree+to+these+terms"; content:"change_lang="; content:"creation_time"; content:"form_token"; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage1; flowbits:set,ET.phpBB3_register_stage2; flowbits:noalert; reference:url,doc.emergingthreats.net/2010891; classtype:attempted-user; sid:2010891; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.cc"; dns_query; content:"qfsl.co.cc"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=confirm"; http_uri; content:"confirm_id="; http_uri; content:"type="; http_uri; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage3; flowbits:noalert; reference:url,doc.emergingthreats.net/2010892; classtype:attempted-user; sid:2010892; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.be"; dns_query; content:"jifr.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"email_confirm="; content:"new_password"; content:"password_confirm"; content:"lang="; content:"tz="; content:"confirm_code="; content:"refresh_vc="; content:"confirm_id="; content:"agreed="; content:"change_lang="; content:"confirm_id="; content:"creation_time="; content:"form_token="; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage3; flowbits:set,ET.phpBB3_register_stage4; flowbits:noalert; reference:url,doc.emergingthreats.net/2010893; classtype:attempted-user; sid:2010893; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Chanitor.A DNS Lookup "; dns_query; content:"svcz25e3m4mwlauz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2019519; rev:3; metadata:created_at 2014_10_27, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^Y$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010894; classtype:web-application-attack; sid:2010894; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns_query; content:"r2bv3u64ytfi2ssf"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019979; rev:4; metadata:created_at 2014_12_19, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^YYY$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010895; classtype:web-application-attack; sid:2010895; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"qtrudrukmurps7tc"; depth:16; nocase; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:3; metadata:created_at 2015_01_19, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Bogus Stage3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=confirm"; http_uri; content:"id="; http_uri; pcre:"/(\?|&)id=/Ui"; content:"type="; http_uri; reference:url,doc.emergingthreats.net/2010898; classtype:web-application-attack; sid:2010898; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"tzsvejrzduo52siy"; depth:16; nocase; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:3; metadata:created_at 2015_01_19, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 multiple login attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=login"; http_uri; threshold: type threshold, track by_src, count 2, seconds 60; reference:url,doc.emergingthreats.net/2010899; classtype:attempted-user; sid:2010899; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"ohmva4gbywokzqso"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020226; rev:3; metadata:created_at 2015_01_21, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 possible spammer posting attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/posting.php"; http_uri; nocase; content:"mode=post"; http_uri; threshold: type threshold, track by_src, count 2, seconds 30; reference:url,doc.emergingthreats.net/2010900; classtype:web-application-attack; sid:2010900; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptarv4hcu24ijv Domain - CryptoWall Domains"; dns_query; content:"crptarv4hcu24ijv"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020280; rev:3; metadata:created_at 2015_01_22, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible PHP-Calendar configfile Remote .PHP File Inclusion Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/php-calendar-1.1/update"; http_uri; nocase; content:"configfile="; http_uri; nocase; content:".php"; nocase; pcre:"/\x2Fphp-calendar-1.1\x2Fupdate(08|10)\x2Ephp(\x3F|.*(\x26|\x3B))configfile=[^\x26\x3B]*[^a-zA-Z0-9_]/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023375.html; reference:cve,2009-3702; reference:url,doc.emergingthreats.net/2010531; classtype:web-application-attack; sid:2010531; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptbfoi5i54ubez Domain - CryptoWall Domains"; dns_query; content:"crptbfoi5i54ubez"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020281; rev:3; metadata:created_at 2015_01_22, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid"; flow:established,to_server; content:"/settings.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003879; classtype:web-application-attack; sid:2003879; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptcj7wd4oaafdl Domain - CryptoWall Domains"; dns_query; content:"crptcj7wd4oaafdl"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020282; rev:3; metadata:created_at 2015_01_22, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid"; flow:established,to_server; content:"/cat.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003880; classtype:web-application-attack; sid:2003880; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Critroni Tor DNS Proxy lookup"; dns_query; content:"23bteufi2kcqza2l"; depth:16; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:5; metadata:created_at 2014_12_10, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config"; flow:established,to_server; content:"/includes/language.php?"; http_uri; nocase; content:"config="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003742; classtype:web-application-attack; sid:2003742; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"sgqjml3dstgmarn3"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020357; rev:3; metadata:created_at 2015_02_04, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path"; flow:established,to_server; content:"/layout_admin_cfg.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003743; classtype:web-application-attack; sid:2003743; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain"; dns_query; content:"brk7tda32wtkxjpa"; depth:16; nocase; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:3; metadata:created_at 2015_02_27, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path"; flow:established,to_server; content:"/layout_cfg.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003744; classtype:web-application-attack; sid:2003744; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (h63rbx7gkd3gygag)"; dns_query; content:"h63rbx7gkd3gygag"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020616; rev:3; metadata:created_at 2015_03_04, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path"; flow:established,to_server; content:"/skins/phpchess/layout_t_top.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003745; classtype:web-application-attack; sid:2003745; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; dns_query; content:"juf5pjk4sl7uojh4"; depth:16; fast_pattern; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:3; metadata:created_at 2015_03_11, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEventMan remote file include"; flow:established,to_server; content:"/controller/"; http_uri; nocase; pcre:"/(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22358; reference:url,doc.emergingthreats.net/2003372; classtype:web-application-attack; sid:2003372; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (4elcqmis624seeo7)"; dns_query; content:"4elcqmis624seeo7"; depth:16; fast_pattern; nocase; reference:url,teknoseyir.com/durum/291421; classtype:trojan-activity; sid:2020685; rev:3; metadata:created_at 2015_03_12, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include"; flow:established,to_server; content:"/block.php?"; http_uri; nocase; content:"Include="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2665; reference:url,www.milw0rm.com/exploits/3906; reference:url,doc.emergingthreats.net/2003740; classtype:web-application-attack; sid:2003740; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu)"; dns_query; content:"erhitnwfvpgajfbu"; depth:16; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019123; rev:5; metadata:created_at 2014_09_05, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/CoupleDB.php?"; http_uri; nocase; content:"DataDirectory="; http_uri; nocase; pcre:"/DataDirectory=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9155; reference:url,packetstormsecurity.org/0907-exploits/phpgenealogy-rfi.txt; reference:url,doc.emergingthreats.net/2010095; classtype:web-application-attack; sid:2010095; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx)"; dns_query; content:"3bjpwsf3fjcwtnwx"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020727; rev:3; metadata:created_at 2015_03_23, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003805; classtype:web-application-attack; sid:2003805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (otsaa35gxbcwvrqs)"; dns_query; content:"otsaa35gxbcwvrqs"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020759; rev:3; metadata:created_at 2015_03_26, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UNION SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003806; classtype:web-application-attack; sid:2003806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (4bpthx5z4e7n6gnb)"; dns_query; content:"4bpthx5z4e7n6gnb"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020760; rev:3; metadata:created_at 2015_03_26, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER INSERT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003807; classtype:web-application-attack; sid:2003807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (bc3ywvif4m3lnw4o)"; dns_query; content:"bc3ywvif4m3lnw4o"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020761; rev:3; metadata:created_at 2015_03_26, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER DELETE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003808; classtype:web-application-attack; sid:2003808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; dns_query; content:"33p5mqkaj22irv4z"; depth:16; fast_pattern; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:3; metadata:created_at 2015_04_15, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ASCII"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003809; classtype:web-application-attack; sid:2003809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr)"; dns_query; content:"pf3tlgkpks7pu7yr"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020952; rev:3; metadata:created_at 2015_04_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003810; classtype:web-application-attack; sid:2003810; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; dns_query; content:"cld7vqwcvn2bii67"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:3; metadata:created_at 2015_04_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003811; classtype:web-application-attack; sid:2003811; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; dns_query; content:"is6xsotjdy4qtgur"; depth:16; fast_pattern; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:3; metadata:created_at 2015_05_08, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UNION SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003812; classtype:web-application-attack; sid:2003812; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; dns_query; content:"tlunjscxn5n76iyz"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:3; metadata:created_at 2015_05_18, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS INSERT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003813; classtype:web-application-attack; sid:2003813; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; dns_query; content:"wdthvb6jut2rupu4"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:3; metadata:created_at 2015_05_28, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS DELETE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003814; classtype:web-application-attack; sid:2003814; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; dns_query; content:"xwxwninkssujglja"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:3; metadata:created_at 2015_05_28, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ASCII"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003815; classtype:web-application-attack; sid:2003815; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; dns_query; content:"7fa6gldxg64t5wnt"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:3; metadata:created_at 2015_05_28, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003816; classtype:web-application-attack; sid:2003816; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; dns_query; content:"bpq4dub4rlivvswu"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:3; metadata:created_at 2015_06_18, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib"; flow:established,to_server; content:"/examples/widget8.php?"; http_uri; nocase; content:"phphtmllib="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2614; reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded; reference:url,doc.emergingthreats.net/2003730; classtype:web-application-attack; sid:2003730; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; dns_query; content:"gzc7lj4rvmkg25dm"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:3; metadata:created_at 2015_06_18, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local"; flow:established,to_server; content:"/ftp.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003731; classtype:web-application-attack; sid:2003731; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Variant .onion proxy Domain (kurrmpfx6kgmsopm)"; dns_query; content:"kurrmpfx6kgmsopm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021318; rev:3; metadata:created_at 2015_06_22, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local"; flow:established,to_server; content:"/libs/db.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003732; classtype:web-application-attack; sid:2003732; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion proxy Domain (tkjthigtqlvohs7z)"; dns_query; content:"tkjthigtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021319; rev:3; metadata:created_at 2015_06_22, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local"; flow:established,to_server; content:"/libs/ftp.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003733; classtype:web-application-attack; sid:2003733; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b)"; dns_query; content:"xvha2ctkacx2ug3b"; depth:16; fast_pattern; nocase; reference:url,www.dropboxforum.com/hc/communities/public/questions/203834265-virus; classtype:trojan-activity; sid:2021325; rev:3; metadata:created_at 2015_06_23, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/_conf/core/common-tpl-vars.php?"; http_uri; nocase; content:"confdir="; http_uri; nocase; pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008962; classtype:web-application-attack; sid:2008962; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; dns_query; content:"hlvumvvclxy2nw7j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021534; rev:3; metadata:created_at 2015_07_27, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPOutsourcing Zorum prod.php Remote Command Execution Attempt"; flow:to_server,established; content:"/prod.php?"; http_uri; nocase; pcre:"/(argv[1]=\|.+)/"; reference:bugtraq,14601; reference:url,doc.emergingthreats.net/2002314; classtype:web-application-attack; sid:2002314; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; dns_query; content:"vacdgwaw5djp5hmu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021549; rev:3; metadata:created_at 2015_07_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH"; flow:established,to_server; content:"/include/logout.php?"; http_uri; nocase; content:"PSA_PATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2628; reference:url,www.securityfocus.com/bid/23801; reference:url,doc.emergingthreats.net/2003735; classtype:web-application-attack; sid:2003735; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain"; dns_query; content:"des7siw5vfkznjhi"; depth:16; fast_pattern; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:3; metadata:created_at 2015_07_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPStore Yahoo Answers id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"cmd=4"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32717/; reference:url,milw0rm.com/exploits/7131; reference:url,doc.emergingthreats.net/2008874; classtype:web-application-attack; sid:2008874; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; dns_query; content:"613cb6owitcouepv"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021561; rev:3; metadata:created_at 2015_07_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt"; flow: to_server,established; content:"/modules.php?"; http_uri; content:"name="; http_uri; content:"SCRIPT"; http_uri; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,doc.emergingthreats.net/2001218; classtype:web-application-attack; sid:2001218; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"7n4p5o6vlkdiqiee"; depth:16; nocase; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:4; metadata:created_at 2015_01_19, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt"; flow:established,to_server; content:"/iframe.php"; http_uri; nocase; content:"file="; http_uri; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.zone-h.org/en/advisories/read/id=8694/; reference:url,doc.emergingthreats.net/2002800; classtype:web-application-attack; sid:2002800; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns_query; content:"h36fhvsupe4mi7mm"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021849; rev:3; metadata:created_at 2015_09_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt"; flow:established,to_server; content:"/send_reminders.php"; http_uri; nocase; pcre:"/includedir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14651; reference:cve,2005-2717; reference:url,doc.emergingthreats.net/2002898; classtype:web-application-attack; sid:2002898; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain (tmclybfqzgkaeilm)"; dns_query; content:"tmclybfqzgkaeilm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022145; rev:3; metadata:created_at 2015_11_24, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir"; flow:established,to_server; content:"/plugin/HP_DEV/cms2.php?"; http_uri; nocase; content:"s_dir="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2573; reference:url,www.milw0rm.com/exploits/3860; reference:url,doc.emergingthreats.net/2003693; classtype:web-application-attack; sid:2003693; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt .onion Proxy Domain (tw7kaqthui5ojcez)"; dns_query; content:"tw7kaqthui5ojcez"; depth:16; fast_pattern; nocase; reference:md5,45683c29a36ef8a15f216d7c4b2af822; classtype:trojan-activity; sid:2022191; rev:3; metadata:created_at 2015_11_30, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PmWiki Globals Variables Overwrite Attempt"; flow:to_server,established; content:"/pmwiki.php"; http_uri; nocase; content:"GLOBALS[FarmD]="; nocase; pcre:"/GLOBALS\x5bFarmD\x5d\x3d/i"; reference:cve,CVE-2006-0479; reference:bugtraq,16421; reference:nessus,20891; reference:url,doc.emergingthreats.net/2002837; classtype:web-application-attack; sid:2002837; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Domain (75nzutdjjtnpgscz)"; dns_query; content:"75nzutdjjtnpgscz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022236; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004606; classtype:web-application-attack; sid:2004606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"vf4xdqg4mp3hnw5g"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022237; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004607; classtype:web-application-attack; sid:2004607; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"wv55abv6bde65ek6"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022238; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004608; classtype:web-application-attack; sid:2004608; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (czc57cr2pn3zfn4b)"; dns_query; content:"czc57cr2pn3zfn4b"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022314; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004609; classtype:web-application-attack; sid:2004609; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (o7zeip6us33igmgw)"; dns_query; content:"o7zeip6us33igmgw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022315; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004610; classtype:web-application-attack; sid:2004610; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (vr6g2curb2kcidou)"; dns_query; content:"vr6g2curb2kcidou"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022316; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004611; classtype:web-application-attack; sid:2004611; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; dns_query; content:"pc35hiptpcwqezgs"; depth:16; nocase; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"order="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2962; reference:url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded; reference:url,doc.emergingthreats.net/2004582; classtype:web-application-attack; sid:2004582; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xlowfznrg4wf7dli)"; dns_query; content:"xlowfznrg4wf7dli"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022561; rev:3; metadata:created_at 2016_02_23, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System"; flow:established,to_server; content:"/blocks/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003660; classtype:web-application-attack; sid:2003660; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; dns_query; content:"yuwurw46taaep6ip"; depth:16; nocase; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System"; flow:established,to_server; content:"/files/blocks/latest_files.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003661; classtype:web-application-attack; sid:2003661; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; dns_query; content:"voooxrrw2wxnoyew"; depth:16; nocase; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System"; flow:established,to_server; content:"/forums/blocks/latest_posts.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003662; classtype:web-application-attack; sid:2003662; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PadCrypt .onion Payment Domain"; dns_query; content:"gnkltbsaeq35rejl"; depth:16; fast_pattern; nocase; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022569; rev:3; metadata:created_at 2016_02_25, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System"; flow:established,to_server; content:"/groups/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003663; classtype:web-application-attack; sid:2003663; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maktub Locker Payment Domain"; dns_query; content:"bs7aygotd2rnjl4o"; depth:16; fast_pattern; nocase; reference:md5,74add6536cdcfb8b77d10a1e7be6b9ef; classtype:trojan-activity; sid:2022634; rev:3; metadata:created_at 2016_03_21, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System"; flow:established,to_server; content:"/filters/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003664; classtype:web-application-attack; sid:2003664; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns_query; content:"twbers4hmi6dc65f"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_25, deployment Perimeter, signature_severity Major, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System"; flow:established,to_server; content:"/links/blocks/links.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003665; classtype:web-application-attack; sid:2003665; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Coverton Onion Domain Lookup"; dns_query; content:"lnc57humvaxpqfv3"; depth:16; nocase; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022675; rev:3; metadata:created_at 2016_03_28, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System"; flow:established,to_server; content:"/menu/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003666; classtype:web-application-attack; sid:2003666; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xzjvzkgjxebzreap)"; dns_query; content:"xzjvzkgjxebzreap"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022711; rev:3; metadata:created_at 2016_04_05, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System"; flow:established,to_server; content:"/news/blocks/latest_news.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003667; classtype:web-application-attack; sid:2003667; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"5qgerbbyhdz5bwca"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022764; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System"; flow:established,to_server; content:"/settings/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003668; classtype:web-application-attack; sid:2003668; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"yycqx6ay5oedto5f"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022765; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System"; flow:established,to_server; content:"/modules/users/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003681; classtype:web-application-attack; sid:2003681; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"j2pjkgrlaopysagn"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022766; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004089; classtype:web-application-attack; sid:2004089; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"i3e5y4ml7ru76n5e"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022767; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004090; classtype:web-application-attack; sid:2004090; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"iabni66w5xvwawbe"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022768; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004091; classtype:web-application-attack; sid:2004091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (hw5qrh6fxv2tnaqn)"; dns_query; content:"hw5qrh6fxv2tnaqn"; depth:16; fast_pattern; nocase; reference:url,nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/; classtype:trojan-activity; sid:2022806; rev:3; metadata:created_at 2016_05_16, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004092; classtype:web-application-attack; sid:2004092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (eqrvbczir5ua2emd)"; dns_query; content:"eqrvbczir5ua2emd"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022817; rev:3; metadata:created_at 2016_05_18, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004093; classtype:web-application-attack; sid:2004093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns_query; content:"ajj3a7gfmgwmhhoz"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004094; classtype:web-application-attack; sid:2004094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"gccxqpuuylioxoip"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/basicfogfactory.class.php?"; http_uri; nocase; content:"PATH_TO_CODE="; http_uri; nocase; pcre:"/PATH_TO_CODE=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28588; reference:url,milw0rm.com/exploits/5348; reference:url,doc.emergingthreats.net/2009415; classtype:web-application-attack; sid:2009415; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"yuysikankhqvdwdv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/init.php?"; http_uri; nocase; content:"includepath="; http_uri; nocase; pcre:"/includepath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32335; reference:url,milw0rm.com/exploits/7143; reference:url,doc.emergingthreats.net/2008871; classtype:web-application-attack; sid:2008871; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (f5xraa2y2ybtrefz)"; dns_query; content:"f5xraa2y2ybtrefz"; depth:16; fast_pattern; nocase; reference:md5,5eeeeb093ee02d3769886880f8a58a90; classtype:trojan-activity; sid:2023247; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family Ransomware, malware_family Locky, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/action/rss.php?"; http_uri; nocase; content:"lib="; http_uri; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32465; reference:url,milw0rm.com/exploits/7225; reference:url,doc.emergingthreats.net/2008899; classtype:web-application-attack; sid:2008899; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns_query; content:"anbqjdoyw6wkmpeu"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023328; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piranha default passwd attempt"; flow:to_server,established; content:"/piranha/secure/control.php3"; http_uri; content:"Authorization\: Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; reference:url,doc.emergingthreats.net/2002331; classtype:attempted-recon; sid:2002331; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"6kaqkavhpu5dln6x"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023503; rev:3; metadata:created_at 2016_11_14, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt"; flow:to_server,established; content:"/prepend.php"; http_uri; nocase; content:"_px_config[manager_path]="; nocase; pcre:"/_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-0725; reference:bugtraq,16662; reference:nessus,20972; reference:url,doc.emergingthreats.net/2002815; classtype:web-application-attack; sid:2002815; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"mvy3kbqc4adhosdy"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023504; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, malware_family Ransomware, malware_family XRatLocker, malware_family AiraCrop, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id"; flow:established,to_server; content:"/Default.aspx?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2555; reference:url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded; reference:url,doc.emergingthreats.net/2003914; classtype:web-application-attack; sid:2003914; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:"27c73bq66y4xqoh7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023578; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/cms/modules/form.lib.php?"; http_uri; nocase; content:"sourceFolder="; http_uri; nocase; pcre:"/sourceFolder=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,30235; reference:url,juniper.net/security/auto/vulnerabilities/vuln30235.html; reference:url,milw0rm.com/exploits/6078; reference:url,doc.emergingthreats.net/2009898; classtype:web-application-attack; sid:2009898; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (goldenhjnqvc2lld)"; dns_query; content:"goldenhjnqvc2lld"; depth:16; fast_pattern; nocase; classtype:command-and-control; sid:2023584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS select_image.php dir Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; content:"/imagelibrary/select_image.php?"; http_uri; nocase; content:"dir="; http_uri; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009736; classtype:web-application-attack; sid:2009736; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (golden2uqpiqcs6j)"; dns_query; content:"golden2uqpiqcs6j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS admin_theme_remove.php file Parameter Remote Directory Delete"; flow:to_server,established; content:"GET "; depth:4; content:"/admin_includes/admin_theme_remove.php?"; http_uri; nocase; content:"file="; http_uri; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009737; classtype:web-application-attack; sid:2009737; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Popcorn-Time .onion Payment Domain (3hnuhydu4pd247qb)"; dns_query; content:"3hnuhydu4pd247qb"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023589; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, malware_family Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php"; flow:established,to_server; content:"/awards.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004587; classtype:web-application-attack; sid:2004587; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Maktub .onion Payment Domain (maktubebz6z6cgtw)"; dns_query; content:"maktubebz6z6cgtw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023655; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, malware_family Ransomware, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php"; flow:established,to_server; content:"/login.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004588; classtype:web-application-attack; sid:2004588; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE SHUJIN .onion Payment Page"; dns_query; content:"eqlc75eumpb77ced"; depth:16; fast_pattern; nocase; reference:md5,d59a27b1e0a46cc185f1937ca42f300a; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/; classtype:trojan-activity; sid:2022798; rev:4; metadata:created_at 2016_05_06, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php"; flow:established,to_server; content:"/register.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004589; classtype:web-application-attack; sid:2004589; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"fmwdvmk2ejgbl5pi"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php"; flow:established,to_server; content:"/weapons.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004590; classtype:web-application-attack; sid:2004590; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"hctppfblwfot6ces"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/server_request.php?"; http_uri; nocase; content:"CONFIG[gameroot]="; http_uri; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009502; classtype:web-application-attack; sid:2009502; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"j24ojpexpgaorlxj"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/qlib/smarty.inc.php?"; http_uri; nocase; content:"CONFIG[gameroot]="; http_uri; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009504; classtype:web-application-attack; sid:2009504; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"lmhrmbouhkffosig"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023731; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/qte_web.php?"; http_uri; nocase; content:"qte_web_path="; http_uri; nocase; pcre:"/qte_web_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009723; classtype:web-application-attack; sid:2009723; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"neo73ruk6mprlmww"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023732; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d"; flow:established,to_server; content:"cp/ps/Main/login/Login"; http_uri; nocase; content:"d="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2802; reference:url,www.secunia.com/advisories/25326; reference:url,doc.emergingthreats.net/2004571; classtype:web-application-attack; sid:2004571; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"padcrympj5rvgwed"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023733; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/display.php?"; http_uri; nocase; content:"path="; http_uri; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,29873; reference:url,milw0rm.com/exploits/5900; reference:url,doc.emergingthreats.net/2009788; classtype:web-application-attack; sid:2009788; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"qli26fihoid5qwo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023734; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/define.php?"; http_uri; nocase; content:"INC_DIR="; http_uri; nocase; pcre:"/INC_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33227; reference:url,milw0rm.com/exploits/7743; reference:url,doc.emergingthreats.net/2009101; classtype:web-application-attack; sid:2009101; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"r4i3izmyccncfrsr"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023735; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/add_tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009059; classtype:web-application-attack; sid:2009059; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CryptoWall .onion Proxy Domain"; dns_query; content:"rq5w3yn6qgbu4mo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/edit_tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009060; classtype:web-application-attack; sid:2009060; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; dns_query; content:"zbqxpjfvltb6d62m"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:4; metadata:created_at 2015_06_11, former_category TROJAN, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009062; classtype:web-application-attack; sid:2009062; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"mjs2bcdrttpmm7pp"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/competitions/add.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009466; classtype:web-application-attack; sid:2009466; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"sloryvugp4abxnfu"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/competitions/competitions.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009467; classtype:web-application-attack; sid:2009467; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"u73tcilcw2cw2by5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024112; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/settings/settings.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009468; classtype:web-application-attack; sid:2009468; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"xijymvzq4zkyubfe"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024113; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s"; flow:established,to_server; content:"/wp-content/themes/redoable/searchloop.php?"; http_uri; nocase; content:"s="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003872; classtype:web-application-attack; sid:2003872; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain "; dns_query; content:"zmsr22fviy7kxihf"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024114; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s"; flow:established,to_server; content:"/wp-content/themes/redoable/header.php?"; http_uri; nocase; content:"s="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003873; classtype:web-application-attack; sid:2003873; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zuotmsnm7vh2jx77"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024115; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv SELECT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003829; classtype:web-application-attack; sid:2003829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zxungms47m6ecj7t"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024116; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UNION SELECT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003830; classtype:web-application-attack; sid:2003830; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"cze2agbxnpkc5hdk"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024117; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv INSERT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003831; classtype:web-application-attack; sid:2003831; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Cradle Ransomware Onion Domain"; dns_query; content:"pn6fsogszhqlxz4n"; depth:16; nocase; fast_pattern; reference:md5,53f6f9a0d0867c10841b815a1eea1468; classtype:trojan-activity; sid:2024205; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_14, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Cradle, performance_impact Low, signature_severity Major, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv DELETE"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003832; classtype:web-application-attack; sid:2003832; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tor based locker .onion Proxy DNS lookup July 31 2014"; dns_query; content:"iet7v4dciocgxhdv"; depth:16; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv ASCII"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003833; classtype:web-application-attack; sid:2003833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".velodrivve.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.velodrivve\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003834; classtype:web-application-attack; sid:2003834; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".bedrifg.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bedrifg\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure"; flow:established,to_server; content:"GET "; depth:4; content:"/download.php?"; http_uri; nocase; content:"filename="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,securityfocus.com/bid/32968; reference:url,milw0rm.com/exploits/7542; reference:url,doc.emergingthreats.net/2009018; classtype:web-application-attack; sid:2009018; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".fedbook.org"; fast_pattern; pcre:"/[a-z]{4,10}\.fedbook\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004660; classtype:web-application-attack; sid:2004660; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".goodbird.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.goodbird\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022731; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004661; classtype:web-application-attack; sid:2004661; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".verekt.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.verekt\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004662; classtype:web-application-attack; sid:2004662; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".barrout.org"; fast_pattern; pcre:"/[a-z]{4,10}\.barrout\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004663; classtype:web-application-attack; sid:2004663; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".biojart.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.biojart\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022762; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004664; classtype:web-application-attack; sid:2004664; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".benefin.org"; fast_pattern; pcre:"/[a-z]{4,10}\.benefin\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004665; classtype:web-application-attack; sid:2004665; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Fake AV Phone Scam Long Domain Sept 15 2016"; dns_query; content:"issuefound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2023237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost"; flow:established,to_server; content:"/contact/index.php?"; http_uri; nocase; content:"ripeformpost="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2206; reference:url,www.securityfocus.com/bid/23597; reference:url,doc.emergingthreats.net/2003871; classtype:web-application-attack; sid:2003871; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M2 Feb 29"; dns_query; content:"errorcode"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022576; rev:4; metadata:created_at 2016_02_29, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries SELECT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003817; classtype:web-application-attack; sid:2003817; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 15"; dns_query; content:"suspiciousactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022625; rev:4; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UNION SELECT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003818; classtype:web-application-attack; sid:2003818; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M1"; dns_query; content:"errorunauthorized"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022631; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries INSERT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003819; classtype:web-application-attack; sid:2003819; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M2"; dns_query; content:"drivercrashed"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022632; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries DELETE"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003820; classtype:web-application-attack; sid:2003820; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M3"; dns_query; content:"computer-is-locked"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022633; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries ASCII"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003821; classtype:web-application-attack; sid:2003821; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 23"; dns_query; content:"unauthorized-transaction"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022648; rev:4; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003822; classtype:web-application-attack; sid:2003822; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M1"; dns_query; content:"diskissue"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022690; rev:4; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003858; classtype:web-application-attack; sid:2003858; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M3 Feb 29"; dns_query; content:"yourcomputer"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022739; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003859; classtype:web-application-attack; sid:2003859; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M1"; dns_query; content:"unusualactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022740; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003860; classtype:web-application-attack; sid:2003860; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M2"; dns_query; content:"yoursystem"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022741; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003861; classtype:web-application-attack; sid:2003861; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M3"; dns_query; content:"howcanwehelp"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022742; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003862; classtype:web-application-attack; sid:2003862; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M4"; dns_query; content:"bluescreen"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022743; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003863; classtype:web-application-attack; sid:2003863; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M5"; dns_query; content:"cloud-on"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022744; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_css="; http_uri; nocase; pcre:"/_page_css=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009653; classtype:web-application-attack; sid:2009653; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M6"; dns_query; content:"call-now"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022745; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_javascript="; http_uri; nocase; pcre:"/_page_javascript=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009654; classtype:web-application-attack; sid:2009654; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_12, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_content="; http_uri; nocase; pcre:"/_page_content=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009656; classtype:web-application-attack; sid:2009656; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d)"; dns_query; content:"v7lfogalalzc2c4d"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020953; rev:4; metadata:created_at 2015_04_20, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004116; classtype:web-application-attack; sid:2004116; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish (set) 2016-09-12"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Email="; depth:6; nocase; http_client_body; content:"&Next=Next"; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.GmailPhish_1; flowbits:noalert; classtype:credential-theft; sid:2027956; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004117; classtype:web-application-attack; sid:2004117; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic XBALTI Phishing Landing"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 7c 20 20 20 20 5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f 20 2d 2d 3e|"; fast_pattern; classtype:social-engineering; sid:2027966; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004118; classtype:web-application-attack; sid:2004118; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_09_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004119; classtype:web-application-attack; sid:2004119; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_09_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004120; classtype:web-application-attack; sid:2004120; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AcroCEF"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027975; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004121; classtype:web-application-attack; sid:2004121; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, former_category EXPLOIT, performance_impact Significant, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form"; flow:established,to_server; content:"/sendcard.php?"; http_uri; nocase; content:"form="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2472; reference:url,www.secunia.com/advisories/25085; reference:url,doc.emergingthreats.net/2003922; classtype:web-application-attack; sid:2003922; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/SezHooTabsAndActions.php?"; http_uri; nocase; content:"IP="; http_uri; nocase; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31756; reference:url,www.milw0rm.com/exploits/6751; reference:url,doc.emergingthreats.net/2009123; classtype:web-application-attack; sid:2009123; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr SELECT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003852; classtype:web-application-attack; sid:2003852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"0bb402a703d08a608bf82763b1b63313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027979; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UNION SELECT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003853; classtype:web-application-attack; sid:2003853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"d5169d6e19447685bf6f1af8c055d94d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027980; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr INSERT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003854; classtype:web-application-attack; sid:2003854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Airmail 3"; ja3_hash; content:"561145462cfc7de1d6a97e93d3264786"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027981; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr DELETE"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003855; classtype:web-application-attack; sid:2003855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Alation Compose"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027982; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr ASCII"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003856; classtype:web-application-attack; sid:2003856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music"; ja3_hash; content:"6003b52942a2e1e1ea72d802d153ec08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027983; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003857; classtype:web-application-attack; sid:2003857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music,Dreamweaver,Spotify"; ja3_hash; content:"eb149984fc9c44d85ed7f12c90d818be"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027984; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gallery="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2679; reference:url,www.securityfocus.com/bid/23534; reference:url,doc.emergingthreats.net/2003746; classtype:web-application-attack; sid:2003746; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android App"; ja3_hash; content:"662fdc668dd6af994a0f903dbcf25d66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027985; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/slogin_lib.inc.php?"; http_uri; nocase; content:"slogin_path="; http_uri; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; reference:url,doc.emergingthreats.net/2008996; classtype:web-application-attack; sid:2008996; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Google API Access"; ja3_hash; content:"515601c4141e718865697050a7a1765f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027986; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005518; classtype:web-application-attack; sid:2005518; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"1aab4c2c84b6979c707ed052f724734b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027987; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005519; classtype:web-application-attack; sid:2005519; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"25b72c88f837567856118febcca761e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027988; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005520; classtype:web-application-attack; sid:2005520; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"5331a12866e19199b363f6e903381498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027989; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005521; classtype:web-application-attack; sid:2005521; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"855953256ecc8e2b6d2360aff8e5d337"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027990; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005522; classtype:web-application-attack; sid:2005522; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (a)"; ja3_hash; content:"93948924e733e9df15a3bb44404cd909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027976; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005523; classtype:web-application-attack; sid:2005523; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"85bb8aa8e5ba373906348831bdbed41a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027991; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005524; classtype:web-application-attack; sid:2005524; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"99d8afeec9a4422120336ad720a5d692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027992; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005525; classtype:web-application-attack; sid:2005525; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AnypointStudio"; ja3_hash; content:"8e3f1bf87bc652a20de63bfd4952b16a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027993; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005527; classtype:web-application-attack; sid:2005527; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Push Notification System, apple.WebKit.Networking,CalendarAgent,Go for Gmail"; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027994; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005528; classtype:web-application-attack; sid:2005528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight Search (OSX)"; ja3_hash; content:"3e404f1e1b5a79e614d7543a79f3a1da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027995; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005529; classtype:web-application-attack; sid:2005529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"69b2859aec70e8934229873fe53902fd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027996; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005530; classtype:web-application-attack; sid:2005530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"6b9b64bbe95ea112d02c8812fc2e7ef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027997; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005531; classtype:web-application-attack; sid:2005531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"e5e4c0eeb02fdcf30af8235b4de07780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027998; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005532; classtype:web-application-attack; sid:2005532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple SpotlightNetHelper (OSX)"; ja3_hash; content:"97827640b0c15c83379b7d71a3c2c5b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027999; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005533; classtype:web-application-attack; sid:2005533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple usbmuxd iOS socket multiplexer"; ja3_hash; content:"47e42b00af27b87721e526ff85fd2310"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028000; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"5507277945374659a5b4572e1b6d9b9f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028001; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005535; classtype:web-application-attack; sid:2005535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"f753495f2eab5155c61b760c838018f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028002; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005536; classtype:web-application-attack; sid:2005536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod/parsecd,apple.photomoments"; ja3_hash; content:"ba40fea2b2638908a3b3b482ac78d729"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028003; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005537; classtype:web-application-attack; sid:2005537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"474e73aea21d1e0910f25c3e6c178535"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028004; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005538; classtype:web-application-attack; sid:2005538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"eeeb5e7485f5e10cbc39db4cfb69b264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028005; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005539; classtype:web-application-attack; sid:2005539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Chatter/FieldServiceApp/socialstudio"; ja3_hash; content:"63de2b6188d5694e79b678f585b13264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028006; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005540; classtype:web-application-attack; sid:2005540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/itunesstored"; ja3_hash; content:"7b343af1092863fdd822d6f10645abfb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028007; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005541; classtype:web-application-attack; sid:2005541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Spotify/WhatsApp/Skype/iTunes"; ja3_hash; content:"a312f9162a08eeedf7feb7a13cd7e9bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028008; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/pcltar.lib.php?"; http_uri; nocase; content:"g_pcltar_lib_dir="; http_uri; pcre:"/g_pcltar_lib_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009180; classtype:web-application-attack; sid:2009180; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"1a6ef47ab8325fbb42c447048cea9167"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028009; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"part="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1903; reference:url,www.netvigilance.com/advisory0020; reference:url,doc.emergingthreats.net/2003881; classtype:web-application-attack; sid:2003881; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"b677934e592ece9e09805bf36cd68d8a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028010; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004379; classtype:web-application-attack; sid:2004379; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30, AppleWebKit/534.30"; ja3_hash; content:"ef323f542a99ab12d6b5348bf039b7b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028011; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004380; classtype:web-application-attack; sid:2004380; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30"; ja3_hash; content:"e1e03b911a28815836d79c5cdd900a20"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028012; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004381; classtype:web-application-attack; sid:2004381; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46 Mobile/9A334"; ja3_hash; content:"04e1f90d8719caabafb76d4a7b13c984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028013; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004382; classtype:web-application-attack; sid:2004382; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46, iOS AppleWebKit/534.46"; ja3_hash; content:"dc08cf4510f70bf16d4106ee22f89197"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028014; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004383; classtype:web-application-attack; sid:2004383; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/535 & Ubuntu Product Search"; ja3_hash; content:"4049550d5f57eae67d958440bdc133e4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028015; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004384; classtype:web-application-attack; sid:2004384; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12 or 600.1.4"; ja3_hash; content:"ef75a13be2ed7a82f16eefe6e84bc375"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028016; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe"; flow:established,to_server; content:"/site_conf.php?"; http_uri; nocase; content:"ordnertiefe="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003705; classtype:web-application-attack; sid:2003705; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12"; ja3_hash; content:"eaa8a172289b09a6789a415d1faac4c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028017; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot"; flow:established,to_server; content:"/class.csv.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003706; classtype:web-application-attack; sid:2003706; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AT&T Connect"; ja3_hash; content:"c5c11e6105c56fd29cc72c3ac7a2b78b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028018; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot"; flow:established,to_server; content:"/produkte_nach_serie.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003707; classtype:web-application-attack; sid:2003707; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (git library?) (Tested v1.6.21.0)"; ja3_hash; content:"42215ee83bbf3a857a72ef42213cfbd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028019; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; content:"/functionen/ref_kd_rubrik.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003708; classtype:web-application-attack; sid:2003708; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (Tested v1.6.21.0)"; ja3_hash; content:"1c8a17e58c20b49e3786fc61e0533e50"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028020; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot"; flow:established,to_server; content:"/hg_referenz_jobgalerie.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003709; classtype:web-application-attack; sid:2003709; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #1"; ja3_hash; content:"4e5e5d9fbc43697be755696191fe649a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028021; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot"; flow:established,to_server; content:"/surfer_anmeldung_NWL.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003710; classtype:web-application-attack; sid:2003710; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #2"; ja3_hash; content:"c94858c6eb06de179493b3fac847143e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028022; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot"; flow:established,to_server; content:"/produkte_nach_serie_alle.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003711; classtype:web-application-attack; sid:2003711; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator (Mystery 3rd) (37.0.2062.99) (OS X)"; ja3_hash; content:"58360f4f663a0f5657f415ac2f47fe1b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028023; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot"; flow:established,to_server; content:"/surfer_aendern.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003712; classtype:web-application-attack; sid:2003712; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator Updates"; ja3_hash; content:"5149f53b5554a31116f9d86237552ee3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028024; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; content:"/ref_kd_rubrik.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003715; classtype:web-application-attack; sid:2003715; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Battle.net/Dropbox"; ja3_hash; content:"fa030dbcb2e3c7141d3c2803780ee8db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028025; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot"; flow:established,to_server; content:"/module/referenz.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003713; classtype:web-application-attack; sid:2003713; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - bitgo/ShapeShift"; ja3_hash; content:"0ef9ca1c10d3f186f5786e1ef3461a46"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028026; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot"; flow:established,to_server; content:"/standard/1/lay.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003714; classtype:web-application-attack; sid:2003714; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Browser (Tested BB10)"; ja3_hash; content:"add211c763889c665ae4ab675165cbc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028027; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot"; flow:established,to_server; content:"/standard/3/lay.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003867; classtype:web-application-attack; sid:2003867; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Mail Client"; ja3_hash; content:"a921515f014005af03fc1e2c4c9e66ce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028028; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005567; classtype:web-application-attack; sid:2005567; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry Messenger (Android) 2"; ja3_hash; content:"4692263d4130929ae222ef50816527ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028029; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005568; classtype:web-application-attack; sid:2005568; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry"; ja3_hash; content:"b5d42ca0e68a39d5c0a294134a21f020"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028030; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005569; classtype:web-application-attack; sid:2005569; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackbery Messenger (Android)"; ja3_hash; content:"32b0ae286d1612c82cad93b4880ee512"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028031; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005571; classtype:web-application-attack; sid:2005571; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlueCoat Proxy"; ja3_hash; content:"5182f54f9c6e99d117d9dde3fa2b4cff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028032; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005572; classtype:web-application-attack; sid:2005572; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlueJeans,CEPHtmlEngine"; ja3_hash; content:"cdec81515ccc75a5aa41eb3db22226e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028033; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp"; flow:established,to_server; content:"/implicit-objects.jsp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2006-7195; reference:url,www.frsirt.com/english/advisories/2007/1729; reference:url,doc.emergingthreats.net/2003902; classtype:web-application-attack; sid:2003902; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Ahrefs, hola_svc"; ja3_hash; content:"5c1c89f930122bccc7a97d52f73bea2c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028034; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test"; flow:established,to_server; content:"/appdev/sample/web/hello.jsp?"; http_uri; nocase; content:"test="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-1355; reference:url,www.securityfocus.com/bid/24058; reference:url,doc.emergingthreats.net/2004575; classtype:web-application-attack; sid:2004575; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: GoogleBot"; ja3_hash; content:"a1cb2295baf199acf82d11ba4553b4a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028035; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file"; flow:established,to_server; content:"/templates/default/tpl_message.php?"; http_uri; nocase; content:"right_file="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2544; reference:url,www.milw0rm.com/exploits/3854; reference:url,doc.emergingthreats.net/2003669; classtype:web-application-attack; sid:2003669; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Qwant"; ja3_hash; content:"706567223fbf37d112fba2d95b8ecac3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028036; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/config.php?"; http_uri; nocase; content:"inc_dir="; http_uri; nocase; pcre:"/inc_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-attack; sid:2009663; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BrowserShots Script"; ja3_hash; content:"01aead19a1b1780978f732e056b183a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028037; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId"; flow:established,to_server; content:"/reportItem.do?"; http_uri; nocase; content:"projId="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2819; reference:url,www.securityfocus.com/bid/24060; reference:url,doc.emergingthreats.net/2004558; classtype:web-application-attack; sid:2004558; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Browsershots"; ja3_hash; content:"a4dc1c39a68bffec1cc7767472ac85a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028038; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH"; flow:established,to_server; content:"/dosearch.php?"; http_uri; nocase; content:"RESPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2530; reference:url,www.milw0rm.com/exploits/3865; reference:url,doc.emergingthreats.net/2003678; classtype:web-application-attack; sid:2003678; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"93fbcdadc1bf98ff0e3c03e7f921edd1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028039; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"action=play"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32890/; reference:url,milw0rm.com/exploits/7256; reference:url,doc.emergingthreats.net/2008934; classtype:web-application-attack; sid:2008934; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"c3ca411515180e79c765dc2c3c8cea88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028040; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path"; flow:established,to_server; content:"/include/payment/payflow_pro.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003687; classtype:web-application-attack; sid:2003687; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"15617351d807aa3145547d0ad0c976cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028041; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path"; flow:established,to_server; content:"/global.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003688; classtype:web-application-attack; sid:2003688; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"34f8cac266d07bfc6bd3966e99b54d00"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028042; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path"; flow:established,to_server; content:"/libsecure.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003689; classtype:web-application-attack; sid:2003689; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (Tested: 1.7.03 on Windows 10), eclipse,JavaApplicationStub,idea"; ja3_hash; content:"8c5a50f1e833ed581e9cfc690814719a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028043; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"l="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2547; reference:url,www.securityfocus.com/bid/23856; reference:url,doc.emergingthreats.net/2003917; classtype:web-application-attack; sid:2003917; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Candy Crush (testing iOS 8.3)"; ja3_hash; content:"17a40616b856ec472714cd144471e0e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028044; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile"; flow:established,to_server; content:"/browseCat.php?"; http_uri; nocase; content:"catFile="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003888; classtype:web-application-attack; sid:2003888; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Charles/java/eclipse"; ja3_hash; content:"424008725394c634a4616b8b1f2828a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028045; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile"; flow:established,to_server; content:"/browseSubCat.php?"; http_uri; nocase; content:"catFile="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003889; classtype:web-application-attack; sid:2003889; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)"; ja3_hash; content:"64bb259b446fe13f66bcd62d1f0d33df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028046; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id"; flow:established,to_server; content:"/openTutorial.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003890; classtype:web-application-attack; sid:2003890; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (iOS)"; ja3_hash; content:"bec8267042d5885aa3acc07b4409cafc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028047; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id"; flow:established,to_server; content:"/topFrame.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003891; classtype:web-application-attack; sid:2003891; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Possible 41.x)"; ja3_hash; content:"d54a0979516e607a1166e6efd157301c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028048; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id"; flow:established,to_server; content:"/admin/editListing.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003892; classtype:web-application-attack; sid:2003892; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1"; ja3_hash; content:"ac67a2d0e3bd59459c32c996b5985979"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028049; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003893; classtype:web-application-attack; sid:2003893; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2"; ja3_hash; content:"34dfce2bb848da7c5dafa4d475f0ba41"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028050; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt"; flow:to_server,established; content:"INCLUDE"; http_uri; nocase; pcre:"/%INCLUDE\s*{.*rev=\"\d+\|.+\".*}\s*%/i"; reference:bugtraq,14960; reference:url,doc.emergingthreats.net/2002662; classtype:web-application-attack; sid:2002662; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3"; ja3_hash; content:"937edefedb6fe13f26d1a425ef1c15a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028051; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED TxtBlog index.php m Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?m="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32498; reference:url,milw0rm.com/exploits/7241; reference:url,doc.emergingthreats.net/2008923; classtype:web-application-attack; sid:2008923; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4"; ja3_hash; content:"a342d14afad3a448029ec808295ccce9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028052; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"serverid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32340; reference:url,milw0rm.com/exploits/7148; reference:url,doc.emergingthreats.net/2008872; classtype:web-application-attack; sid:2008872; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5"; ja3_hash; content:"71e74faaed87acd177bd3b47a543f476"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028053; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/include/timesheet.php?"; http_uri; nocase; content:"config[include_dir]="; http_uri; pcre:"/config\[include_dir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010126; classtype:web-application-attack; sid:2010126; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"1d64ab25ad6f7258581d43077147b9b1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028054; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR"; flow:established,to_server; content:"/watermark.php?"; http_uri; nocase; content:"GALLERY_BASEDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2575; reference:url,www.milw0rm.com/exploits/3857; reference:url,doc.emergingthreats.net/2003692; classtype:web-application-attack; sid:2003692; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"230018e44608686b64907360b6def678"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028055; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type"; flow:established,to_server; content:"/shopcontent.asp?"; http_uri; nocase; content:"type="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2790; reference:url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded; reference:url,doc.emergingthreats.net/2004573; classtype:web-application-attack; sid:2004573; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"dea05e8c68dfeb28003f21d22efc0aba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028056; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php"; flow:established,to_server; content:"/get_header.php"; http_uri; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636; reference:bugtraq,17358; reference:url,doc.emergingthreats.net/2002899; classtype:web-application-attack; sid:2002899; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 10, Chrome 10.0.648.82 (Chromium Portable 9.0)"; ja3_hash; content:"62351d5ea3cd4f21f697965b10a9bbbe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028057; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php"; flow:established,to_server; content:"/functions_install.php"; http_uri; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:cve,2006-1503; reference:bugtraq,17290; reference:url,doc.emergingthreats.net/2002902; classtype:web-application-attack; sid:2002902; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 11 - 18, Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)"; ja3_hash; content:"a9da823fe77cd3df081644249edbf395"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028058; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo"; flow:established,to_server; content:"/includes/ajax_listado.php?"; http_uri; nocase; content:"urlModulo="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2541; reference:url,www.milw0rm.com/exploits/3847; reference:url,doc.emergingthreats.net/2003671; classtype:web-application-attack; sid:2003671; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 19 - 20, Chrome 19.0.1084.15 - 20.0.1132.57, Chrome 21.0.1180.89, Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11"; ja3_hash; content:"df4a50323dfcaf1789f72e4946a7be44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028059; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/admin.googlebase.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32098; reference:url,milw0rm.com/exploits/6975; reference:url,doc.emergingthreats.net/2009877; classtype:web-application-attack; sid:2009877; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 22.0.1201.0, Chrome/22.0.1229.96"; ja3_hash; content:"3c8cb61208e191af38b1fbef4eacd502"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028060; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003993; classtype:web-application-attack; sid:2003993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36"; ja3_hash; content:"1ef061c02d85b7e2654e11a9959096f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028061; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003994; classtype:web-application-attack; sid:2003994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31"; ja3_hash; content:"89d37026246d4888e78e69af4f8d1147"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028062; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003995; classtype:web-application-attack; sid:2003995; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.0"; ja3_hash; content:"206ee819879457f7536d2614695a5029"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028063; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003996; classtype:web-application-attack; sid:2003996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"76d36fc79db002baa1b5e741fcd863bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028064; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003997; classtype:web-application-attack; sid:2003997; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"bbc3992faa92affc0d835717ea557e99"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028065; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior crea.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"crea.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008825; classtype:web-application-attack; sid:2008825; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.0.0"; ja3_hash; content:"dc3eaee99a9221345698f8a8b2f4fc3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028066; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"crea.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008826; classtype:web-application-attack; sid:2008826; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.1599.101"; ja3_hash; content:"53c7ed581cbaf36951559878fcec4559"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028067; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/cron.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009307; classtype:web-application-attack; sid:2009307; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36"; ja3_hash; content:"fb8a6d2441ee9eaee8b560d48a8f59df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028068; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_browsers.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009309; classtype:web-application-attack; sid:2009309; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.63"; ja3_hash; content:"f7c4dc1d9595c27369a183a5df9f7b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028069; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_countries.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009311; classtype:web-application-attack; sid:2009311; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"16d7ebc398d772ef9969d2ed2a15f4c0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028070; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_platforms.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009313; classtype:web-application-attack; sid:2009313; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"f3136cf565acf70dd2f98ca652f43780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028071; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webCalendar Remote File include"; flow: to_server,established; content:"includedir="; http_uri; pcre:"/\/ws\/(login|get_reminders|get_events)\.php/"; reference:url,www.securityfocus.com/archive/1/462957; reference:url,doc.emergingthreats.net/2003520; classtype:web-application-attack; sid:2003520; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.154"; ja3_hash; content:"af0ae1083ab10ac957e394c2e7ec4634"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028072; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004754; classtype:web-application-attack; sid:2004754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"4807d61f519249470ebed0b633e707cf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028073; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004755; classtype:web-application-attack; sid:2004755; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"ef3364da4d76c98a669cb828f2e5283a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028074; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004756; classtype:web-application-attack; sid:2004756; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36"; ja3_hash; content:"5b348680dec77f585cfe82513213ac3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028075; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004757; classtype:web-application-attack; sid:2004757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36"; ja3_hash; content:"52be6e88840d2211a243d9356550c4a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028076; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004758; classtype:web-application-attack; sid:2004758; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0 Safari & Mobile Safari/537.36"; ja3_hash; content:"5f775bbfc50459e900d464ca1cecd136"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028077; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004759; classtype:web-application-attack; sid:2004759; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0"; ja3_hash; content:"a167568462b993d5787488ece82a439a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028078; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Framework/EmailTemplates.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010092; classtype:web-application-attack; sid:2010092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.2062.120"; ja3_hash; content:"98652faa7e0a4d85f91e37aa6b8c0135"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028079; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Customers/PDPEmailReplaceConstants.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010093; classtype:web-application-attack; sid:2010093; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 41.0.2272.89"; ja3_hash; content:"8b8322bad90e8bfbd66e664839b7a037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028080; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Admin/ResellersManager.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010094; classtype:web-application-attack; sid:2010094; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"aa9074aa1ff31c65d01c35b9764762b6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028081; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/include/header.php?"; http_uri; nocase; content:"config_path="; http_uri; nocase; pcre:"/config_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32472; reference:url,milw0rm.com/exploits/7229; reference:url,doc.emergingthreats.net/2008935; classtype:web-application-attack; sid:2008935; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"de0963bc1f3a0f70096232b272774025"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028082; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep"; flow:established,to_server; content:"/handlers/page/show.php?"; http_uri; nocase; content:"sous_rep="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2570; reference:url,www.milw0rm.com/exploits/3863; reference:url,doc.emergingthreats.net/2003696; classtype:web-application-attack; sid:2003696; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 43.0.2357.132 & 45.02454.94"; ja3_hash; content:"3bb36ec17fef5d3da04ceeb6287314c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028083; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name"; flow:established,to_server; content:"/usersettings.php?"; http_uri; nocase; content:"name="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2551; reference:url,www.securityfocus.com/bid/23894; reference:url,doc.emergingthreats.net/2003916; classtype:web-application-attack; sid:2003916; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.116"; ja3_hash; content:"cd3f72760dfd5575b91213a8016c596b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028084; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php"; flow:established,to_server; content:"/include/sessionRegister.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2781; reference:url,www.secunia.com/advisories/25308; reference:url,doc.emergingthreats.net/2004574; classtype:web-application-attack; sid:2004574; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.97"; ja3_hash; content:"5406c4a87aa6cbcb7fc469fee526a206"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028085; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; content:"/wp-login.php"; http_uri; nocase; content:"redirect_to"; http_uri; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 49.0.2623.75"; ja3_hash; content:"503fe06db7ef09b2cbd771c4e784c686"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028086; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH"; flow:established,to_server; content:"/js/wptable-button.php?"; http_uri; nocase; content:"wpPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2484; reference:url,www.milw0rm.com/exploits/3824; reference:url,doc.emergingthreats.net/2003685; classtype:web-application-attack; sid:2003685; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 1"; ja3_hash; content:"bd4267e1672f9df843ada7c963490a0d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028087; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH"; flow:established,to_server; content:"/wordtube-button.php?"; http_uri; nocase; content:"wpPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2481; reference:url,www.milw0rm.com/exploits/3825; reference:url,doc.emergingthreats.net/2003686; classtype:web-application-attack; sid:2003686; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 2"; ja3_hash; content:"caeb3b546fc7469776d51f1f54a792ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028088; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php"; flow:established,to_server; content:"/sidebar.php?"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2627; reference:url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded; reference:url,doc.emergingthreats.net/2003885; classtype:web-application-attack; sid:2003885; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.106 (test)"; ja3_hash; content:"aa84deda2a937ad225ef94161887b0cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028089; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/function_core.php?"; http_uri; nocase; content:"web_root="; http_uri; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009925; classtype:web-application-attack; sid:2009925; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 1"; ja3_hash; content:"473e8bad0e8e1572197be80faa1795c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028090; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/templates/layout_lyrics.php?"; http_uri; nocase; content:"web_root="; http_uri; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009927; classtype:web-application-attack; sid:2009927; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 2"; ja3_hash; content:"e0b0e6c934c686fd18a5727648b3ed4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028091; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops Articles modules print.php SQL injection attempt"; flow:to_server,established; content:"/print.php?"; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/id=-?\d+.+UNION.+SELECT/Ui"; reference:bugtraq,23160; reference:url,doc.emergingthreats.net/2003516; classtype:web-application-attack; sid:2003516; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 3"; ja3_hash; content:"7ddfe8d6f8b51a90d10ab3fe2587c581"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028092; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include"; flow:established,to_server; content:"/header.php?"; http_uri; nocase; content:"set_menu="; http_uri; nocase; pcre:"/set_menu=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,23189; reference:url,doc.emergingthreats.net/2003517; classtype:web-application-attack; sid:2003517; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 4"; ja3_hash; content:"bc76a4185cc9bd4c72471620e552618c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028093; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/update_trailer.php?"; http_uri; nocase; content:"context[path_to_root]="; http_uri; nocase; pcre:"/context\[path_to_root\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009190; classtype:web-application-attack; sid:2009190; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 5"; ja3_hash; content:"8e3eea71cb5a932031d90cc0fba581bc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028094; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path"; flow:established,to_server; content:"/includes/common.php?"; http_uri; nocase; content:"root_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2664; reference:url,www.milw0rm.com/exploits/3908; reference:url,doc.emergingthreats.net/2003739; classtype:web-application-attack; sid:2003739; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 6"; ja3_hash; content:"653924bcb1d6fd09a048a4978574e2c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028095; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler SELECT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003981; classtype:web-application-attack; sid:2003981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 7"; ja3_hash; content:"1ef652ecfb8e60e771a4710166afc262"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028096; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UNION SELECT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003982; classtype:web-application-attack; sid:2003982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"8a8159e6abf9fe493ca87efc38855149"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028097; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler INSERT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003983; classtype:web-application-attack; sid:2003983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"a7f2d0376cdcfde3117bf6a8359b2ab8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028098; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler DELETE"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003984; classtype:web-application-attack; sid:2003984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028099; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler ASCII"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003985; classtype:web-application-attack; sid:2003985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028100; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003986; classtype:web-application-attack; sid:2003986; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"94c485bca29d5392be53f2b8cf7f4304"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028101; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php"; flow:established,to_server; content:"/ReadMsg.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2825; reference:url,xforce.iss.net/xforce/xfdb/34376; reference:url,doc.emergingthreats.net/2004557; classtype:web-application-attack; sid:2004557; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028102; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008966; classtype:web-application-attack; sid:2008966; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 61.0.3163,100(64-bit) Win10"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028103; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/handle/proxy.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008967; classtype:web-application-attack; sid:2008967; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx) - also TextSecure Desktop"; ja3_hash; content:"cafd1f84716def1a414c688943b99faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028104; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/header.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008968; classtype:web-application-attack; sid:2008968; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx)"; ja3_hash; content:"62d8823f52dd8e1ba75a9a83e8748313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028105; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/include.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008969; classtype:web-application-attack; sid:2008969; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/30.0.1599.101"; ja3_hash; content:"c405bbbe31c0e53ac4c8448355b2af5b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028106; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/workspace.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008970; classtype:web-application-attack; sid:2008970; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/41.0.2272.89"; ja3_hash; content:"2c3221f495d5e4debbb34935e1717703"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028107; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/lib.module.php?"; http_uri; nocase; content:"mod_root"; http_uri; nocase; pcre:"/mod_root=\s*(https?|ftps?|php)/Ui"; reference:url,milw0rm.com/exploits/5921; reference:bugtraq,29914; reference:url,doc.emergingthreats.net/2009367; classtype:web-application-attack; sid:2009367; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/49.0.2623.112 WinXP"; ja3_hash; content:"248bdbc3873396b05198a7e001fbd49a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028108; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/_functions.php?"; http_uri; nocase; content:"GLOBALS[prefix]="; http_uri; nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009874; classtype:web-application-attack; sid:2009874; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/56.0.2924.87 Linux/Charles/Google Play Music Desktop Player/Postman/Slack/other desktop programs"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028109; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006951; classtype:web-application-attack; sid:2006951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/59.0.3071.115 Win10, node.js"; ja3_hash; content:"9811c1bb9f0f6835d5c13a831cca4173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028110; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006952; classtype:web-application-attack; sid:2006952; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/60.0.3112.113 Win10, Chromium"; ja3_hash; content:"def8761e4bcaaf91d99801a22ac6f6d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028111; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006953; classtype:web-application-attack; sid:2006953; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"be9f1360cf52dc1f61ae025252f192a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028112; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006954; classtype:web-application-attack; sid:2006954; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"fc5cb0985a5f5e295163cc8ffff8a6e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028113; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006955; classtype:web-application-attack; sid:2006955; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client (3.1.09013)"; ja3_hash; content:"7f340e6caa1fa4c979df919227160ff6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028114; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006956; classtype:web-application-attack; sid:2006956; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"e7d46c98b078477c4324031e0d3b22f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028115; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006957; classtype:web-application-attack; sid:2006957; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"ed36017db541879619c399c95e22067d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028116; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006958; classtype:web-application-attack; sid:2006958; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Receiver 4.4.0.8014"; ja3_hash; content:"203157ed9f587f0cfd265061bf309823"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028117; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006960; classtype:web-application-attack; sid:2006960; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Viewer"; ja3_hash; content:"5ee1a653fb824db7182714897fd3b5df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028118; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006961; classtype:web-application-attack; sid:2006961; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Covenant Eyes"; ja3_hash; content:"a9d17f74e55dd53fcf7c234f8a240919"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028119; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006962; classtype:web-application-attack; sid:2006962; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - CRAWLER: facebookexternalhit/1.1"; ja3_hash; content:"111da7c75fee7fe934b35a8d88eb350a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028120; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006963; classtype:web-application-attack; sid:2006963; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Creative Cloud"; ja3_hash; content:"c882d9444412c00e71b643f3f54145ff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028121; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006964; classtype:web-application-attack; sid:2006964; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - cscan"; ja3_hash; content:"bc0608d33dc64506b42f7f5f87958f37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028122; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006965; classtype:web-application-attack; sid:2006965; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.22.0 on Linux)"; ja3_hash; content:"764b8952983230b0ac23dbd3741d2bb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028123; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006966; classtype:web-application-attack; sid:2006966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.43.0 OS X)"; ja3_hash; content:"9f198208a855994e1b8ec82c892b7d37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028124; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006967; classtype:web-application-attack; sid:2006967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)"; ja3_hash; content:"c458ae71119005c8bc26d38a215af68f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028125; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006968; classtype:web-application-attack; sid:2006968; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)"; ja3_hash; content:"e14d427fab707af91e4bbd0bf03076f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028126; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/123flashchat.php?"; http_uri; nocase; content:"e107path="; http_uri; nocase; pcre:"/e107path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009435; classtype:web-application-attack; sid:2009435; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl"; ja3_hash; content:"f672d8f0e827ca1e704a9489b14dd316"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028127; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index_inc.php?"; http_uri; nocase; content:"inc_ordner="; http_uri; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009225; classtype:web-application-attack; sid:2009225; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"; ja3_hash; content:"e3891da2a758d67ba921e5eec0b9707d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028128; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user"; flow:established,to_server; content:"/all_photos.html?"; http_uri; nocase; content:"user="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2724; reference:url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded; reference:url,doc.emergingthreats.net/2003875; classtype:web-application-attack; sid:2003875; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Customised Postfix - Damnit Matt"; ja3_hash; content:"f865de0807a17e9cb797e618162356db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028129; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/toolbar.php?"; http_uri; nocase; content:"dirDepth="; http_uri; nocase; pcre:"/dirDepth=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2008/2059; reference:url,milw0rm.com/exploits/6036; reference:url,doc.emergingthreats.net/2009188; classtype:web-application-attack; sid:2009188; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dashlane"; ja3_hash; content:"0217dc3bd88c696cc15374db0d848de4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028130; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; content:"/libs/lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003718; classtype:web-application-attack; sid:2003718; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.15)"; ja3_hash; content:"f7baf7d9da27449e823a4003e14cd623"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028131; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR"; flow:established,to_server; content:"/lom_update.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003719; classtype:web-application-attack; sid:2003719; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.20+)"; ja3_hash; content:"ec2e8760003621ca668b5f03e616cd57"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028132; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR"; flow:established,to_server; content:"/scripts/check-lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003720; classtype:web-application-attack; sid:2003720; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Deezer"; ja3_hash; content:"4fcd1770545298cc119865aeba81daba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028133; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR"; flow:established,to_server; content:"/scripts/weigh_keywords.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003721; classtype:web-application-attack; sid:2003721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (installer?)"; ja3_hash; content:"ede63467191e9a12300e252c41ca9004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028134; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR"; flow:established,to_server; content:"/logout.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003722; classtype:web-application-attack; sid:2003722; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)"; ja3_hash; content:"653d342bee5001569662198a672746af"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028135; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR"; flow:established,to_server; content:"/help.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003723; classtype:web-application-attack; sid:2003723; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (Win 8.1)"; ja3_hash; content:"482a11a20da1629b77aaadf640478d13"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028136; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003724; classtype:web-application-attack; sid:2003724; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"21ed4c7ee1daeb84c72199ceaf119b24"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028137; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR"; flow:established,to_server; content:"/login.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003725; classtype:web-application-attack; sid:2003725; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"30b168d81e38d9a55c474c1e30eaf9f9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028138; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; content:"/web/lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003747; classtype:web-application-attack; sid:2003747; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"f8e42933ba5b3990858ba621489047e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028139; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/test/pages/contact.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010191; classtype:web-application-attack; sid:2010191; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Setup (tested: 3.10.11 on Win 8.x)"; ja3_hash; content:"2f8363419a9fb80ad46b380778d8eaf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028140; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/system/pageTemplate.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010192; classtype:web-application-attack; sid:2010192; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Splash Pages (Win 10)"; ja3_hash; content:"c1e8322501b4d56d484b50bd7273e798"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028141; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/system/utilities.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010193; classtype:web-application-attack; sid:2010193; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Windows"; ja3_hash; content:"6c141f98cd79d8b505123e555c1c3119"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028142; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path"; flow:established,to_server; content:"/faq.php?"; http_uri; nocase; content:"module_root_path="; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2493; reference:url,www.milw0rm.com/exploits/3833; reference:url,doc.emergingthreats.net/2003684; classtype:web-application-attack; sid:2003684; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"054c9f9d304b7a2add3d6fa75bc20ae4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028143; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004469; classtype:web-application-attack; sid:2004469; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"36bc8c7e10647bbfea3f740e7f05c0f1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028144; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004470; classtype:web-application-attack; sid:2004470; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dynalist/Postman/Google Chrome/Franz/GOG Galaxy"; ja3_hash; content:"4c40bf8baa7c301c5dba8a20bc4119e2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028145; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004471; classtype:web-application-attack; sid:2004471; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"0411bbb5ff27ad46e1874a7a8beedacb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028146; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004472; classtype:web-application-attack; sid:2004472; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"4990c9da08f44a01ecd7ddc3837caf25"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028147; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004473; classtype:web-application-attack; sid:2004473; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"fa106fe5beec443af7e211ef8902e7e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028148; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004474; classtype:web-application-attack; sid:2004474; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse/java"; ja3_hash; content:"d74778f454e2b047e030b291b94dd698"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028149; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004475; classtype:web-application-attack; sid:2004475; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Facebook iOS"; ja3_hash; content:"576a1288426703ae0008c42f95499690"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028150; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004476; classtype:web-application-attack; sid:2004476; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Feedly/1.0, java,eclipse,Cyberduck"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028151; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004477; classtype:web-application-attack; sid:2004477; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - fetchmail 6.3.26 (openSUSE Leap 42.1)"; ja3_hash; content:"a698fe6c52d210e3376bb6667729d4d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028152; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004478; classtype:web-application-attack; sid:2004478; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FieldServiceApp/socialstudio"; ja3_hash; content:"1fbe5382f9d8430fe921df747c46d95f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028153; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004479; classtype:web-application-attack; sid:2004479; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 24.0 Iceweasel24.3.0"; ja3_hash; content:"3d99dda4f6992b35fdb16d7ce1b6ccba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028154; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nweb2fax viewrq.php var_filename Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; content:"/viewrq.php?"; http_uri; nocase; content:"format=ps"; http_uri; nocase; content:"var_filename="; http_uri; content:"../"; reference:bugtraq,29804; reference:url,milw0rm.com/exploits/5856; reference:url,doc.emergingthreats.net/2009501; classtype:web-application-attack; sid:2009501; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 25.0"; ja3_hash; content:"c57914fadb301a73e712378023b4b177"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028155; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003698; classtype:web-application-attack; sid:2003698; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 26.0, Firefox/26.0"; ja3_hash; content:"755cdaa3496eb8728247a639dee17aad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028156; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path"; flow:established,to_server; content:"/checkout.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003699; classtype:web-application-attack; sid:2003699; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 27.0"; ja3_hash; content:"ff9223b5c9a5d44a8a423833751fa158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028157; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path"; flow:established,to_server; content:"/libsecure.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003700; classtype:web-application-attack; sid:2003700; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.0.19"; ja3_hash; content:"df9bedd5713fe0cc2e9184d7c16a5913"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028158; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"repinc="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2558; reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded; reference:url,doc.emergingthreats.net/2003701; classtype:web-application-attack; sid:2003701; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.5 - 3.6, Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14"; ja3_hash; content:"4a9bd55341e1ffe6fedb06ad4d3010a0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028159; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server"; flow:established,to_server; content:"/sqledit.php?"; http_uri; nocase; content:"server="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2865; reference:url,www.securityfocus.com/bid/24115; reference:url,doc.emergingthreats.net/2004552; classtype:web-application-attack; sid:2004552; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 40.0.3 (tested Windows 8), Firefox/37.0"; ja3_hash; content:"2872afed8370401ec6fe92acb53e5301"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028160; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/body_comm.inc.php?"; http_uri; nocase; content:"content="; http_uri; nocase; pcre:"/content=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,27952; reference:url,milw0rm.com/exploits/5175; reference:url,doc.emergingthreats.net/2009397; classtype:web-application-attack; sid:2009397; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"46129449560e5731dc9c5106f111a3db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028161; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003782; classtype:web-application-attack; sid:2003782; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"d06b3234356cb3df0983fc8dd02ece68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028162; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003783; classtype:web-application-attack; sid:2003783; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.0 2"; ja3_hash; content:"05ece02fb23acf2efbfff54ce4099a45"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028163; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003784; classtype:web-application-attack; sid:2003784; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)"; ja3_hash; content:"aa907c2c4720b6f54cd8b67a14cef0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028164; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003785; classtype:web-application-attack; sid:2003785; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (dev edition)"; ja3_hash; content:"f586111542f330901d9a3885a9c821b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028165; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003786; classtype:web-application-attack; sid:2003786; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled - I think websockets)"; ja3_hash; content:"1996e434b11323df4e87f8fe0e702209"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028166; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003787; classtype:web-application-attack; sid:2003787; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled)"; ja3_hash; content:"8ed0a2cdcad81fc29313910eb94941d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028167; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/footer.php?"; http_uri; nocase; content:"_path[counter]="; http_uri; nocase; pcre:"/_path\[counter\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009321; classtype:web-application-attack; sid:2009321; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 49.0a2 Developer TLS 1.3 enabled"; ja3_hash; content:"8b18c5b0c54cba1ffb2438fe24792b63"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028168; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt"; flow:to_server,established; content:"/tiki-featured_link.php?type="; http_uri; nocase; content:"/iframe>"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/450268/30/0; reference:url,doc.emergingthreats.net/2003167; classtype:web-application-attack; sid:2003167; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 63.0"; ja3_hash; content:"b20b44b18b853ef29ab773e921b03422"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028169; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/startup.php?"; http_uri; nocase; content:"CFG[txtsql][class]="; http_uri; nocase; pcre:"/CFG\[txtsql\]\[class\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,30625; reference:url,milw0rm.com/exploits/6224; reference:url,doc.emergingthreats.net/2009416; classtype:web-application-attack; sid:2009416; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0a81538cf247c104edb677bdb8902ed5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028170; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl"; flow:established,to_server; content:"/printcal.pl?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2745; reference:url,www.securityfocus.com/bid/24022; reference:url,doc.emergingthreats.net/2003874; classtype:web-application-attack; sid:2003874; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0b6592fd91d4843c823b75e49b43838d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028171; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004881; classtype:web-application-attack; sid:2004881; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"1c15aca4a38bad90f9c40678f6aface9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028172; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004882; classtype:web-application-attack; sid:2004882; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"5163bc7c08f57077bc652ec370459c2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028173; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004883; classtype:web-application-attack; sid:2004883; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"a88f1426c4603f2a8cd8bb41e875cb75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028174; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004884; classtype:web-application-attack; sid:2004884; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"b03910cc6de801d2fcfa0c3b9f397df4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028175; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004885; classtype:web-application-attack; sid:2004885; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"bfcc1a3891601edb4f137ab7ab25b840"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028176; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004886; classtype:web-application-attack; sid:2004886; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"f15797a734d0b4f171a86fd35c9a5e43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028177; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path"; flow:established,to_server; content:"/header.php?"; http_uri; nocase; content:"path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2542; reference:url,www.milw0rm.com/exploits/3848; reference:url,doc.emergingthreats.net/2003670; classtype:web-application-attack; sid:2003670; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/10.0.11esrpre Iceape/2.7.12"; ja3_hash; content:"55f2bd38d462d74fb6bb72d3630aae16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028178; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Launch"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/launcher_init.php?"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011748; classtype:policy-violation; sid:2011748; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/13.0-25.0"; ja3_hash; content:"85c420ab089dac5025034444789a8fb5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028179; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Check for Patch"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/patch.php?"; http_uri; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011749; classtype:policy-violation; sid:2011749; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/14.0.1 Linux"; ja3_hash; content:"847b0c334fd0f6f85457054fabff3145"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028180; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetConnectionAndGameParams"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetConnectionAndGameParams</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011750; classtype:policy-violation; sid:2011750; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/25.0"; ja3_hash; content:"e98db583389531a37f2fe8d251f0f7ae"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028181; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request OpenSession"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>OpenSession</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011751; classtype:policy-violation; sid:2011751; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/27.0-32.0, IceWeasel 31.8.0"; ja3_hash; content:"cc9bcf019b339c01d200515d1cb39092"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028182; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Disconnect"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>Disconnect</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011753; classtype:policy-violation; sid:2011753; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/28.0-30.0"; ja3_hash; content:"45d22e6403f053bfb2cc223755588533"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028183; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetOnlineProfile"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetOnlineProfile</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011754; classtype:policy-violation; sid:2011754; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/31 Linux, firefox"; ja3_hash; content:"ce694315cbb81ce95e6ae4ae8cbafde6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028184; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetBuddies"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetBuddies</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011755; classtype:policy-violation; sid:2011755; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/32.0"; ja3_hash; content:"8df37d4e7430e2d9a291ae9ee500a1a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028185; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request SearchNew"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>SearchNew</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011756; classtype:policy-violation; sid:2011756; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"5ba6ed04b246c96c6839e0268a8b826f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028186; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request LiveUpdate"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>LiveUpdate</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011757; classtype:policy-violation; sid:2011757; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"c5392af25feaf95cfefe858abd01c86b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028187; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; content:"&safe=off"; http_uri; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"9250f97ba65d86e7b0e60164c820d91a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028188; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Activity"; flow:to_server,established; content:"/banman/banman.asp?ZoneID="; http_uri; nocase; content:"&Task="; http_uri; nocase; content:"&X="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; classtype:trojan-activity; sid:2003170; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"ab834ac5135f2204d473878821979cea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028189; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to_server; content:"/popsetarray.php?&country="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; classtype:trojan-activity; sid:2002094; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/37.0, Google Chrome 45.0.2454.85 or FireFox 41-42"; ja3_hash; content:"514058a66606ae870bcc670e95ca7e68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028190; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; content:"/progs_traff/"; http_uri; nocase; reference:url,research.sunbelt-software.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; classtype:trojan-activity; sid:2003034; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/38 Linux"; ja3_hash; content:"edf844351bc867631b5ebceda318669b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028191; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; http_uri; nocase; content:"?ZipCode="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; classtype:trojan-activity; sid:2003423; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/40.1 Windows 7"; ja3_hash; content:"05af1f5ca1b87cc9cc9b25185115607d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028192; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Crewbox Proxy Scan"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"crewbox.by.ru/crew/"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003156; classtype:attempted-recon; sid:2003156; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/45.0 Linux, firefox,thunderbird"; ja3_hash; content:"07b4162d4db57554961824a21c4a0fde"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028193; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/g"; http_uri; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/51.0 Windows 10, firefox,thunderbird"; ja3_hash; content:"61d0d709fe7ac199ef4b2c52bc8cef75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028194; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; content:"/awstats.pl?"; http_uri; nocase; content:"/migrate"; http_uri; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; reference:url,doc.emergingthreats.net/2002900; classtype:web-application-attack; sid:2002900; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52 Linux"; ja3_hash; content:"4e66f5ad78f3d9ad8d5c7c88d138db43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028195; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; reference:url,doc.emergingthreats.net/2002362; classtype:web-application-attack; sid:2002362; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52"; ja3_hash; content:"ca0f3f4c08cbd372720beb1af7d2721f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028196; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; reference:url,doc.emergingthreats.net/2002685; classtype:web-application-attack; sid:2002685; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55 Windows 10"; ja3_hash; content:"1885aa9927f99ed538ed895d9335995c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028197; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003086; classtype:web-application-attack; sid:2003086; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55/56 Mac/Win/Linux"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028198; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003087; classtype:web-application-attack; sid:2003087; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/56.0 Windows 10"; ja3_hash; content:"be1a7de97ea176604a3c70622189d78d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028199; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; content:"/configure/"; http_uri; content:"/enable/"; http_uri; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; reference:url,doc.emergingthreats.net/2002721; classtype:web-application-attack; sid:2002721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/6.0.1 - 12.0"; ja3_hash; content:"2aef69b4ba1938c3a400de4188743185"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028200; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; content:"/CCMAdmin/serverlist.asp?"; http_uri; nocase; content:"pattern="; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; reference:url,doc.emergingthreats.net/2004556; classtype:web-application-attack; sid:2004556; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Flux"; ja3_hash; content:"504ecb2d3e5e83a179316f098dadbaeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028201; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET "; depth:4; content:"lastvist.html?"; http_uri; nocase; content:"domain="; http_uri; nocase; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; reference:url,doc.emergingthreats.net/2009484; classtype:web-application-attack; sid:2009484; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Franz/Google Chrome/Kiwi/Spotify/nwjs/Slack"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028202; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; content:"OpenForm"; http_uri; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; reference:url,doc.emergingthreats.net/2002376; classtype:web-application-attack; sid:2002376; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) #1"; ja3_hash; content:"a6090977601dc1345948f101e46d5759"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028203; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; content:"OpenFrameSet"; http_uri; nocase; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; reference:url,doc.emergingthreats.net/2002377; classtype:web-application-attack; sid:2002377; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) or DropBox"; ja3_hash; content:"f1b9f86645cb839bd6992e848d943898"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028204; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/OvCgi/OvWebHelp.exe"; http_uri; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Fuze"; ja3_hash; content:"900c1fa84b4ea86537e1d148ee16eae8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028205; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; content:".aspx"; http_uri; nocase; content:"GET"; nocase; depth: 3; content:"%5C"; depth: 200; nocase; content:"aspx"; within:100; reference:url,doc.emergingthreats.net/2001343; classtype:web-application-attack; sid:2001343; rev:23; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"107144b88827da5da9ed42d8776ccdc5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028206; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; content:"extras/update.php"; http_uri; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002864; classtype:attempted-recon; sid:2002864; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"c46941d4de99445aef6b497679474cf4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028207; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"CUSTOMIZE=/"; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - git commandline (tested: 1.9. Linux)"; ja3_hash; content:"3e765b7a69050906e5e48d020921b98e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028208; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"destype=file"; http_uri; nocase; content:"desformat="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; classtype:web-application-activity; sid:2002132; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)"; ja3_hash; content:"d0df7f7c9ca173059b2cd17ce5c2e5cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028209; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GitHub Desktop (tested build 216 on OSX)"; ja3_hash; content:"f8c50bbee59c526ca66da05f3dc4b735"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028210; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP remote file include exploit attempt"; flow: to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; reference:url,doc.emergingthreats.net/2001810; classtype:attempted-admin; sid:2001810; rev:29; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Glympse Location Tracking??"; ja3_hash; content:"c5cbafbbcf53dfbfc2a803ca3833fce2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028211; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED PacketShaper DoS attempt"; flow:to_server,established; content:"/rpttop.htm"; http_uri; pcre:"/MEAS\.TYPE=(?!(link|class)&)/U"; reference:url,doc.emergingthreats.net/2004449; classtype:denial-of-service; sid:2004449; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GMail SMTP Relay"; ja3_hash; content:"a3b2fe29619fdcb7a9422b8fddb37a67"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028212; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; content:".php"; http_uri; nocase; content:"=http|3a|/"; http_uri; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009151; classtype:web-application-attack; sid:2009151; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GNU Wget 1.16.1 built on darwin14.0.0"; ja3_hash; content:"94b94048a438e77122fc4eee3a6a4a26"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028213; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; content:"/WebID/IISWebAgentIF.dll"; http_uri; content:"?Redirect?"; http_uri; nocase; pcre:"/url=.{8000}/iU"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; reference:url,doc.emergingthreats.net/2002660; reference:url,doc.emergingthreats.net/2002660; classtype:web-application-activity; sid:2002660; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GNUTLS Commandline"; ja3_hash; content:"0267b752d6a8b5fd195096b41ea5839c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028214; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/\x2F\x2A.+\x2A\x2F/U"; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2011040; classtype:web-application-attack; sid:2011040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - golang (tested: 1.4.1)"; ja3_hash; content:"f11b0fca6c063aa69d8d39e0d68b6178"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028215; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; content:"/default.aspx?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; reference:url,doc.emergingthreats.net/2003903; classtype:web-application-attack; sid:2003903; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Calendar Agent (Tested on OSX)"; ja3_hash; content:"07ef3a7f5f8ffef08affb186284f2af4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028216; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail"; flow:established,to_server; content:"/contact/contact/index.php?"; http_uri; nocase; content:"form[mail]="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003904; classtype:web-application-attack; sid:2003904; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (43.0.2357.130 64-bit OSX)"; ja3_hash; content:"abe568de919448adcd756aea9a136aea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028217; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; content:"|00|"; http_uri; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; reference:url,doc.emergingthreats.net/2003099; classtype:web-application-activity; sid:2003099; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (Android)"; ja3_hash; content:"400961c8161ba7661a7029d3f7e8bb95"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028218; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/axis2/services/Version?"; http_uri; nocase; content:"xsd="; http_uri; nocase; content:"../"; depth:200; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; classtype:web-application-attack; sid:2011160; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"072c0469aa4f2f597bb38bcc17095c51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028219; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/softwarefortubeview.40009.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010058; classtype:trojan-activity; sid:2010058; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"696cd0c8c241e19e3d6336c3d3d9e2e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028220; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; content:"/ssp/loadjavad.php"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010446; classtype:bad-unknown; sid:2010446; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"c40b51e2a59425b6a2b500d569962a60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028221; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:exploit-kit; sid:2010870; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 45.0.2454.101"; ja3_hash; content:"e8aabc4fe1fc8d47c648d37b2df7485f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028222; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; content:"/i1000000.gif"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011760; classtype:bad-unknown; sid:2011760; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71 m"; ja3_hash; content:"7ea3e17d09294aee8425ae05588f0c66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028223; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; content:"/xml/p.php?id="; http_uri; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; classtype:trojan-activity; sid:2010551; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71"; ja3_hash; content:"a9030ea4837810ce89fb8a3d39ca12ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028224; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; http_uri; nocase; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"0e46737668fe75092919ee047a0b5945"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028225; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/nmap.php?"; http_uri; nocase; content:"target="; http_uri; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:2; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"39fa85654105398ee7ef6a3a1c81d685"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028226; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"4ba7b7022f5f5e1e500bb19199d8b1a4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028227; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"002205d0f96c37c5e660b9f041363c11"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028228; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"D="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"073eede15b2a5a0302d823ecbd5ad15b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028229; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003764; classtype:web-application-attack; sid:2003764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"0b61c673ee71fe9ee725bd687c455809"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028230; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (action url reported)"; flow: to_server,established; content:"/actionurls/ActionUrl"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; classtype:trojan-activity; sid:2001399; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"6cd1b944f5885e2cfbe98a840b75eeb8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028231; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; flow:established,to_server; content:"POST"; http_method; content:"/scripts/setup.php"; http_uri; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b4f4e6164f938870486578536fc1ffce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028232; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo)"; flow:established,to_server; content:"POST "; depth:5; content:"/scripts/setup.php"; http_uri; nocase; content:"|0D 0A 0D 0A|token="; content:"host"; content:"phpinfo|25|28|25|29|25|3b"; nocase; within:64; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009709; classtype:web-application-attack; sid:2009709; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028233; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003838; classtype:web-application-attack; sid:2003838; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"baaac9b6bf25ad098115c71c59d29e51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028234; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES"; flow:established,to_server; content:"/inc/articles.inc.php?"; http_uri; nocase; content:"GLOBALS[CHEMINMODULES]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2594; reference:url,www.milw0rm.com/exploits/3879; reference:url,doc.emergingthreats.net/2003703; classtype:web-application-attack; sid:2003703; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"da949afd9bd6df820730f8f171584a71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028235; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore"; flow:established,to_server; content:"/user/turbulence.php?"; http_uri; nocase; content:"GLOBALS[tcore]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2504; reference:url,www.securityfocus.com/bid/23580; reference:url,doc.emergingthreats.net/2003683; classtype:web-application-attack; sid:2003683; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"fd6314b03413399e4f23d1524d206692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028237; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod"; flow:established,to_server; content:"/mod/image/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003672; classtype:web-application-attack; sid:2003672; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome/Slack"; ja3_hash; content:"5498cef2cca704eb01cf2041cc1089c1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028238; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod"; flow:established,to_server; content:"/mod/liens/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003673; classtype:web-application-attack; sid:2003673; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)"; ja3_hash; content:"c1741dd3d2eec548df0bcd89e08fa431"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028239; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod"; flow:established,to_server; content:"/mod/liste/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003674; classtype:web-application-attack; sid:2003674; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive File Stream"; ja3_hash; content:"d27fb8deca6e3b9739db3fda2b229fe3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028240; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod"; flow:established,to_server; content:"/mod/special/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003675; classtype:web-application-attack; sid:2003675; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth Linux 7.1.4.1529"; ja3_hash; content:"b16614e71d26ba348c94bfc8e33b1767"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028241; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod"; flow:established,to_server; content:"/mod/texte/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003676; classtype:web-application-attack; sid:2003676; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth"; ja3_hash; content:"ae340571b4fd0755c4a0821b18d8fa93"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028242; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path"; flow:established,to_server; content:"/psg.smarty.lib.php?"; http_uri; nocase; content:"cfg[sys][base_path]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2458; reference:url,www.frsirt.com/english/advisories/2007/1390; reference:url,doc.emergingthreats.net/2003691; classtype:web-application-attack; sid:2003691; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Mail server starttls connection"; ja3_hash; content:"9af622c65a17a0bf90d6e9504be96a43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028243; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path"; flow:established,to_server; content:"/resources/includes/class.Smarty.php?"; http_uri; nocase; content:"cfg[sys][base_path]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2457; reference:url,www.milw0rm.com/exploits/3733; reference:url,doc.emergingthreats.net/2003702; classtype:web-application-attack; sid:2003702; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Photos Backup"; ja3_hash; content:"f059212ce3de94b1e8253a7522cb1b44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028244; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/subscription.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009061; classtype:web-application-attack; sid:2009061; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GoogleBot"; ja3_hash; content:"50dfee94717e9640b1c384e5bd78e61e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028245; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/plugin/themes/default/init.php?"; http_uri; nocase; content:"apps_path[themes]="; http_uri; nocase; pcre:"/apps_path\[themes\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009086; classtype:web-application-attack; sid:2009086; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - gramblr"; ja3_hash; content:"fd10cc8cce9493a966c57249e074755f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028246; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/function.php?"; http_uri; nocase; content:"apps_path[libs]="; http_uri; nocase; pcre:"/apps_path\[libs\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009088; classtype:web-application-attack; sid:2009088; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)"; ja3_hash; content:"e76ac6872939f6ebfdf75f1ea73b4daf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028247; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - HipChat"; ja3_hash; content:"d9b07b9095590f4ff910ceee7b6af88a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028248; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot Request to CnC"; flow:established,to_server; content:".bin"; http_uri; content:"GET"; depth:3; http_method; content:".bin HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; content:!"|0d 0a|Referer|3a|"; nocase; reference:url,doc.emergingthreats.net/2010861; classtype:command-and-control; sid:2010861; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"3e860202fc555b939e83e7a7ab518c38"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028249; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:6; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"54328bd36c14bd82ddaa0c04b25ed9ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028250; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Buzus Posting Data"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/fdsupdate"; http_uri; nocase; content:"|0d 0a 0d 0a|PUTF"; reference:url,doc.emergingthreats.net/2010064; classtype:trojan-activity; sid:2010064; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"56ac3a0bef0824c49e4b569941937088"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028251; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"name="; http_uri; nocase; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2001621; classtype:web-application-attack; sid:2001621; rev:36; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"8bd59c4b7f3193db80fd64318429bcec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028252; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; content:"/www.metareward.com/mailimg/disclaimer/"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"d1f9f9b224387d2597f02095fcec96d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028253; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; content:"/access.php?"; http_uri; nocase; content:"w="; http_uri; nocase; content:"&a="; http_uri; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"ff1040ba1e3d235855ef0d7cd9237fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028254; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:4; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - HTTRack"; ja3_hash; content:"a1ec6fd012b9ee6f84c50339c4205270"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028255; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include"; flow:established,to_server; content:"/includes/includes.php"; http_uri; content:"site_path"; http_uri; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22361; reference:url,doc.emergingthreats.net/2003371; classtype:web-application-attack; sid:2003371; rev:8; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IDSyncDaemon"; ja3_hash; content:"5af143afdbf58ec11ab3b3d53dd4e5e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028256; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11 Win10"; ja3_hash; content:"fee8ec956f324c71e58a8c0baf7223ef"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028257; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/jmx-console/HtmlAdaptor"; http_uri; nocase; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"4cafc7a0acf83a49317ca199b2f25c82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028258; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; http_uri; nocase; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"78273d33877a36c0c30e3fb7578ee9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028259; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; content:"main.php?action=download"; http_uri; nocase; content:"&id="; http_uri; nocase; pcre:"/(\.\.\/){1}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - In all the malware samples - Java updater perhaps, java"; ja3_hash; content:"a61299f9b501adcf680b9275d79d4ac6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028260; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/passwiki.php?site_id="; http_uri; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Inbox OSX"; ja3_hash; content:"d06acbe8ac31e753f40600a9d6717cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028261; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mindset Interactive Ad Retrieval"; flow: to_server,established; content:"/mindset5"; http_uri; nocase; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; classtype:trojan-activity; sid:2000594; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - inoreader.com-like FeedFetcher-Google, inoreader.com "; ja3_hash; content:"3ca5d63fa122552463772d3e87d276f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028262; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; content:"/error.php?"; http_uri; nocase; content:"err="; http_uri; nocase; content:"_SERVER[REMOTE_ADDR]="; http_uri; nocase; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; classtype:web-application-attack; sid:2002703; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11 .0.9600.1731.(Win 8.1)"; ja3_hash; content:"a6776199188c09f5124b46b895772fa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028263; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.U Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"cnt="; http_uri; nocase; content:"&scn="; http_uri; nocase; content:"&inf="; http_uri; nocase; content:"&ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; reference:url,doc.emergingthreats.net/2003070; classtype:trojan-activity; sid:2003070; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.17959"; ja3_hash; content:"a264c0bb146b2fade4410bcd61744b69"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028264; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.P Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"?cnt="; http_uri; nocase; content:"?scn="; http_uri; nocase; content:"?inf="; http_uri; nocase; content:"?ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2008192; classtype:trojan-activity; sid:2008192; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check"; ja3_hash; content:"d54b3eb800cbeccf99fd5d5cdcd7b5b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028265; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/Setup_"; http_uri; nocase; content:".exe"; http_uri; nocase; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; classtype:trojan-activity; sid:2010867; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iOS AppleWebKit/536.26"; ja3_hash; content:"06d930b072bf052b10d0a9eea1554f60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028266; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/codec/197.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iOS Mail App (tested: iOS 9.3.3)"; ja3_hash; content:"99204897b101b15f87e9b07f67453f4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028267; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Psyb0t Code Download"; flow:established,to_server; content:"/udhcpc.env"; http_uri; nocase; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; classtype:trojan-activity; sid:2009170; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iPad CPU OS 9_3_5 Safari 601.1 Used by many programs - apple.WebKit.Networking"; ja3_hash; content:"a9aecaa66ad9c6cfe1c361da31768506"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028268; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET "; depth:4; content:"/werber/"; http_uri; nocase; content:"/217.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; classtype:trojan-activity; sid:2010232; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iPhone OS 10_3_3 Safari 602.1, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7e72698146290dd68239f788a452e7d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028269; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET "; depth:4; content:"/item/"; http_uri; nocase; content:"/titem.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; classtype:trojan-activity; sid:2010233; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #1"; ja3_hash; content:"c6ecc5ba2a6ab724a7430fa4890d957d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028270; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution"; flow:established,to_server; content:"POST "; depth:5; content:".php/"; http_uri; pcre:"/\/[a-z_]+\.php\/[a-z_]+\.php/U"; reference:url,seclists.org/fulldisclosure/2009/Nov/169; reference:url,seclists.org/fulldisclosure/2009/Nov/170; reference:url,doc.emergingthreats.net/2010341; classtype:web-application-attack; sid:2010341; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #2"; ja3_hash; content:"c07295da5465d5705a38f044e53ef7c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028271; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2011911; rev:3; metadata:created_at 2010_11_09, former_category DNS, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Java 8U91 Update Check, Windows Java Plugin (tested: v8 Update 60), BurpSuite Free (Tested: 1.7.03 on Windows 10), java,studio,eclipse"; ja3_hash; content:"2db6873021f2a95daa7de0d93a1d1bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028272; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Request for Zaletelly CnC Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:command-and-control; sid:2014513; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"093081b45872912be9a1f2a8163fe041"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028273; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2017312; rev:5; metadata:created_at 2013_08_12, former_category MALWARE, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"2080bf56cb87e64303e27fcd781e7efd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028274; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"explorer_exe"; nocase; distance:0; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2012781; rev:3; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"225a24b45f0f1adbc2e245d4624c6e08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028275; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:7; metadata:created_at 2010_12_30, former_category HUNTING, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3afe1fb5976d0999abe833b14b7d6485"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028276; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Large DNS Query possible covert channel"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; classtype:bad-unknown; sid:2013075; rev:9; metadata:created_at 2011_06_21, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3b844830bfbb12eb5d2f8dc281d349a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028277; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:5; metadata:created_at 2012_08_10, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"550628650380ff418de25d3d890e836e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028278; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019454; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_08_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5b270b309ad8c6478586a15dece20a88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028279; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019455; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_08_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5d7abe53ae15b4272a34f10431e06bf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028280; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE ELF.MrBlack DOS.TF Malformed Lookup (/lib32/libc.so.6)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|/lib32/libc|02|so|01|6|00|"; fast_pattern; distance:0; nocase; reference:md5,312fa52a7992e58359cb68bb0f029ea7; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022335; rev:3; metadata:created_at 2016_01_07, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"7c7a68b96d2aab15d678497a12119f4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028281; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2016-12-15 to 2017-05-04)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:gdqg|hdqh|idqi|jdqj|kdqk|ldql|mdqm|ndqn|odqo|pdqp|qdqq|rdqr|sdqs|tdqt|udqu|vdqv|wdqw|xdqx|ydqy|zdqz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"88afa0dea1608e28f50acbad32d7f195"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028282; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2017-05-04 to 2017-11-02)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:adra|bdrb|cdrc|ddrd|edre|fdrf|gdrg|hdrh|idri|jdrj|kdrk|ldrl|mdrm|ndrn|odro|pdrp|qdrq|rdrr|sdrs|tdrt|udru|vdrv|wdrw|xdrx|ydry|zdrz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"8ce6933b8c12ce931ca238e9420cc5dd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028283; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS Checkin"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; fast_pattern; pcre:"/^(?!0+30)[0-9A-Z]+30[^0-9]/R"; content:"|00|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022836; rev:4; metadata:created_at 2016_05_24, former_category MALWARE, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"a9fead344bf3ac09f62df3cd9b22c268"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028284; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .cn Domain Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:pup-activity; sid:2012327; rev:6; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java/eclipse/STS"; ja3_hash; content:"028563cffc7a3a2e32090aee0294d636"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028285; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:pup-activity; sid:2012328; rev:8; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java/JavaApplicationStub"; ja3_hash; content:"5f9b53f0d39dc9d940a3b5568fe5f0bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028286; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain peocity.com"; dns_query; content:"peocity.com"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016600; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - JavaApplicationStub"; ja3_hash; content:"c376061f96329e1020865a1dc726927d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028287; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain skyruss.net"; dns_query; content:"skyruss.net"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016602; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - K9 Mail (Android)"; ja3_hash; content:"ced7418dee422dd70d2a6f42bb042432"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028288; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain commanal.net"; dns_query; content:"commanal.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016603; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Kindle/stack/nextcloud"; ja3_hash; content:"e516ad69a423f8e0407307aa7bfd6344"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028289; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain natareport.com"; dns_query; content:"natareport.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016604; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 (openSUSE Leap 42.1) 2"; ja3_hash; content:"8194818a46f5533268472f2167ffec70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028290; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogellrey.com"; dns_query; content:"photogellrey.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016605; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1"; ja3_hash; content:"78253eb48a1431a4bbbe6bb4358464ac"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028291; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain creditrept.com"; dns_query; content:"creditrept.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016608; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.8, OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)"; ja3_hash; content:"0e0b798d0208ad365eec733b29da92a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028292; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pollingvoter.org"; dns_query; content:"pollingvoter.org"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016609; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LeagueClientUx"; ja3_hash; content:"3959d0a1344896e9fb5c0564ca0a2956"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028293; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dfasonline.com"; dns_query; content:"dfasonline.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016610; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"0fe51fa93812c2ebb50a655222a57bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028294; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hudsoninst.com"; dns_query; content:"hudsoninst.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016611; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"2e094913d88f0ad8dc69447cb7d2ce65"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028295; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain wsurveymaster.com"; dns_query; content:"wsurveymaster.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016612; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LogMeIn Client"; ja3_hash; content:"193349d34561d1d5d1a270172eb2d97e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028296; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nhrasurvey.org"; dns_query; content:"nhrasurvey.org"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016613; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mail app iOS"; ja3_hash; content:"0cbbafcdaf63cbf1e490c4a2d903f24b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028297; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pdi2012.org"; dns_query; content:"pdi2012.org"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016614; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)"; ja3_hash; content:"fc5574de96793b73355ca9e555748225"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028298; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nceba.org"; dns_query; content:"nceba.org"; depth:9; nocase; fast_pattern; classtype:trojan-activity; sid:2016615; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Maxthon"; ja3_hash; content:"d732ca39155f38942f90e9fc2b0f97f7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028299; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain linkedin-blog.com"; dns_query; content:"linkedin-blog.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016616; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Messenger/Jumpshare"; ja3_hash; content:"c9dbeed362a32f9a50a26f4d9b32bbd8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028300; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain aafbonus.com"; dns_query; content:"aafbonus.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016617; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Smartscreen"; ja3_hash; content:"bedb7e0ff43a24272eb0a41993c65faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028305; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain milstars.org"; dns_query; content:"milstars.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016618; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P"; ja3_hash; content:"bff2c7b5c666331bfe9afacefd1bdb51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028306; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain vatdex.com"; dns_query; content:"vatdex.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016619; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Windows Socket (Tested: Windows 10)"; ja3_hash; content:"48cf5fb702315efbfc88ee3c8c94c6cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028307; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain applesea.net"; dns_query; content:"applesea.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016621; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mj12bot.com"; ja3_hash; content:"11e1137464a4343105031631d470cd92"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028310; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledmg.net"; dns_query; content:"appledmg.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016622; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mobile Safari/537.35+ BB10"; ja3_hash; content:"87c6dda19108d68e526a72d9ae09fb9e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028311; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appleintouch.net"; dns_query; content:"appleintouch.net"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016623; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mono-sgen/Syncplicity/Axure RP 8/Amazon Drive"; ja3_hash; content:"6acb250ada693067812c3335705dae79"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028312; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledns.net"; dns_query; content:"appledns.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016625; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Sync Services (Android)"; ja3_hash; content:"d65ddade944f9acfe4052b2c9435eb85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028313; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain emailserverctr.com"; dns_query; content:"emailserverctr.com"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2016626; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 31.5.0)"; ja3_hash; content:"c2116e5bb14394aafbefe12ade9bd8ab"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028314; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain slashdoc.org"; dns_query; content:"slashdoc.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016629; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 38.3.0), ThunderBird (v38.0.1 OS X)"; ja3_hash; content:"6fd163150b060dd7d07add280f42f4ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028315; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photosmagnum.com"; dns_query; content:"photosmagnum.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016630; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla/4.0 MSIE 6.0 or MSIE 7.0 User-Agent"; ja3_hash; content:"de350869b8c85de67a350c8d186f11e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028316; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain resume4jobs.net"; dns_query; content:"resume4jobs.net"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016631; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"5bf43fbca3454853c26df6d996954aca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028317; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain searching-job.net"; dns_query; content:"searching-job.net"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016632; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"888ecd3b5821a497195932b0338f2f12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028318; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain servagency.com"; dns_query; content:"servagency.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016633; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"8d2e46c9e2b1ee9b1503cab4905cb3e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028319; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain gsasmartpay.org"; dns_query; content:"gsasmartpay.org"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016634; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Office Components"; ja3_hash; content:"f66b0314f269695fe3528ef39a27c158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028320; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain tech-att.com"; dns_query; content:"tech-att.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016635; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0"; ja3_hash; content:"2201d8e006f8f005a6b415f61e677532"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028321; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Synolocker .onion DNS lookup"; dns_query; content:"cypherxffttr7hho"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018948; rev:3; metadata:created_at 2014_08_18, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0)"; ja3_hash; content:"7b3b37883b5e80065b35f27888ed2b04"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028322; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.cc"; dns_query; content:"jifr.co.cc"; depth:10; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:4; metadata:created_at 2011_08_29, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 8.0 & 9.0 Trident/5.0)"; ja3_hash; content:"2baf01616e930d378df97576e2686df3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028323; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.be"; dns_query; content:"qfsl.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mutt (tested: 1.5.23 OSX)"; ja3_hash; content:"dc7c914e1817944435dd6b82a8495fbb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028324; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.cc"; dns_query; content:"qfsl.co.cc"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mutt"; ja3_hash; content:"6761a36cfa692fcd3bc7d570b23cc168"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028325; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.be"; dns_query; content:"jifr.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - NetFlix App on AppleTV (possibly others also)"; ja3_hash; content:"146c6a6537ba4cc22d874bf8ff346144"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028326; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Chanitor.A DNS Lookup"; dns_query; content:"svcz25e3m4mwlauz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2019519; rev:3; metadata:created_at 2014_10_27, former_category MALWARE, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node-webkit/Kindle"; ja3_hash; content:"3ee4aaac7147ff2b80ada31686db660c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028330; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns_query; content:"r2bv3u64ytfi2ssf"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019979; rev:4; metadata:created_at 2014_12_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node.js"; ja3_hash; content:"641df9d6dbe7fdb74f70c8ad93def8cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028331; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"qtrudrukmurps7tc"; depth:16; nocase; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:3; metadata:created_at 2015_01_19, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node.js/Postman/WhatsApp"; ja3_hash; content:"106ecbd3d14b4dc6e413494263720afe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028332; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"tzsvejrzduo52siy"; depth:16; nocase; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:3; metadata:created_at 2015_01_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Non-Specific Microsoft Socket"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028333; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"ohmva4gbywokzqso"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020226; rev:3; metadata:created_at 2015_01_21, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - NVIDEA GeForce Experience, Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)"; ja3_hash; content:"4025f224557638ee81afc4f272fd7577"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028334; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptarv4hcu24ijv Domain - CryptoWall Domains"; dns_query; content:"crptarv4hcu24ijv"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020280; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - nwjs/Chromium"; ja3_hash; content:"49de9b1c7e60bd3b8e1d4f7a49ba362e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028335; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptbfoi5i54ubez Domain - CryptoWall Domains"; dns_query; content:"crptbfoi5i54ubez"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020281; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - One Drive"; ja3_hash; content:"388a4049af7e631f8d36eb0f909de65a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028336; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptcj7wd4oaafdl Domain - CryptoWall Domains"; dns_query; content:"crptcj7wd4oaafdl"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020282; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.01"; ja3_hash; content:"a35c1457421bcfaf5edaccb910bfea1d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028337; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Critroni Tor DNS Proxy lookup"; dns_query; content:"23bteufi2kcqza2l"; depth:16; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)"; ja3_hash; content:"07aa6d7cac645c8845d6e96503f7d985"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028338; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"sgqjml3dstgmarn3"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020357; rev:3; metadata:created_at 2015_02_04, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)"; ja3_hash; content:"6fffa2be612102d25dbed5f433b8238c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028339; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain"; dns_query; content:"brk7tda32wtkxjpa"; depth:16; nocase; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:3; metadata:created_at 2015_02_27, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 10.53  10.60  11.61  11.64  12.02, Presto 2.5.24  2.6.30  2.10.229  2.10.289"; ja3_hash; content:"4e6f7f036fb2b05a50ee8a686b1176a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028340; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (h63rbx7gkd3gygag)"; dns_query; content:"h63rbx7gkd3gygag"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020616; rev:3; metadata:created_at 2015_03_04, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 11.11  11.52, Presto 2.8.131  2.9.168"; ja3_hash; content:"ceee08c3603b53be80c8afdc98babdd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028341; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; dns_query; content:"juf5pjk4sl7uojh4"; depth:16; fast_pattern; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:3; metadata:created_at 2015_03_11, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 12.14 - 12.16, Presto 2.12.388"; ja3_hash; content:"561271bdcbfe68504ce78b38c957eef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028342; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (4elcqmis624seeo7)"; dns_query; content:"4elcqmis624seeo7"; depth:16; fast_pattern; nocase; reference:url,teknoseyir.com/durum/291421; classtype:trojan-activity; sid:2020685; rev:3; metadata:created_at 2015_03_12, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 (X11 Linux x86_64 U en) Presto/2.6.30 Version/10.60"; ja3_hash; content:"8b475d6105c72827a234fbd47e25b0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028343; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu)"; dns_query; content:"erhitnwfvpgajfbu"; depth:16; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019123; rev:5; metadata:created_at 2014_09_05, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.229 Version/11.62"; ja3_hash; content:"44f37c3ceccb551271bfe0ba6d39426c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028344; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx)"; dns_query; content:"3bjpwsf3fjcwtnwx"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020727; rev:3; metadata:created_at 2015_03_23, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 & Presto/2.10.229"; ja3_hash; content:"a16170ff03466c8ee703dd71feda9bfe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028345; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (otsaa35gxbcwvrqs)"; dns_query; content:"otsaa35gxbcwvrqs"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020759; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 Version/12.00"; ja3_hash; content:"b237ac4bcc16c142168df03a871677bd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028346; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (4bpthx5z4e7n6gnb)"; dns_query; content:"4bpthx5z4e7n6gnb"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020760; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"07715901e2c6fe4c45e7c42587847d5d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028347; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (bc3ywvif4m3lnw4o)"; dns_query; content:"bc3ywvif4m3lnw4o"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020761; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"329ff4616732b84de926caa7fd6777b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028348; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; dns_query; content:"33p5mqkaj22irv4z"; depth:16; fast_pattern; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:3; metadata:created_at 2015_04_15, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OS X WebSockets"; ja3_hash; content:"43bb6a18756587426681e4964e5ea4bf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028349; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr)"; dns_query; content:"pf3tlgkpks7pu7yr"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020952; rev:3; metadata:created_at 2015_04_21, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 1"; ja3_hash; content:"3b6da2971936ac24457616e8ad46f362"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028350; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; dns_query; content:"cld7vqwcvn2bii67"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:3; metadata:created_at 2015_05_01, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 2"; ja3_hash; content:"95baa3d2068d8c8da71990a353cf8453"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028351; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; dns_query; content:"is6xsotjdy4qtgur"; depth:16; fast_pattern; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:3; metadata:created_at 2015_05_08, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Outlook 2007 (Win 8.1)"; ja3_hash; content:"53eb89fe6147474039c1162e4d9d3dc0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028352; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; dns_query; content:"tlunjscxn5n76iyz"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:3; metadata:created_at 2015_05_19, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - p4v/owncloud"; ja3_hash; content:"38cbe70b308f42da7c9980c0e1c89656"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028353; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; dns_query; content:"wdthvb6jut2rupu4"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PaleMoon Browser"; ja3_hash; content:"d82cbe0b93f2b02d490a14f6bc1d421a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028354; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; dns_query; content:"xwxwninkssujglja"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - parsecd/apple.geod/apple.photomoments/photoanalysisd/FreedomProxy"; ja3_hash; content:"62448833d8230241227c03b7d441e31b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028355; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; dns_query; content:"7fa6gldxg64t5wnt"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - php script (tested 5.5.27)"; ja3_hash; content:"16765fe48127809dc0ca406769c9391e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028356; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; dns_query; content:"bpq4dub4rlivvswu"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:3; metadata:created_at 2015_06_19, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pidgin (tested 2.10.11)"; ja3_hash; content:"b74f9ecf158e0575101c16c5265a85b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028357; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; dns_query; content:"gzc7lj4rvmkg25dm"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:3; metadata:created_at 2015_06_19, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pocket/Slack/Duo (Android)"; ja3_hash; content:"6ea7cfa450ce959818178b420f59fec4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028358; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Variant .onion proxy Domain (kurrmpfx6kgmsopm)"; dns_query; content:"kurrmpfx6kgmsopm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021318; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Polycom IP Phone Directory Lookup"; ja3_hash; content:"9e41b6bf545347abccf0dc8fd76083a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028359; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion proxy Domain (tkjthigtqlvohs7z)"; dns_query; content:"tkjthigtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021319; rev:3; metadata:created_at 2015_06_22, updated_at 2019_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin"; flow:established,to_server; content:"Clientx|2c 20|Version="; fast_pattern; content:"ProClient.Data"; distance:0; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b)"; dns_query; content:"xvha2ctkacx2ug3b"; depth:16; fast_pattern; nocase; reference:url,www.dropboxforum.com/hc/communities/public/questions/203834265-virus; classtype:trojan-activity; sid:2021325; rev:3; metadata:created_at 2015_06_23, updated_at 2019_09_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin Response"; flow:established,to_client; content:"|2c 20|Version="; content:"BlackRAT.Data"; distance:0; fast_pattern; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; dns_query; content:"hlvumvvclxy2nw7j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021534; rev:3; metadata:created_at 2015_07_27, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - postbox-bin"; ja3_hash; content:"e846898acc767ebeb2b4388e58a968d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028404; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; dns_query; content:"vacdgwaw5djp5hmu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021549; rev:3; metadata:created_at 2015_07_29, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Postfix with StartTLS"; ja3_hash; content:"26fa3da4032424ab61dc9be62c8e3ed0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028405; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain"; dns_query; content:"des7siw5vfkznjhi"; depth:16; fast_pattern; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:3; metadata:created_at 2015_07_30, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #1 & Apteligent"; ja3_hash; content:"ef48bf8b2ccaab35642fd0a9f1bbe831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028406; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; dns_query; content:"613cb6owitcouepv"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021561; rev:3; metadata:created_at 2015_07_31, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #2"; ja3_hash; content:"8cc24a6ff485c62e3eb213d2ca61cf12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028407; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"7n4p5o6vlkdiqiee"; depth:16; nocase; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:4; metadata:created_at 2015_01_20, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pusherapp API"; ja3_hash; content:"12ad03cb3faa2748e92c9a38faab949f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028408; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns_query; content:"h36fhvsupe4mi7mm"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021849; rev:3; metadata:created_at 2015_09_30, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - py2app application (including box.net & google drive clients)"; ja3_hash; content:"ba502b2f5d64ac3d1d54646c0d6dd4dc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028409; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain (tmclybfqzgkaeilm)"; dns_query; content:"tmclybfqzgkaeilm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022145; rev:3; metadata:created_at 2015_11_25, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Python Requests Library 2.4.3"; ja3_hash; content:"c398c55518355639c5a866c15784f969"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028410; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt .onion Proxy Domain (tw7kaqthui5ojcez)"; dns_query; content:"tw7kaqthui5ojcez"; depth:16; fast_pattern; nocase; reference:md5,45683c29a36ef8a15f216d7c4b2af822; classtype:trojan-activity; sid:2022191; rev:3; metadata:created_at 2015_11_30, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64"; ja3_hash; content:"1a9fb04aa1b4439666672be8661f9386"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028411; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Domain (75nzutdjjtnpgscz)"; dns_query; content:"75nzutdjjtnpgscz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022236; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Qsync Client"; ja3_hash; content:"a7823092705a5e91ce2b7f561b6e5b98"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028412; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"vf4xdqg4mp3hnw5g"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022237; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Reported as -"; ja3_hash; content:"4b06b445e3e12cdae777cec815ab90f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028414; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"wv55abv6bde65ek6"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022238; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RescueTime/Plantronics Hub"; ja3_hash; content:"c048d9f26a79e11ca7276499ef24daf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028415; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (czc57cr2pn3zfn4b)"; dns_query; content:"czc57cr2pn3zfn4b"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022314; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App #2"; ja3_hash; content:"90f755509cba37094eb66be02335b932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028416; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (o7zeip6us33igmgw)"; dns_query; content:"o7zeip6us33igmgw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022315; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App"; ja3_hash; content:"7743db23afb26f18d632420e6c36e076"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028417; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (vr6g2curb2kcidou)"; dns_query; content:"vr6g2curb2kcidou"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022316; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RSiteAuditor"; ja3_hash; content:"35c0a31c481927f022a3b530255ac080"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028418; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; dns_query; content:"pc35hiptpcwqezgs"; depth:16; nocase; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_13, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ruby script (tested: 2.0.0p481)"; ja3_hash; content:"688b34ca00a291ece0bc07b264b1344c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028419; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xlowfznrg4wf7dli)"; dns_query; content:"xlowfznrg4wf7dli"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022561; rev:3; metadata:created_at 2016_02_23, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ruby"; ja3_hash; content:"d219efd07cbb8fbe547e6a5335843f0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028420; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; dns_query; content:"yuwurw46taaep6ip"; depth:16; nocase; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 525 - 533  534.57.2, Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater"; ja3_hash; content:"cbcd1d81f242de31fd683d5acbc70dca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028421; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; dns_query; content:"voooxrrw2wxnoyew"; depth:16; nocase; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34"; ja3_hash; content:"4c551900711d12c864cfe2f95e1c98c2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028422; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PadCrypt .onion Payment Domain"; dns_query; content:"gnkltbsaeq35rejl"; depth:16; fast_pattern; nocase; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022569; rev:3; metadata:created_at 2016_02_26, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, rekonq1.1  Arora0.11.0"; ja3_hash; content:"30701f5050d504c31805594fb5c083b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028423; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maktub Locker Payment Domain"; dns_query; content:"bs7aygotd2rnjl4o"; depth:16; fast_pattern; nocase; reference:md5,74add6536cdcfb8b77d10a1e7be6b9ef; classtype:trojan-activity; sid:2022634; rev:3; metadata:created_at 2016_03_21, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, Safari/537.21"; ja3_hash; content:"41ba55231de6643721fbe2ae25fab85d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028424; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns_query; content:"twbers4hmi6dc65f"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.59.8"; ja3_hash; content:"fb1d89e16f4dd558ad99011070785cce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028425; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Coverton Onion Domain Lookup"; dns_query; content:"lnc57humvaxpqfv3"; depth:16; nocase; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022675; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 536.30.1"; ja3_hash; content:"e2a482fbb281f7662f12ff6cc871cfe7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028426; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xzjvzkgjxebzreap)"; dns_query; content:"xzjvzkgjxebzreap"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022711; rev:3; metadata:created_at 2016_04_06, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.71"; ja3_hash; content:"cc5925c4720edb550491a12a35c15d4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028427; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"5qgerbbyhdz5bwca"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022764; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.78.2"; ja3_hash; content:"88770e3ad9e9d85b2e463be2b5c5a026"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028428; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"yycqx6ay5oedto5f"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022765; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari"; ja3_hash; content:"c36fb08942cf19508c08d96af22d4ffc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028429; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"j2pjkgrlaopysagn"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022766; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/534.57.2, hola_svc"; ja3_hash; content:"77310efe11f1943306ee317cf02150b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028430; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"i3e5y4ml7ru76n5e"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022767; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.1.38 Macintosh, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c07cb55f88702033a8f52c046d23e0b2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028431; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"iabni66w5xvwawbe"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022768; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.3.1 Macintosh/apple.WebKit.Networking,itunesstored"; ja3_hash; content:"3e4e87dda5a3162306609b7e330441d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028432; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (hw5qrh6fxv2tnaqn)"; dns_query; content:"hw5qrh6fxv2tnaqn"; depth:16; fast_pattern; nocase; reference:url,nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/; classtype:trojan-activity; sid:2022806; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Salesforce Files"; ja3_hash; content:"844166382cc98d98595e6778c470f5d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028433; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (eqrvbczir5ua2emd)"; dns_query; content:"eqrvbczir5ua2emd"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022817; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: hoax Firefox/40.1"; ja3_hash; content:"9a35e493f961ac377f948690b5334a9c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028434; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns_query; content:"ajj3a7gfmgwmhhoz"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: wordpress wp-login Firefox/40.1"; ja3_hash; content:"ce5f3254611a8c095a3d821d44539877"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028435; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"gccxqpuuylioxoip"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCRAPER: DotBot"; ja3_hash; content:"d8844f000e5571807e9094e0fcd795fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028436; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"yuysikankhqvdwdv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SeznamBot/3.2"; ja3_hash; content:"6cc3c7debc31952d05ecaacb6021925f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028438; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (f5xraa2y2ybtrefz)"; dns_query; content:"f5xraa2y2ybtrefz"; depth:16; fast_pattern; nocase; reference:md5,5eeeeb093ee02d3769886880f8a58a90; classtype:trojan-activity; sid:2023247; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 1"; ja3_hash; content:"fa8b8ed07b1dd0e4a262bd44d31251ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028439; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns_query; content:"anbqjdoyw6wkmpeu"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023328; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 2"; ja3_hash; content:"c05809230e9f7a6bf627a48b72dc4e1c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028440; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"6kaqkavhpu5dln6x"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023503; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 3"; ja3_hash; content:"0ad94fcb7d3a2c56679fbd004f6b12cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028441; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"mvy3kbqc4adhosdy"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023504; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family XRatLocker, malware_family AiraCrop, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0add6ceb611a7613f97329af3b6828d9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028442; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:"27c73bq66y4xqoh7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023578; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0b63812a99e66c82a20d30c3b9ba6e06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028443; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (goldenhjnqvc2lld)"; dns_query; content:"goldenhjnqvc2lld"; depth:16; fast_pattern; nocase; classtype:command-and-control; sid:2023584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"109dbd9238634b21363c3d62793c029c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028444; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (golden2uqpiqcs6j)"; dns_query; content:"golden2uqpiqcs6j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"11e49581344c117df2c9ceb46e5594c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028445; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Popcorn-Time .onion Payment Domain (3hnuhydu4pd247qb)"; dns_query; content:"3hnuhydu4pd247qb"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023589; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"302579fd4ba13eca27932664f66725ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028446; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Maktub .onion Payment Domain (maktubebz6z6cgtw)"; dns_query; content:"maktubebz6z6cgtw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023655; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"badc09d74edf43c0204c4827a038c2fa"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028447; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE SHUJIN .onion Payment Page"; dns_query; content:"eqlc75eumpb77ced"; depth:16; fast_pattern; nocase; reference:md5,d59a27b1e0a46cc185f1937ca42f300a; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/; classtype:trojan-activity; sid:2022798; rev:4; metadata:created_at 2016_05_06, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f59a024cf47fdb835053ebf144189a47"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028448; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"fmwdvmk2ejgbl5pi"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f8f522671d2d2eba5803e6c002760c05"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028449; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"hctppfblwfot6ces"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.5.23 - OS X)"; ja3_hash; content:"9d5869f950eeca2e39196c61fdf510c8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028450; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"j24ojpexpgaorlxj"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.6.2 OS X)"; ja3_hash; content:"3fcc12d9ee1f75a0212d1d16f7b9f8ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028451; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"lmhrmbouhkffosig"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023731; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Signal (tested: 3.16.0 - Android)"; ja3_hash; content:"7dde4e4f0dceb29f711fb34b4bdbf420"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028452; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"neo73ruk6mprlmww"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023732; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Signal Chrome App"; ja3_hash; content:"07931ada5b9dd93ec706e772ee60782d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028453; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"padcrympj5rvgwed"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023733; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SkipFish (tested: v2.10b kali)"; ja3_hash; content:"cfb6d1c72d09d4eaa4c7d2c0b1ecbce7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028454; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"qli26fihoid5qwo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023734; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (additional Win 10)"; ja3_hash; content:"7a75198d3e18354a6763860d331ff46a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028455; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"r4i3izmyccncfrsr"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023735; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (multiple platforms)"; ja3_hash; content:"06207a1730b5deeb207b0556e102ded2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028456; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CryptoWall .onion Proxy Domain"; dns_query; content:"rq5w3yn6qgbu4mo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (tested 7.18(341) on OSX)"; ja3_hash; content:"5ef08bc989a9fcc18d5011f07d953c14"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028457; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; dns_query; content:"zbqxpjfvltb6d62m"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:4; metadata:created_at 2015_06_11, former_category TROJAN, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype"; ja3_hash; content:"49a341a21f4fd4ac63b027ff2b1a331f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028458; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"mjs2bcdrttpmm7pp"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack Desktop App"; ja3_hash; content:"c8ada45922a3e7857e4bfd4fc13e8f64"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028459; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"sloryvugp4abxnfu"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"3d72e4827837391cd5b6f5c6b2d5b1e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028460; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"u73tcilcw2cw2by5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024112; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"a5aa6e939e4770e3b8ac38ce414fd0d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028461; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"xijymvzq4zkyubfe"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024113; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"cdd8179dc9c0e4802f557b62bae73d43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028462; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zmsr22fviy7kxihf"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024114; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slackbot Link Expander"; ja3_hash; content:"22cca8ed59288f4984724f0ee03484ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028463; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zuotmsnm7vh2jx77"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024115; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Spark"; ja3_hash; content:"116ffc8889873efad60457cd55eaf543"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028464; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zxungms47m6ecj7t"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024116; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SpiderOak (tested: 6.0.1)"; ja3_hash; content:"f51156bcd5033603e750c8bd4db254e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028465; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"cze2agbxnpkc5hdk"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024117; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SpotlightNetHelper/Safari"; ja3_hash; content:"8db4b0f8e9dd8f2fff38ee7c5a1e4496"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028466; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Cradle Ransomware Onion Domain"; dns_query; content:"pn6fsogszhqlxz4n"; depth:16; nocase; fast_pattern; reference:md5,53f6f9a0d0867c10841b815a1eea1468; classtype:trojan-activity; sid:2024205; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cradle, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 1"; ja3_hash; content:"24339ea346521d98a8c50fd3713090c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028469; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tor based locker .onion Proxy DNS lookup July 31 2014"; dns_query; content:"iet7v4dciocgxhdv"; depth:16; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 2"; ja3_hash; content:"ad5d6f490f3819dc60b2a2fbe5bd1cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028470; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".velodrivve.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.velodrivve\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 3"; ja3_hash; content:"1e9557c377f8ff50b80b7f87b60b1054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028471; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".bedrifg.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bedrifg\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 4"; ja3_hash; content:"c3c59ec21835721c92571e7742fadb88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028472; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".fedbook.org"; fast_pattern; pcre:"/[a-z]{4,10}\.fedbook\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Steam OSX"; ja3_hash; content:"39cf5b7a13a764494de562add874f016"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028473; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".goodbird.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.goodbird\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022731; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Synology DDNS Beacon"; ja3_hash; content:"cab4a6a0c7ac91c2bd9e93cb0507ad4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028474; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".verekt.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.verekt\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"2d3854d1cbcdceece83eabd85bdcc056"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028475; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".barrout.org"; fast_pattern; pcre:"/[a-z]{4,10}\.barrout\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"a585c632a2b49be1256881fb0c16c864"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028476; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".biojart.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.biojart\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022762; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"cd7c06b9459c9cfd4af2dba5696ea930"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028477; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".benefin.org"; fast_pattern; pcre:"/[a-z]{4,10}\.benefin\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tenable Passive Vulnerability Scanner Plugin Updater"; ja3_hash; content:"24993abb75ddda7eaf0709395e47ab4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028478; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Fake AV Phone Scam Long Domain Sept 15 2016"; dns_query; content:"issuefound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2023237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - TextSecure Name Lookup (Tested: Android)"; ja3_hash; content:"97d3b9036d5a4d7f1fe33fe730f38231"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028479; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M2 Feb 29"; dns_query; content:"errorcode"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022576; rev:4; metadata:created_at 2016_03_01, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v17.0 OS X)"; ja3_hash; content:"207409c2b30e670ca50e1eac016a4831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028480; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 15"; dns_query; content:"suspiciousactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022625; rev:4; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v38.0.1 OS X), Thunderbird 38.7.0 (openSUSE Leap 42.1)"; ja3_hash; content:"4623da8b4586a8a4b86e31d689aa0c15"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028481; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M1"; dns_query; content:"errorunauthorized"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022631; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (tested: 5.0.1f - May clash with FF38)"; ja3_hash; content:"0ed768d6e3bc66af60d31315afd423f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028482; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M2"; dns_query; content:"drivercrashed"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022632; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (v4.5.3 OS X - based on FF 31.8.0)"; ja3_hash; content:"8c9a7fe81ba61dab1454e08f42f0a004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028483; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M3"; dns_query; content:"computer-is-locked"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022633; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6)"; ja3_hash; content:"5b3eee2766b876e623ba05508d269830"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028484; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 23"; dns_query; content:"unauthorized-transaction"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022648; rev:4; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6), Tor Uplink (via Tails distro)"; ja3_hash; content:"79f0842a32b359d1b683c569bd07f23b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028485; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M1"; dns_query; content:"diskissue"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022690; rev:4; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - tor uplink (tested 0.2.2.35)"; ja3_hash; content:"3b8f3ace50a7c7cd5205af210f17bb70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028486; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M3 Feb 29"; dns_query; content:"yourcomputer"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022739; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor uplink (tested: 0.2.6.10)"; ja3_hash; content:"659007d8bae74d1053f6ca4a329d25a7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028487; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M1"; dns_query; content:"unusualactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022740; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tracking something (noted with Dropbox Installer & Skype - Win 10)"; ja3_hash; content:"bc329d2a71e749067424502f1f72e13a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028488; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M2"; dns_query; content:"yoursystem"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022741; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"2a458dd9c65afbcf591cd8c2a194b804"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028489; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M3"; dns_query; content:"howcanwehelp"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022742; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"aea96546ac042f29fed1e2203a9b4c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028490; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M4"; dns_query; content:"bluescreen"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022743; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - True Key"; ja3_hash; content:"df65746370dcabc9b4f370c6e14a8156"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028491; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M5"; dns_query; content:"cloud-on"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022744; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Twitterbot/1.0"; ja3_hash; content:"edcf2fd479271286879efebd22bc8d16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028492; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M6"; dns_query; content:"call-now"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022745; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"633e9558d4b25b46e8b1c49e10faaff4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028493; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"b9b4d1f7283b5ddc59d0b8d15e386106"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028494; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d)"; dns_query; content:"v7lfogalalzc2c4d"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020953; rev:4; metadata:created_at 2015_04_21, updated_at 2019_09_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #1"; ja3_hash; content:"ac206b75530d569a0a64cec378eb4b66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028495; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish (set) 2016-09-12"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Email="; depth:6; nocase; http_client_body; content:"&Next=Next"; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.GmailPhish_1; flowbits:noalert; classtype:credential-theft; sid:2027956; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #2"; ja3_hash; content:"94feb9008aeb393e76bac31b30af6ad0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028496; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:credential-theft; sid:2020224; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #3"; ja3_hash; content:"f1b7bbeb8b79cecd728c72bba350d173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028497; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic XBALTI Phishing Landing"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 7c 20 20 20 20 5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f 20 2d 2d 3e|"; fast_pattern; classtype:social-engineering; sid:2027966; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #4"; ja3_hash; content:"3f00755c412442e642f5572ed4f2eaf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028498; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"0e580f864235348848418123f96bbaa0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028499; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"9a1c3fed39b016b8d81cc77dae70f60f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028500; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AcroCEF"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027975; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"dc76bc3a4e3bc38939dfd90d8b7214b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028501; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, former_category EXPLOIT, performance_impact Significant, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unidentified attack tool"; ja3_hash; content:"90f6c4b0577fb24a31bea0acc1fcc27d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028502; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown BrowserStack timeframe SMTP STARTLS"; ja3_hash; content:"7bc3475b771c44c764614397da069d28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028503; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP server (207.46.100.103)"; ja3_hash; content:"23a9b0eb3584e358816a123c208a2c8b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028504; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"0bb402a703d08a608bf82763b1b63313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027979; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP Server (used by Facebook)"; ja3_hash; content:"26cdef14ec70c2d6ebd943fe8069c4da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028505; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"d5169d6e19447685bf6f1af8c055d94d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027980; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown Something on Android that talks to Google Analytics"; ja3_hash; content:"335ec05b3ddb3800a8df47641c2d8e33"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028506; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Airmail 3"; ja3_hash; content:"561145462cfc7de1d6a97e93d3264786"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027981; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown TLS Scanner"; ja3_hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028507; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Alation Compose"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027982; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UNVERIFIED: May be BlueCoat proxy"; ja3_hash; content:"f6bae8bacf93b5e97e80b594ffeba859"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028508; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music"; ja3_hash; content:"6003b52942a2e1e1ea72d802d153ec08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027983; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - urlgrabber/3.10 yum/3.4.3"; ja3_hash; content:"37f691b063c10372135db21579643bf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028509; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music,Dreamweaver,Spotify"; ja3_hash; content:"eb149984fc9c44d85ed7f12c90d818be"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027984; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many desktop apps,Quip,Spotify,GitHub Desktop"; ja3_hash; content:"84071ea96fc8a60c55fc8a405e214c0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028510; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android App"; ja3_hash; content:"662fdc668dd6af994a0f903dbcf25d66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027985; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028511; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Google API Access"; ja3_hash; content:"515601c4141e718865697050a7a1765f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027986; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"618ee2509ef52bf0b8216e1564eea909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028512; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"1aab4c2c84b6979c707ed052f724734b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027987; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"799135475da362592a4be9199d258726"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028513; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"25b72c88f837567856118febcca761e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027988; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7b530a25af9016a9d12de5abc54d9e74"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028514; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"5331a12866e19199b363f6e903381498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027989; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c05de18b01a054f2f6900ffe96b3da7a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028515; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"855953256ecc8e2b6d2360aff8e5d337"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027990; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"e4d448cdfe06dc1243c1eb026c74ac9a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028516; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (a)"; ja3_hash; content:"93948924e733e9df15a3bb44404cd909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027976; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"f1c5cf087b959cec31bd6285407f689a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028517; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"85bb8aa8e5ba373906348831bdbed41a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027991; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Python/PHP/Git/dotnet/Adobe"; ja3_hash; content:"488b6b601cb141b062d4da7f524b4b22"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028518; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"99d8afeec9a4422120336ad720a5d692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027992; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Aura/Spotify/Chatty"; ja3_hash; content:"f28d34ce9e732f644de2350027d74c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028519; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AnypointStudio"; ja3_hash; content:"8e3f1bf87bc652a20de63bfd4952b16a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027993; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Spotify/Dropbox/GitHub Desktop/etc"; ja3_hash; content:"190dfb280fe3b541acc6a2e5f00690e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028520; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Push Notification System, apple.WebKit.Networking,CalendarAgent,Go for Gmail"; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027994; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Slack/Postman/Spotify/Google Chrome"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028521; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight Search (OSX)"; ja3_hash; content:"3e404f1e1b5a79e614d7543a79f3a1da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027995; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #1"; ja3_hash; content:"2d96ffb535c7c7a30cad924b9b9f2b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028522; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"69b2859aec70e8934229873fe53902fd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027996; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #2"; ja3_hash; content:"ab1fa6468096ab057291aa381d5de2b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028523; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"6b9b64bbe95ea112d02c8812fc2e7ef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027997; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Viber"; ja3_hash; content:"e0224fc1c33658f2d3d963bfb0a76a85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028524; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"e5e4c0eeb02fdcf30af8235b4de07780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027998; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VirtualBox Update Poll (tested 5.0.8 r103449)"; ja3_hash; content:"41e3681b7c8c915e33b1f80d275c19d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028525; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple SpotlightNetHelper (OSX)"; ja3_hash; content:"97827640b0c15c83379b7d71a3c2c5b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027999; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VLC"; ja3_hash; content:"81fb3e51bf3f18c5755146c28d07431b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028526; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple usbmuxd iOS socket multiplexer"; ja3_hash; content:"47e42b00af27b87721e526ff85fd2310"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028000; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Fusion / Workstation / Player Update Check 8.x-12.x"; ja3_hash; content:"cff90930827e8b0f4e5a6fcc17319954"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028527; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"5507277945374659a5b4572e1b6d9b9f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028001; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Update Check 6.x"; ja3_hash; content:"a50a861119aceb0ccc74902e8fddb618"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028528; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"f753495f2eab5155c61b760c838018f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028002; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMware vSphere Client (Tested v4.1.0)"; ja3_hash; content:"48e69b57de145720885af2894f2ab9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028529; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod/parsecd,apple.photomoments"; ja3_hash; content:"ba40fea2b2638908a3b3b482ac78d729"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028003; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - vpnkit"; ja3_hash; content:"01319090aea981dde6fc8d6ae71ead54"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028530; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"474e73aea21d1e0910f25c3e6c178535"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028004; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 1)"; ja3_hash; content:"10a686de1c41107df06c21df245e24cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028531; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"eeeb5e7485f5e10cbc39db4cfb69b264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028005; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 2)"; ja3_hash; content:"f13e6d84b915e17f76fdf4ea8c959b4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028532; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Chatter/FieldServiceApp/socialstudio"; ja3_hash; content:"63de2b6188d5694e79b678f585b13264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028006; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 3)"; ja3_hash; content:"345b5717dae9006a8bcd4cb1a5f09891"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028533; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/itunesstored"; ja3_hash; content:"7b343af1092863fdd822d6f10645abfb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028007; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator"; ja3_hash; content:"74ebac04b642a0cab032dd46e8099fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028534; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Spotify/WhatsApp/Skype/iTunes"; ja3_hash; content:"a312f9162a08eeedf7feb7a13cd7e9bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028008; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator, java,eclipse"; ja3_hash; content:"4056657a50a8a4e5cfac40ba48becfa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028535; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"1a6ef47ab8325fbb42c447048cea9167"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028009; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m (tested: 0.5.3 OS X)"; ja3_hash; content:"975ef0826e8485f2335db71873cb34c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028536; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"b677934e592ece9e09805bf36cd68d8a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028010; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 (OS X version)"; ja3_hash; content:"6b4b535249a1dcd95e3b4b6e9e572e5e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028537; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30, AppleWebKit/534.30"; ja3_hash; content:"ef323f542a99ab12d6b5348bf039b7b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028011; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)"; ja3_hash; content:"575771dbc723df24b764ac0303c19d10"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028538; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30"; ja3_hash; content:"e1e03b911a28815836d79c5cdd900a20"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028012; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Web"; ja3_hash; content:"0172e9e41a8940e6a809967e4835214a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028539; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46 Mobile/9A334"; ja3_hash; content:"04e1f90d8719caabafb76d4a7b13c984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028013; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"58d97971a14d0520c5c56caa75470948"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028540; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46, iOS AppleWebKit/534.46"; ja3_hash; content:"dc08cf4510f70bf16d4106ee22f89197"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028014; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"9ef7a86952e78eeb83590ff4d82a5538"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028541; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/535 & Ubuntu Product Search"; ja3_hash; content:"4049550d5f57eae67d958440bdc133e4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028015; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WeeChat"; ja3_hash; content:"8e1172bd5dcc4698928c7eb454a2c3de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028542; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12 or 600.1.4"; ja3_hash; content:"ef75a13be2ed7a82f16eefe6e84bc375"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028016; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wget (tested GNU Wget 1.16.1 & 1.17 on OS X)"; ja3_hash; content:"5f1d4c631ddedf942033c9ae919158b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028543; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12"; ja3_hash; content:"eaa8a172289b09a6789a415d1faac4c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028017; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wget 1.14 (openSUSE Leap 42.1)"; ja3_hash; content:"70663c6da28b3b9ac281d7b31d6b97c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028544; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AT&T Connect"; ja3_hash; content:"c5c11e6105c56fd29cc72c3ac7a2b78b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028018; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Wii-U"; ja3_hash; content:"444434ebe3f52b8453c3803bff077ebd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028545; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (git library?) (Tested v1.6.21.0)"; ja3_hash; content:"42215ee83bbf3a857a72ef42213cfbd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028019; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Win default thing a la webkit"; ja3_hash; content:"c8d1364bba308db5a4a20c65c58ffde1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028546; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (Tested v1.6.21.0)"; ja3_hash; content:"1c8a17e58c20b49e3786fc61e0533e50"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028020; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Win10 Mail Client"; ja3_hash; content:"123b8f4705d525caffa3f2b36447f481"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028547; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #1"; ja3_hash; content:"4e5e5d9fbc43697be755696191fe649a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028021; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 Native Connection"; ja3_hash; content:"aee020803d10a4d39072817184c8eedc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028548; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #2"; ja3_hash; content:"c94858c6eb06de179493b3fac847143e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028022; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #1"; ja3_hash; content:"205200cdaac61b110838556b834070d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028549; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator (Mystery 3rd) (37.0.2062.99) (OS X)"; ja3_hash; content:"58360f4f663a0f5657f415ac2f47fe1b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028023; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #2"; ja3_hash; content:"5a0fa8873e5ffe7d9385647adc8912d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028550; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator Updates"; ja3_hash; content:"5149f53b5554a31116f9d86237552ee3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028024; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Apps Store thing (unconfirmed)"; ja3_hash; content:"a7b2f0639f58f97aec151e015be1f684"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028551; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Battle.net/Dropbox"; ja3_hash; content:"fa030dbcb2e3c7141d3c2803780ee8db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028025; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Builtin Mail Client"; ja3_hash; content:"0d15924fe8f8950a3ec3a916e97c8498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028552; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - bitgo/ShapeShift"; ja3_hash; content:"0ef9ca1c10d3f186f5786e1ef3461a46"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028026; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x TLS Socket"; ja3_hash; content:"a8ee937cf82bb0972fecc23d63c9cd82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028553; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Browser (Tested BB10)"; ja3_hash; content:"add211c763889c665ae4ab675165cbc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028027; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows Watson WCEI Telemetry Gather"; ja3_hash; content:"2c14bfb3f8a2067fbc88d8345e9f97f3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028554; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Mail Client"; ja3_hash; content:"a921515f014005af03fc1e2c4c9e66ce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028028; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wineserver"; ja3_hash; content:"84607748f3887541dd60fe974a042c71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028555; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry Messenger (Android) 2"; ja3_hash; content:"4692263d4130929ae222ef50816527ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028029; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"1202a58b454f54a47d2c216567ebd4fb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028557; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry"; ja3_hash; content:"b5d42ca0e68a39d5c0a294134a21f020"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028030; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"de364c46b0dfc283b5e38c79ceae3f8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028558; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackbery Messenger (Android)"; ja3_hash; content:"32b0ae286d1612c82cad93b4880ee512"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028031; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yandex Bot, wget 1.18"; ja3_hash; content:"d83881675de3f6aacbcc0b2bae6f8923"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028559; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlueCoat Proxy"; ja3_hash; content:"5182f54f9c6e99d117d9dde3fa2b4cff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028032; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - youtube-dl 2016.06.03 (openSUSE Leap 42.1)"; ja3_hash; content:"11404429d240670cc018bed04e918b6f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028560; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlueJeans,CEPHtmlEngine"; ja3_hash; content:"cdec81515ccc75a5aa41eb3db22226e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028033; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 1 - May collide with Chrome"; ja3_hash; content:"f8f5b71e02603b283e55b50d17ede861"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028561; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Ahrefs, hola_svc"; ja3_hash; content:"5c1c89f930122bccc7a97d52f73bea2c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028034; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 2 - May collide with Chome"; ja3_hash; content:"5ae88f37a16f1b054f2edff1c8730471"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028562; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: GoogleBot"; ja3_hash; content:"a1cb2295baf199acf82d11ba4553b4a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028035; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ZwiftApp"; ja3_hash; content:"c2b4710c6888a5d47befe865c8e6fb19"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028563; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Qwant"; ja3_hash; content:"706567223fbf37d112fba2d95b8ecac3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028036; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2"; flow:established,to_client; http.header; content:"16723708fc9|0d 0a|X-CalculatedBETarget|3a 20|BY2PR06MB549.namprd06.prod.outlook.com"; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BrowserShots Script"; ja3_hash; content:"01aead19a1b1780978f732e056b183a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028037; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)"; flow:established,to_client; http.header; content:"Frontend Proxy|0d 0a|Set-Cookie|3a 20|YSC=LT4ZGGSgKoE|3b|"; fast_pattern; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Browsershots"; ja3_hash; content:"a4dc1c39a68bffec1cc7767472ac85a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028038; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin"; flow:established,to_server; content:"/Update/CC/CC.php"; startswith; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/; classtype:command-and-control; sid:2028604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family GhostMiner, performance_impact Low, signature_severity Major, updated_at 2019_09_19;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"93fbcdadc1bf98ff0e3c03e7f921edd1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028039; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor "; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0d\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"c3ca411515180e79c765dc2c3c8cea88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028040; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"15617351d807aa3145547d0ad0c976cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028041; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"34f8cac266d07bfc6bd3966e99b54d00"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028042; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (Tested: 1.7.03 on Windows 10), eclipse,JavaApplicationStub,idea"; ja3_hash; content:"8c5a50f1e833ed581e9cfc690814719a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028043; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Candy Crush (testing iOS 8.3)"; ja3_hash; content:"17a40616b856ec472714cd144471e0e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028044; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:social-engineering; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Charles/java/eclipse"; ja3_hash; content:"424008725394c634a4616b8b1f2828a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028045; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)"; ja3_hash; content:"64bb259b446fe13f66bcd62d1f0d33df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028046; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (iOS)"; ja3_hash; content:"bec8267042d5885aa3acc07b4409cafc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028047; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Possible 41.x)"; ja3_hash; content:"d54a0979516e607a1166e6efd157301c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028048; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1"; ja3_hash; content:"ac67a2d0e3bd59459c32c996b5985979"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028049; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2"; ja3_hash; content:"34dfce2bb848da7c5dafa4d475f0ba41"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028050; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3"; ja3_hash; content:"937edefedb6fe13f26d1a425ef1c15a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028051; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern:27,20; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2017784; rev:4; metadata:created_at 2013_11_27, former_category MALWARE, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4"; ja3_hash; content:"a342d14afad3a448029ec808295ccce9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028052; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.iBryte.BO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do/?event="; depth:22; fast_pattern; content:"&user_id="; distance:0; http.user_agent; content:"download manager"; reference:md5,be6363e960d9a40b8e8c5825b13645c7; classtype:pup-activity; sid:2028633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_09_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5"; ja3_hash; content:"71e74faaed87acd177bd3b47a543f476"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028053; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"f58966d34ff9488a83797b55c804724d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028236; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"1d64ab25ad6f7258581d43077147b9b1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028054; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; reference:url,doc.emergingthreats.net/2006420; classtype:pup-activity; sid:2006420; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"230018e44608686b64907360b6def678"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028055; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"dea05e8c68dfeb28003f21d22efc0aba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028056; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 10, Chrome 10.0.648.82 (Chromium Portable 9.0)"; ja3_hash; content:"62351d5ea3cd4f21f697965b10a9bbbe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028057; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 11 - 18, Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)"; ja3_hash; content:"a9da823fe77cd3df081644249edbf395"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028058; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 19 - 20, Chrome 19.0.1084.15 - 20.0.1132.57, Chrome 21.0.1180.89, Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11"; ja3_hash; content:"df4a50323dfcaf1789f72e4946a7be44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028059; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 22.0.1201.0, Chrome/22.0.1229.96"; ja3_hash; content:"3c8cb61208e191af38b1fbef4eacd502"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028060; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36"; ja3_hash; content:"1ef061c02d85b7e2654e11a9959096f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028061; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31"; ja3_hash; content:"89d37026246d4888e78e69af4f8d1147"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028062; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.0"; ja3_hash; content:"206ee819879457f7536d2614695a5029"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028063; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"76d36fc79db002baa1b5e741fcd863bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028064; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"bbc3992faa92affc0d835717ea557e99"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028065; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.0.0"; ja3_hash; content:"dc3eaee99a9221345698f8a8b2f4fc3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028066; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.1599.101"; ja3_hash; content:"53c7ed581cbaf36951559878fcec4559"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028067; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36"; ja3_hash; content:"fb8a6d2441ee9eaee8b560d48a8f59df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028068; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.63"; ja3_hash; content:"f7c4dc1d9595c27369a183a5df9f7b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028069; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"16d7ebc398d772ef9969d2ed2a15f4c0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028070; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"f3136cf565acf70dd2f98ca652f43780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028071; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.154"; ja3_hash; content:"af0ae1083ab10ac957e394c2e7ec4634"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028072; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"4807d61f519249470ebed0b633e707cf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028073; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"ef3364da4d76c98a669cb828f2e5283a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028074; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36"; ja3_hash; content:"5b348680dec77f585cfe82513213ac3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028075; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36"; ja3_hash; content:"52be6e88840d2211a243d9356550c4a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028076; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0 Safari & Mobile Safari/537.36"; ja3_hash; content:"5f775bbfc50459e900d464ca1cecd136"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028077; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0"; ja3_hash; content:"a167568462b993d5787488ece82a439a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028078; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.2062.120"; ja3_hash; content:"98652faa7e0a4d85f91e37aa6b8c0135"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028079; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 41.0.2272.89"; ja3_hash; content:"8b8322bad90e8bfbd66e664839b7a037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028080; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"aa9074aa1ff31c65d01c35b9764762b6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028081; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"de0963bc1f3a0f70096232b272774025"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028082; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 43.0.2357.132 & 45.02454.94"; ja3_hash; content:"3bb36ec17fef5d3da04ceeb6287314c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028083; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.116"; ja3_hash; content:"cd3f72760dfd5575b91213a8016c596b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028084; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.97"; ja3_hash; content:"5406c4a87aa6cbcb7fc469fee526a206"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028085; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 49.0.2623.75"; ja3_hash; content:"503fe06db7ef09b2cbd771c4e784c686"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028086; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 1"; ja3_hash; content:"bd4267e1672f9df843ada7c963490a0d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028087; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 2"; ja3_hash; content:"caeb3b546fc7469776d51f1f54a792ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028088; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.106 (test)"; ja3_hash; content:"aa84deda2a937ad225ef94161887b0cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028089; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 1"; ja3_hash; content:"473e8bad0e8e1572197be80faa1795c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028090; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 2"; ja3_hash; content:"e0b0e6c934c686fd18a5727648b3ed4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028091; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 3"; ja3_hash; content:"7ddfe8d6f8b51a90d10ab3fe2587c581"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028092; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 4"; ja3_hash; content:"bc76a4185cc9bd4c72471620e552618c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028093; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 5"; ja3_hash; content:"8e3eea71cb5a932031d90cc0fba581bc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028094; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 6"; ja3_hash; content:"653924bcb1d6fd09a048a4978574e2c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028095; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 7"; ja3_hash; content:"1ef652ecfb8e60e771a4710166afc262"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028096; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"8a8159e6abf9fe493ca87efc38855149"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028097; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"a7f2d0376cdcfde3117bf6a8359b2ab8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028098; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028099; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028100; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"94c485bca29d5392be53f2b8cf7f4304"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028101; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028102; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 61.0.3163,100(64-bit) Win10"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028103; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx) - also TextSecure Desktop"; ja3_hash; content:"cafd1f84716def1a414c688943b99faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028104; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx)"; ja3_hash; content:"62d8823f52dd8e1ba75a9a83e8748313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028105; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/30.0.1599.101"; ja3_hash; content:"c405bbbe31c0e53ac4c8448355b2af5b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028106; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/41.0.2272.89"; ja3_hash; content:"2c3221f495d5e4debbb34935e1717703"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028107; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/49.0.2623.112 WinXP"; ja3_hash; content:"248bdbc3873396b05198a7e001fbd49a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028108; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/56.0.2924.87 Linux/Charles/Google Play Music Desktop Player/Postman/Slack/other desktop programs"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028109; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/59.0.3071.115 Win10, node.js"; ja3_hash; content:"9811c1bb9f0f6835d5c13a831cca4173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028110; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:4; metadata:created_at 2010_09_29, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/60.0.3112.113 Win10, Chromium"; ja3_hash; content:"def8761e4bcaaf91d99801a22ac6f6d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028111; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"be9f1360cf52dc1f61ae025252f192a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028112; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"fc5cb0985a5f5e295163cc8ffff8a6e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028113; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client (3.1.09013)"; ja3_hash; content:"7f340e6caa1fa4c979df919227160ff6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028114; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"e7d46c98b078477c4324031e0d3b22f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028115; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"ed36017db541879619c399c95e22067d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028116; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_12, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Receiver 4.4.0.8014"; ja3_hash; content:"203157ed9f587f0cfd265061bf309823"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028117; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Viewer"; ja3_hash; content:"5ee1a653fb824db7182714897fd3b5df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028118; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Covenant Eyes"; ja3_hash; content:"a9d17f74e55dd53fcf7c234f8a240919"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028119; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - CRAWLER: facebookexternalhit/1.1"; ja3_hash; content:"111da7c75fee7fe934b35a8d88eb350a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028120; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Creative Cloud"; ja3_hash; content:"c882d9444412c00e71b643f3f54145ff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028121; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - cscan"; ja3_hash; content:"bc0608d33dc64506b42f7f5f87958f37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028122; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.22.0 on Linux)"; ja3_hash; content:"764b8952983230b0ac23dbd3741d2bb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028123; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.43.0 OS X)"; ja3_hash; content:"9f198208a855994e1b8ec82c892b7d37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028124; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)"; ja3_hash; content:"c458ae71119005c8bc26d38a215af68f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028125; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)"; ja3_hash; content:"e14d427fab707af91e4bbd0bf03076f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028126; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:4; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl"; ja3_hash; content:"f672d8f0e827ca1e704a9489b14dd316"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028127; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:5; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"; ja3_hash; content:"e3891da2a758d67ba921e5eec0b9707d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028128; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:4; metadata:created_at 2011_01_27, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Customised Postfix - Damnit Matt"; ja3_hash; content:"f865de0807a17e9cb797e618162356db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028129; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dashlane"; ja3_hash; content:"0217dc3bd88c696cc15374db0d848de4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028130; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:4; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.15)"; ja3_hash; content:"f7baf7d9da27449e823a4003e14cd623"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028131; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.20+)"; ja3_hash; content:"ec2e8760003621ca668b5f03e616cd57"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028132; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Deezer"; ja3_hash; content:"4fcd1770545298cc119865aeba81daba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028133; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (installer?)"; ja3_hash; content:"ede63467191e9a12300e252c41ca9004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028134; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)"; ja3_hash; content:"653d342bee5001569662198a672746af"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028135; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (Win 8.1)"; ja3_hash; content:"482a11a20da1629b77aaadf640478d13"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028136; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"21ed4c7ee1daeb84c72199ceaf119b24"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028137; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"30b168d81e38d9a55c474c1e30eaf9f9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028138; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"f8e42933ba5b3990858ba621489047e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028139; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Setup (tested: 3.10.11 on Win 8.x)"; ja3_hash; content:"2f8363419a9fb80ad46b380778d8eaf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028140; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Splash Pages (Win 10)"; ja3_hash; content:"c1e8322501b4d56d484b50bd7273e798"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028141; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Windows"; ja3_hash; content:"6c141f98cd79d8b505123e555c1c3119"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028142; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"054c9f9d304b7a2add3d6fa75bc20ae4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028143; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"36bc8c7e10647bbfea3f740e7f05c0f1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028144; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dynalist/Postman/Google Chrome/Franz/GOG Galaxy"; ja3_hash; content:"4c40bf8baa7c301c5dba8a20bc4119e2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028145; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"0411bbb5ff27ad46e1874a7a8beedacb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028146; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:4; metadata:created_at 2011_02_02, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"4990c9da08f44a01ecd7ddc3837caf25"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028147; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:4; metadata:created_at 2011_02_02, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"fa106fe5beec443af7e211ef8902e7e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028148; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:4; metadata:created_at 2011_02_02, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse/java"; ja3_hash; content:"d74778f454e2b047e030b291b94dd698"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028149; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:4; metadata:created_at 2011_02_02, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Facebook iOS"; ja3_hash; content:"576a1288426703ae0008c42f95499690"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028150; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:4; metadata:created_at 2011_02_02, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Feedly/1.0, java,eclipse,Cyberduck"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028151; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - fetchmail 6.3.26 (openSUSE Leap 42.1)"; ja3_hash; content:"a698fe6c52d210e3376bb6667729d4d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028152; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_07, former_category POLICY, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FieldServiceApp/socialstudio"; ja3_hash; content:"1fbe5382f9d8430fe921df747c46d95f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028153; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 24.0 Iceweasel24.3.0"; ja3_hash; content:"3d99dda4f6992b35fdb16d7ce1b6ccba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028154; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 25.0"; ja3_hash; content:"c57914fadb301a73e712378023b4b177"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028155; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 26.0, Firefox/26.0"; ja3_hash; content:"755cdaa3496eb8728247a639dee17aad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028156; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:command-and-control; sid:2018423; rev:3; metadata:created_at 2014_04_28, former_category MALWARE, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 27.0"; ja3_hash; content:"ff9223b5c9a5d44a8a423833751fa158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028157; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.0.19"; ja3_hash; content:"df9bedd5713fe0cc2e9184d7c16a5913"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028158; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:exploit-kit; sid:2020427; rev:3; metadata:created_at 2015_02_16, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.5 - 3.6, Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14"; ja3_hash; content:"4a9bd55341e1ffe6fedb06ad4d3010a0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028159; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020563; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 40.0.3 (tested Windows 8), Firefox/37.0"; ja3_hash; content:"2872afed8370401ec6fe92acb53e5301"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028160; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"46129449560e5731dc9c5106f111a3db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028161; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"d06b3234356cb3df0983fc8dd02ece68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028162; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:exploit-kit; sid:2022962; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.0 2"; ja3_hash; content:"05ece02fb23acf2efbfff54ce4099a45"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028163; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)"; ja3_hash; content:"aa907c2c4720b6f54cd8b67a14cef0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028164; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (dev edition)"; ja3_hash; content:"f586111542f330901d9a3885a9c821b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028165; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled - I think websockets)"; ja3_hash; content:"1996e434b11323df4e87f8fe0e702209"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028166; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phishing Landing Aug 11 2015"; flow:to_client,established; file_data; content:"<title>Email Service Provider</title>"; nocase; fast_pattern:17,20; content:"<title>Signin</title>"; nocase; distance:0; classtype:social-engineering; sid:2025665; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled)"; ja3_hash; content:"8ed0a2cdcad81fc29313910eb94941d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028167; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/vulnerabilities---threats/heap-spraying-attackers-latest-weapon-of-choice/d/d-id/1132487; classtype:shellcode-detect; sid:2012252; rev:5; metadata:created_at 2011_02_02, former_category SHELLCODE, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 49.0a2 Developer TLS 1.3 enabled"; ja3_hash; content:"8b18c5b0c54cba1ffb2438fe24792b63"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028168; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 63.0"; ja3_hash; content:"b20b44b18b853ef29ab773e921b03422"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028169; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; endswith; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:3; metadata:created_at 2013_03_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0a81538cf247c104edb677bdb8902ed5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028170; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; endswith; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3; metadata:created_at 2013_04_18, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0b6592fd91d4843c823b75e49b43838d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028171; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; distance:0; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:3; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"1c15aca4a38bad90f9c40678f6aface9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028172; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; endswith; classtype:command-and-control; sid:2021057; rev:2; metadata:created_at 2015_05_05, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"5163bc7c08f57077bc652ec370459c2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028173; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; distance:0; endswith; classtype:trojan-activity; sid:2022707; rev:2; metadata:created_at 2016_04_05, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"a88f1426c4603f2a8cd8bb41e875cb75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028174; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; distance:0; endswith; classtype:command-and-control; sid:2022709; rev:2; metadata:created_at 2016_04_05, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"b03910cc6de801d2fcfa0c3b9f397df4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028175; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; distance:0; endswith; classtype:command-and-control; sid:2022710; rev:2; metadata:created_at 2016_04_05, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"bfcc1a3891601edb4f137ab7ab25b840"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028176; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"f15797a734d0b4f171a86fd35c9a5e43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028177; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/10.0.11esrpre Iceape/2.7.12"; ja3_hash; content:"55f2bd38d462d74fb6bb72d3630aae16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028178; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; endswith; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:command-and-control; sid:2023429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family Hworm, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/13.0-25.0"; ja3_hash; content:"85c420ab089dac5025034444789a8fb5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028179; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/14.0.1 Linux"; ja3_hash; content:"847b0c334fd0f6f85457054fabff3145"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028180; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern:4,20; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; endswith; classtype:trojan-activity; sid:2024213; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/25.0"; ja3_hash; content:"e98db583389531a37f2fe8d251f0f7ae"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028181; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/27.0-32.0, IceWeasel 31.8.0"; ja3_hash; content:"cc9bcf019b339c01d200515d1cb39092"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028182; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; distance:0; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/28.0-30.0"; ja3_hash; content:"45d22e6403f053bfb2cc223755588533"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028183; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; distance:0; nocase; endswith; classtype:trojan-activity; sid:2024790; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, malware_family BlackStealer, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/31 Linux, firefox"; ja3_hash; content:"ce694315cbb81ce95e6ae4ae8cbafde6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028184; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"zugzwang.me"; nocase; endswith; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/32.0"; ja3_hash; content:"8df37d4e7430e2d9a291ae9ee500a1a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028185; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; endswith; threshold: type both, track by_src, count 10, seconds 30; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"5ba6ed04b246c96c6839e0268a8b826f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028186; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; distance:0; endswith; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:2; metadata:attack_target Client_and_Server, created_at 2018_03_13, deployment Datacenter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"c5392af25feaf95cfefe858abd01c86b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028187; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"9250f97ba65d86e7b0e60164c820d91a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028188; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"ab834ac5135f2204d473878821979cea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028189; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category EXPLOIT, malware_family ETERNALBLUE, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/37.0, Google Chrome 45.0.2454.85 or FireFox 41-42"; ja3_hash; content:"514058a66606ae870bcc670e95ca7e68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028190; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category MALWARE, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/38 Linux"; ja3_hash; content:"edf844351bc867631b5ebceda318669b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028191; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; distance:0; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026581; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/40.1 Windows 7"; ja3_hash; content:"05af1f5ca1b87cc9cc9b25185115607d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028192; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/45.0 Linux, firefox,thunderbird"; ja3_hash; content:"07b4162d4db57554961824a21c4a0fde"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028193; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/51.0 Windows 10, firefox,thunderbird"; ja3_hash; content:"61d0d709fe7ac199ef4b2c52bc8cef75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028194; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; distance:0; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52 Linux"; ja3_hash; content:"4e66f5ad78f3d9ad8d5c7c88d138db43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028195; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; distance:0; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52"; ja3_hash; content:"ca0f3f4c08cbd372720beb1af7d2721f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028196; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55 Windows 10"; ja3_hash; content:"1885aa9927f99ed538ed895d9335995c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028197; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize:<300; content:"|b0 1c 03 d4 90 38 41 d4 2a b4 80 7f|"; depth:12; content:"|04 00|"; distance:0; endswith; reference:url,medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a; classtype:trojan-activity; sid:2027361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag APT, tag Winnti, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55/56 Mac/Win/Linux"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028198; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; endswith; reference:url,www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1; classtype:command-and-control; sid:2027366; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/56.0 Windows 10"; ja3_hash; content:"be1a7de97ea176604a3c70622189d78d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028199; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC USR Init Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 12 01 00 00 2d 55 53 52|"; depth:16; content:"|00|"; distance:0; endswith;metadata:created_at 2019_08_09; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027831; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/6.0.1 - 12.0"; ja3_hash; content:"2aef69b4ba1938c3a400de4188743185"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028200; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC BOT Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 13 01 00 00 2d 42 4f 54|"; depth:16; content:"|00|"; distance:0; endswith;metadata:created_at 2019_08_09; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027832; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Flux"; ja3_hash; content:"504ecb2d3e5e83a179316f098dadbaeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028201; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1 CnC Checkin"; flow:established,to_server; dsize:7; content:"ilove26"; depth:7; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027834; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Franz/Google Chrome/Kiwi/Spotify/nwjs/Slack"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028202; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 CnC Checkin"; flow:established,to_server; dsize:12; content:"aWxvdmUyNg=="; depth:12; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027835; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) #1"; ja3_hash; content:"a6090977601dc1345948f101e46d5759"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028203; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin"; flow:established,to_server; dsize:24; content:"d3ec7975f76aefdbfcdc3c3e"; depth:24; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027836; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) or DropBox"; ja3_hash; content:"f1b9f86645cb839bd6992e848d943898"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028204; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|q|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022780; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Fuze"; ja3_hash; content:"900c1fa84b4ea86537e1d148ee16eae8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028205; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|q|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022781; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"107144b88827da5da9ed42d8776ccdc5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028206; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|q|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022782; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"c46941d4de99445aef6b497679474cf4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028207; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|r|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022783; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - git commandline (tested: 1.9. Linux)"; ja3_hash; content:"3e765b7a69050906e5e48d020921b98e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028208; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|r|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022784; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)"; ja3_hash; content:"d0df7f7c9ca173059b2cd17ce5c2e5cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028209; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|r|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022785; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GitHub Desktop (tested build 216 on OSX)"; ja3_hash; content:"f8c50bbee59c526ca66da05f3dc4b735"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028210; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|g|01|r|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022786; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Glympse Location Tracking??"; ja3_hash; content:"c5cbafbbcf53dfbfc2a803ca3833fce2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028211; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|v|00 00 05 00 01|"; distance:0; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022787; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GMail SMTP Relay"; ja3_hash; content:"a3b2fe29619fdcb7a9422b8fddb37a67"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028212; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogalaxyzone.com"; dns_query; content:"photogalaxyzone.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016606; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GNU Wget 1.16.1 built on darwin14.0.0"; ja3_hash; content:"94b94048a438e77122fc4eee3a6a4a26"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028213; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insightpublicaffairs.org"; dns_query; content:"insightpublicaffairs.org"; depth:24; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016620; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GNUTLS Commandline"; ja3_hash; content:"0267b752d6a8b5fd195096b41ea5839c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028214; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain seyuieyahooapis.com"; dns_query; content:"seyuieyahooapis.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016624; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - golang (tested: 1.4.1)"; ja3_hash; content:"f11b0fca6c063aa69d8d39e0d68b6178"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028215; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dailynewsjustin.com"; dns_query; content:"dailynewsjustin.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016627; rev:4; metadata:created_at 2013_03_20, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Calendar Agent (Tested on OSX)"; ja3_hash; content:"07ef3a7f5f8ffef08affb186284f2af4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028216; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hi-tecsolutions.org"; dns_query; content:"hi-tecsolutions.org"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016628; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (43.0.2357.130 64-bit OSX)"; ja3_hash; content:"abe568de919448adcd756aea9a136aea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028217; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"njdyqrbioh.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018270; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (Android)"; ja3_hash; content:"400961c8161ba7661a7029d3f7e8bb95"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028218; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"vqvsaergek.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018265; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"072c0469aa4f2f597bb38bcc17095c51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028219; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"pbcgmmympm.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018266; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"696cd0c8c241e19e3d6336c3d3d9e2e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028220; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"tyixfhsfax.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018268; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"c40b51e2a59425b6a2b500d569962a60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028221; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qgjhmerjec.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018269; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 45.0.2454.101"; ja3_hash; content:"e8aabc4fe1fc8d47c648d37b2df7485f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028222; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"btloxcyrok.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018271; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71 m"; ja3_hash; content:"7ea3e17d09294aee8425ae05588f0c66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028223; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"afwyhvinmw.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018272; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71"; ja3_hash; content:"a9030ea4837810ce89fb8a3d39ca12ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028224; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"wyfxanxjeu.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018273; rev:11; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"0e46737668fe75092919ee047a0b5945"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028225; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"39fa85654105398ee7ef6a3a1c81d685"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028226; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (regicsgf.net)"; dns_query; content:"regicsgf.net"; depth:12; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:7; metadata:created_at 2012_04_16, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"4ba7b7022f5f5e1e500bb19199d8b1a4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028227; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.gowin7.com"; dns_query; content:".gowin7.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:6; metadata:created_at 2012_08_09, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"002205d0f96c37c5e660b9f041363c11"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028228; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.secuurity.net"; dns_query; content:".secuurity.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:6; metadata:created_at 2012_08_09, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"073eede15b2a5a0302d823ecbd5ad15b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028229; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.dataspotlight.net"; dns_query; content:".dataspotlight.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:7; metadata:created_at 2012_08_09, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"0b61c673ee71fe9ee725bd687c455809"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028230; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.datajunction.org"; dns_query; content:".datajunction.org"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:6; metadata:created_at 2012_08_13, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"6cd1b944f5885e2cfbe98a840b75eeb8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028231; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup hotfix-update.com"; dns_query; content:"hotfix-update.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019570; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b4f4e6164f938870486578536fc1ffce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028232; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas haarmannsi.cz"; dns_query; content:"haarmannsi.cz"; depth:13; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:4; metadata:created_at 2014_12_10, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028233; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas sanygroup.co.uk"; dns_query; content:"sanygroup.co.uk"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:5; metadata:created_at 2014_12_10, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"baaac9b6bf25ad098115c71c59d29e51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028234; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (casinoroyal7.ru)"; dns_query; content:"casinoroyal7.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"da949afd9bd6df820730f8f171584a71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028235; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; dns_query; content:"cryptdomain.dp.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"fd6314b03413399e4f23d1524d206692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028237; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru)"; dns_query; content:"it-newsblog.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome/Slack"; ja3_hash; content:"5498cef2cca704eb01cf2041cc1089c1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028238; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (js-static.ru)"; dns_query; content:"js-static.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)"; ja3_hash; content:"c1741dd3d2eec548df0bcd89e08fa431"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028239; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com)"; dns_query; content:"lagosadventures.com"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive File Stream"; ja3_hash; content:"d27fb8deca6e3b9739db3fda2b229fe3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028240; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru)"; dns_query; content:"lebanonwarrior.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth Linux 7.1.4.1529"; ja3_hash; content:"b16614e71d26ba348c94bfc8e33b1767"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028241; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net)"; dns_query; content:"nigerianbrothers.net"; depth:20; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth"; ja3_hash; content:"ae340571b4fd0755c4a0821b18d8fa93"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028242; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net)"; dns_query; content:"princeofnigeria.net"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Mail server starttls connection"; ja3_hash; content:"9af622c65a17a0bf90d6e9504be96a43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028243; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (royalgourp.org)"; dns_query; content:"royalgourp.org"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Photos Backup"; ja3_hash; content:"f059212ce3de94b1e8253a7522cb1b44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028244; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru)"; dns_query; content:"tweeter-stat.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GoogleBot"; ja3_hash; content:"50dfee94717e9640b1c384e5bd78e61e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028245; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy1-1-1.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - gramblr"; ja3_hash; content:"fd10cc8cce9493a966c57249e074755f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028246; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy2-2-2.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)"; ja3_hash; content:"e76ac6872939f6ebfdf75f1ea73b4daf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028247; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy3-3-3.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - HipChat"; ja3_hash; content:"d9b07b9095590f4ff910ceee7b6af88a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028248; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy4-4-4.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"3e860202fc555b939e83e7a7ab518c38"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028249; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy5-5-5.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"54328bd36c14bd82ddaa0c04b25ed9ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028250; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (blackblog.chatnook.com)"; dns_query; content:"blackblog.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"56ac3a0bef0824c49e4b569941937088"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028251; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (bulldog.toh.info)"; dns_query; content:"bulldog.toh.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"8bd59c4b7f3193db80fd64318429bcec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028252; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (cew58e.xxxy.info)"; dns_query; content:"cew58e.xxxy.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"d1f9f9b224387d2597f02095fcec96d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028253; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (dynamic.ddns.mobi)"; dns_query; content:"dynamic.ddns.mobi"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"ff1040ba1e3d235855ef0d7cd9237fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028254; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (football.mrbasic.com)"; dns_query; content:"football.mrbasic.com"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - HTTRack"; ja3_hash; content:"a1ec6fd012b9ee6f84c50339c4205270"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028255; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (gjjb.flnet.org)"; dns_query; content:"gjjb.flnet.org"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IDSyncDaemon"; ja3_hash; content:"5af143afdbf58ec11ab3b3d53dd4e5e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028256; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (imirnov.ddns.info)"; dns_query; content:"imirnov.ddns.info"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11 Win10"; ja3_hash; content:"fee8ec956f324c71e58a8c0baf7223ef"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028257; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (jingnan88.chatnook.com)"; dns_query; content:"jingnan88.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"4cafc7a0acf83a49317ca199b2f25c82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028258; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (lehnjb.epac.to)"; dns_query; content:"lehnjb.epac.to"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"78273d33877a36c0c30e3fb7578ee9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028259; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.25u.com)"; dns_query; content:"logoff.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - In all the malware samples - Java updater perhaps, java"; ja3_hash; content:"a61299f9b501adcf680b9275d79d4ac6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028260; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ls910329.my03.com)"; dns_query; content:"ls910329.my03.com"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Inbox OSX"; ja3_hash; content:"d06acbe8ac31e753f40600a9d6717cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028261; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mailru.25u.com)"; dns_query; content:"mailru.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - inoreader.com-like FeedFetcher-Google, inoreader.com"; ja3_hash; content:"3ca5d63fa122552463772d3e87d276f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028262; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (Markshell.etowns.net)"; dns_query; content:"Markshell.etowns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11 .0.9600.1731.(Win 8.1)"; ja3_hash; content:"a6776199188c09f5124b46b895772fa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028263; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mydear.ddns.info)"; dns_query; content:"mydear.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.17959"; ja3_hash; content:"a264c0bb146b2fade4410bcd61744b69"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028264; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (nazgul.zyns.com)"; dns_query; content:"nazgul.zyns.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check"; ja3_hash; content:"d54b3eb800cbeccf99fd5d5cdcd7b5b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028265; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newdyndns.scieron.com)"; dns_query; content:"newdyndns.scieron.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iOS AppleWebKit/536.26"; ja3_hash; content:"06d930b072bf052b10d0a9eea1554f60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028266; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iOS Mail App (tested: iOS 9.3.3)"; ja3_hash; content:"99204897b101b15f87e9b07f67453f4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028267; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (photocard.4irc.com)"; dns_query; content:"photocard.4irc.com"; depth:18; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iPad CPU OS 9_3_5 Safari 601.1 Used by many programs - apple.WebKit.Networking"; ja3_hash; content:"a9aecaa66ad9c6cfe1c361da31768506"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028268; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (pricetag.deaftone.com)"; dns_query; content:"pricetag.deaftone.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iPhone OS 10_3_3 Safari 602.1, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7e72698146290dd68239f788a452e7d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028269; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (rubberduck.gotgeeks.com)"; dns_query; content:"rubberduck.gotgeeks.com"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #1"; ja3_hash; content:"c6ecc5ba2a6ab724a7430fa4890d957d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028270; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (shutdown.25u.com)"; dns_query; content:"shutdown.25u.com"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #2"; ja3_hash; content:"c07295da5465d5705a38f044e53ef7c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028271; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sorry.ns2.name)"; dns_query; content:"sorry.ns2.name"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Java 8U91 Update Check, Windows Java Plugin (tested: v8 Update 60), BurpSuite Free (Tested: 1.7.03 on Windows 10), java,studio,eclipse"; ja3_hash; content:"2db6873021f2a95daa7de0d93a1d1bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028272; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sskill.b0ne.com)"; dns_query; content:"sskill.b0ne.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"093081b45872912be9a1f2a8163fe041"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028273; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-First.flnet.org)"; dns_query; content:"text-First.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"2080bf56cb87e64303e27fcd781e7efd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028274; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (uudog.4pu.com)"; dns_query; content:"uudog.4pu.com"; depth:13; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"225a24b45f0f1adbc2e245d4624c6e08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028275; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (will-smith.dtdns.net)"; dns_query; content:"will-smith.dtdns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3afe1fb5976d0999abe833b14b7d6485"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028276; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ndcinformation.acmetoy.com)"; dns_query; content:"ndcinformation.acmetoy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3b844830bfbb12eb5d2f8dc281d349a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028277; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (service.authorizeddns.net)"; dns_query; content:"service.authorizeddns.net"; depth:25; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"550628650380ff418de25d3d890e836e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028278; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-first.trickip.org)"; dns_query; content:"text-first.trickip.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5b270b309ad8c6478586a15dece20a88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028279; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; dns_query; content:"boltotor.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5d7abe53ae15b4272a34f10431e06bf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028280; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; dns_query; content:"bonytor2.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"7c7a68b96d2aab15d678497a12119f4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028281; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; dns_query; content:"speecostor.com"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"88afa0dea1608e28f50acbad32d7f195"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028282; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (expert.4irc.com)"; dns_query; content:"expert.4irc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:5; metadata:created_at 2015_01_22, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"8ce6933b8c12ce931ca238e9420cc5dd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028283; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (msupdate.ath.cx)"; dns_query; content:"msupdate.ath.cx"; depth:15; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"a9fead344bf3ac09f62df3cd9b22c268"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028284; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; dns_query; content:"karpeskmon.dyndns.org"; depth:21; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java/eclipse/STS"; ja3_hash; content:"028563cffc7a3a2e32090aee0294d636"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028285; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; dns_query; content:"isaserver.minrex.gov.cu"; depth:23; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java/JavaApplicationStub"; ja3_hash; content:"5f9b53f0d39dc9d940a3b5568fe5f0bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028286; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (operaa.net)"; dns_query; content:"operaa.net"; depth:10; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:4; metadata:created_at 2015_10_08, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - JavaApplicationStub"; ja3_hash; content:"c376061f96329e1020865a1dc726927d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028287; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; dns_query; content:"appeur.gnway.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:4; metadata:created_at 2015_10_16, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - K9 Mail (Android)"; ja3_hash; content:"ced7418dee422dd70d2a6f42bb042432"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028288; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (mail.cbppnews.com)"; dns_query; content:"mail.cbppnews.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:4; metadata:created_at 2015_12_17, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Kindle/stack/nextcloud"; ja3_hash; content:"e516ad69a423f8e0407307aa7bfd6344"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028289; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (kugo.f3322.net)"; dns_query; content:"kugo.f3322.net"; depth:14; nocase; endswith; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:5; metadata:created_at 2016_01_08, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 (openSUSE Leap 42.1) 2"; ja3_hash; content:"8194818a46f5533268472f2167ffec70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028290; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (yk.ftwxw.com)"; dns_query; content:"yk.ftwxw.com"; depth:12; nocase; endswith; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:5; metadata:created_at 2016_01_08, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1"; ja3_hash; content:"78253eb48a1431a4bbbe6bb4358464ac"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028291; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 2"; dns_query; content:"aaa123.spdns.de"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.8, OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)"; ja3_hash; content:"0e0b798d0208ad365eec733b29da92a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028292; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 3"; dns_query; content:"accounts.yourturbe.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LeagueClientUx"; ja3_hash; content:"3959d0a1344896e9fb5c0564ca0a2956"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028293; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 4"; dns_query; content:"account.websurprisemail.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"0fe51fa93812c2ebb50a655222a57bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028294; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 5"; dns_query; content:"addi.apple.cloudns.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"2e094913d88f0ad8dc69447cb7d2ce65"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028295; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 7"; dns_query; content:"apple.lenovositegroup.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LogMeIn Client"; ja3_hash; content:"193349d34561d1d5d1a270172eb2d97e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028296; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 8"; dns_query; content:"bailee.alanna.cloudns.biz"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mail app iOS"; ja3_hash; content:"0cbbafcdaf63cbf1e490c4a2d903f24b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028297; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)"; ja3_hash; content:"fc5574de96793b73355ca9e555748225"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028298; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 10"; dns_query; content:"bits.githubs.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Maxthon"; ja3_hash; content:"d732ca39155f38942f90e9fc2b0f97f7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028299; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 11"; dns_query; content:"book.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Messenger/Jumpshare"; ja3_hash; content:"c9dbeed362a32f9a50a26f4d9b32bbd8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028300; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 12"; dns_query; content:"clean.popqueen.cloudns.org"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Smartscreen"; ja3_hash; content:"bedb7e0ff43a24272eb0a41993c65faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028305; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 13"; dns_query; content:"desk.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P"; ja3_hash; content:"bff2c7b5c666331bfe9afacefd1bdb51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028306; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 14"; dns_query; content:"detail43.myfirewall.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Windows Socket (Tested: Windows 10)"; ja3_hash; content:"48cf5fb702315efbfc88ee3c8c94c6cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028307; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 18"; dns_query; content:"economy.spdns.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mj12bot.com"; ja3_hash; content:"11e1137464a4343105031631d470cd92"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028310; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 19"; dns_query; content:"eemete.freetcp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mobile Safari/537.35+ BB10"; ja3_hash; content:"87c6dda19108d68e526a72d9ae09fb9e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028311; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 21"; dns_query; content:"firewallupdate.firewall-gateway.net"; depth:35; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mono-sgen/Syncplicity/Axure RP 8/Amazon Drive"; ja3_hash; content:"6acb250ada693067812c3335705dae79"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028312; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 22"; dns_query; content:"fish.seafood.cloudns.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Sync Services (Android)"; ja3_hash; content:"d65ddade944f9acfe4052b2c9435eb85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028313; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 23"; dns_query; content:"ftp112.lenta.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 31.5.0)"; ja3_hash; content:"c2116e5bb14394aafbefe12ade9bd8ab"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028314; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 28"; dns_query; content:"mail.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 38.3.0), ThunderBird (v38.0.1 OS X)"; ja3_hash; content:"6fd163150b060dd7d07add280f42f4ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028315; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 29"; dns_query; content:"mareva.catherine.cloudns.us"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla/4.0 MSIE 6.0 or MSIE 7.0 User-Agent"; ja3_hash; content:"de350869b8c85de67a350c8d186f11e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028316; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 30"; dns_query; content:"mm.lenovositegroup.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"5bf43fbca3454853c26df6d996954aca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028317; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 31"; dns_query; content:"muslim.islamhood.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"888ecd3b5821a497195932b0338f2f12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028318; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 32"; dns_query; content:"news.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"8d2e46c9e2b1ee9b1503cab4905cb3e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028319; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 35"; dns_query; content:"p.klark.cloudns.in"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Office Components"; ja3_hash; content:"f66b0314f269695fe3528ef39a27c158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028320; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 36"; dns_query; content:"ppcc.vasilevich.cloudns.info"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0"; ja3_hash; content:"2201d8e006f8f005a6b415f61e677532"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028321; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 37"; dns_query; content:"press.ufoneconference.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0)"; ja3_hash; content:"7b3b37883b5e80065b35f27888ed2b04"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028322; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 38"; dns_query; content:"qq.yourturbe.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 8.0 & 9.0 Trident/5.0)"; ja3_hash; content:"2baf01616e930d378df97576e2686df3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028323; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 39"; dns_query; content:"sys.firewall-gateway.net"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mutt (tested: 1.5.23 OSX)"; ja3_hash; content:"dc7c914e1817944435dd6b82a8495fbb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028324; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 40"; dns_query; content:"vip.yahoo.cloudns.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mutt"; ja3_hash; content:"6761a36cfa692fcd3bc7d570b23cc168"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028325; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 43"; dns_query; content:"www.angleegg.xxxy.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - NetFlix App on AppleTV (possibly others also)"; ja3_hash; content:"146c6a6537ba4cc22d874bf8ff346144"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028326; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 48"; dns_query; content:"www.uyghuri.MrFace.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node-webkit/Kindle"; ja3_hash; content:"3ee4aaac7147ff2b80ada31686db660c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028330; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 49"; dns_query; content:"youturbe.co.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node.js"; ja3_hash; content:"641df9d6dbe7fdb74f70c8ad93def8cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028331; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 50"; dns_query; content:"yycc.mrbonus.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node.js/Postman/WhatsApp"; ja3_hash; content:"106ecbd3d14b4dc6e413494263720afe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028332; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns_query; content:"tally.myfirewall.org"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:4; metadata:created_at 2016_03_10, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Non-Specific Microsoft Socket"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028333; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns_query; content:"accountgoogle.firewall-gateway.com"; depth:34; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:5; metadata:created_at 2016_03_10, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - NVIDEA GeForce Experience, Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)"; ja3_hash; content:"4025f224557638ee81afc4f272fd7577"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028334; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns_query; content:"filegoogle.firewall-gateway.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:5; metadata:created_at 2016_03_10, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - nwjs/Chromium"; ja3_hash; content:"49de9b1c7e60bd3b8e1d4f7a49ba362e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028335; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; dns_query; content:"spl.noip.me"; depth:11; nocase; endswith; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:4; metadata:created_at 2016_04_19, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - One Drive"; ja3_hash; content:"388a4049af7e631f8d36eb0f909de65a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028336; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; dns_query; content:"leeh0m.org"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.01"; ja3_hash; content:"a35c1457421bcfaf5edaccb910bfea1d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028337; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; dns_query; content:"ur232dkkwpdkwp.xyz"; depth:18; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:command-and-control; sid:2022831; rev:4; metadata:created_at 2016_05_19, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)"; ja3_hash; content:"07aa6d7cac645c8845d6e96503f7d985"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028338; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_19, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)"; ja3_hash; content:"6fffa2be612102d25dbed5f433b8238c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028339; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 10.53  10.60  11.61  11.64  12.02, Presto 2.5.24  2.6.30  2.10.229  2.10.289"; ja3_hash; content:"4e6f7f036fb2b05a50ee8a686b1176a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028340; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; dns_query; content:"adjust-local-settings.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 11.11  11.52, Presto 2.8.131  2.9.168"; ja3_hash; content:"ceee08c3603b53be80c8afdc98babdd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028341; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bbc-africa .com)"; dns_query; content:"bbc-africa.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 12.14 - 12.16, Presto 2.12.388"; ja3_hash; content:"561271bdcbfe68504ce78b38c957eef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028342; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; dns_query; content:"checkinonlinehere.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:command-and-control; sid:2023104; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category MALWARE, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 (X11 Linux x86_64 U en) Presto/2.6.30 Version/10.60"; ja3_hash; content:"8b475d6105c72827a234fbd47e25b0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028343; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (googleplay-store .com)"; dns_query; content:"googleplay-store.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.229 Version/11.62"; ja3_hash; content:"44f37c3ceccb551271bfe0ba6d39426c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028344; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; dns_query; content:"turkeynewsupdates.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 & Presto/2.10.229"; ja3_hash; content:"a16170ff03466c8ee703dd71feda9bfe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028345; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (unonoticias .net)"; dns_query; content:"unonoticias.net"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 Version/12.00"; ja3_hash; content:"b237ac4bcc16c142168df03a871677bd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028346; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; dns_query; content:".s3clm4lufbmfhmeb"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2023154; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"07715901e2c6fe4c45e7c42587847d5d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028347; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; dns_query; content:"winmeif.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"329ff4616732b84de926caa7fd6777b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028348; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; dns_query; content:"samsung.ddns.me"; depth:15; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OS X WebSockets"; ja3_hash; content:"43bb6a18756587426681e4964e5ea4bf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028349; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; dns_query; content:"gtldsfs.com "; depth:12; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 1"; ja3_hash; content:"3b6da2971936ac24457616e8ad46f362"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028350; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; dns_query; content:"cdnfastnetwork.com"; depth:18; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 2"; ja3_hash; content:"95baa3d2068d8c8da71990a353cf8453"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028351; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Outlook 2007 (Win 8.1)"; ja3_hash; content:"53eb89fe6147474039c1162e4d9d3dc0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028352; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns_query; content:"aterdunst.com"; depth:13; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023330; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - p4v/owncloud"; ja3_hash; content:"38cbe70b308f42da7c9980c0e1c89656"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028353; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; dns_query; content:"webmail.duia.in"; depth:15; nocase; endswith; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, malware_family Ceatrg, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PaleMoon Browser"; ja3_hash; content:"d82cbe0b93f2b02d490a14f6bc1d421a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028354; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"vmdefmnsndoj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - parsecd/apple.geod/apple.photomoments/photoanalysisd/FreedomProxy"; ja3_hash; content:"62448833d8230241227c03b7d441e31b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028355; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"lvfjcwwobycj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - php script (tested 5.5.27)"; ja3_hash; content:"16765fe48127809dc0ca406769c9391e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028356; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"qjqubpciajoc.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pidgin (tested 2.10.11)"; ja3_hash; content:"b74f9ecf158e0575101c16c5265a85b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028357; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"exvdaajegjur.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pocket/Slack/Duo (Android)"; ja3_hash; content:"6ea7cfa450ce959818178b420f59fec4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028358; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.online"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Polycom IP Phone Directory Lookup"; ja3_hash; content:"9e41b6bf545347abccf0dc8fd76083a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028359; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin"; flow:established,to_server; content:"Clientx|2c 20|Version="; fast_pattern; content:"ProClient.Data"; distance:0; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.support"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin Response"; flow:established,to_client; content:"|2c 20|Version="; content:"BlackRAT.Data"; distance:0; fast_pattern; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"nympompksmfx.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - postbox-bin"; ja3_hash; content:"e846898acc767ebeb2b4388e58a968d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028404; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"xpknpxmywqsrhe.online"; depth:21; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Postfix with StartTLS"; ja3_hash; content:"26fa3da4032424ab61dc9be62c8e3ed0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028405; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"binpt.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #1 & Apteligent"; ja3_hash; content:"ef48bf8b2ccaab35642fd0a9f1bbe831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028406; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; dns_query; content:"srv601.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #2"; ja3_hash; content:"8cc24a6ff485c62e3eb213d2ca61cf12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028407; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pusherapp API"; ja3_hash; content:"12ad03cb3faa2748e92c9a38faab949f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028408; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; dns_query; content:"hostgatero.ddns.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - py2app application (including box.net & google drive clients)"; ja3_hash; content:"ba502b2f5d64ac3d1d54646c0d6dd4dc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028409; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023833; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Python Requests Library 2.4.3"; ja3_hash; content:"c398c55518355639c5a866c15784f969"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028410; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64"; ja3_hash; content:"1a9fb04aa1b4439666672be8661f9386"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028411; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023835; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Qsync Client"; ja3_hash; content:"a7823092705a5e91ce2b7f561b6e5b98"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028412; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023836; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Reported as -"; ja3_hash; content:"4b06b445e3e12cdae777cec815ab90f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028414; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023837; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RescueTime/Plantronics Hub"; ja3_hash; content:"c048d9f26a79e11ca7276499ef24daf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028415; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023838; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App #2"; ja3_hash; content:"90f755509cba37094eb66be02335b932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028416; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023839; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App"; ja3_hash; content:"7743db23afb26f18d632420e6c36e076"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028417; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023840; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RSiteAuditor"; ja3_hash; content:"35c0a31c481927f022a3b530255ac080"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028418; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ruby script (tested: 2.0.0p481)"; ja3_hash; content:"688b34ca00a291ece0bc07b264b1344c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028419; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023842; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ruby"; ja3_hash; content:"d219efd07cbb8fbe547e6a5335843f0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028420; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023843; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 525 - 533  534.57.2, Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater"; ja3_hash; content:"cbcd1d81f242de31fd683d5acbc70dca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028421; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023844; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34"; ja3_hash; content:"4c551900711d12c864cfe2f95e1c98c2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028422; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023845; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, rekonq1.1  Arora0.11.0"; ja3_hash; content:"30701f5050d504c31805594fb5c083b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028423; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023846; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, Safari/537.21"; ja3_hash; content:"41ba55231de6643721fbe2ae25fab85d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028424; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023847; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.59.8"; ja3_hash; content:"fb1d89e16f4dd558ad99011070785cce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028425; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023848; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 536.30.1"; ja3_hash; content:"e2a482fbb281f7662f12ff6cc871cfe7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028426; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023849; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.71"; ja3_hash; content:"cc5925c4720edb550491a12a35c15d4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028427; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023850; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.78.2"; ja3_hash; content:"88770e3ad9e9d85b2e463be2b5c5a026"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028428; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023851; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari"; ja3_hash; content:"c36fb08942cf19508c08d96af22d4ffc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028429; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023852; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/534.57.2, hola_svc"; ja3_hash; content:"77310efe11f1943306ee317cf02150b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028430; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023853; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.1.38 Macintosh, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c07cb55f88702033a8f52c046d23e0b2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028431; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023854; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.3.1 Macintosh/apple.WebKit.Networking,itunesstored"; ja3_hash; content:"3e4e87dda5a3162306609b7e330441d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028432; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023855; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Salesforce Files"; ja3_hash; content:"844166382cc98d98595e6778c470f5d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028433; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023856; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: hoax Firefox/40.1"; ja3_hash; content:"9a35e493f961ac377f948690b5334a9c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028434; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023857; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: wordpress wp-login Firefox/40.1"; ja3_hash; content:"ce5f3254611a8c095a3d821d44539877"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028435; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023858; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCRAPER: DotBot"; ja3_hash; content:"d8844f000e5571807e9094e0fcd795fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028436; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023859; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SeznamBot/3.2"; ja3_hash; content:"6cc3c7debc31952d05ecaacb6021925f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028438; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023860; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 1"; ja3_hash; content:"fa8b8ed07b1dd0e4a262bd44d31251ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028439; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023861; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 2"; ja3_hash; content:"c05809230e9f7a6bf627a48b72dc4e1c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028440; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023862; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 3"; ja3_hash; content:"0ad94fcb7d3a2c56679fbd004f6b12cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028441; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023863; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0add6ceb611a7613f97329af3b6828d9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028442; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023864; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0b63812a99e66c82a20d30c3b9ba6e06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028443; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023865; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"109dbd9238634b21363c3d62793c029c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028444; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023866; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"11e49581344c117df2c9ceb46e5594c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028445; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023867; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"302579fd4ba13eca27932664f66725ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028446; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; dns_query; content:"tradeboard.mefound.com"; depth:22; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"badc09d74edf43c0204c4827a038c2fa"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028447; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; dns_query; content:"movis-es.ignorelist.com"; depth:23; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f59a024cf47fdb835053ebf144189a47"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028448; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; dns_query; content:"exbonus.mrbasic.com"; depth:19; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f8f522671d2d2eba5803e6c002760c05"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028449; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (bst2bgxin81a.org)"; dns_query; content:"bst2bgxin81a.org"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.5.23 - OS X)"; ja3_hash; content:"9d5869f950eeca2e39196c61fdf510c8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028450; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.6.2 OS X)"; ja3_hash; content:"3fcc12d9ee1f75a0212d1d16f7b9f8ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028451; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns_query; content:"load.gtpnet.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:4; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Signal (tested: 3.16.0 - Android)"; ja3_hash; content:"7dde4e4f0dceb29f711fb34b4bdbf420"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028452; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns_query; content:"spora.li"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Signal Chrome App"; ja3_hash; content:"07931ada5b9dd93ec706e772ee60782d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028453; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:trojan-activity; sid:2028598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SkipFish (tested: v2.10b kali)"; ja3_hash; content:"cfb6d1c72d09d4eaa4c7d2c0b1ecbce7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028454; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (comboratiogferrdto . com)"; dns_query; content:"comboratiogferrdto.com"; depth:22; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (additional Win 10)"; ja3_hash; content:"7a75198d3e18354a6763860d331ff46a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028455; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"epochatimes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (multiple platforms)"; ja3_hash; content:"06207a1730b5deeb207b0556e102ded2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028456; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns_query; content:"strangelol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:4; metadata:created_at 2017_10_18, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (tested 7.18(341) on OSX)"; ja3_hash; content:"5ef08bc989a9fcc18d5011f07d953c14"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028457; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; dns_query; content:"go.querymo.com"; depth:14; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype"; ja3_hash; content:"49a341a21f4fd4ac63b027ff2b1a331f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028458; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Scraper: yandex.ru based Mozilla 4.0"; ja3_hash; content:"05e15a226e00230c416a8cdefeb483c7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:misc-activity; sid:2028437; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack Desktop App"; ja3_hash; content:"c8ada45922a3e7857e4bfd4fc13e8f64"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028459; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Get2 Downloader Activity"; flow:established,to_server; http.user_agent; content:"CIBA|3b 20|MS-RTC LM 8|29|"; endswith; classtype:trojan-activity; sid:2028642; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"3d72e4827837391cd5b6f5c6b2d5b1e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028460; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_10_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"a5aa6e939e4770e3b8ac38ce414fd0d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028461; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|PSWD|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"cdd8179dc9c0e4802f557b62bae73d43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028462; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic"; flow:established,to_server; content:"-- Client Info --"; fast_pattern; nocase; content:"IP|3a 20|"; content:"HWID|3a 20|"; content:"OS Platform|3a 20|"; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slackbot Link Expander"; ja3_hash; content:"22cca8ed59288f4984724f0ee03484ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028463; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Logs|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Spark"; ja3_hash; content:"116ffc8889873efad60457cd55eaf543"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028464; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Clipboard|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SpiderOak (tested: 6.0.1)"; ja3_hash; content:"f51156bcd5033603e750c8bd4db254e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028465; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Screenshot|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SpotlightNetHelper/Safari"; ja3_hash; content:"8db4b0f8e9dd8f2fff38ee7c5a1e4496"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028466; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP klm123.com Spyware User Agent"; flow:established,to_server; http.user_agent; content:"{"; depth:1; fast_pattern; pcre:"/\{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/i"; http.host; content:!"directory.gladinet.com"; content:!"ff.avast.com"; content:!"ispringsolutions.com"; content:!"cdn.download.comodo.com"; content:!"liveupdate.symantec.com"; reference:url,doc.emergingthreats.net/2007616; classtype:pup-activity; sid:2007616; rev:16; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_10_03;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 1"; ja3_hash; content:"24339ea346521d98a8c50fd3713090c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028469; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemours/Proyecto RAT CnC Checkin"; flow:established,to_server; content:"0|7c|New|20|-|20|"; depth:8; fast_pattern; content:"|7c|"; distance:0; content:"|7c|Windows"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; reference:md5,50a9218c891453c00b498029315ac680; classtype:command-and-control; sid:2028648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Nemours, performance_impact Moderate, signature_severity Major, updated_at 2019_10_04;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 2"; ja3_hash; content:"ad5d6f490f3819dc60b2a2fbe5bd1cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028470; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:23; content:"CN=worldmasterclass.com"; fast_pattern; reference:md5,fe9caf2568d7bbf2bb0e20b8e7dc8971; reference:md5,c5a460fd87ffd50c114fffa684688d01; classtype:domain-c2; sid:2028653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 3"; ja3_hash; content:"1e9557c377f8ff50b80b7f87b60b1054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028471; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=mailfueler.com"; fast_pattern; reference:md5,c189cdadd96c148e64912c55c5129d3e; classtype:domain-c2; sid:2028652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category TROJAN, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 4"; ja3_hash; content:"c3c59ec21835721c92571e7742fadb88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028472; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=corpcougar.com"; fast_pattern; reference:md5,73fad17f8054d01488c3ddd67e355bf1; reference:md5,a25591dbf57ac687e2a03f94dcccc35a; classtype:domain-c2; sid:2028654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Steam OSX"; ja3_hash; content:"39cf5b7a13a764494de562add874f016"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028473; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=adityebirla.com"; fast_pattern; reference:md5,61b34d02bb09e5a547251a625ce81f9c; reference:md5,cab127c5b8582c1e3ea8860a239a060b; classtype:domain-c2; sid:2028655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Synology DDNS Beacon"; ja3_hash; content:"cab4a6a0c7ac91c2bd9e93cb0507ad4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028474; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category JA3, signature_severity Major, tag c2, updated_at 2019_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01"; flow:established,to_client; tls.cert_subject; bsize:63; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=www.livdecor.pt"; fast_pattern; reference:md5,7baca517af0b93bd3f94910c7b8f10db; reference:md5,efb4951e11baf306f5680a041c214e5b; classtype:domain-c2; sid:2028656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"2d3854d1cbcdceece83eabd85bdcc056"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028475; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30"; flow:established,to_client; tls.cert_subject; bsize:12; content:"CN=flozzy.uk"; fast_pattern; reference:md5,6a333c3f54d7fb6efb276cf6e33315c0; reference:md5,ab578cff6c06157aadd5f324a3413973; classtype:domain-c2; sid:2028657; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category TROJAN, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"a585c632a2b49be1256881fb0c16c864"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028476; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=evershinebd.net"; fast_pattern; reference:md5,c93a2d16dd0cf8dd3afa5ecba111e7c4; reference:md5,23aff33025681263adcdcb480d0e9a95; classtype:domain-c2; sid:2028658; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"cd7c06b9459c9cfd4af2dba5696ea930"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028477; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27"; flow:established,to_server; tls.sni; bsize:11; content:"techxim.com"; reference:md5,5c4e395fc545b5e0c03f960a4145f4ea; classtype:domain-c2; sid:2028659; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category TROJAN, malware_family AZORult, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tenable Passive Vulnerability Scanner Plugin Updater"; ja3_hash; content:"24993abb75ddda7eaf0709395e47ab4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028478; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_24, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - TextSecure Name Lookup (Tested: Android)"; ja3_hash; content:"97d3b9036d5a4d7f1fe33fe730f38231"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028479; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern; classtype:shellcode-detect; sid:2013145; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v17.0 OS X)"; ja3_hash; content:"207409c2b30e670ca50e1eac016a4831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028480; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013146; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v38.0.1 OS X), Thunderbird 38.7.0 (openSUSE Leap 42.1)"; ja3_hash; content:"4623da8b4586a8a4b86e31d689aa0c15"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028481; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013147; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (tested: 5.0.1f - May clash with FF38)"; ja3_hash; content:"0ed768d6e3bc66af60d31315afd423f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028482; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (v4.5.3 OS X - based on FF 31.8.0)"; ja3_hash; content:"8c9a7fe81ba61dab1454e08f42f0a004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028483; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6)"; ja3_hash; content:"5b3eee2766b876e623ba05508d269830"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028484; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6), Tor Uplink (via Tails distro)"; ja3_hash; content:"79f0842a32b359d1b683c569bd07f23b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028485; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - tor uplink (tested 0.2.2.35)"; ja3_hash; content:"3b8f3ace50a7c7cd5205af210f17bb70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028486; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor uplink (tested: 0.2.6.10)"; ja3_hash; content:"659007d8bae74d1053f6ca4a329d25a7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028487; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tracking something (noted with Dropbox Installer & Skype - Win 10)"; ja3_hash; content:"bc329d2a71e749067424502f1f72e13a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028488; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"2a458dd9c65afbcf591cd8c2a194b804"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028489; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"aea96546ac042f29fed1e2203a9b4c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028490; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - True Key"; ja3_hash; content:"df65746370dcabc9b4f370c6e14a8156"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028491; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Twitterbot/1.0"; ja3_hash; content:"edcf2fd479271286879efebd22bc8d16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028492; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"633e9558d4b25b46e8b1c49e10faaff4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028493; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:3; metadata:created_at 2011_08_08, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"b9b4d1f7283b5ddc59d0b8d15e386106"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028494; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:command-and-control; sid:2013382; rev:4; metadata:created_at 2011_08_08, former_category MALWARE, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #1"; ja3_hash; content:"ac206b75530d569a0a64cec378eb4b66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028495; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #2"; ja3_hash; content:"94feb9008aeb393e76bac31b30af6ad0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028496; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC Channel join"; flow:to_server,established; content:"JOIN |3a 20||23|"; fast_pattern; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101729; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #3"; ja3_hash; content:"f1b7bbeb8b79cecd728c72bba350d173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028497; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #4"; ja3_hash; content:"3f00755c412442e642f5572ed4f2eaf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028498; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; fast_pattern; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"0e580f864235348848418123f96bbaa0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028499; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern; classtype:suspicious-login; sid:2100357; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"9a1c3fed39b016b8d81cc77dae70f60f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028500; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"dc76bc3a4e3bc38939dfd90d8b7214b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028501; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unidentified attack tool"; ja3_hash; content:"90f6c4b0577fb24a31bea0acc1fcc27d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028502; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; fast_pattern; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:15; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown BrowserStack timeframe SMTP STARTLS"; ja3_hash; content:"7bc3475b771c44c764614397da069d28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028503; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP server (207.46.100.103)"; ja3_hash; content:"23a9b0eb3584e358816a123c208a2c8b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028504; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP Server (used by Facebook)"; ja3_hash; content:"26cdef14ec70c2d6ebd943fe8069c4da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028505; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown Something on Android that talks to Google Analytics"; ja3_hash; content:"335ec05b3ddb3800a8df47641c2d8e33"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028506; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown TLS Scanner"; ja3_hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028507; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:exploit-kit; sid:2025037; rev:3; metadata:created_at 2012_03_01, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UNVERIFIED: May be BlueCoat proxy"; ja3_hash; content:"f6bae8bacf93b5e97e80b594ffeba859"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028508; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - urlgrabber/3.10 yum/3.4.3"; ja3_hash; content:"37f691b063c10372135db21579643bf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028509; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many desktop apps,Quip,Spotify,GitHub Desktop"; ja3_hash; content:"84071ea96fc8a60c55fc8a405e214c0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028510; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028511; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"618ee2509ef52bf0b8216e1564eea909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028512; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"799135475da362592a4be9199d258726"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028513; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7b530a25af9016a9d12de5abc54d9e74"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028514; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c05de18b01a054f2f6900ffe96b3da7a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028515; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015573; rev:3; metadata:created_at 2012_08_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"e4d448cdfe06dc1243c1eb026c74ac9a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028516; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015479; rev:4; metadata:created_at 2012_07_16, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"f1c5cf087b959cec31bd6285407f689a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028517; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:exploit-kit; sid:2015604; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Python/PHP/Git/dotnet/Adobe"; ja3_hash; content:"488b6b601cb141b062d4da7f524b4b22"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028518; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Aura/Spotify/Chatty"; ja3_hash; content:"f28d34ce9e732f644de2350027d74c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028519; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Spotify/Dropbox/GitHub Desktop/etc"; ja3_hash; content:"190dfb280fe3b541acc6a2e5f00690e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028520; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2015678; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Slack/Postman/Spotify/Google Chrome"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028521; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:exploit-kit; sid:2015689; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #1"; ja3_hash; content:"2d96ffb535c7c7a30cad924b9b9f2b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028522; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:exploit-kit; sid:2015690; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #2"; ja3_hash; content:"ab1fa6468096ab057291aa381d5de2b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028523; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:exploit-kit; sid:2015691; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Viber"; ja3_hash; content:"e0224fc1c33658f2d3d963bfb0a76a85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028524; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:exploit-kit; sid:2015694; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VirtualBox Update Poll (tested 5.0.8 r103449)"; ja3_hash; content:"41e3681b7c8c915e33b1f80d275c19d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028525; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VLC"; ja3_hash; content:"81fb3e51bf3f18c5755146c28d07431b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028526; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Fusion / Workstation / Player Update Check 8.x-12.x"; ja3_hash; content:"cff90930827e8b0f4e5a6fcc17319954"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028527; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Update Check 6.x"; ja3_hash; content:"a50a861119aceb0ccc74902e8fddb618"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028528; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMware vSphere Client (Tested v4.1.0)"; ja3_hash; content:"48e69b57de145720885af2894f2ab9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028529; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - vpnkit"; ja3_hash; content:"01319090aea981dde6fc8d6ae71ead54"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028530; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 1)"; ja3_hash; content:"10a686de1c41107df06c21df245e24cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028531; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 2)"; ja3_hash; content:"f13e6d84b915e17f76fdf4ea8c959b4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028532; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 3)"; ja3_hash; content:"345b5717dae9006a8bcd4cb1a5f09891"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028533; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator"; ja3_hash; content:"74ebac04b642a0cab032dd46e8099fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028534; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator, java,eclipse"; ja3_hash; content:"4056657a50a8a4e5cfac40ba48becfa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028535; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m (tested: 0.5.3 OS X)"; ja3_hash; content:"975ef0826e8485f2335db71873cb34c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028536; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 (OS X version)"; ja3_hash; content:"6b4b535249a1dcd95e3b4b6e9e572e5e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028537; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)"; ja3_hash; content:"575771dbc723df24b764ac0303c19d10"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028538; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Web"; ja3_hash; content:"0172e9e41a8940e6a809967e4835214a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028539; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"58d97971a14d0520c5c56caa75470948"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028540; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"9ef7a86952e78eeb83590ff4d82a5538"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028541; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - WeeChat"; ja3_hash; content:"8e1172bd5dcc4698928c7eb454a2c3de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028542; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - wget (tested GNU Wget 1.16.1 & 1.17 on OS X)"; ja3_hash; content:"5f1d4c631ddedf942033c9ae919158b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028543; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - wget 1.14 (openSUSE Leap 42.1)"; ja3_hash; content:"70663c6da28b3b9ac281d7b31d6b97c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028544; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Wii-U"; ja3_hash; content:"444434ebe3f52b8453c3803bff077ebd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028545; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Win default thing a la webkit"; ja3_hash; content:"c8d1364bba308db5a4a20c65c58ffde1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028546; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Win10 Mail Client"; ja3_hash; content:"123b8f4705d525caffa3f2b36447f481"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028547; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 Native Connection"; ja3_hash; content:"aee020803d10a4d39072817184c8eedc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028548; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #1"; ja3_hash; content:"205200cdaac61b110838556b834070d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028549; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #2"; ja3_hash; content:"5a0fa8873e5ffe7d9385647adc8912d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028550; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Apps Store thing (unconfirmed)"; ja3_hash; content:"a7b2f0639f58f97aec151e015be1f684"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028551; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Builtin Mail Client"; ja3_hash; content:"0d15924fe8f8950a3ec3a916e97c8498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028552; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x TLS Socket"; ja3_hash; content:"a8ee937cf82bb0972fecc23d63c9cd82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028553; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows Watson WCEI Telemetry Gather"; ja3_hash; content:"2c14bfb3f8a2067fbc88d8345e9f97f3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028554; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - wineserver"; ja3_hash; content:"84607748f3887541dd60fe974a042c71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028555; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"1202a58b454f54a47d2c216567ebd4fb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028557; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"de364c46b0dfc283b5e38c79ceae3f8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028558; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yandex Bot, wget 1.18"; ja3_hash; content:"d83881675de3f6aacbcc0b2bae6f8923"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028559; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - youtube-dl 2016.06.03 (openSUSE Leap 42.1)"; ja3_hash; content:"11404429d240670cc018bed04e918b6f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028560; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 1 - May collide with Chrome"; ja3_hash; content:"f8f5b71e02603b283e55b50d17ede861"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028561; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 2 - May collide with Chome"; ja3_hash; content:"5ae88f37a16f1b054f2edff1c8730471"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028562; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ZwiftApp"; ja3_hash; content:"c2b4710c6888a5d47befe865c8e6fb19"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028563; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase; pcre:!"/#http:\/\/cert.*coinhive/i"; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2"; flow:established,to_client; http.header; content:"16723708fc9|0d 0a|X-CalculatedBETarget|3a 20|BY2PR06MB549.namprd06.prod.outlook.com"; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)"; flow:established,to_client; http.header; content:"Frontend Proxy|0d 0a|Set-Cookie|3a 20|YSC=LT4ZGGSgKoE|3b|"; fast_pattern; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin"; flow:established,to_server; content:"/Update/CC/CC.php"; startswith; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/; classtype:command-and-control; sid:2028604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family GhostMiner, performance_impact Low, signature_severity Major, updated_at 2019_09_19;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0d\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:social-engineering; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.iBryte.BO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do/?event="; depth:22; fast_pattern; content:"&user_id="; distance:0; http.user_agent; content:"download manager"; reference:md5,be6363e960d9a40b8e8c5825b13645c7; classtype:pup-activity; sid:2028633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_09_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"f58966d34ff9488a83797b55c804724d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028236; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; reference:url,doc.emergingthreats.net/2006420; classtype:pup-activity; sid:2006420; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:4; metadata:created_at 2010_09_29, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:4; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:5; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:4; metadata:created_at 2011_01_27, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:4; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern; classtype:exploit-kit; sid:2015548; rev:8; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015818; rev:4; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015819; rev:4; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern; classtype:policy-violation; sid:2015856; rev:6; metadata:created_at 2012_10_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015873; rev:6; metadata:created_at 2012_11_08, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015929; rev:4; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015928; rev:4; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015939; rev:4; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:exploit-kit; sid:2015950; rev:3; metadata:created_at 2012_11_27, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2019_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:3; metadata:created_at 2012_11_28, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:5; metadata:created_at 2012_11_29, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:exploit-kit; sid:2015981; rev:3; metadata:created_at 2012_12_03, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern; content:"|22|bhjwfffiorjwe|22|"; classtype:exploit-kit; sid:2015991; rev:5; metadata:created_at 2012_12_05, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:command-and-control; sid:2018423; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:3; metadata:created_at 2012_12_05, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:exploit-kit; sid:2016012; rev:5; metadata:created_at 2012_12_07, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:exploit-kit; sid:2020427; rev:3; metadata:created_at 2015_02_16, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:4; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020563; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016027; rev:6; metadata:created_at 2012_12_12, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:2; metadata:created_at 2013_01_04, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:exploit-kit; sid:2016306; rev:3; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:exploit-kit; sid:2022962; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:6; metadata:created_at 2013_01_29, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, updated_at 2019_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016319; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2019_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2019_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/vulnerabilities---threats/heap-spraying-attackers-latest-weapon-of-choice/d/d-id/1132487; classtype:shellcode-detect; sid:2012252; rev:5; metadata:created_at 2011_02_03, former_category SHELLCODE, updated_at 2019_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; endswith; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET MALWARE W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:command-and-control; sid:2016331; rev:2; metadata:created_at 2013_01_31, former_category MALWARE, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; endswith; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3; metadata:created_at 2013_04_19, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern; content:"&token="; http_uri; classtype:exploit-kit; sid:2015962; rev:12; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; endswith; classtype:command-and-control; sid:2021057; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:exploit-kit; sid:2016412; rev:3; metadata:created_at 2013_02_14, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern; classtype:exploit-kit; sid:2016510; rev:5; metadata:created_at 2013_02_26, former_category INFO, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016542; rev:4; metadata:created_at 2013_03_05, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; endswith; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:command-and-control; sid:2023429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family Hworm, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016543; rev:3; metadata:created_at 2013_03_05, updated_at 2019_10_07;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016569; rev:4; metadata:created_at 2013_03_13, former_category DNS, updated_at 2019_10_07;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016571; rev:2; metadata:created_at 2013_03_13, former_category DNS, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"zugzwang.me"; nocase; endswith; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016570; rev:3; metadata:created_at 2013_03_13, former_category DNS, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; endswith; threshold: type both, track by_src, count 10, seconds 30; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016026; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016718; rev:5; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category EXPLOIT, malware_family ETERNALBLUE, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016717; rev:5; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_28, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_28, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:exploit-kit; sid:2015000; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_02, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; endswith; reference:url,www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1; classtype:command-and-control; sid:2027366; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern; classtype:exploit-kit; sid:2016805; rev:4; metadata:created_at 2013_04_30, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1 CnC Checkin"; flow:established,to_server; dsize:7; content:"ilove26"; depth:7; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027834; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:exploit-kit; sid:2015974; rev:15; metadata:created_at 2012_11_30, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 CnC Checkin"; flow:established,to_server; dsize:12; content:"aWxvdmUyNg=="; depth:12; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027835; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern; classtype:trojan-activity; sid:2016812; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin"; flow:established,to_server; dsize:24; content:"d3ec7975f76aefdbfcdc3c3e"; depth:24; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027836; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogalaxyzone.com"; dns_query; content:"photogalaxyzone.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016606; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:exploit-kit; sid:2016833; rev:6; metadata:created_at 2013_05_08, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insightpublicaffairs.org"; dns_query; content:"insightpublicaffairs.org"; depth:24; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016620; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain seyuieyahooapis.com"; dns_query; content:"seyuieyahooapis.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016624; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016924; rev:12; metadata:created_at 2013_05_24, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dailynewsjustin.com"; dns_query; content:"dailynewsjustin.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016627; rev:4; metadata:created_at 2013_03_20, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:exploit-kit; sid:2016928; rev:3; metadata:created_at 2013_05_24, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hi-tecsolutions.org"; dns_query; content:"hi-tecsolutions.org"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016628; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:exploit-kit; sid:2016929; rev:12; metadata:created_at 2013_05_24, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"njdyqrbioh.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018270; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016926; rev:3; metadata:created_at 2013_05_24, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"vqvsaergek.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018265; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:exploit-kit; sid:2016787; rev:4; metadata:created_at 2013_04_26, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"pbcgmmympm.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018266; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:exploit-kit; sid:2016964; rev:3; metadata:created_at 2013_06_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"tyixfhsfax.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018268; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:6; metadata:created_at 2013_06_12, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qgjhmerjec.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018269; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"btloxcyrok.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018271; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"afwyhvinmw.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018272; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017019; rev:3; metadata:created_at 2013_06_14, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"wyfxanxjeu.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018273; rev:11; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_24, former_category EXPLOIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_24, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (regicsgf.net)"; dns_query; content:"regicsgf.net"; depth:12; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:7; metadata:created_at 2012_04_16, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017069; rev:3; metadata:created_at 2013_06_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.gowin7.com"; dns_query; content:".gowin7.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:exploit-kit; sid:2017070; rev:3; metadata:created_at 2013_06_27, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.secuurity.net"; dns_query; content:".secuurity.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:exploit-kit; sid:2017079; rev:4; metadata:created_at 2013_07_01, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.dataspotlight.net"; dns_query; content:".dataspotlight.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:7; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017092; rev:3; metadata:created_at 2013_07_02, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.datajunction.org"; dns_query; content:".datajunction.org"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:6; metadata:created_at 2012_08_13, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server;  content:".php?hash=I3QxW"; http_uri; fast_pattern; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017023; rev:6; metadata:created_at 2013_06_17, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup hotfix-update.com"; dns_query; content:"hotfix-update.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019570; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017093; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas haarmannsi.cz"; dns_query; content:"haarmannsi.cz"; depth:13; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:4; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:exploit-kit; sid:2017099; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas sanygroup.co.uk"; dns_query; content:"sanygroup.co.uk"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (casinoroyal7.ru)"; dns_query; content:"casinoroyal7.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2017138; rev:4; metadata:created_at 2013_07_12, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; dns_query; content:"cryptdomain.dp.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:exploit-kit; sid:2017139; rev:3; metadata:created_at 2013_07_12, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru)"; dns_query; content:"it-newsblog.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:exploit-kit; sid:2017151; rev:13; metadata:created_at 2013_07_15, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (js-static.ru)"; dns_query; content:"js-static.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:exploit-kit; sid:2017150; rev:13; metadata:created_at 2013_07_15, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com)"; dns_query; content:"lagosadventures.com"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:exploit-kit; sid:2017106; rev:4; metadata:created_at 2013_07_05, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru)"; dns_query; content:"lebanonwarrior.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:exploit-kit; sid:2017153; rev:3; metadata:created_at 2013_07_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net)"; dns_query; content:"nigerianbrothers.net"; depth:20; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net)"; dns_query; content:"princeofnigeria.net"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (royalgourp.org)"; dns_query; content:"royalgourp.org"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:exploit-kit; sid:2016427; rev:8; metadata:created_at 2013_02_18, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru)"; dns_query; content:"tweeter-stat.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016013; rev:7; metadata:created_at 2012_12_07, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy1-1-1.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016299; rev:11; metadata:created_at 2013_01_28, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy2-2-2.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:exploit-kit; sid:2016350; rev:5; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy3-3-3.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/^\/search\/[0-9]{64}/U"; classtype:exploit-kit; sid:2016593; rev:9; metadata:created_at 2013_03_18, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy4-4-4.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\/m1[1-6]\.jar$/U"; classtype:exploit-kit; sid:2016708; rev:9; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy5-5-5.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016709; rev:9; metadata:created_at 2013_04_02, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (blackblog.chatnook.com)"; dns_query; content:"blackblog.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:exploit-kit; sid:2016786; rev:6; metadata:created_at 2013_04_26, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (bulldog.toh.info)"; dns_query; content:"bulldog.toh.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016804; rev:5; metadata:created_at 2013_04_30, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (cew58e.xxxy.info)"; dns_query; content:"cew58e.xxxy.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:exploit-kit; sid:2016943; rev:9; metadata:created_at 2013_05_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (dynamic.ddns.mobi)"; dns_query; content:"dynamic.ddns.mobi"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016965; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (football.mrbasic.com)"; dns_query; content:"football.mrbasic.com"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2017038; rev:5; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (gjjb.flnet.org)"; dns_query; content:"gjjb.flnet.org"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2017041; rev:5; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (imirnov.ddns.info)"; dns_query; content:"imirnov.ddns.info"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017042; rev:5; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (jingnan88.chatnook.com)"; dns_query; content:"jingnan88.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017043; rev:5; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (lehnjb.epac.to)"; dns_query; content:"lehnjb.epac.to"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017044; rev:5; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.25u.com)"; dns_query; content:"logoff.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:exploit-kit; sid:2017119; rev:5; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ls910329.my03.com)"; dns_query; content:"ls910329.my03.com"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/amor\d{0,2}\.jar/U"; classtype:exploit-kit; sid:2015941; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mailru.25u.com)"; dns_query; content:"mailru.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2015942; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (Markshell.etowns.net)"; dns_query; content:"Markshell.etowns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:exploit-kit; sid:2017152; rev:6; metadata:created_at 2013_07_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mydear.ddns.info)"; dns_query; content:"mydear.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017272; rev:5; metadata:created_at 2013_08_02, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (nazgul.zyns.com)"; dns_query; content:"nazgul.zyns.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017273; rev:4; metadata:created_at 2013_08_02, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newdyndns.scieron.com)"; dns_query; content:"newdyndns.scieron.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017022; rev:4; metadata:created_at 2013_06_17, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_08_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (photocard.4irc.com)"; dns_query; content:"photocard.4irc.com"; depth:18; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017324; rev:3; metadata:created_at 2013_08_13, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (pricetag.deaftone.com)"; dns_query; content:"pricetag.deaftone.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern; classtype:exploit-kit; sid:2017039; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (rubberduck.gotgeeks.com)"; dns_query; content:"rubberduck.gotgeeks.com"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017372; rev:6; metadata:created_at 2013_08_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (shutdown.25u.com)"; dns_query; content:"shutdown.25u.com"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sorry.ns2.name)"; dns_query; content:"sorry.ns2.name"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sskill.b0ne.com)"; dns_query; content:"sskill.b0ne.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-First.flnet.org)"; dns_query; content:"text-First.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (uudog.4pu.com)"; dns_query; content:"uudog.4pu.com"; depth:13; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (will-smith.dtdns.net)"; dns_query; content:"will-smith.dtdns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017406; rev:6; metadata:created_at 2013_09_03, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ndcinformation.acmetoy.com)"; dns_query; content:"ndcinformation.acmetoy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017434; rev:3; metadata:created_at 2013_09_06, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (service.authorizeddns.net)"; dns_query; content:"service.authorizeddns.net"; depth:25; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017433; rev:4; metadata:created_at 2013_09_06, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-first.trickip.org)"; dns_query; content:"text-first.trickip.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017468; rev:3; metadata:created_at 2013_09_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; dns_query; content:"boltotor.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2015782; rev:6; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; dns_query; content:"bonytor2.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2016798; rev:4; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; dns_query; content:"speecostor.com"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (expert.4irc.com)"; dns_query; content:"expert.4irc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:5; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:exploit-kit; sid:2016349; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (msupdate.ath.cx)"; dns_query; content:"msupdate.ath.cx"; depth:15; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:exploit-kit; sid:2016348; rev:8; metadata:created_at 2013_02_05, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; dns_query; content:"karpeskmon.dyndns.org"; depth:21; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_09_23, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; dns_query; content:"isaserver.minrex.gov.cu"; depth:23; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST"; http_method; content:"/iam-ready"; fast_pattern; nocase; content:"|3c 7c 3e|"; http_header; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017518; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (operaa.net)"; dns_query; content:"operaa.net"; depth:10; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:4; metadata:created_at 2015_10_08, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017545; rev:7; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; dns_query; content:"appeur.gnway.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:4; metadata:created_at 2015_10_16, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (mail.cbppnews.com)"; dns_query; content:"mail.cbppnews.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:4; metadata:created_at 2015_12_17, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017549; rev:3; metadata:created_at 2013_10_01, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (kugo.f3322.net)"; dns_query; content:"kugo.f3322.net"; depth:14; nocase; endswith; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017550; rev:3; metadata:created_at 2013_10_01, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (yk.ftwxw.com)"; dns_query; content:"yk.ftwxw.com"; depth:12; nocase; endswith; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016549; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 2"; dns_query; content:"aaa123.spdns.de"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 3"; dns_query; content:"accounts.yourturbe.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017613; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 4"; dns_query; content:"account.websurprisemail.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 5"; dns_query; content:"addi.apple.cloudns.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 7"; dns_query; content:"apple.lenovositegroup.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"|0d 0a|Accept"; http_header; content:"Mozilla/4.0 (SEObot)"; depth:20; http_user_agent; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017718; rev:5; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 8"; dns_query; content:"bailee.alanna.cloudns.biz"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017601; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:exploit-kit; sid:2017785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 10"; dns_query; content:"bits.githubs.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:3; metadata:created_at 2013_11_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 11"; dns_query; content:"book.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017699; rev:4; metadata:created_at 2013_11_08, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 12"; dns_query; content:"clean.popqueen.cloudns.org"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017863; rev:5; metadata:created_at 2013_12_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 13"; dns_query; content:"desk.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017862; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 14"; dns_query; content:"detail43.myfirewall.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017864; rev:3; metadata:created_at 2013_12_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 18"; dns_query; content:"economy.spdns.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017865; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 19"; dns_query; content:"eemete.freetcp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017866; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 21"; dns_query; content:"firewallupdate.firewall-gateway.net"; depth:35; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:3; metadata:created_at 2013_12_17, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 22"; dns_query; content:"fish.seafood.cloudns.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:to_server,established; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; fast_pattern; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017916; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 23"; dns_query; content:"ftp112.lenta.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 28"; dns_query; content:"mail.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 29"; dns_query; content:"mareva.catherine.cloudns.us"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 30"; dns_query; content:"mm.lenovositegroup.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 31"; dns_query; content:"muslim.islamhood.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_29, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 32"; dns_query; content:"news.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:command-and-control; sid:2017548; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 35"; dns_query; content:"p.klark.cloudns.in"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:3; metadata:created_at 2013_03_28, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 36"; dns_query; content:"ppcc.vasilevich.cloudns.info"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 37"; dns_query; content:"press.ufoneconference.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:9; metadata:created_at 2014_02_10, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 38"; dns_query; content:"qq.yourturbe.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 39"; dns_query; content:"sys.firewall-gateway.net"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 40"; dns_query; content:"vip.yahoo.cloudns.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:exploit-kit; sid:2018172; rev:3; metadata:created_at 2014_02_25, former_category WEB_CLIENT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 43"; dns_query; content:"www.angleegg.xxxy.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:5; metadata:created_at 2014_02_25, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 48"; dns_query; content:"www.uyghuri.MrFace.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url, gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_03, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 49"; dns_query; content:"youturbe.co.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017774; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 50"; dns_query; content:"yycc.mrbonus.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:exploit-kit; sid:2018262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns_query; content:"tally.myfirewall.org"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:4; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns_query; content:"accountgoogle.firewall-gateway.com"; depth:34; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns_query; content:"filegoogle.firewall-gateway.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018360; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; dns_query; content:"spl.noip.me"; depth:11; nocase; endswith; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:4; metadata:created_at 2016_04_19, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017078; rev:7; metadata:created_at 2013_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; dns_query; content:"leeh0m.org"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client;  file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:10; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; dns_query; content:"ur232dkkwpdkwp.xyz"; depth:18; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:command-and-control; sid:2022831; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern; content:"eval(function("; classtype:exploit-kit; sid:2018405; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_21, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_21, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:5; metadata:created_at 2014_04_23, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; dns_query; content:"adjust-local-settings.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:exploit-kit; sid:2018469; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bbc-africa .com)"; dns_query; content:"bbc-africa.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:exploit-kit; sid:2018440; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; dns_query; content:"checkinonlinehere.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:command-and-control; sid:2023104; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category MALWARE, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern; content:"|0B 00|"; depth:2; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018479; rev:2; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (googleplay-store .com)"; dns_query; content:"googleplay-store.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_20, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; dns_query; content:"turkeynewsupdates.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:4; metadata:created_at 2014_05_23, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (unonoticias .net)"; dns_query; content:"unonoticias.net"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; dns_query; content:".s3clm4lufbmfhmeb"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2023154; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; dns_query; content:"winmeif.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; dns_query; content:"samsung.ddns.me"; depth:15; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern; http_uri; nocase; classtype:exploit-kit; sid:2018540; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; dns_query; content:"gtldsfs.com "; depth:12; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; dns_query; content:"cdnfastnetwork.com"; depth:18; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:exploit-kit; sid:2018592; rev:3; metadata:created_at 2014_06_20, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns_query; content:"aterdunst.com"; depth:13; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023330; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Likely CryptoWall .onion Proxy domain in SNI"; flow:established,to_server; content:"kpai7ycr7jxqkilp."; fast_pattern; classtype:trojan-activity; sid:2018610; rev:2; metadata:created_at 2014_06_26, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; dns_query; content:"webmail.duia.in"; depth:15; nocase; endswith; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, malware_family Ceatrg, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018614; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"vmdefmnsndoj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018615; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"lvfjcwwobycj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/black/?"; fast_pattern; http_uri; content:"tipo="; depth:5; http_client_body; content:"&cliente="; http_client_body; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:command-and-control; sid:2018641; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"qjqubpciajoc.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a 20|"; content:"Foi Instalado"; nocase; fast_pattern; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:command-and-control; sid:2018646; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"exvdaajegjur.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.online"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.support"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin 2"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/u.html"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:command-and-control; sid:2018687; rev:3; metadata:created_at 2014_07_17, former_category MALWARE, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"nympompksmfx.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz / Asprox checkin"; flow:established,to_server; content:"/api/"; http_uri; fast_pattern; pcre:"/^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$/U"; reference:url,garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html; reference:url,blog.malcovery.com/blog/more-information-on-this-weeks-e-zpass-scam; classtype:command-and-control; sid:2018739; rev:3; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"xpknpxmywqsrhe.online"; depth:21; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win.Trojan.Agent-29225 Checkin"; flow:to_server,established; content:"/proxy.exe"; nocase; fast_pattern; http_uri; content:"Java/1"; nocase; http_user_agent; reference:url,virustotal.com/file/17b1639c08352cc37baac08f23137563546750292131896f37fd8be8c9412407/analysis/; classtype:command-and-control; sid:2018763; rev:5; metadata:created_at 2013_01_21, former_category MALWARE, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"binpt.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; dns_query; content:"srv601.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; dns_query; content:"hostgatero.ddns.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; content:".tor4u.net"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:2; metadata:created_at 2014_08_01, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023833; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; content:".onion.cab"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:2; metadata:created_at 2014_08_01, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"/qsc.asp"; fast_pattern; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b|)|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:command-and-control; sid:2018884; rev:3; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023835; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  BITTERBUG Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/vtris"; fast_pattern; http_uri; content:".php?srs="; http_uri; content:!"User-Agent|3a 20|"; http_header; pcre:"/\/vtris\d?\.php\?srs=\d{1,10}$/U"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018901; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023836; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2018902; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023837; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:exploit-kit; sid:2018920; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023838; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:exploit-kit; sid:2018928; rev:4; metadata:created_at 2014_08_13, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023839; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:3; metadata:created_at 2014_08_14, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023840; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Steam.NBP Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/data2.php?file="; fast_pattern; http_uri; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,17d2b62f2fa20f407485437de17787fb; reference:md5,bec091077138a1cac49db00495d456e7; classtype:command-and-control; sid:2018949; rev:4; metadata:created_at 2014_08_18, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; content:"/enc/1"; http_uri; fast_pattern; pcre:"/\/enc\/1$/U"; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018962; rev:3; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023842; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023843; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xema dropping file"; flow:to_server,established; content:"/pruebas.doc"; http_uri; fast_pattern; content:!"Referer"; http_header; reference:md5,f5fbdb120594f4da7f638122d6635933; classtype:trojan-activity; sid:2018994; rev:3; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023844; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin"; flow:established,to_server; content:"GET"; http_method; content:"_W"; http_uri; content:"|2e|"; distance:6; within:1; http_uri; content:"/publickey/"; http_uri; fast_pattern; content:!"Accept|3a|"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b61145a54698753cecf8748359c9d81e; classtype:command-and-control; sid:2018579; rev:8; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023845; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023846; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023847; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023848; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023849; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023850; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:command-and-control; sid:2019125; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023851; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?&co="; http_uri; fast_pattern; content:"&us="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&tr2="; http_uri; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019160; rev:3; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023852; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:exploit-kit; sid:2019167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023853; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014372; rev:6; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023854; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014376; rev:4; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023855; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:3; metadata:created_at 2014_09_15, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023856; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:3; metadata:created_at 2014_09_15, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023857; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/key/index.php"; http_uri; fast_pattern; content:"dir="; depth:4; http_client_body; content:"&data="; distance:0; http_client_body; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:command-and-control; sid:2019179; rev:3; metadata:created_at 2014_09_16, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023858; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url, blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:exploit-kit; sid:2019194; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023859; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:exploit-kit; sid:2019195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023860; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2012_09_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023861; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Kia.exe Request"; flow:established,to_server; content:"/kia.exe"; http_uri; fast_pattern; classtype:trojan-activity; sid:2018081; rev:4; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023862; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014"; flow:established,to_server; content:"POST"; http_method; content:"/ccc/tab.php"; http_uri; fast_pattern; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:command-and-control; sid:2018384; rev:4; metadata:created_at 2014_04_11, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023863; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:5; metadata:created_at 2014_09_02, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023864; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:exploit-kit; sid:2019210; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023865; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:exploit-kit; sid:2019185; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023866; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:exploit-kit; sid:2019226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023867; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Boleteiro checking stolen boleto payment information"; flow:to_server,established; content:"Vencimento="; fast_pattern; http_uri; content:"&Valor="; http_uri; content:"&Sacado="; http_uri; content:"&URL="; http_uri; content:"&Browser=Chrome"; http_uri; reference:md5,3cffb955c08f6c1546bfeae37a215787; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-091718-2034-99&tabid=2; classtype:command-and-control; sid:2019243; rev:5; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2020_09_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; dns_query; content:"tradeboard.mefound.com"; depth:22; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:exploit-kit; sid:2019288; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; dns_query; content:"movis-es.ignorelist.com"; depth:23; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; dns_query; content:"exbonus.mrbasic.com"; depth:19; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (bst2bgxin81a.org)"; dns_query; content:"bst2bgxin81a.org"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns_query; content:"load.gtpnet.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:4; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern; classtype:bad-unknown; sid:2019285; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns_query; content:"spora.li"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:trojan-activity; sid:2028598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (comboratiogferrdto . com)"; dns_query; content:"comboratiogferrdto.com"; depth:22; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_26, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"epochatimes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns_query; content:"strangelol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:4; metadata:created_at 2017_10_18, updated_at 2019_09_28;)
 
-alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; dns_query; content:"go.querymo.com"; depth:14; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
 
-alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Scraper: yandex.ru based Mozilla 4.0"; ja3_hash; content:"05e15a226e00230c416a8cdefeb483c7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:misc-activity; sid:2028437; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_01, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Get2 Downloader Activity"; flow:established,to_server; http.user_agent; content:"CIBA|3b 20|MS-RTC LM 8|29|"; endswith; classtype:trojan-activity; sid:2028642; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_01;)
 
-alert smtp any any -> any any (msg:"ET SMTP Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_10_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:2; metadata:created_at 2014_10_06, updated_at 2019_10_07;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|PSWD|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018361; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic"; flow:established,to_server; content:"-- Client Info --"; fast_pattern; nocase; content:"IP|3a 20|"; content:"HWID|3a 20|"; content:"OS Platform|3a 20|"; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:exploit-kit; sid:2019209; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Logs|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyClicker.ClickFraud CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/feed.dll?pub_id="; http_uri; fast_pattern; content:"&ua="; offset:17; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019355; rev:4; metadata:created_at 2014_10_06, former_category MALWARE, updated_at 2020_09_25;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Clipboard|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:exploit-kit; sid:2019359; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Screenshot|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemours/Proyecto RAT CnC Checkin"; flow:established,to_server; content:"0|7c|New|20|-|20|"; depth:8; fast_pattern; content:"|7c|"; distance:0; content:"|7c|Windows"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; reference:md5,50a9218c891453c00b498029315ac680; classtype:command-and-control; sid:2028648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Nemours, performance_impact Moderate, signature_severity Major, updated_at 2019_10_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_08, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:23; content:"CN=worldmasterclass.com"; fast_pattern; reference:md5,fe9caf2568d7bbf2bb0e20b8e7dc8971; reference:md5,c5a460fd87ffd50c114fffa684688d01; classtype:domain-c2; sid:2028653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=mailfueler.com"; fast_pattern; reference:md5,c189cdadd96c148e64912c55c5129d3e; classtype:domain-c2; sid:2028652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=corpcougar.com"; fast_pattern; reference:md5,73fad17f8054d01488c3ddd67e355bf1; reference:md5,a25591dbf57ac687e2a03f94dcccc35a; classtype:domain-c2; sid:2028654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=adityebirla.com"; fast_pattern; reference:md5,61b34d02bb09e5a547251a625ce81f9c; reference:md5,cab127c5b8582c1e3ea8860a239a060b; classtype:domain-c2; sid:2028655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01"; flow:established,to_client; tls.cert_subject; bsize:63; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=www.livdecor.pt"; fast_pattern; reference:md5,7baca517af0b93bd3f94910c7b8f10db; reference:md5,efb4951e11baf306f5680a041c214e5b; classtype:domain-c2; sid:2028656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern; classtype:trojan-activity; sid:2019518; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30"; flow:established,to_client; tls.cert_subject; bsize:12; content:"CN=flozzy.uk"; fast_pattern; reference:md5,6a333c3f54d7fb6efb276cf6e33315c0; reference:md5,ab578cff6c06157aadd5f324a3413973; classtype:domain-c2; sid:2028657; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=evershinebd.net"; fast_pattern; reference:md5,c93a2d16dd0cf8dd3afa5ecba111e7c4; reference:md5,23aff33025681263adcdcb480d0e9a95; classtype:domain-c2; sid:2028658; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoBot Downloading Files"; flow:established,to_server; content:"GET"; http_method; content:"btc"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/[a-z]+\.k(?:ey)?btc$/U"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3563; classtype:trojan-activity; sid:2019607; rev:3; metadata:created_at 2014_10_30, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27"; flow:established,to_server; tls.sni; bsize:11; content:"techxim.com"; reference:md5,5c4e395fc545b5e0c03f960a4145f4ea; classtype:domain-c2; sid:2028659; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_24, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern; classtype:shellcode-detect; sid:2013145; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff Variant Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=start&id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&id=[A-F0-9]+$/U"; reference:md5,d8e7983004c5545df6de868bc0c5a947; classtype:command-and-control; sid:2019636; rev:3; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013146; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013147; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iOS/WireLurker CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/getversion.php?v="; http_uri; fast_pattern; content:"&adid="; offset:18; http_uri; content:!"Referer|3a|"; http_header; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019664; rev:3; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern; reference:cve,2014-2820; classtype:exploit-kit; sid:2018933; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:exploit-kit; sid:2019676; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019679; rev:4; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; content:"/cart.php?site="; fast_pattern; http_uri; content:"&p="; http_uri; content:"&nm="; http_uri; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019682; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019358; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/txt/read.php"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/txt\/read\.php$/U"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019688; rev:3; metadata:created_at 2014_11_10, former_category MALWARE, updated_at 2020_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/mac_log/?appid="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019661; rev:4; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Autorun.J Checkin"; flow:established,to_server; content:".asp?i=0&v=o10.1"; http_uri; fast_pattern; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FAutorun.J#tab=2; classtype:command-and-control; sid:2019710; rev:3; metadata:created_at 2014_11_14, former_category MALWARE, updated_at 2020_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:3; metadata:created_at 2011_08_09, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:command-and-control; sid:2013382; rev:4; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Matsnu.Backdoor CnC Beacon"; flow:established,to_server; content:"id="; http_uri; content:"&mynum="; http_uri; content:"&ver="; http_uri; content:"&cvr="; http_uri; content:"&threadid="; http_uri; fast_pattern; content:"&lang="; http_uri; content:"&os="; http_uri; reference:url,www.seculert.com/blog/2014/11/dgas-a-domain-generation-evolution.html; classtype:command-and-control; sid:2019741; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2020_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:command-and-control; sid:2019758; rev:3; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2019_10_07;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M1"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"hwid="; depth:5; http_client_body; content:"&func="; http_client_body; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^hwid=[A-F0-9]{4}(?:-[A-F0-9]{4}){7}&func=/P"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019776; rev:3; metadata:created_at 2014_11_24, updated_at 2020_09_28;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; fast_pattern; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:5; metadata:created_at 2014_11_24, updated_at 2019_10_07;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern; classtype:suspicious-login; sid:2100357; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:3; metadata:created_at 2014_11_24, updated_at 2019_10_07;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"|0d 0a|Accept-Language|3a 20|zh-cn|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|29 0d 0a|"; http_header; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern; http_client_body; content:".zip|22 0d 0a|"; http_client_body; content:"Content-Type|3a 20|application/x-zip-compressed|0d 0a|"; http_client_body; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/P"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:command-and-control; sid:2019828; rev:4; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_09_28;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sony Breach Wiper Malware Download"; flow:established,to_server; content:"GET"; http_method; content:"/igfxtpers.exe"; http_uri; fast_pattern; reference:url,logfile.packetninjas.net/related-malware-to-sony-breach; classtype:trojan-activity; sid:2019849; rev:3; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; fast_pattern; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:15; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:".php?i="; http_uri; content:"&data="; http_uri; distance:0; content:"&hash="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&hash=[^&]+$/U"; flowbits:set,ET.Vawtrak; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:4; metadata:created_at 2014_12_02, updated_at 2020_09_28;)
+alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019901; rev:2; metadata:created_at 2014_12_09, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019902; rev:2; metadata:created_at 2014_12_09, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas Request to WebDAV CloudMe"; flow:established,to_server; content:"/CloudDrive/"; nocase; http_uri; content:"webdav.cloudme.com"; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/Hmi"; pcre:"/^\/(?:b(?:i(?:llder1405|mm4276)|rowner8674935)|c(?:arter0648|h(?:ak2488|hloe7400)|orn6814)|d(?:aw0996|epp3353)|fr(?:anko7046|ogs6352)|garristone|hurris4124867|james9611|lisa\.walker|parker2339915|sa(?:mantha2064|nmorinostar)|tem5842|young0498814)\/CloudDrive\//Ui"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019915; rev:3; metadata:created_at 2014_12_10, updated_at 2020_09_28;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:2; metadata:created_at 2014_12_12, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:exploit-kit; sid:2025037; rev:3; metadata:created_at 2012_03_01, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:2; metadata:created_at 2014_12_12, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern; nocase; content:"|0d 0a|Content-Disposition|3a 20|attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:4; metadata:created_at 2014_12_15, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a 20|Indy"; content:"BIGFONE TOCOU"; fast_pattern; content:"Nome Comp"; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:2; metadata:created_at 2014_12_15, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TinyZBot Checkin (Operation Cleaver)"; flow:established,to_server; content:"POST"; http_method; content:"/checkupdate.asmx"; http_uri; fast_pattern; content:"SOAPAction|3a 20 22|http|3a|//tempuri.org/GetServerTime|22 0d 0a|"; http_header; content:"GetServerTime xmlns=|22|http|3a|//tempuri.org/"; http_client_body; content:!"|0d 0a|Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,68cfc418c72b58b770bdccf19805703e; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019942; rev:4; metadata:created_at 2014_12_15, former_category MALWARE, updated_at 2020_09_28;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:exploit-kit; sid:2019315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:created_at 2014_12_15, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019958; rev:5; metadata:created_at 2014_12_17, former_category MOBILE_MALWARE, updated_at 2020_09_28;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Ransom Page"; flow:established,to_server; content:"/buy.php?user_code="; fast_pattern; http_uri; content:"&user_pass="; http_uri; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019978; rev:3; metadata:created_at 2014_12_19, updated_at 2020_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015573; rev:3; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019989; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015479; rev:4; metadata:created_at 2012_07_17, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019990; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:exploit-kit; sid:2015604; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019991; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2015678; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:exploit-kit; sid:2015689; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:exploit-kit; sid:2015690; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:exploit-kit; sid:2015691; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:exploit-kit; sid:2015694; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 3"; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020019; rev:2; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020024; rev:3; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1"; flow:established,from_server; content:"Content-Length|3a 20|11|0d 0a|"; http_header; file_data; content:"no commands"; fast_pattern; flowbits:isset,ET.Anunanak.HTTP.1; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020028; rev:3; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2"; flow:established,from_server; content:"Content-Length|3a 20|9|0d 0a|"; http_header; file_data; content:"no result"; fast_pattern; flowbits:isset,ET.Anunanak.HTTP.2; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020030; rev:3; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:exploit-kit; sid:2020070; rev:4; metadata:created_at 2014_12_26, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern; classtype:trojan-activity; sid:2020091; rev:3; metadata:created_at 2015_01_05, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020150; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020151; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET MALWARE Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020154; rev:3; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:targeted-activity; sid:2020158; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019894; rev:4; metadata:created_at 2014_12_08, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exploitpack.com tool checkin"; flow:established,to_server; content:"GET"; http_method; content:"/changelog/"; http_uri; fast_pattern; pcre:"/^\/changelog\/(?:appversion|changelog|help)$/U"; content:"User-Agent|3a 20|Java/1"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,www.exploitpack.com; classtype:bad-unknown; sid:2020195; rev:3; metadata:created_at 2015_01_15, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:exploit-kit; sid:2020207; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:exploit-kit; sid:2020236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (7)"; flow:established,to_server; content:"/get"; http_uri; fast_pattern; content:".jpg"; http_uri; pcre:"/\/(?:w(?:hite|orld)|step)\/get(?:a+|n+)\.jpg/U"; classtype:exploit-kit; sid:2016559; rev:16; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020317; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; content:"Heimdallbot"; http_header; nocase; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*?Heimdallbot/Hmi"; threshold: type limit, count 1, seconds 60, track by_src; classtype:web-application-attack; sid:2020323; rev:3; metadata:created_at 2015_01_28, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/action.php?action=get_"; http_uri; fast_pattern; content:"Send Mail"; depth:9; http_user_agent; content:!"Referer|3a|"; http_header; pcre:"/^\/action\.php\?action=get_(?:mails|red)$/U"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020330; rev:3; metadata:created_at 2015_01_29, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Update"; flow:established,to_server; content:"GET"; http_method; content:"/data_updater.dat"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/data_updater\.dat$/U"; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020333; rev:3; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/data.cfg"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/data\.cfg$/U"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020334; rev:3; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020336; rev:2; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020337; rev:2; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020340; rev:6; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Download"; flow:to_server,established; content:"/bn_versions/"; http_uri; fast_pattern; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/bn_versions\/\d+?\.exe$/U"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020341; rev:5; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:2; metadata:created_at 2015_02_10, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:exploit-kit; sid:2020570; rev:4; metadata:created_at 2015_02_25, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:exploit-kit; sid:2020643; rev:4; metadata:created_at 2015_03_06, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020654; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020655; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:exploit-kit; sid:2020626; rev:4; metadata:created_at 2015_03_06, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:3; metadata:created_at 2014_12_22, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:3; metadata:created_at 2014_09_05, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5; metadata:created_at 2014_10_24, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020749; rev:5; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020823; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020824; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019917; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020841; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:3; metadata:created_at 2015_04_06, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020849; rev:3; metadata:created_at 2015_04_07, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020850; rev:2; metadata:created_at 2015_04_07, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2020851; rev:2; metadata:created_at 2015_04_07, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:2; metadata:created_at 2015_04_07, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Worm Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/.c.php?request="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; reference:url,volexity.com/blog/?p=118; classtype:command-and-control; sid:2020887; rev:3; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> 195.22.26.192/26 443 (msg:"ET INFO invalid.cab domain in SNI"; flow:established,to_server; content:"|0b|invalid.cab"; fast_pattern; flowbits:set,ET.invalid.cab; flowbits:noalert; classtype:misc-activity; sid:2020888; rev:3; metadata:created_at 2015_04_10, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http_user_agent; content:"id="; depth:3; http_client_body; pcre:"/^[A-F0-9]+$/RP"; pcre:"/\/gate\.php$/U"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020890; rev:4; metadata:created_at 2015_04_10, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault Mailer CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/redirect.php?loc=mail"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/redirect\.php\?loc=mail$/U"; reference:md5,af0e5a5df0be279aa517e2fd65cadd5c; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020906; rev:3; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/keylogger.php?id="; http_uri; fast_pattern; content:"&com="; http_uri; content:"&key="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020920; rev:3; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?fn="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|file|22|"; http_client_body; content:"name=|22|path|22|"; distance:0; http_client_body; content:"name=|22|submit|22|"; distance:0; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020922; rev:3; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bioazih RAT Checkin"; flow:to_server,established; content:"User-Agent|3a 20|Pass|3a|"; http_header; content:"Hostname|3a|"; http_header; content:"Ip|3a|"; http_header; content:"Os|3a|"; http_header; content:"Proxy|3a|"; fast_pattern; http_header; content:"Vm|3a|"; http_header; reference:md5,7bc5451341a684aca80a59a463bad973; reference:md5,5443cf2b6c010c57cf740356c9167b77; reference:url,blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe.aspx; classtype:command-and-control; sid:2020927; rev:4; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/?bit="; http_uri; fast_pattern; content:"&version="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020939; rev:3; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 6"; flow:established,to_server; content:"GET"; http_method; content:"/?check"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Example|0d 0a|"; http_header; pcre:"/\/\?check$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020940; rev:3; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor Downloading Dridex"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"MSIE"; http_user_agent; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\d+\/\d+\.exe$/U"; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:3; metadata:created_at 2015_04_22, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:exploit-kit; sid:2020985; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern; pcre:"/\/street[1-5]\.php$/U"; classtype:exploit-kit; sid:2020988; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern; pcre:"/\/XV-\d+\.exe$/U"; classtype:exploit-kit; sid:2020989; rev:3; metadata:created_at 2015_04_24, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern; classtype:exploit-kit; sid:2020992; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:exploit-kit; sid:2020951; rev:4; metadata:created_at 2015_04_20, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin 2"; flow:to_server,established; urilen:>107; content:"GET"; http_method; content:"/setup/"; http_uri; fast_pattern; content:"Host|3a|"; http_header; depth:5; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/setup\/[a-zA-Z0-9!-]{100,}$/U"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021029; rev:3; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021045; rev:3; metadata:created_at 2015_04_30, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021042; rev:6; metadata:created_at 2015_04_30, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:exploit-kit; sid:2020980; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:exploit-kit; sid:2020979; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"name="; http_client_body; content:"&host="; http_client_body; content:"&browser="; http_client_body; content:"&post="; http_client_body; fast_pattern; pcre:"/\.php$/U"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:command-and-control; sid:2021055; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:6; content:"/v.vlt"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:command-and-control; sid:2021091; rev:3; metadata:created_at 2015_05_12, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putty SSH Credential Stealer"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"=c3NoOi8v"; http_uri; fast_pattern; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/U"; content:!"Referer|3a|"; http_header; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:3; metadata:created_at 2015_05_13, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.Jenxcus.H URL Structure"; flow:to_server,established; content:"POST"; http_method; content:"/is-rinoy"; http_uri; fast_pattern; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021122; rev:3; metadata:created_at 2015_05_20, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET HUNTING Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:2; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:exploit-kit; sid:2021136; rev:3; metadata:created_at 2015_05_21, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021150; rev:2; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; content:"GET"; http_method; content:"/?action=getuid"; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021166; rev:3; metadata:created_at 2015_05_28, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern; content:"&uid="; http_uri; content:"&bit="; http_uri; content:"&version="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021167; rev:3; metadata:created_at 2015_05_28, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_06_01, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; fast_pattern; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Windows NT 5.0|3b|"; http_header; pcre:"/^\d{4}/P"; pcre:"/\.asp$/U"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021214; rev:3; metadata:created_at 2015_06_08, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:exploit-kit; sid:2020392; rev:6; metadata:created_at 2015_02_10, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:exploit-kit; sid:2021219; rev:5; metadata:created_at 2015_06_09, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET 443 (msg:"ET MALWARE Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:2; metadata:created_at 2015_06_10, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021254; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern; content:"long2str"; nocase; content:"str2long"; nocase; classtype:exploit-kit; sid:2021218; rev:4; metadata:created_at 2015_06_09, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload"; flow:established,to_server; content:"/lns.txt"; http_uri; fast_pattern; pcre:"/\/lns.txt$/U"; content:"WinHttp.WinHttpRequest"; http_user_agent; reference:md5,0ed66982890ec483c3bc6f883e2424fb; classtype:trojan-activity; sid:2021284; rev:4; metadata:created_at 2015_06_17, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin"; flow:established,to_server; content:"GET"; http_method; content:".ini?"; http_uri; fast_pattern; content:!"|0d 0a|Accept-"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^\/[a-z]+?\.*?ini\?\d+$/Ui"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021300; rev:3; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:exploit-kit; sid:2021033; rev:4; metadata:created_at 2015_04_29, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:exploit-kit; sid:2021035; rev:4; metadata:created_at 2015_04_29, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:exploit-kit; sid:2021037; rev:4; metadata:created_at 2015_04_29, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:exploit-kit; sid:2021305; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:exploit-kit; sid:2021308; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern; classtype:exploit-kit; sid:2021310; rev:4; metadata:created_at 2015_06_19, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021137; rev:4; metadata:created_at 2015_05_21, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.DES.Downloader Request"; flow:to_server,established; content:"/ad.php?id="; fast_pattern; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b 20|Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10|0d 0a|Accept-Encoding|3a 20|deflate|0d 0a|Accept-Language|3a 20|en-us|0d 0a|HOST|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021352; rev:3; metadata:created_at 2015_06_25, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:exploit-kit; sid:2021364; rev:3; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:exploit-kit; sid:2021373; rev:3; metadata:created_at 2015_07_01, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Checkin"; flow:established,to_server; content:"/up_docx.php"; fast_pattern; http_uri; content:!"Referer"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:command-and-control; sid:2021376; rev:3; metadata:created_at 2015_07_02, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Download"; flow:established,to_server; content:"/WINWORD32.exe"; fast_pattern; http_uri; content:!"Referer"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:trojan-activity; sid:2021377; rev:4; metadata:created_at 2015_07_02, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:exploit-kit; sid:2021394; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".dll"; classtype:trojan-activity; sid:2021429; rev:3; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:exploit-kit; sid:2021435; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 2"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/checkupdate"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/Hmi"; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/Cm"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021502; rev:3; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 1"; flow:to_server,established; content:"/status"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; content:"Host|3a 20|jdk."; http_header; pcre:"/^[a-f0-9]{32}\.org/RH"; content:"SSID="; http_cookie; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/C"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021501; rev:4; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:3; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:exploit-kit; sid:2021036; rev:5; metadata:created_at 2015_04_29, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021542; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021543; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021571; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response abuse.ch"; flow:established,from_server; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern; classtype:trojan-activity; sid:2020223; rev:3; metadata:created_at 2015_01_21, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021611; rev:4; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021612; rev:3; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/gac/"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/gac\/[a-f0-9]{15}$/U"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2021620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern; classtype:exploit-kit; sid:2021637; rev:3; metadata:created_at 2015_08_17, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:exploit-kit; sid:2021698; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:exploit-kit; sid:2021699; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:exploit-kit; sid:2020895; rev:7; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"m="; depth:2; http_client_body; content:"AA=="; http_client_body; fast_pattern; pcre:"/\.asp$/U"; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/Pi"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:command-and-control; sid:2018685; rev:4; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:3; metadata:created_at 2015_08_31, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:3; metadata:created_at 2015_08_31, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:exploit-kit; sid:2021764; rev:3; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021787; rev:3; metadata:created_at 2015_09_16, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron Tiger Backdoor.GCloud CnC Beacon"; flow:established,to_server; content:"/user?pid="; http_uri; fast_pattern; content:"&data="; http_uri; content:"User-Agent|3a 20|WinHTTP Example/1.0|0d 0a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021790; rev:3; metadata:created_at 2015_09_16, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:2; metadata:created_at 2015_09_16, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:targeted-activity; sid:2023910; rev:5; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/upx/"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/U"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021812; rev:3; metadata:created_at 2015_09_22, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern; classtype:exploit-kit; sid:2021841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"P"; depth:1; nocase; http_client_body; content:"myPath = "; nocase; http_client_body; content:"iFold = "; nocase; http_client_body; content:"wallPath = "; nocase; http_client_body; fast_pattern; content:"listPath = "; nocase; http_client_body; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021851; rev:5; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Created wallet - "; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021855; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 5"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M RecursiveFileSearch"; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021856; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern; classtype:exploit-kit; sid:2015548; rev:8; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 6"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Scan folder|3a 20|"; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021857; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Saved cryptor key - "; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021858; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern; classtype:policy-violation; sid:2015856; rev:6; metadata:created_at 2012_11_01, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"|29 20|Encrypt|20|"; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021859; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015873; rev:6; metadata:created_at 2012_11_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Files encrypted,"; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021860; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M STATE|3a 20|CRYPTED_"; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021861; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015929; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 11"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Free disk space|3a 20|"; nocase; http_client_body; fast_pattern; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021862; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015928; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:4; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015939; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:4; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:exploit-kit; sid:2015950; rev:3; metadata:created_at 2012_11_28, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021905; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:3; metadata:created_at 2012_11_29, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:exploit-kit; sid:2021906; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:5; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021907; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:exploit-kit; sid:2015981; rev:3; metadata:created_at 2012_12_04, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:4; metadata:created_at 2015_10_01, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern; content:"|22|bhjwfffiorjwe|22|"; classtype:exploit-kit; sid:2015991; rev:5; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021939; rev:6; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:3; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:targeted-activity; sid:2021985; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:exploit-kit; sid:2016012; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:3; metadata:created_at 2015_11_02, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:4; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malvertising Malicious PE Download"; flow:established,to_server; content:"GET"; http_method; content:"/adobe_flashplayer_7.exe"; http_uri; fast_pattern; reference:md5,d9b91aa8c66c4a701f5558bdca805eec; reference:url,otx.alienvault.com/pulse/5637202b4637f2388aaec61c/; classtype:trojan-activity; sid:2022020; rev:3; metadata:created_at 2015_11_02, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016027; rev:6; metadata:created_at 2012_12_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_03, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:2; metadata:created_at 2013_01_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:exploit-kit; sid:2022040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:exploit-kit; sid:2016306; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022068; rev:3; metadata:created_at 2015_11_10, former_category MALWARE, updated_at 2019_10_07;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:6; metadata:created_at 2013_01_30, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2022072; rev:2; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016319; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:2; metadata:created_at 2015_11_12, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022090; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022147; rev:3; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Sony|3b|"; http_header; fast_pattern; pcre:"/^\/\d+$/U"; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,f184c13be617754e394ecb8c972c8861; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2022188; rev:3; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET MALWARE W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:command-and-control; sid:2016331; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016923; rev:15; metadata:created_at 2013_05_24, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern; content:"&token="; http_uri; classtype:exploit-kit; sid:2015962; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern; classtype:exploit-kit; sid:2020719; rev:5; metadata:created_at 2015_03_20, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:exploit-kit; sid:2016412; rev:3; metadata:created_at 2013_02_15, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022213; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern; classtype:exploit-kit; sid:2016510; rev:5; metadata:created_at 2013_02_27, former_category INFO, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:4; metadata:created_at 2015_12_04, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016542; rev:4; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:exploit-kit; sid:2022242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016543; rev:3; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:4; metadata:created_at 2015_11_02, updated_at 2019_10_07;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016569; rev:4; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:3; metadata:created_at 2015_12_16, updated_at 2019_10_07;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016571; rev:2; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProPoS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Accept|3a 20|application/octet-stream|0d 0a|"; http_header; content:"User-Agent|3a 20|Pro PoS"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:url,blog.talosintel.com/2015/12/pro-pos.html; classtype:command-and-control; sid:2022282; rev:3; metadata:created_at 2015_12_18, former_category MALWARE, updated_at 2020_10_05;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016570; rev:3; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:exploit-kit; sid:2022304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016026; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern; classtype:trojan-activity; sid:2014472; rev:8; metadata:created_at 2012_04_04, updated_at 2019_10_07;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016718; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_12, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016717; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022360; rev:4; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2019_10_07;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022361; rev:3; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Checkin"; flow:established,to_server; content:"/logo.gif?sessd="; http_uri; fast_pattern; content:"&sessc="; http_uri; content:"&sessk="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|"; http_header; pcre:"/^(?:zh-CN|en-US)\x3b rv\x3a1\.7\.6\)\r\n/HR"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:command-and-control; sid:2022358; rev:4; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:3; metadata:created_at 2016_01_19, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:exploit-kit; sid:2015000; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; pcre:"/(?:[a-z]+=\d{3,4}\x3b\x20){4}/C"; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; http_header; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/U"; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/P"; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hi"; classtype:command-and-control; sid:2021718; rev:5; metadata:created_at 2015_08_26, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern; classtype:exploit-kit; sid:2016805; rev:4; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:exploit-kit; sid:2015974; rev:15; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern; classtype:trojan-activity; sid:2016812; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:5; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern; classtype:misc-activity; sid:2022636; rev:4; metadata:created_at 2016_03_22, former_category INFO, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:exploit-kit; sid:2016833; rev:6; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton Checkin"; flow:to_server,established; content:".php?ch="; http_uri; fast_pattern; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-length|3a 20|0|0d 0a|"; http_header; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022676; rev:3; metadata:created_at 2016_03_28, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 1"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"task=report&id="; http_client_body; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022677; rev:3; metadata:created_at 2016_03_28, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016924; rev:12; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 2"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"task=knock&pub="; http_client_body; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022678; rev:3; metadata:created_at 2016_03_28, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:exploit-kit; sid:2016928; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Keepalive"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Length|3a 20|2|0d 0a|"; http_header; fast_pattern; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"ok"; http_client_body; depth:2; threshold: type limit, count 1, seconds 60, track by_src; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022363; rev:4; metadata:created_at 2016_01_13, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:exploit-kit; sid:2016929; rev:12; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Keepalive 2"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Length|3a 20|5|0d 0a|"; http_header; fast_pattern; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"READY"; http_client_body; depth:5; threshold: type limit, count 1, seconds 60, track by_src; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022750; rev:3; metadata:created_at 2016_04_20, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016926; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader.Banload.XDL Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/okok/Notify.php"; fast_pattern; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library|29 0d 0a|"; http_header; reference:md5,70adf5506c767590e11bdc473c91bb38; classtype:command-and-control; sid:2022754; rev:3; metadata:created_at 2016_04_22, former_category MALWARE, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:exploit-kit; sid:2016787; rev:4; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:exploit-kit; sid:2016964; rev:3; metadata:created_at 2013_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:exploit-kit; sid:2022772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:6; metadata:created_at 2013_06_12, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:exploit-kit; sid:2022774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M1"; flow:to_server,established; urilen:5; content:"GET"; http_method; content:"/EPWD"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022851; rev:3; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017019; rev:3; metadata:created_at 2013_06_15, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M2"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/PWD"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022852; rev:3; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_25, former_category EXPLOIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern; content:"campaigns"; http_cookie; classtype:exploit-kit; sid:2022904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:exploit-kit; sid:2022909; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017069; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:exploit-kit; sid:2022910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:exploit-kit; sid:2017070; rev:3; metadata:created_at 2013_06_27, updated_at 2019_10_08;)
 
-alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:2; metadata:created_at 2016_06_23, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:exploit-kit; sid:2017079; rev:4; metadata:created_at 2013_07_02, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017092; rev:3; metadata:created_at 2013_07_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017093; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:exploit-kit; sid:2017099; rev:3; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:social-engineering; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker.BR Checkin"; flow:established,to_server; content:".asp?m="; http_uri; fast_pattern; pcre:"/\.asp\?m=(?:INS|UAC)(?:&p=&a=)?&i=201\d{11}&/Ui"; content:"&v="; http_uri; content:!"Referer|3a|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,bd389eb9cf03e55013eaf07970288f08; classtype:command-and-control; sid:2023081; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2017138; rev:4; metadata:created_at 2013_07_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/srv_report?ver="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\?ver=\d+$/U"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023090; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:exploit-kit; sid:2017139; rev:3; metadata:created_at 2013_07_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"?ver="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^\/(?:i686|arm|mips(?:el)?)\?ver=\d+$/U"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023089; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:exploit-kit; sid:2017151; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 3"; flow:established,to_server; content:"/final111?&nocache="; http_uri; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023133; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:exploit-kit; sid:2017150; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:exploit-kit; sid:2023186; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:exploit-kit; sid:2017106; rev:4; metadata:created_at 2013_07_05, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020311; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:exploit-kit; sid:2017153; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2019_10_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_07;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:exploit-kit; sid:2016427; rev:8; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016013; rev:7; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016299; rev:11; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern; classtype:exploit-kit; sid:2023302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:exploit-kit; sid:2016350; rev:5; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/^\/search\/[0-9]{64}/U"; classtype:exploit-kit; sid:2016593; rev:9; metadata:created_at 2013_03_19, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Powershell Trojan)"; flow:from_server,established; content:"|16|"; content:"|0b|"; distance:0; within:8; content:"|09 00 d6 e6 05 e6 06 e6 17 3f|"; fast_pattern; reference:url,pastebin.com/7wYupkJL; reference:md5,4c5c9014f2d18f11ca62848876551323; classtype:trojan-activity; sid:2023342; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family PowerShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\/m1[1-6]\.jar$/U"; classtype:exploit-kit; sid:2016708; rev:9; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".sys"; classtype:trojan-activity; sid:2021430; rev:4; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016709; rev:9; metadata:created_at 2013_04_02, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:exploit-kit; sid:2016786; rev:6; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:6; metadata:created_at 2012_09_17, former_category INFO, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016804; rev:5; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:exploit-kit; sid:2016943; rev:9; metadata:created_at 2013_05_29, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016965; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023482; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2017038; rev:5; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi";  content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2017041; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:social-engineering; sid:2023743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017042; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017043; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:social-engineering; sid:2023745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017044; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:exploit-kit; sid:2023547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:exploit-kit; sid:2017119; rev:5; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern; classtype:trojan-activity; sid:2023749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/amor\d{0,2}\.jar/U"; classtype:exploit-kit; sid:2015941; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:command-and-control; sid:2023769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2015942; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern; classtype:exploit-kit; sid:2023878; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:exploit-kit; sid:2017152; rev:6; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:exploit-kit; sid:2023879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017272; rev:5; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
 
-alert tls [195.22.26.192/26,195.22.28.192/27,195.38.137.100,195.22.4.21,195.157.15.100,212.61.180.100] 443 -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks Sinkhole SSL Cert lolcat - specific IPs"; flow:established,to_client; content:"|06|lolcat"; fast_pattern; flowbits:isnotset,ET.invalid.cab; classtype:trojan-activity; sid:2019628; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_03, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017273; rev:4; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:3; metadata:created_at 2015_04_06, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017022; rev:4; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern; content:" lonly="; http_cookie; classtype:exploit-kit; sid:2014884; rev:3; metadata:created_at 2012_06_08, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_08_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017324; rev:3; metadata:created_at 2013_08_13, updated_at 2019_10_08;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern; classtype:exploit-kit; sid:2017039; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017372; rev:6; metadata:created_at 2013_08_26, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern; classtype:exploit-kit; sid:2024092; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023748; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024172; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; classtype:bad-unknown; sid:2024236; rev:3; metadata:attack_target SMTP_Server, created_at 2017_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017406; rev:6; metadata:created_at 2013_09_03, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:command-and-control; sid:2024270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family Kazuar, performance_impact Low, signature_severity Major, tag APT, tag RUAPT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017434; rev:3; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:exploit-kit; sid:2020605; rev:6; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017433; rev:4; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:exploit-kit; sid:2025071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017468; rev:3; metadata:created_at 2013_09_17, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2015782; rev:6; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; content:"knowledgewiki.info"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2016798; rev:4; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; content:"zxjfcvfvhqfqsrpz."; fast_pattern; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:3; metadata:created_at 2014_08_04, former_category TROJAN, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern; classtype:credential-theft; sid:2024374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:exploit-kit; sid:2016349; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:exploit-kit; sid:2016348; rev:8; metadata:created_at 2013_02_05, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.B Domain in SNI"; flow:established,to_server; content:"|00 00 0d|handbrake.biz"; fast_pattern; nocase; classtype:trojan-activity; sid:2024285; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_09_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST"; http_method; content:"/iam-ready"; fast_pattern; nocase; content:"|3c 7c 3e|"; http_header; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017518; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017545; rev:7; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017549; rev:3; metadata:created_at 2013_10_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017550; rev:3; metadata:created_at 2013_10_02, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; content:"formyip.com"; fast_pattern; nocase; classtype:external-ip-check; sid:2024832; rev:3; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016549; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; classtype:social-engineering; sid:2025682; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017877; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017613; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern; byte_jump:4,0,little,post_offset 1; isdataat:!2,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017876; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024895; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in TLS SNI)"; flow:established,to_server; content:"|00 00 09|eltima.in"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024889; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"|0d 0a|Accept"; http_header; content:"Mozilla/4.0 (SEObot)"; depth:20; http_user_agent; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017718; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI)"; flow:established,to_server; content:"|00 00 12|handbrakestore.com"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024891; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017601; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in TLS SNI)"; flow:established,to_server; content:"|00 00 0c|handbrake.cc"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024893; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:exploit-kit; sid:2017785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:3; metadata:created_at 2013_11_30, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern; classtype:trojan-activity; sid:2025010; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017699; rev:4; metadata:created_at 2013_11_09, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern; classtype:trojan-activity; sid:2025011; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017863; rev:5; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern; classtype:trojan-activity; sid:2025012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017862; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!11000,!11001,!12000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:to_server,established; dsize:>11; content:"|79 9e|"; fast_pattern; pcre:"/^[\x20-\x7e]*?.{8}\x79\x9e/s"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017707; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017864; rev:3; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:6; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017865; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim "; nocase; content:"Dim "; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:exploit-kit; sid:2025272; rev:3; metadata:created_at 2018_01_30, updated_at 2019_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017866; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:3; metadata:created_at 2013_12_18, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2019_10_07;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; content:!"|a9 d5 73 d2 a0 a5 a1 69|"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_11, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2019_10_07;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:6; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:command-and-control; sid:2017548; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:social-engineering; sid:2021968; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2019_10_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:3; metadata:created_at 2013_03_29, updated_at 2019_10_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022837; rev:3; metadata:created_at 2016_05_24, former_category MALWARE, updated_at 2019_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017299; rev:8; metadata:created_at 2013_08_08, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:9; metadata:created_at 2014_02_11, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014853; rev:6; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern; classtype:exploit-kit; sid:2017014; rev:4; metadata:created_at 2013_06_13, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:exploit-kit; sid:2018172; rev:3; metadata:created_at 2014_02_25, former_category WEB_CLIENT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:5; metadata:created_at 2014_02_26, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geost.php?bid="; fast_pattern; classtype:command-and-control; sid:2028661; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_10_08, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Geost, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SDBbot CnC Checkin"; flow:established,to_server; content:"|00 00 de c0|"; depth:4; content:"ver="; distance:0; content:"|0a|domain="; distance:0; content:"|0a|pc="; distance:0; content:"|0a|geo="; distance:0; content:"|0a|os="; distance:0; content:"|0a|rights="; distance:0; content:"|0a|proxyenabled="; distance:0; fast_pattern; content:"|0a|"; distance:0; endswith; reference:md5,892be85dc60df6bc82568384e83b9b4c; classtype:command-and-control; sid:2031217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, malware_family SDBbot, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017774; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (update machine status)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/updMaqStatus"; http_uri; content:"Clickteam"; http_user_agent; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014953; rev:4; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:exploit-kit; sid:2018262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; content:"/data.asp?mydata="; http_uri; content:"&uid="; http_uri; content:"&state="; http_uri; content:"you"; http_user_agent; depth:3; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:command-and-control; sid:2015632; rev:5; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"Dalvik/"; http_user_agent; depth:7; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"Egypack"; nocase; http_user_agent; depth:7; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013176; rev:7; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018360; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017078; rev:7; metadata:created_at 2013_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern; content:"eval(function("; classtype:exploit-kit; sid:2018405; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_22, updated_at 2019_10_08;)
+
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:5; metadata:created_at 2014_04_24, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:exploit-kit; sid:2018469; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:exploit-kit; sid:2018440; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_21, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:4; metadata:created_at 2014_05_23, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern; http_uri; nocase; classtype:exploit-kit; sid:2018540; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:exploit-kit; sid:2018592; rev:3; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018614; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018615; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a 20|"; content:"Foi Instalado"; nocase; fast_pattern; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:command-and-control; sid:2018646; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018902; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:exploit-kit; sid:2018920; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:exploit-kit; sid:2018928; rev:4; metadata:created_at 2014_08_13, former_category MALWARE, updated_at 2019_10_08;)
+
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:3; metadata:created_at 2014_08_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2019_10_08;)
+
+alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:exploit-kit; sid:2019167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014372; rev:6; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014376; rev:4; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url,blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:exploit-kit; sid:2019194; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:exploit-kit; sid:2019195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2012_09_18, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:5; metadata:created_at 2014_09_03, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:exploit-kit; sid:2019210; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:exploit-kit; sid:2019185; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:exploit-kit; sid:2019226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:exploit-kit; sid:2019288; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern; classtype:bad-unknown; sid:2019285; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_08;)
+
+alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_08;)
+
+alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
+
+alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
+
+alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
+
+alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
+
+alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
+
+alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_02, updated_at 2019_10_08;)
+
+alert smtp any any -> any any (msg:"ET SMTP Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:2; metadata:created_at 2014_10_06, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018361; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:exploit-kit; sid:2019209; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:exploit-kit; sid:2019359; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
+
+#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern; classtype:trojan-activity; sid:2019518; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern; reference:cve,2014-2820; classtype:exploit-kit; sid:2018933; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:exploit-kit; sid:2019676; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019679; rev:4; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019358; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:command-and-control; sid:2019758; rev:3; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:5; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:3; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019901; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019902; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern; nocase; content:"|0d 0a|Content-Disposition|3a 20|attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:4; metadata:created_at 2014_12_15, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a 20|Indy"; content:"BIGFONE TOCOU"; fast_pattern; content:"Nome Comp"; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:2; metadata:created_at 2014_12_15, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:exploit-kit; sid:2019315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019989; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019990; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019991; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020024; rev:3; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:exploit-kit; sid:2020070; rev:4; metadata:created_at 2014_12_26, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern; classtype:trojan-activity; sid:2020091; rev:3; metadata:created_at 2015_01_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020150; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020151; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET MALWARE Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020154; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
+
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:targeted-activity; sid:2020158; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019894; rev:4; metadata:created_at 2014_12_09, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:exploit-kit; sid:2020207; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:exploit-kit; sid:2020236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020317; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020336; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020337; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020340; rev:6; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:2; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:exploit-kit; sid:2020570; rev:4; metadata:created_at 2015_02_25, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:exploit-kit; sid:2020643; rev:4; metadata:created_at 2015_03_07, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020654; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020655; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:exploit-kit; sid:2020626; rev:4; metadata:created_at 2015_03_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:3; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:3; metadata:created_at 2014_09_05, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5; metadata:created_at 2014_10_24, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020749; rev:5; metadata:created_at 2015_03_26, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020823; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot PUT File Response"; flow:established,to_server; content:"GET"; http_method; content:"/docs/name="; fast_pattern; depth:11; http_uri; pcre:"/^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$/Ui"; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; http_user_agent; depth:63; isdataat:!1,relative; content:"Referer|3a 20|http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018549; rev:4; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020824; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Command Status Message"; flow:established,to_server; content:"GET"; http_method; content:"/tech/s.asp?m="; fast_pattern; depth:14; http_uri; pcre:"/^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$/Ui"; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; http_user_agent; depth:63; isdataat:!1,relative; content:"Referer|3a 20|http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018548; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Initial Response"; flow:established,to_server; content:"GET"; http_method; content:"/manage/asp/item.asp?id="; fast_pattern; depth:24; http_uri; pcre:"/^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$/Ui"; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; http_user_agent; depth:63; isdataat:!1,relative; content:"Referer|3a 20|http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018550; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019917; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Data Upload"; flow:established,to_server; content:"GET"; http_method; content:"/article/30441/Review.asp?id="; fast_pattern; depth:29; http_uri; pcre:"/^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$/Ui"; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; http_user_agent; depth:63; isdataat:!1,relative; content:"Referer|3a 20|http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018551; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020841; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 1.1.2150)"; http_user_agent; depth:69; isdataat:!1,relative; fast_pattern; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:7; metadata:created_at 2012_05_29, updated_at 2020_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; content:"DownloadNetFile"; http_user_agent; depth:15; isdataat:!1,relative; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:3; metadata:created_at 2015_04_07, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a 20|http|3a|//mysticnews.ru"; http_header; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; http_user_agent; depth:37; content:"locker_ver="; fast_pattern; http_client_body; content:"&i_firstboot="; http_client_body; distance:0; content:"&harddiskserial="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:command-and-control; sid:2020829; rev:3; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020849; rev:3; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 Fake Mozilla UA"; flow:established,to_server; content:"Moziea/"; http_user_agent; depth:7; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020901; rev:3; metadata:created_at 2015_04_13, former_category MALWARE, updated_at 2020_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020850; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FormerFirstRAT HTTP POST CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322)"; http_user_agent; depth:69; isdataat:!1,relative; fast_pattern; content:"|3a|443|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020926; rev:4; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2020851; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; content:"Mozilla/4.0+(compatible|3b|+MSIE+/"; http_user_agent; depth:31; fast_pattern; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:15; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_10_16;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:2; metadata:created_at 2015_04_08, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; content:"WinXP Pro Service Pack"; http_user_agent; depth:22; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:exploit-kit; sid:2020985; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Snatch-System)"; flow:to_server,established; content:"Snatch-System"; nocase; http_user_agent; depth:13; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern; pcre:"/\/street[1-5]\.php$/U"; classtype:exploit-kit; sid:2020988; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; content:"KKTone"; nocase; http_user_agent; depth:6; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern; pcre:"/\/XV-\d+\.exe$/U"; classtype:exploit-kit; sid:2020989; rev:3; metadata:created_at 2015_04_24, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Matcash or related downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|x"; http_header; pcre:"/^x\w\wx\w\w\!x\w\wx\w\wx\w\w/V"; reference:url,doc.emergingthreats.net/2006382; classtype:trojan-activity; sid:2006382; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern; classtype:exploit-kit; sid:2020992; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"netcfg"; http_user_agent; depth:6; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2007758; classtype:trojan-activity; sid:2007758; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:exploit-kit; sid:2020951; rev:4; metadata:created_at 2015_04_21, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Related Trojan User-Agent (kpangupdate)"; flow:established,to_server; content:"kpangupdate"; http_user_agent; depth:11; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2007779; classtype:pup-activity; sid:2007779; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021045; rev:3; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neonaby.com Related Trojan User-Agent (neonabyupdate)"; flow:established,to_server; content:"neonabyupdate"; http_user_agent; depth:13; isdataat:!1,relative; nocase; reference:url,doc.emergingthreats.net/2007825; classtype:trojan-activity; sid:2007825; rev:6; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021042; rev:6; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; content:"Yhrbg"; http_user_agent; depth:5; isdataat:!1,relative; nocase; reference:url,doc.emergingthreats.net/2007912; classtype:trojan-activity; sid:2007912; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:exploit-kit; sid:2020980; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; content:"Digital"; http_user_agent; depth:7; isdataat:!1,relative; nocase; reference:url,doc.emergingthreats.net/2007923; classtype:trojan-activity; sid:2007923; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:exploit-kit; sid:2020979; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; content:"downloaded"; http_user_agent; depth:10; isdataat:!1,relative; nocase; reference:url,doc.emergingthreats.net/2007924; classtype:trojan-activity; sid:2007924; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; content:"wnames"; http_user_agent; depth:6; isdataat:!1,relative; nocase; reference:url,doc.emergingthreats.net/2007925; classtype:trojan-activity; sid:2007925; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; content:"Mozilla-web"; http_user_agent; depth:11; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (TestAgent)"; flow:to_server,established; content:"TestAgent"; http_user_agent; depth:9; isdataat:!1,relative; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET HUNTING Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:2; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; content:"Mozilla "; http_user_agent; depth:8; content:" biz|0d 0a|"; within:15; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:exploit-kit; sid:2021136; rev:3; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Zilla)"; flow:to_server,established; content:"Zilla"; http_user_agent; depth:5; isdataat:!1,relative; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021150; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keypack.co.kr Related Trojan User-Agent Detected"; flow:established,to_server; content:"keypack"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/2008339; classtype:trojan-activity; sid:2008339; rev:6; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:exploit-kit; sid:2020392; rev:6; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; content:"PcPcUpdater"; http_user_agent; depth:11; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:exploit-kit; sid:2021219; rev:5; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; content:"AdiseExplorer"; http_user_agent; depth:13; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert tcp any any -> $HOME_NET 443 (msg:"ET MALWARE Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:2; metadata:created_at 2015_06_10, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; content:"ieguideupdate"; http_user_agent; depth:13; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021254; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adsntD)"; flow:established,to_server; content:"adsntD"; http_user_agent; depth:6; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern; content:"long2str"; nocase; content:"str2long"; nocase; classtype:exploit-kit; sid:2021218; rev:4; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_user_agent; depth:4; nocase; content:"&hdid="; nocase; http_header; content:"&wlid="; nocase; content:"&start="; nocase; content:"&os="; nocase; content:"&mem="; nocase; content:"&alive"; nocase; content:"&ver="; nocase; content:"&mode="; nocase; content:"&guid"; content:"&install="; nocase; content:"&auto="; nocase; content:"&serveid"; nocase; content:"&area="; nocase; depth:400; reference:url,doc.emergingthreats.net/2009541; classtype:trojan-activity; sid:2009541; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_02_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:exploit-kit; sid:2021033; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns.query; content:".ddns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:exploit-kit; sid:2021035; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns.query; content:".ddnsking.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:exploit-kit; sid:2021037; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns.query; content:".3utilities.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:exploit-kit; sid:2021305; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:exploit-kit; sid:2021308; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern; classtype:exploit-kit; sid:2021310; rev:4; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021137; rev:4; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:exploit-kit; sid:2021364; rev:3; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:exploit-kit; sid:2021373; rev:3; metadata:created_at 2015_07_02, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:exploit-kit; sid:2021394; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".dll"; classtype:trojan-activity; sid:2021429; rev:3; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:exploit-kit; sid:2021435; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:3; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:exploit-kit; sid:2021036; rev:5; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021542; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021543; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021571; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021611; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021612; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2021620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern; classtype:exploit-kit; sid:2021637; rev:3; metadata:created_at 2015_08_17, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:exploit-kit; sid:2021698; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:exploit-kit; sid:2021699; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:exploit-kit; sid:2020895; rev:7; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:exploit-kit; sid:2021764; rev:3; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021787; rev:3; metadata:created_at 2015_09_16, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:2; metadata:created_at 2015_09_17, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:targeted-activity; sid:2023910; rev:5; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern; classtype:exploit-kit; sid:2021841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021905; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:exploit-kit; sid:2021906; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021907; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:4; metadata:created_at 2015_10_01, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021939; rev:6; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:targeted-activity; sid:2021985; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:3; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
+
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:exploit-kit; sid:2022040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022068; rev:3; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2022072; rev:2; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:2; metadata:created_at 2015_11_12, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022090; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022147; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016923; rev:15; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern; classtype:exploit-kit; sid:2020719; rev:5; metadata:created_at 2015_03_20, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022213; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:4; metadata:created_at 2015_12_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:exploit-kit; sid:2022242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:4; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:3; metadata:created_at 2015_12_16, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:exploit-kit; sid:2022304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern; classtype:trojan-activity; sid:2014472; rev:8; metadata:created_at 2012_04_04, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022360; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022361; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:3; metadata:created_at 2016_01_20, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:5; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern; classtype:misc-activity; sid:2022636; rev:4; metadata:created_at 2016_03_22, former_category INFO, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:exploit-kit; sid:2022772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:exploit-kit; sid:2022774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern; content:"campaigns"; http_cookie; classtype:exploit-kit; sid:2022904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:exploit-kit; sid:2022909; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:exploit-kit; sid:2022910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:2; metadata:created_at 2016_06_23, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:social-engineering; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:exploit-kit; sid:2023186; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020311; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+
+alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern; classtype:exploit-kit; sid:2023302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".sys"; classtype:trojan-activity; sid:2021430; rev:4; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:6; metadata:created_at 2012_09_18, former_category INFO, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023482; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:social-engineering; sid:2023743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:social-engineering; sid:2023745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:exploit-kit; sid:2023547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern; classtype:trojan-activity; sid:2023749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:command-and-control; sid:2023769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern; classtype:exploit-kit; sid:2023878; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:exploit-kit; sid:2023879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:3; metadata:created_at 2015_04_07, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern; content:" lonly="; http_cookie; classtype:exploit-kit; sid:2014884; rev:3; metadata:created_at 2012_06_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern; classtype:exploit-kit; sid:2024092; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023748; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; classtype:bad-unknown; sid:2024236; rev:3; metadata:attack_target SMTP_Server, created_at 2017_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:command-and-control; sid:2024270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family Kazuar, signature_severity Major, tag APT, tag RUAPT, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:exploit-kit; sid:2020605; rev:6; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:exploit-kit; sid:2025071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern; classtype:credential-theft; sid:2024374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_10_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; classtype:social-engineering; sid:2025682; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024895; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern; classtype:trojan-activity; sid:2025010; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern; classtype:trojan-activity; sid:2025011; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern; classtype:trojan-activity; sid:2025012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:6; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim "; nocase; content:"Dim "; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:exploit-kit; sid:2025272; rev:3; metadata:created_at 2018_01_30, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; content:!"|a9 d5 73 d2 a0 a5 a1 69|"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:6; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:social-engineering; sid:2021968; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022837; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017299; rev:8; metadata:created_at 2013_08_08, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014853; rev:6; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern; classtype:exploit-kit; sid:2017014; rev:4; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geost.php?bid="; fast_pattern; classtype:command-and-control; sid:2028661; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_10_08, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Geost, updated_at 2019_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022480; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"Egypack"; nocase; http_user_agent; depth:7; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013176; rev:7; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_11;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns.query; content:".ddns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns.query; content:".ddnsking.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns.query; content:".3utilities.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.bounceme .net"; dns.query; content:".bounceme.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028678; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
 
@@ -29428,17 +28070,15 @@ alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.workisboring .com"; dns.query; content:".workisboring.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028756; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"649d6810e8392f63dc311eecb6b7098b"; tls.cert_subject; content:!"servicebus.windows.net"; flowbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M1 (set)"; flow:established,to_server; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028828; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"e35df3e00ca4ef31d42b34bebaa2f86e"; flowbits:isset,ET.meterpreter.ja3; classtype:command-and-control; sid:2028829; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hash - Suspected Meterpreter Reverse Shell (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"e35df3e00ca4ef31d42b34bebaa2f86e"; flowbits:isset,ET.meterpreter.ja3; classtype:command-and-control; sid:2028829; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2021_07_26;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M2 (set)"; flow:established,to_server; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028830; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=beastgoc.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x49.html; classtype:domain-c2; sid:2028827; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=beastgoc.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x49.html; classtype:domain-c2; sid:2028827; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect on ActiveXObject support"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<script>"; content:"if|20 28|window.ActiveXObject"; distance:0; content:"ActiveXObject|22 20|in window"; within:40; fast_pattern; content:"window|2e|location|2e|href|3d 22|"; within:35; content:"|7d|else|7b|"; within:100; content:"window|2e|location|2e|href|3d 22|"; within:35; classtype:exploit-kit; sid:2028833; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_10_15;)
 
@@ -29464,7 +28104,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Cl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)"; flow:established,to_server; http.user_agent; content:"MSDW"; depth:4; isdataat:!1,relative; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; classtype:unknown; sid:2027389; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; http.uri; content:"/dns/dnslookup?la=en&host="; fast_pattern; content:"&type=A&submit=Resolve"; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0.1|3b 20|"; depth:37; content:"WININET 5.0)"; isdataat:!1,relative; http.host; content:"www.dnswatch.info"; classtype:trojan-activity; sid:2014359; rev:8; metadata:created_at 2012_03_09, updated_at 2019_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; http.uri; content:"/dns/dnslookup?la=en&host="; fast_pattern; content:"&type=A&submit=Resolve"; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0.1|3b 20|"; depth:37; content:"WININET 5.0)"; isdataat:!1,relative; http.host; content:"www.dnswatch.info"; classtype:trojan-activity; sid:2014359; rev:8; metadata:created_at 2012_03_10, updated_at 2019_10_16;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (IExplorer 34)"; flow:established,to_server; http.user_agent; content:"IExplorer 34"; bsize:12; classtype:bad-unknown; sid:2028834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2019_10_16;)
 
@@ -29472,19 +28112,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checki
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (reqwest/)"; flow:established,to_server; http.user_agent; content:"reqwest/"; depth:8; reference:md5,be59ae5fab354d29e53f11a08d805db7; classtype:bad-unknown; sid:2028842; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2019_10_16;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dyre Downloading Mailer"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36|0d 0a|Host|3a|"; depth:132; http_header; fast_pattern:50,20; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RH"; pcre:"/\.tar$/U"; classtype:trojan-activity; sid:2020308; rev:4; metadata:created_at 2015_01_26, former_category MALWARE, updated_at 2020_08_20;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Download Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"DownloadTracKRecord"; content:"<mac>"; distance:0; content:"<prgname>"; distance:0; content:"<cpuid>"; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Install Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"SSCSM_TraceRecord"; content:"<prgname>"; distance:0; content:"<macid>"; distance:0; content:"<cpuid>"; distance:0; content:"<sysname>"; distance:0; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; http.user_agent; content:"Java/"; nocase; pcre:"/^\d\d?\.\d/Ri"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:13; metadata:created_at 2010_07_30, updated_at 2019_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious UA (Windows)"; flow:established,to_server;  http.user_agent; content:"Windows"; bsize:7; http.header; content:"User-Agent|3a 20|Windows|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028879; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_08_20;)
-
 alert smtp $HOME_NET any -> any any (msg:"ET MALWARE Unk Spam Bot Template 1 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|"; pcre:"/^(?:Cek\x20This|miss\x20[A-Za-z0-9]{2,20}|[A-Za-z0-9]{2,20}Porn)\r\n/R"; content:".scr|22 0d 0a 0d 0a|TVqQ"; distance:0; fast_pattern; classtype:trojan-activity; sid:2028892; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_10_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:28; content:"CN=cloudcitytechnologies.com"; reference:md5,9a23881abe27dc70ca42597a1e1de354; classtype:command-and-control; sid:2028894; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_10_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:28; content:"CN=cloudcitytechnologies.com"; reference:md5,9a23881abe27dc70ca42597a1e1de354; classtype:domain-c2; sid:2028894; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobInt CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=fraud-bank.host"; nocase; endswith; classtype:domain-c2; sid:2028905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_23, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, updated_at 2019_10_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobInt CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=fraud-bank.host"; nocase; endswith; classtype:domain-c2; sid:2028905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_23, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 HTTP Flood Command Inbound"; flow:established,from_server; dsize:<50; content:"Lmh0dHA"; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027842; rev:2; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_10_23;)
 
@@ -29498,7 +28138,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Diezen CnC Ch
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Diezen CnC Checkin M1"; flow:established,to_server; dsize:<400; content:"|40|"; startswith; content:"|40|ID|3a 40|"; distance:0; fast_pattern; content:"|40 20 2d 3e 20|"; distance:0; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:command-and-control; sid:2028908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, malware_family Sakabota, malware_family Diezen, performance_impact Low, signature_severity Major, updated_at 2019_10_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL) 2019-10-24"; flow:established,to_client; tls.cert_subject; bsize:20; content:"CN=www.daftstone.top"; fast_pattern; reference:md5,8868702fb1825a9848eb3dd160a7bea3; classtype:domain-c2; sid:2028911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL) 2019-10-24"; flow:established,to_client; tls.cert_subject; bsize:20; content:"CN=www.daftstone.top"; fast_pattern; reference:md5,8868702fb1825a9848eb3dd160a7bea3; classtype:domain-c2; sid:2028911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR Consensus Data Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tor/status-vote/current/consensus"; depth:34; classtype:policy-violation; sid:2028914; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_28;)
 
@@ -29558,7 +28198,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malwar
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Gootkit"; ja3_hash; content:"c6e36d272db78ba559429e3d845606d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028374; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Java Based RAT"; ja3_hash; content:"187dfde7edc8ceddccd3deeccc21daeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028375; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Java Based RAT"; ja3_hash; content:"187dfde7edc8ceddccd3deeccc21daeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028375; rev:2; metadata:created_at 2019_09_10, deprecation_reason False_Positive, former_category JA3, updated_at 2019_10_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Malspam"; ja3_hash; content:"243a279e5aaae8841edf46d00c05195e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028376; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
@@ -29584,11 +28224,11 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malwar
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"2d44457ca7a1e0e754664c8469ce62a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028387; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"bafc6b01eae6f4350f5db6805ace208e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028388; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malfams"; ja3_hash; content:"bafc6b01eae6f4350f5db6805ace208e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028388; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - TBot / Skynet Tor Botnet"; ja3_hash; content:"b50f81ae37fb467713e167137cf14540"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028389; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Trickbot"; ja3_hash; content:"294b2f1dc22c6e6c3231d2fe311d504b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028390; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Trickbot"; ja3_hash; content:"294b2f1dc22c6e6c3231d2fe311d504b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028390; rev:2; metadata:created_at 2019_09_10, former_category JA3, malware_family TrickBot, updated_at 2019_10_29;)
 
 #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex"; ja3_hash; content:"b9103d9d134e0c59cafbe4ae0a8299a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028391; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
@@ -29598,7 +28238,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malwar
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"92579701f145605e9edc0b01a901c6d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028394; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Eitest"; ja3_hash; content:"1074895078955b2db60423ed2bf8ac23"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028395; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Eitest"; ja3_hash; content:"1074895078955b2db60423ed2bf8ac23"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028395; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various EK"; ja3_hash; content:"51a7ad14509fd614c7bb3a50c4982b8c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028396; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
@@ -29630,7 +28270,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Poss
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Quakbot"; ja3_hash; content:"7dd50e112cd23734a310b90f6f44a7cd"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028759; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028760; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028760; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category JA3, signature_severity Major, tag Ransomware, updated_at 2019_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gootkit"; ja3_hash; content:"c5235d3a8b9934b7fbbd204d50bc058d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028761; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
@@ -29728,7 +28368,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Poss
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028808; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Ransomware"; ja3_hash; content:"2d8794cb7b52b777bee2695e79c15760"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028809; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Ransomware"; ja3_hash; content:"2d8794cb7b52b777bee2695e79c15760"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028809; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category JA3, signature_severity Major, tag Ransomware, updated_at 2019_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"fd80fa9c6120cdeea8520510f3c644ac"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028810; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
@@ -29774,7 +28414,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID WebSocket Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data3.php?"; startswith; fast_pattern; pcre:"/^[0-9A-F]{16}$/R"; http.header; content:"|0d 0a|Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http.header_names; content:"|0d 0a|Host|0d 0a|Upgrade|0d 0a|Connection|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a 0d 0a|"; reference:md5,977a264f70acf703333f298019c3abd4; classtype:command-and-control; sid:2028955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
 
-#alert udp $HOME_NET any -> $HOME_NET 7 (msg:"ET DELETED Ryuk Wake-on-LAN Packet Observed"; dsize:<200; content:"|ff ff ff ff ff ff|"; startswith; fast_pattern; pcre:"/^(?P<mac_addr>[\x00-\xff]{6})(?P=mac_addr){2,}$/R"; reference:url,www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/; classtype:command-and-control; sid:2028943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_05, deployment Internal, former_category MALWARE, malware_family Ryuk, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
+#alert udp $HOME_NET any -> $HOME_NET 7 (msg:"ET DELETED Ryuk Wake-on-LAN Packet Observed"; dsize:<200; content:"|ff ff ff ff ff ff|"; startswith; fast_pattern; pcre:"/^(?P<mac_addr>[\x00-\xff]{6})(?P=mac_addr){2,}$/R"; reference:url,www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/; classtype:command-and-control; sid:2028943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_05, deployment Internal, former_category MALWARE, malware_family Ransomware, malware_family Ryuk, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AHK Downloader Request Structure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/traff.php"; endswith; fast_pattern; http.user_agent; content:"AutoHotkey"; bsize:10; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2028956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Minor, tag Downloader, updated_at 2019_11_08;)
 
@@ -29786,27 +28426,25 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Ti
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Proxy Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/proxy"; fast_pattern; endswith; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; content:!"Cache-Control"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:4; metadata:created_at 2015_05_21, updated_at 2019_11_11;)
 
-alert smb any any -> $HOME_NET any (msg:"ET MALWARE CobaltStrike SMB P2P Default Msagent Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"m|00|s|00|a|00|g|00|e|00|n|00|t|00|_|00|"; nocase; distance:0; fast_pattern; content:!"s|00|p|00|_|00|M|00|S|00|a|00|g|00|e|00|n|00|t|00|_|00|"; reference:url,blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/; reference:url,www.cobaltstrike.com/help-malleable-c2; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:targeted-activity; sid:2027325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_11_12;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Initial Connection and Report"; flow:established,to_server; flowbits:isnotset,BE.Bandook1.35; dsize:<200; content:"|cf 8f 80 9b 9a 9d cf|"; depth:7; content:"|20 26 26 26|"; distance:50; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:command-and-control; sid:2003555; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2019_11_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AnteFrigus Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"|20|Gb</br>"; endswith; http.header; content:"|20|Gb</br>|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache"; content:!"Referer"; reference:md5,b34f1592bce63de77b87d1e61bce66e5; classtype:command-and-control; sid:2028966; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_11_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AnteFrigus Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"|20|Gb</br>"; endswith; http.header; content:"|20|Gb</br>|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache"; content:!"Referer"; reference:md5,b34f1592bce63de77b87d1e61bce66e5; classtype:command-and-control; sid:2028966; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_11_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Landing"; flow:established,to_client; file_data; content:"<!DOCTYPE html>|0d 0a|<html>|0d 0a|<head>|0d 0a|<meta charset =|20 22|UTF-8|22|>|0d 0a|<script>|0d 0a|if (window.ActiveXObject|20 7c 7c 20 22|ActiveXObject|22 20|in window){"; within:200; fast_pattern; content:"</html>|0d 0a|<body>|0d 0a|</body>"; distance:0; isdataat:!1,relative; classtype:exploit-kit; sid:2028974; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_14;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Landing - Various Exploits"; flow:established,to_client; file_data; content:"<!DOCTYPE html>|0d 0a|<html>|0d 0a|<head>|0d 0a|<meta charset =|20 22|UTF-8|22|>|0d 0a|<title></title>|0d 0a|<embed src=|22|"; content:".swf|22|></embed>|0d 0a|"; content:"if (window.ActiveXObject|20 7c 7c 20 22|ActiveXObject|22 20|in window){|0d 0a|document.write(unescape("; fast_pattern; classtype:exploit-kit; sid:2028975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2019_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M1"; flow:established,to_server; content:"GET"; http_method; content:".swf"; http_uri; isdataat:!1,relative; content:"contype"; http_user_agent; fast_pattern; depth:7; isdataat:!1,relative; content:"__cfduid="; http_cookie; depth:9; content:!".maxmind.com"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cookie|0d 0a 0d 0a|"; depth:38; isdataat:!1,relative; classtype:exploit-kit; sid:2028972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; urilen:>175; http.uri; content:".php?info=MzE4TZT-"; fast_pattern; http.accept_lang; content:"ko-KR,ko|3b|"; startswith; http.header; content:"upgrade-insecure-requests|3a 20|1|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,12e9b4bbe894ab0bf357182a11d4c535; classtype:command-and-control; sid:2031916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2019_11_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M1"; flow:established,to_server; content:"GET"; http_method; content:".swf"; http_uri; isdataat:!1,relative; content:"contype"; http_user_agent; fast_pattern; depth:7; isdataat:!1,relative; content:"__cfduid="; http_cookie; depth:9; content:!".maxmind.com"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cookie|0d 0a 0d 0a|"; depth:38; isdataat:!1,relative; classtype:exploit-kit; sid:2028972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_15;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo Download Payload Landing"; flow:established,to_client; file_data; content:"<title>Please, wait...</title>"; nocase; content:"dgduehue()|3b|"; nocase; distance:0; fast_pattern; content:"catch ("; nocase; distance:0; classtype:trojan-activity; sid:2028866; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Major, updated_at 2019_11_15;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (system_file/2.0)"; flow:established,to_server; content:"system_file/2.0"; http.user_agent; bsize:15; classtype:bad-unknown; sid:2028983; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_11_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/1xxbot CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|<EOM>Windows|20|"; startswith; fast_pattern; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOF>"; distance:0; endswith; reference:md5,9eb50c6cdb59d11b01ca9f069e8ba79d; classtype:command-and-control; sid:2028984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family 1xxbot, signature_severity Major, updated_at 2019_11_15;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-11-15)"; flow:established,to_client; tls.cert_subject; content:"CN=sd1-bin.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028985; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-11-15)"; flow:established,to_client; tls.cert_subject; content:"CN=sd1-bin.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028985; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=reawk.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=reawk.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobInt CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"adminassistance.info"; bsize:20; classtype:domain-c2; sid:2028987; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
 
@@ -29814,15 +28452,15 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobInt Cn
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperSocialat Plugin Backdoor Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content"; startswith; content:"/plugins/super-socialat/super_socialat.php?dl="; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:command-and-control; sid:2028992; rev:1; metadata:affected_product Wordpress_Plugins, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC) 2019-11-18"; flow:established,to_client; tls.cert_subject; content:"CN=solvents.ru"; bsize:14; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,e54cbf645b0840c0dd1f212f42cd47fd; classtype:command-and-control; sid:2029001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_11_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC) 2019-11-18"; flow:established,to_client; tls.cert_subject; content:"CN=solvents.ru"; bsize:14; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,e54cbf645b0840c0dd1f212f42cd47fd; classtype:domain-c2; sid:2029001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent Tesla SMTP Clipboard Exfil"; flow:established,to_server; content:"|0d 0a|Time|3a 20|"; content:"<br>User Name|3a 20|"; distance:0; content:"<br>Computer Name|3a 20|"; distance:0; content:"<br>OSFullName|3a|"; distance:0; fast_pattern; content:"<br>CPU|3a 20|"; distance:0; content:"[clipboard]"; distance:0; reference:md5,1632ccd7936d495534257505c8811ece; classtype:trojan-activity; sid:2029002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2019_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=crabbedly.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029005; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, updated_at 2019_11_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=crabbedly.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029005; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=craypot.live"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029006; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, updated_at 2019_11_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=craypot.live"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029006; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=indagator.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029007; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, updated_at 2019_11_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=indagator.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029007; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell - RDP Credential Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/report.json?type=rdp&ip="; startswith; fast_pattern; content:"&pass="; distance:0; content:"&t="; distance:0; reference:url,news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/; classtype:command-and-control; sid:2029014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_20;)
 
@@ -29844,9 +28482,9 @@ alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating w
 
 alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 5"; dsize:69; content:"|00 00 00 00 02 B3 E5 B3 D6 E6 DE 7C 7D 79 40 A5 4F D9 B0 AC 7B 2D C6 CE 69 EF F3 C4 58 F2 98 A8 92 DF 92 9E 0E|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029046; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443,9000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:to_server,established; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!8,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2017938; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:md5,0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:5; metadata:created_at 2011_03_28, updated_at 2019_11_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cyborg Ransomware - Downloading Desktop Background"; flow:established,to_client; http.stat_code; content:"200"; http.server; bsize:8; content:"HotCores"; http.content_type; bsize:10; content:"image/jpeg"; http.header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|22|Cyborg_DECRYPT.jpg|22 0d 0a|"; fast_pattern; reference:md5,2505b0efde03f5d3c66984e6f7c5bcc1; classtype:trojan-activity; sid:2029052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cyborg Ransomware - Downloading Desktop Background"; flow:established,to_client; http.stat_code; content:"200"; http.server; bsize:8; content:"HotCores"; http.content_type; bsize:10; content:"image/jpeg"; http.header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|22|Cyborg_DECRYPT.jpg|22 0d 0a|"; fast_pattern; reference:md5,2505b0efde03f5d3c66984e6f7c5bcc1; classtype:trojan-activity; sid:2029052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_11_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.beahh.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029056; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
 
@@ -29858,29 +28496,25 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.B
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?m22="; startswith; content:"&m12=&m21="; distance:7; within:10; content:"&m9=&m16=0&m1="; distance:32; within:14; fast_pattern; reference:md5,6b540ba2fc2e606e9e2c8b72818caa28; classtype:pup-activity; sid:2029076; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_11_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls_cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029003; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_19, former_category MALWARE, signature_severity Major, updated_at 2019_12_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls_cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029003; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_19, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2019_12_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=sarymar.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029083; rev:1; metadata:attack_target DNS_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VNCStartServer USR Variant CnC Beacon"; flow:established,to_server; dsize:<100; content:"|00 00 00 19 00 00 00|"; offset:1; depth:7; content:"|01 00 00|"; distance:1; within:3; content:"USR-"; distance:1; within:4; fast_pattern; content:"|00|"; endswith; reference:md5,d66956e0ee70a60e19a4f310339d28a9; classtype:command-and-control; sid:2035523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_12_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=benreat.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029084; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=sarymar.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029083; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=planlamaison.com"; bsize:19; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029085; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=benreat.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029084; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=teamchuan.com"; bsize:16; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029086; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=planlamaison.com"; bsize:19; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029085; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=tedxns.com"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029087; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=teamchuan.com"; bsize:16; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029086; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=athery.bit"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029088; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=tedxns.com"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029087; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=babloom.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029089; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=athery.bit"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029088; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=floppys.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029090; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, updated_at 2019_12_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=babloom.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029089; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Reporting Error to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=hmo"; distance:0; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2019_12_02;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=A1f"; distance:0; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2019_12_02;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; distance:0; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_12_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=floppys.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029090; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.request_body; content:"Webcookie="; startswith; pcre:"/^[a-z0-9/%=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:md5,c2262e46153ac59a72bcb96a35c262da; classtype:command-and-control; sid:2029097; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, signature_severity Major, updated_at 2019_12_05;)
 
@@ -29888,11 +28522,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PrivaZer Check
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.COG Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mUser.php"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"HWID="; startswith; content:"&USER="; distance:8; within:6; content:"&VER="; distance:0; content:"&TYPE="; distance:0; isdataat:!2,relative; reference:md5,f60c87a80ff2d2fe7e83667a4106e63f; classtype:pup-activity; sid:2029099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Email Account Phish 2019-12-10"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?yasse="; fast_pattern; content:"&upw="; distance:0; content:"&hidCflag="; distance:0; http.header_names; content:!"Referer"; reference:url,isc.sans.edu/forums/diary/Phishing+with+a+selfcontained+credentialsstealing+webpage/25580/; classtype:credential-theft; sid:2029105; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Email Account Phish 2019-12-10"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?yasse="; fast_pattern; content:"&upw="; distance:0; content:"&hidCflag="; distance:0; http.header_names; content:!"Referer"; reference:url,isc.sans.edu/forums/diary/Phishing+with+a+selfcontained+credentialsstealing+webpage/25580/; classtype:credential-theft; sid:2029105; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Started"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|started|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029103; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2019_12_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Started"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|started|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029103; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, updated_at 2019_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JsOutProx CnC Activity - Outbound"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"5f7c5f"; depth:35; content:"5f7c5f"; distance:72; within:6; content:"5f7c5f4d6963726f736f66742057696e646f7773"; distance:0; fast_pattern; http.content_type; content:"x-www-form-urlencoded"; nocase; threshold:type limit, track by_dst, count 1, seconds 30; classtype:command-and-control; sid:2034289; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family jsoutprox, signature_severity Major, tag RAT, updated_at 2019_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Finished"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|finished|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; distance:0; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029104; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, updated_at 2019_12_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JsOutProx CnC Activity - Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; bsize:<30; content:"5f7c5f"; endswith; fast_pattern; http.content_type; content:"image/jpeg"; bsize:10; threshold:type limit, track by_src, count 1, seconds 30; classtype:command-and-control; sid:2034290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family jsoutprox, signature_severity Major, tag RAT, updated_at 2019_12_10;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Bundalore Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ioffers.tar.gz?ts="; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c; classtype:pup-activity; sid:2029106; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Bundalore, signature_severity Minor, updated_at 2019_12_11;)
 
@@ -29922,25 +28558,25 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Browser
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Trojan.AndroidOS.Jocker.snt 1"; ja3_hash; content:"2f514a024266e9e8d11f10e779168579"; reference:md5,68841dcaf26d83fc1c2f955e9e363a65; classtype:trojan-activity; sid:2029150; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_12_16, deployment Perimeter, former_category JA3, signature_severity Critical, tag Android, updated_at 2019_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ShivaGood Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ip="; startswith; content:"&pcname="; distance:0; content:"&username="; distance:0; content:"&privatekey="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,ee732410b7389a047177b2e730742f8d; classtype:command-and-control; sid:2029177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family ShivaGood, signature_severity Major, updated_at 2019_12_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ShivaGood Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ip="; startswith; content:"&pcname="; distance:0; content:"&username="; distance:0; content:"&privatekey="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,ee732410b7389a047177b2e730742f8d; classtype:command-and-control; sid:2029177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family ShivaGood, signature_severity Major, tag Ransomware, updated_at 2019_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap1-acl.net"; nocase; endswith; reference:md5,9d71bc8643b0e309ea1d91903aea6555; classtype:domain-c2; sid:2029182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, signature_severity Major, updated_at 2019_12_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap1-acl.net"; nocase; endswith; reference:md5,9d71bc8643b0e309ea1d91903aea6555; classtype:domain-c2; sid:2029182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DiamondFox HTTP Post CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"="; offset:3; depth:1; content:"&q="; distance:0; content:"&proc="; distance:0; content:"&soft="; distance:0; content:"&rt="; distance:0; content:"&er="; distance:0; isdataat:!2,relative; http.header_names; content:!"Referer"; reference:url,twitter.com/ViriBack/status/1203337492386082816; reference:md5,17a1f7e98731df9b74b98accb650d50e; classtype:command-and-control; sid:2029144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family DiamondFox, performance_impact Moderate, signature_severity Major, updated_at 2019_12_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MailerBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"PHPSESSID="; startswith; isdataat:!35,relative; http.request_body; content:"status=0"; bsize:8; fast_pattern; http.header_names; content:!"Referer"; reference:md5,33ae450f091a57c042e9dd99800ff6c8; classtype:command-and-control; sid:2029183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family MailerBot, signature_severity Major, updated_at 2019_12_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; http.uri; content:"/appscan_fingerprint/mac_address"; nocase; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:8; metadata:created_at 2010_07_30, updated_at 2019_12_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; http.uri; content:"/appscan_fingerprint/mac_address"; nocase; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:8; metadata:created_at 2010_07_30, updated_at 2019_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - free .ipwhois .io "; flow:established,to_server; http.method; content:"GET"; http.host; content:"free.ipwhois.io"; fast_pattern; classtype:external-ip-check; sid:2029185; rev:2; metadata:created_at 2019_12_20, former_category POLICY, tag IP_address_lookup_website, updated_at 2019_12_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - free .ipwhois .io"; flow:established,to_server; http.method; content:"GET"; http.host; content:"free.ipwhois.io"; fast_pattern; classtype:external-ip-check; sid:2029185; rev:2; metadata:created_at 2019_12_20, former_category POLICY, tag IP_address_lookup_website, updated_at 2019_12_20;)
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallDisck SMTP Checkin"; flow:established,to_server; content:"Subject: PCInfo:"; fast_pattern; content:"<li>User Name:<b>"; content:"PC Name:<b>"; distance:0; content:"<li>Proxy:<b>"; distance:0; content:"Gateway:<b>"; distance:0; reference:md5,b79640ae0cf9f3ad58b14c15c50f3de3; classtype:pup-activity; sid:2029186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=full.newcontest.xyz"; nocase; endswith; classtype:domain-c2; sid:2029184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2019_12_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=full.newcontest.xyz"; nocase; endswith; classtype:domain-c2; sid:2029184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak <v20 Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|BODYdmFyIGNvbmZpZyA9IHsNCiA"; startswith; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029194; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak <v20 Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|BODYdmFyIGNvbmZpZyA9IHsNCiA"; startswith; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029194; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_bm9uY2U9"; fast_pattern; content:"dmVyc2lvbj"; distance:45; content:".html"; endswith; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_bm9uY2U9"; fast_pattern; content:"dmVyc2lvbj"; distance:45; content:".html"; endswith; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak - Stage 2 - Response - Task"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|TASK|2d 2d|"; startswith; content:"|2d 2d|TVq"; distance:0; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
@@ -29954,15 +28590,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak - Plu
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Possible XServer Backdoor Certificate Observed"; flow:established,to_server; content:"|16|"; depth:1; content:"|55 04 06|"; distance:0; content:"|02|US|31|"; distance:1; within:4; content:"|55 04 08|"; distance:0; content:"|02|BA|31|"; distance:1; within:4; content:"|55 04 0a|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; content:"|55 04 0b|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; fast_pattern; content:"|55 04 03|"; distance:0; content:"|04|Root|30|"; distance:1; within:6; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hidrofilms.com"; bsize:17; fast_pattern; reference:url,twitter.com/prsecurity_/status/1209710600994996224; classtype:domain-c2; sid:2029200; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hidrofilms.com"; bsize:17; fast_pattern; reference:url,twitter.com/prsecurity_/status/1209710600994996224; classtype:domain-c2; sid:2029200; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_26, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?command="; content:"&vicID="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Requesting Command"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand.php?id="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; content:!"Referer"; threshold:type both, track by_src, count 30, seconds 60; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029180; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vicID="; fast_pattern; content:"name="; content:"&os="; content:"&antivirus="; content:"&status="; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Upatre CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=vcomdesign.com"; bsize:17; fast_pattern; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_27, deployment Perimeter, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Upatre CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=vcomdesign.com"; bsize:17; fast_pattern; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Upatre CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"poweruphosting.com"; bsize:18; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_27, deployment Perimeter, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_27;)
 
@@ -29970,7 +28604,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Download
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.G Variant Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/1/dg/3/error"; http.request_body; content:"{|22|ApplicationName|22 3a 22|"; startswith; reference:md5,c48e6befa893cb771f0d7b6215240856; classtype:pup-activity; sid:2029211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_12_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029214; rev:1; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_01_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029214; rev:1; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_01_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ViSystem CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; fast_pattern; content:"&pwd="; content:"&cc="; content:"&fz="; content:"&df="; content:"&wlt="; http.header_names; content:!"Referer"; reference:md5,9b0aa282698db89034d254076dd03e26; classtype:command-and-control; sid:2029212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, former_category MALWARE, malware_family ViSystem, signature_severity Major, updated_at 2019_12_31;)
 
@@ -29978,17 +28612,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lampion CnC Activ
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Operation Blue Estimate CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"_log.txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|0010::20"; fast_pattern; distance:12; within:62; reference:url,blog.alyac.co.kr/2645; classtype:command-and-control; sid:2029222; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_01_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize:<150; content:"|7b 22 54 79 70 65 22 3a 22 45 6e 63 72 79 70 74 69 6f 6e 53 74 61 74 75 73 22 2c 22 53 74 61 74 75 73 22 3a|"; fast_pattern; depth:80; content:"|7d|"; distance:0; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2020_01_02;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Checkin"; flow:established,to_server; content:"|7b 22 54 79 70 65 22 3a 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 2c 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 3a 22 43 6c 69 65 6e 74 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:80; content:"|22 2c 22 42 6f 74 4e 61 6d 65 22 3a 22|"; distance:0; content:"|22 2c 22 42 6f 74 4f 53 22 3a 22|"; distance:0; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Keep-Alive"; flow:established,from_server; dsize:<100; content:"|7b 22 54 79 70 65 22 3a 22 53 65 73 73 69 6f 6e 49 44 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:50; content:"|7d|"; distance:0; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2020_01_02;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlo-analytics.com"; classtype:domain-c2; sid:2029225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlc-analytics.net"; classtype:domain-c2; sid:2029228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeoticus Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"supersecretstring?babyDontHeartMe="; depth:40; fast_pattern; http.user_agent; bsize:3; content:"DxD"; reference:url,twitter.com/siri_urz/status/1212724059277914112; classtype:command-and-control; sid:2029231; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag Ransomware, updated_at 2020_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeoticus Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"supersecretstring?babyDontHeartMe="; depth:40; fast_pattern; http.user_agent; bsize:3; content:"DxD"; reference:url,twitter.com/siri_urz/status/1212724059277914112; classtype:command-and-control; sid:2029231; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (DxD)"; flow:established,to_server; http.user_agent; bsize:3; content:"DxD"; fast_pattern; classtype:bad-unknown; sid:2029232; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_01_06;)
 
@@ -29998,7 +28628,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Steal
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; bsize:49; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; content:"|0d 0a|PK"; distance:0; content:"screenshot.jpg"; distance:0; http.header_names; content:!"Referer"; reference:md5,6c8357280b50bb1808ec77b0292eb22b; classtype:command-and-control; sid:2029236; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Oski, signature_severity Major, updated_at 2020_01_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magician/M461c14n Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup?c="; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; http.protocol; content:"1.0"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,4839223e68ed38639186038f9b07ef67; classtype:command-and-control; sid:2029237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Magician, signature_severity Major, updated_at 2020_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magician/M461c14n Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup?c="; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; http.protocol; content:"1.0"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,4839223e68ed38639186038f9b07ef67; classtype:command-and-control; sid:2029237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Magician, signature_severity Major, tag Ransomware, updated_at 2020_01_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.NZK Variant"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info=ID:__"; content:"__Key1:__"; distance:0; content:"__Key2:__"; distance:0; reference:md5,c7bbff934bd89ad39e98e2746c6e8af2; reference:url,twitter.com/GrujaRS/status/1214680560834162690; classtype:command-and-control; sid:2029240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_01_08;)
 
@@ -30008,7 +28638,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTr
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=explorer!"; fast_pattern; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"=Microsoft+Windows+"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=portofino.ug"; bsize:15; fast_pattern; reference:url,twitter.com/lazyactivist192/status/1214662422683885569; reference:md5,49a5cf0633b40d89b139ad3df85778c5; classtype:domain-c2; sid:2029245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=portofino.ug"; bsize:15; fast_pattern; reference:url,twitter.com/lazyactivist192/status/1214662422683885569; reference:md5,49a5cf0633b40d89b139ad3df85778c5; classtype:domain-c2; sid:2029245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"google-download.com"; nocase; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
@@ -30032,9 +28662,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task C
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Answer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3="; startswith; content:"&p5="; distance:0; content:"&p=a&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Satan/5ss5c Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:40; within:6; content:"&size="; distance:0; content:"&status="; distance:0; content:"&keyhash="; fast_pattern; reference:md5,853358339279b590fb1c40c3dc0cdb72; reference:url,twitter.com/jishuzhain/status/1216368394485800961; classtype:command-and-control; sid:2029269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, performance_impact Moderate, signature_severity Major, updated_at 2020_01_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Satan/5ss5c Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:40; within:6; content:"&size="; distance:0; content:"&status="; distance:0; content:"&keyhash="; fast_pattern; reference:md5,853358339279b590fb1c40c3dc0cdb72; reference:url,twitter.com/jishuzhain/status/1216368394485800961; classtype:command-and-control; sid:2029269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, signature_severity Major, tag Ransomware, updated_at 2020_01_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)"; flow:established,to_client; tls.cert_subject; content:"CN=*.lakeshoreemployeetestingservices.com"; nocase; endswith; reference:md5,24a4c5f5033d7f399464df05a072012c; classtype:domain-c2; sid:2029256; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_01_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)"; flow:established,to_client; tls.cert_subject; content:"CN=*.lakeshoreemployeetestingservices.com"; nocase; endswith; reference:md5,24a4c5f5033d7f399464df05a072012c; classtype:social-engineering; sid:2029256; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Known Key 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p1=P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
@@ -30068,19 +28698,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Ac
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M5"; flow:established,to_server; urilen:<20; http.method; content:"GET"; http.uri; content:"/ixlive.php?uid="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; pcre:"/^[A-Za-z0-9\/\.=]{250,}$/R"; http.user_agent; content:"Naruto Uzumake"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:command-and-control; sid:2029290; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, updated_at 2020_01_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; pcre:"/^[A-Za-z0-9\/\.=]{250,}$/R"; http.user_agent; content:"Naruto Uzumake"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:command-and-control; sid:2029290; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Nemty Ransomware Payment Page"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<title>Ransom</title>"; content:">Your files are encrypted?<"; distance:0; content:">Upload NEMTY_"; distance:0; fast_pattern; classtype:trojan-activity; sid:2029291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, updated_at 2020_01_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Nemty Ransomware Payment Page"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<title>Ransom</title>"; content:">Your files are encrypted?<"; distance:0; content:">Upload NEMTY_"; distance:0; fast_pattern; classtype:trojan-activity; sid:2029291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware Payment Page ID File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|userfile|22 3b 20|filename=|22|NEMTY_"; fast_pattern; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:trojan-activity; sid:2029292; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, updated_at 2020_01_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware Payment Page ID File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|userfile|22 3b 20|filename=|22|NEMTY_"; fast_pattern; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:trojan-activity; sid:2029292; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=borrdrillling.com"; bsize:20; fast_pattern; reference:md5,0407b500adcaafe09cc3280d6d02794f; classtype:domain-c2; sid:2029295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=borrdrillling.com"; bsize:20; fast_pattern; reference:md5,0407b500adcaafe09cc3280d6d02794f; classtype:domain-c2; sid:2029295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Adzq41ceq52e353512hSfj"; fast_pattern; http.request_body; content:"key|3a|"; startswith; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|payload|22 3b 20|filename=|22|payload|22 0d 0a 0d 0a|PK"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029294; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=az.borrdrillling.com"; bsize:23; fast_pattern; reference:md5,7ad0081f61002bf67b852dc5d212f2e4; classtype:domain-c2; sid:2029296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=az.borrdrillling.com"; bsize:23; fast_pattern; reference:md5,7ad0081f61002bf67b852dc5d212f2e4; classtype:domain-c2; sid:2029296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_22;)
 
@@ -30096,11 +28726,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Defaul
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik - IRC CnC Checkin"; flow:established,to_server; dsize:<250; content:"NICK|20|"; startswith; content:"|0a|USER|20|muhstik"; distance:0; content:"|20 3a|muhstik-"; distance:0; fast_pattern; pcre:"/^\d+\x0a$/R"; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:command-and-control; sid:2029319; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family Muhstik, performance_impact Low, signature_severity Major, tag IRC, updated_at 2020_01_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:".php?"; content:"=ID:_"; distance:0; content:"___Key|3a|___"; distance:0; fast_pattern; http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:".php?"; content:"=ID:_"; distance:0; content:"___Key|3a|___"; distance:0; fast_pattern; http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M2"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"data.php?info="; fast_pattern; pcre:"/^[A-Za-z0-9\?=]{25,}$/Rsi"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, updated_at 2020_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M2"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"data.php?info="; fast_pattern; pcre:"/^[A-Za-z0-9\?=]{25,}$/Rsi"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID:__"; content:"___Key1|3a|___"; content:"___Key2|3a|___"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID:__"; content:"___Key1|3a|___"; content:"___Key2|3a|___"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GeoIP Lookup (nydus.battle.net)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:6; content:"/geoip"; http.host; bsize:16; content:"nydus.battle.net"; fast_pattern; reference:md5,446bed079ec0179e82eab6710d55155f; classtype:policy-violation; sid:2029324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_01_28;)
 
@@ -30112,17 +28742,11 @@ alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys Fil
 
 alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"antivirus-update.top"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/; classtype:domain-c2; sid:2029326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hisoka CnC Domain Observed in DNS Query"; dns.query; content:"google-update.com"; bsize:17; nocase; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029328; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.AdWare.iBryte.C Install "; flow:established,to_server; http.uri; content:"/config/"; startswith; content:"/offers.json"; distance:0; content:"version="; content:"pid=installer&ts="; fast_pattern; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:pup-activity; sid:2018197; rev:4; metadata:created_at 2014_02_28, former_category ADWARE_PUP, updated_at 2020_01_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.AdWare.iBryte.C Install"; flow:established,to_server; http.uri; content:"/config/"; startswith; content:"/offers.json"; distance:0; content:"version="; content:"pid=installer&ts="; fast_pattern; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:pup-activity; sid:2018197; rev:4; metadata:created_at 2014_03_01, former_category ADWARE_PUP, updated_at 2020_01_30;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TLS Handshake Failure"; flow:established,to_client; dsize:7; content:"|15|"; depth:1; content:"|00 02 02 28|"; distance:2; within:4; fast_pattern; classtype:bad-unknown; sid:2029340; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_01_30;)
 
@@ -30142,69 +28766,69 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer Cn
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Agent.NPP CnC Activity"; flow:established,to_server; http.request_line; bsize:27; content:"GET /show/push.txt HTTP/1.0"; fast_pattern; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,0bec370f25d557e6dd64d2e9391f23f4; classtype:pup-activity; sid:2029350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"GET"; http_method; content:"/flow"; fast_pattern; depth:5; http_uri; pcre:"/^\d{1,2}\.php$/UR"; content:".ru"; http_host; isdataat:!1,relative; classtype:exploit-kit; sid:2015897; rev:4; metadata:created_at 2012_11_19, former_category EXPLOIT_KIT, updated_at 2020_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"GET"; http_method; content:"/flow"; fast_pattern; depth:5; http_uri; pcre:"/^\d{1,2}\.php$/UR"; content:".ru"; http_host; isdataat:!1,relative; classtype:exploit-kit; sid:2015897; rev:4; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2020_02_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GreatArcadeHits CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reports/install.php?options="; startswith; fast_pattern; http.user_agent; bsize:9; content:"USERAGENT"; reference:md5,15b2b90540f8b47b3773ce7fe80ae96b; classtype:pup-activity; sid:2029351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoPatronum Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; startswith; content:"&username="; distance:0; content:"&pname="; distance:0; content:"&kid="; distance:0; fast_pattern; content:"&ppath="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,429ba4a470eb2f3c0ce6678745bc8d8e; classtype:command-and-control; sid:2029349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoPatronum Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; startswith; content:"&username="; distance:0; content:"&pname="; distance:0; content:"&kid="; distance:0; fast_pattern; content:"&ppath="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,429ba4a470eb2f3c0ce6678745bc8d8e; classtype:command-and-control; sid:2029349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"finance-usbnc.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029354; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"finance-usbnc.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029354; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"system-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"system-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-issues.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-issues.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"inztaqram.ga"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"inztaqram.ga"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"bahaius.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029358; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"bahaius.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029358; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"malcolmrifkind.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029359; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"malcolmrifkind.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029359; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"instagram-com.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029360; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"instagram-com.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029360; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"recovery-options.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"recovery-options.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"accounts-drive.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"accounts-drive.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"acconut-verify.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"acconut-verify.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-activities.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029364; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-activities.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029364; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"yah00.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"yah00.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-activity-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-activity-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"skynevvs.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"skynevvs.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"drive-accounts.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"drive-accounts.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"cpanel-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"cpanel-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"two-step-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029370; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"two-step-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029370; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"seisolarpros.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"seisolarpros.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"phonechallenges-submit.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029372; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"phonechallenges-submit.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029372; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-service.ddns.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-service.ddns.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"leslettrespersanes.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"leslettrespersanes.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"software-updating-managers.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029375; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"software-updating-managers.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029375; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"niaconucil.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029376; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"niaconucil.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029376; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"w3-schools.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"w3-schools.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"unirsd.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"unirsd.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"isis-online.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"isis-online.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M6 (set)"; flow:established,to_server; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:set,ET.Parallax-6; flowbits:noalert; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M6"; flow:established,to_client; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:isset,ET.Parallax-6; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; reference:url,twitter.com/blackorbird/status/1225002203221393411; classtype:targeted-activity; sid:2029394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; reference:url,twitter.com/blackorbird/status/1225002203221393411; classtype:domain-c2; sid:2029394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 TONEDEAF 2.0 Requesting Commands from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow?ser="; startswith; fast_pattern; pcre:"/^[a-z0-9]{6}$/RUi"; http.user_agent; content:"Windows|20|Phone|20|OS"; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
 
@@ -30216,23 +28840,27 @@ alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MINEBRIDGE/MINEDO
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/cnc/register"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 7d|"; distance:36; within:2; endswith; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Sending Task Results "; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/cnc/tasks/result"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 2c 22|"; distance:36; within:3; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Sending Task Results"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/cnc/tasks/result"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 2c 22|"; distance:36; within:3; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Requesting Task"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/cnc/tasks/request"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 7d|"; distance:36; within:2; endswith; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029397; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; distance:0; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016108; rev:4; metadata:created_at 2012_12_28, updated_at 2020_02_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"Cookie"; http.cookie; content:"prov="; startswith; content:"_ga=GA1.2.9924|3b|_gat=1|3b|__qca=P0-214459"; endswith; reference:url,github.com/xx0hcd/Malleable-C2-Profiles; classtype:command-and-control; sid:2029381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"Cookie"; http.cookie; content:"prov="; startswith; content:"_ga=GA1.2.9924|3b|_gat=1|3b|__qca=P0-214459"; endswith; reference:url,github.com/xx0hcd/Malleable-C2-Profiles; classtype:command-and-control; sid:2029381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Satan Cryptor GeoIP Lookup"; flow:established,to_server; content:"GET /json/ HTTP/1.1|0d 0a|Host|3a 20|extreme-ip-lookup.com|0d 0a|User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a 0d 0a|"; depth:107; isdataat:!1,relative; reference:md5,057aad993a3ef50f6b3ca2db37cb928a; classtype:trojan-activity; sid:2029399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Satan Cryptor GeoIP Lookup"; flow:established,to_server; content:"GET /json/ HTTP/1.1|0d 0a|Host|3a 20|extreme-ip-lookup.com|0d 0a|User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a 0d 0a|"; depth:107; isdataat:!1,relative; reference:md5,057aad993a3ef50f6b3ca2db37cb928a; classtype:trojan-activity; sid:2029399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Wifi Bruter Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/230238982BSBYKDDH938473938HDUI33/index.php"; bsize:43; fast_pattern; http.request_body; content:"c="; startswith; content:"|3a|"; distance:0; http.header_names; content:!"Referer"; reference:url,www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader; classtype:command-and-control; sid:2029398; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_02_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls.cert_subject; content:"C=US, CN=thoughtlibrary.top/L=new york/O=new york/OU=new york/ST=new york/emailAddress=admin@thoughtlibrary.top"; bsize:111; fast_pattern; reference:url,twitter.com/P3pperP0tts/status/1226493807061094406; classtype:domain-c2; sid:2029400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_10, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_02_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls.cert_subject; content:"C=US, CN=thoughtlibrary.top/L=new york/O=new york/OU=new york/ST=new york/emailAddress=admin@thoughtlibrary.top"; bsize:111; fast_pattern; reference:url,twitter.com/P3pperP0tts/status/1226493807061094406; classtype:domain-c2; sid:2029400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015818; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015819; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"GET"; http_method; content:"/stat/load"; http_uri; fast_pattern; content:".php"; http_uri; http_start; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:exploit-kit; sid:2021141; rev:4; metadata:created_at 2015_05_22, updated_at 2020_02_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT40/Dadstache Stage 2 Payload Beacon"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:".png|22 0d 0a|Content-Type: video/JPEG|0d 0a 0d 0a 89 50 4e 47|"; distance:0; fast_pattern; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; reference:md5,9cf5fb135c3cc29e79b2a1c78233934b; classtype:targeted-activity; sid:2029420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT40/Dadstache Stage 2 Payload Beacon"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:".png|22 0d 0a|Content-Type: video/JPEG|0d 0a 0d 0a 89 50 4e 47|"; distance:0; fast_pattern; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; reference:md5,9cf5fb135c3cc29e79b2a1c78233934b; classtype:targeted-activity; sid:2029420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader CnC Checkin (getid)"; flow:to_server; content:"$"; content:"-S-"; distance:0; nocase; content:"|05|getid|00 00 10 00 01|"; distance:0; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
 
@@ -30254,25 +28882,25 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ABBCCoin Acti
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TGI] Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; flowbits:isnotset,ET.entrust_entelligence; http.start; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; reference:url,github.com/fox-it/cobaltstrike-extraneous-space; classtype:trojan-activity; sid:2029425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MoleRAT/Pierogi CnC Response (Command)"; flow:established,to_client; file.data; content:"dfff0a7fa1a55c8c1a4966c19f6da452|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, signature_severity Major, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Command)"; flow:established,to_client; file.data; content:"dfff0a7fa1a55c8c1a4966c19f6da452|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MoleRAT/Pierogi CnC Response (Download)"; flow:established,to_client; file.data; content:"51a7a76a7dd5d9e4651fe3d4c74d16d6|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, signature_severity Major, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Download)"; flow:established,to_client; file.data; content:"51a7a76a7dd5d9e4651fe3d4c74d16d6|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MoleRAT/Pierogi CnC Response (Screenshot)"; flow:established,to_client; file.data; content:"62c92ba585f74ecdbef4c4498a438984|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, signature_severity Major, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Screenshot)"; flow:established,to_client; file.data; content:"62c92ba585f74ecdbef4c4498a438984|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MoleRAT/Pierogi CnC Activity (Upload)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_multipart_boundary|0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|JkjdaEWQTTTu"; fast_pattern; distance:0; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, signature_severity Major, updated_at 2020_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Activity (Upload)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_multipart_boundary|0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|JkjdaEWQTTTu"; fast_pattern; distance:0; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_02_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/GRIFFON CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=landscapesboxdesign9.com"; nocase; endswith; classtype:domain-c2; sid:2029449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, signature_severity Major, updated_at 2020_02_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/GRIFFON CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=landscapesboxdesign9.com"; nocase; endswith; classtype:domain-c2; sid:2029449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X2000M.Agent Checkin Jan 24 2017"; flow:established,to_server; http.user_agent; content:"v7v7v7v7v7v7v7v7v7v7v7v7"; startswith; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=effetka.com"; bsize:14; fast_pattern; reference:url,twitter.com/0xCARNAGE/status/1228109444883664896; classtype:domain-c2; sid:2029469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, malware_family AgentTesla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=effetka.com"; bsize:14; fast_pattern; reference:url,twitter.com/0xCARNAGE/status/1228109444883664896; classtype:domain-c2; sid:2029469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"indox.php?v="; fast_pattern; pcre:"/^(?:pe|pp|s)$/R"; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, signature_severity Major, updated_at 2020_02_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"indox.php?v="; fast_pattern; pcre:"/^(?:pe|pp|s)$/R"; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Exfil"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/scriptPhpServer.php"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, signature_severity Major, updated_at 2020_02_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Exfil"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/scriptPhpServer.php"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Download"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/IERinstal.a"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:trojan-activity; sid:2029452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Download"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/IERinstal.a"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:trojan-activity; sid:2029452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/YTDDownloader.F Activity"; flow:established,to_server; http.request_line; content:"GET /offers/offers.php?id="; startswith; fast_pattern; content:" HTTP/1.0"; endswith; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,a53b0c85d4e65e06c59e854b84ad7f17; classtype:pup-activity; sid:2029470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_14;)
 
@@ -30288,47 +28916,47 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai User-Agent Obser
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin"; flow:established,to_server; flowbits:set,ET.sarwent.1; http.method; content:"GET"; http.uri; content:"/gate/test"; bsize:10; fast_pattern; http.user_agent; content:"Opera"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_02_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Adobe Reader/O=Adobe"; bsize:23; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,e4224469bd75b63fa0cebd33c53b4d85; classtype:command-and-control; sid:2029491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_18;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; distance:0; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Adobe Reader/O=Adobe"; bsize:23; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,e4224469bd75b63fa0cebd33c53b4d85; classtype:domain-c2; sid:2029491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible NK APT SLICKSHOES Host Checkin"; flow:established,to_server; content:"|41 00 70 00 6f 00 6c 00 6c 00 6f 00 5a 00 65 00 75 00 73 00|"; depth:20; fast_pattern; reference:md5,b57db76cc1c0175c4f18ea059d9e2ab2; reference:url,www.us-cert.gov/ncas/analysis-reports/ar20-045b; classtype:targeted-activity; sid:2029478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"session=Host|20|Name|3a|"; startswith; fast_pattern; content:"|0d 0a|OS Name|3a|"; content:"|0d 0a|Registered|20|Owner|3a|"; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"session=Host|20|Name|3a|"; startswith; fast_pattern; content:"|0d 0a|OS Name|3a|"; content:"|0d 0a|Registered|20|Owner|3a|"; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"server_module_name="; fast_pattern; content:"&server_task"; content:"&systemtype="; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029495; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"server_module_name="; fast_pattern; content:"&server_task"; content:"&systemtype="; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029495; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID|3a 20|"; content:"|20 20|Key1|3a 20 20|"; content:"|20 20|Key2|3a 20 20|"; fast_pattern; http.user_agent; bsize:38; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,fc78e6e58352151fb77a4b92f239d381; classtype:command-and-control; sid:2029496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID|3a 20|"; content:"|20 20|Key1|3a 20 20|"; content:"|20 20|Key2|3a 20 20|"; fast_pattern; http.user_agent; bsize:38; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,fc78e6e58352151fb77a4b92f239d381; classtype:command-and-control; sid:2029496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_02_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2"; flow:established,to_server; dsize:<50; content:"keepAlivePing"; startswith; content:"|40 23 25 5e 4e 59 41 4e 23 21 40 24|"; fast_pattern; endswith; reference:md5,2d03cfb7357ab919e35546adc9db167a; reference:md5,c25b797d6737751936766cd50e26d725; reference:url,twitter.com/Srujank48668412/status/1509520095068192780; classtype:command-and-control; sid:2035885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, malware_family Revenge_RAT, signature_severity Major, updated_at 2020_02_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logs/dolodos.php?url=http://"; startswith; fast_pattern; content:"&ref="; distance:0; content:"&ip="; distance:0; content:"&bot="; distance:0; content:"&pck="; distance:0; content:"&uagent="; distance:0; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029497; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//autoindex.php"; endswith; fast_pattern; http.host; content:".ddns.net"; endswith; http.header_names; content:!"Referer"; reference:url,blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/; classtype:trojan-activity; sid:2029500; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_02_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.top"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029510; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.top"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029510; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"pervas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029511; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"pervas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029511; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.icu"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029512; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.icu"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029512; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vtoras.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029513; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vtoras.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029513; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piasuna.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029514; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piasuna.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029514; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tretas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029515; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tretas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029515; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"dolodos.top"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029516; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"dolodos.top"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029516; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"medsource.top"; bsize:13; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029517; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"medsource.top"; bsize:13; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029517; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piastas.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029518; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piastas.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029518; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"semasa.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029519; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"semasa.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029519; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"devata.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029520; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"devata.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029520; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vosmas.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029521; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vosmas.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029521; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?WORD=com_"; fast_pattern; pcre:"/^[0-9A-F]{12,16}/R"; content:"&NOTE="; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; reference:md5,19f24aec5c1017d162e78863cff316fa; classtype:command-and-control; sid:2029453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, signature_severity Major, updated_at 2020_02_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?WORD=com_"; fast_pattern; pcre:"/^[0-9A-F]{12,16}/R"; content:"&NOTE="; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; reference:md5,19f24aec5c1017d162e78863cff316fa; classtype:command-and-control; sid:2029453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; http.uri; content:"/modules.php?"; content:"name="; distance:0; content:"UNION"; distance:0; nocase; content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,www.waraxe.us/?modname=sa&id=036; reference:url,doc.emergingthreats.net/2001202; classtype:web-application-attack; sid:2001202; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_02_20;)
 
@@ -30336,33 +28964,35 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Data
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Download"; flow: established,to_server; http.uri; content:"/requestimpression.aspx?ver="; nocase; content:"host="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:pup-activity; sid:2001992; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_02_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC)"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=www."; startswith; content:"rilns.com"; endswith; fast_pattern; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029522; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, deployment Datacenter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_02_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC)"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=www."; startswith; content:"rilns.com"; endswith; fast_pattern; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029522; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, deployment Datacenter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cnumber="; nocase; content:"cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029685; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cnumber="; nocase; content:"cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029685; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"num="; nocase; content:"&expm"; nocase; content:"&expy"; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029686; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"num="; nocase; content:"&expm"; nocase; content:"&expy"; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029686; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&mm="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029687; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&mm="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029687; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cardnumber="; nocase; content:"&month="; nocase; content:"&year="; nocase; content:"&CVV"; nocase; fast_pattern; classtype:credential-theft; sid:2029688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cardnumber="; nocase; content:"&month="; nocase; content:"&year="; nocase; content:"&CVV"; nocase; fast_pattern; classtype:credential-theft; sid:2029688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&numero_tarjeta="; nocase; content:"&cvv"; nocase; fast_pattern; classtype:credential-theft; sid:2029689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&numero_tarjeta="; nocase; content:"&cvv"; nocase; fast_pattern; classtype:credential-theft; sid:2029689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Card="; nocase; content:"MM="; content:"YY="; content:"CVC="; fast_pattern; classtype:credential-theft; sid:2029690; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Card="; nocase; content:"MM="; content:"YY="; content:"CVC="; fast_pattern; classtype:credential-theft; sid:2029690; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21)"; flow:established,to_client; tls.cert_subject; content:"CN=merystol.xyz"; nocase; endswith; classtype:domain-c2; sid:2029525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_02_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21)"; flow:established,to_client; tls.cert_subject; content:"CN=merystol.xyz"; nocase; endswith; classtype:domain-c2; sid:2029525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 2)"; flow:established,to_client; tls.cert_subject; content:"CN=veqejzkb.xyz"; nocase; endswith; classtype:domain-c2; sid:2029526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_02_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 2)"; flow:established,to_client; tls.cert_subject; content:"CN=veqejzkb.xyz"; nocase; endswith; classtype:domain-c2; sid:2029526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 3)"; flow:established,to_client; tls.cert_subject; content:"CN=doolised.xyz"; nocase; endswith; classtype:domain-c2; sid:2029527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_02_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 3)"; flow:established,to_client; tls.cert_subject; content:"CN=doolised.xyz"; nocase; endswith; classtype:domain-c2; sid:2029527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET"; nocase; depth:4; content:!".newsinc.com"; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_07_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-ware.com"; nocase; endswith; classtype:domain-c2; sid:2029528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_02_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_user_agent; depth:4; nocase; content:"&hdid="; distance:0; nocase; http_user_agent; content:"&wlid="; nocase; distance:0; http_user_agent; content:"&start="; nocase; distance:0; http_user_agent; content:"&os="; nocase; distance:0; http_user_agent; content:"&mem="; nocase; distance:0; http_user_agent; content:"&alive"; nocase; distance:0; http_user_agent; content:"&ver="; nocase; distance:0; http_user_agent; content:"&mode="; nocase; distance:0; http_user_agent; content:"&guid"; distance:0; http_user_agent; content:"&install="; nocase; distance:0; http_user_agent; content:"&auto="; nocase; distance:0; http_user_agent; content:"&serveid"; nocase; distance:0; http_user_agent; content:"&area="; nocase; distance:0; http_user_agent; reference:url,doc.emergingthreats.net/2009541; classtype:trojan-activity; sid:2009541; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_02_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Heartbeat Packet"; flow:established,to_server; dsize:4; content:"|61 63 6b 00|"; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-ware.com"; nocase; endswith; classtype:domain-c2; sid:2029528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Checkin"; flow:established,to_server; content:"|3e 57 69 6e 64 6f 77 73 20|"; fast_pattern; content:"|3e|"; distance:0; content:"|3e|"; distance:0; content:"|20|bits|3e|"; distance:0; content:"|3e|"; distance:0; content:"|3e 00|"; distance:0; isdataat:!1,relative; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Heartbeat Packet"; flow:established,to_server; dsize:4; content:"|61 63 6b 00|"; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Checkin"; flow:established,to_server; content:"|3e 57 69 6e 64 6f 77 73 20|"; fast_pattern; content:"|3e|"; distance:0; content:"|3e|"; distance:0; content:"|20|bits|3e|"; distance:0; content:"|3e|"; distance:0; content:"|3e 00|"; distance:0; isdataat:!1,relative; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?x22="; startswith; content:"&x12=&x21="; distance:7; within:10; content:"&x9=&x16=0&x1="; distance:32; within:14; fast_pattern; reference:md5,6b540ba2fc2e606e9e2c8b72818caa28; classtype:pup-activity; sid:2029531; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_02_25;)
 
@@ -30370,17 +29000,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/RiskWare
 
 alert tcp any any -> $HOME_NET 8009 (msg:"ET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)"; flow:established,to_server; content:"|12 34|"; depth:2; content:"|00 08|HTTP/1.1|00|"; distance:0; content:"javax.servlet.include.path_info|00|"; nocase; distance:0; content:"javax.servlet.include.request_uri|00|"; content:"javax.servlet.include.servlet_path|00|"; reference:cve,2020-1938; reference:url,www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487; classtype:attempted-admin; sid:2029533; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2020_02_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CCnumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; classtype:credential-theft; sid:2029691; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CCnumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; classtype:credential-theft; sid:2029691; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Base64 Encoded potential malware"; flow:established,from_server; file.data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern; content:!"<html"; nocase; content:!"<body"; nocase; content:!"<script"; nocase; reference:url,urlhaus.abuse.ch/url/319004/; classtype:misc-activity; sid:2029538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_26;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Ostap Maldoc Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?g="; content:"&k="; distance:0; content:"&x="; distance:0; content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*"; fast_pattern; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c53393908f80e993366deec605fe7372; classtype:trojan-activity; sid:2029539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Office Phish 2020-02-26"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&submit=Extract+File+Now&sendgo="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029692; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_02_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Office Phish 2020-02-26"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&submit=Extract+File+Now&sendgo="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029692; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mays-ltd.com"; nocase; endswith; classtype:domain-c2; sid:2029537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_02_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/CollectorStealer - Returning Client GeoIP Information"; flow:established,to_client; file_data; content:"IP-address|3a 20|"; depth:12; content:"_=_Country|3a 20|"; distance:0; fast_pattern; content:"_=_City|3a 20|"; distance:0; reference:md5,046dcdb20a8358faadc394e786820dd4; classtype:trojan-activity; sid:2034320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roboto."; fast_pattern; pcre:"/^tt[cf]$/R"; http.user_agent; content:!"Windows"; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029040; rev:2; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2020_02_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mays-ltd.com"; nocase; endswith; classtype:domain-c2; sid:2029537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoLang Discord Token Grabber Exfil"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Go-http-client/"; startswith; http.header; content:"|0d 0a|Sharkflow|3a 20|"; fast_pattern; pcre:"/^(?:mfa\.[\w-]{84}|[\w-]{24}\.[\w-]{6}\.[\w-]{27})\x0d\x0a/R"; reference:url,twitter.com/sysopfb/status/1232830899370242048; reference:md5,1d2c1b88d8ae94c3f994d07451f6cc23; classtype:trojan-activity; sid:2029542; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category MALWARE, malware_family Stealer, performance_impact Low, signature_severity Major, updated_at 2020_02_27;)
 
@@ -30404,7 +29034,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bit.do Shortened Lin
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Bit.do Shortened Link Request to EXE"; flow:established,to_client; flowbits:isset,ET.bit.do.shortener; http.stat_code; content:"30"; depth:2; http.location; content:".exe"; isdataat:!1,relative; classtype:misc-activity; sid:2029550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_02_28;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baraka Ransomware CnC activity email SMTP"; flow:established,to_server; content:"|0d 0a 0d 0a|info=/*****/ Drive|20|"; fast_pattern; content:"&key="; distance:0; content:"&userid="; distance:0; classtype:command-and-control; sid:2029552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_02_28;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baraka Ransomware CnC activity email SMTP"; flow:established,to_server; content:"|0d 0a 0d 0a|info=/*****/ Drive|20|"; fast_pattern; content:"&key="; distance:0; content:"&userid="; distance:0; classtype:command-and-control; sid:2029552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>600; content:"/ecp/"; startswith; content:"__VIEWSTATEGENERATOR="; distance:0; content:"__VIEWSTATE="; distance:0; reference:url,www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keyscve; reference:cve,2020-0688; reference:url,www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/; classtype:attempted-admin; sid:2029540; rev:2; metadata:affected_product Web_Server_Applications, attack_target SMTP_Server, created_at 2020_02_26, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_03_02;)
 
@@ -30414,7 +29044,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Susp
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Domain (webscriptly .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"webscriptly.com"; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029567; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rdmsom.com"; nocase; endswith; classtype:domain-c2; sid:2029555; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_03_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rdmsom.com"; nocase; endswith; classtype:domain-c2; sid:2029555; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"higamebit.com"; bsize:13; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029561; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
@@ -30426,9 +29056,9 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR D
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"helloking.site"; bsize:14; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2020-03-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uskkes1="; depth:8; nocase; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_03_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2020-03-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uskkes1="; depth:8; nocase; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=into-box.com"; nocase; endswith; classtype:domain-c2; sid:2029568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_03_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=into-box.com"; nocase; endswith; classtype:domain-c2; sid:2029568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established,to_server; http.user_agent; content:"easyhttp client"; bsize:15; classtype:bad-unknown; sid:2029569; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04;)
 
@@ -30440,27 +29070,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CROSSWALK CnC Che
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (avast .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip-info.ff.avast.com"; fast_pattern; classtype:policy-violation; sid:2029575; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hancitor/Tordal Document Request"; flow:established,to_server; content:"GET"; http_method; content:".php?d="; http_uri; fast_pattern; pcre:"/\.php\?d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; http_header_names; content:!"Referer|0d 0a|"; content:!"Cookie"; flowbits:set,ET.Hancitor; flowbits:noalert; classtype:trojan-activity; sid:2024604; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?root="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{16}$/URi"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer|0d 0a|"; content:!"Accept-"; http_accept; content:"text/plain"; depth:10; isdataat:!1,relative; http_protocol; content:"HTTP/1.0"; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:command-and-control; sid:2024489; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_21, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Bitshifter, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; content:"/demonsgate.php"; fast_pattern; http_uri; http_header_names; content:!"Referer|0d 0a|"; reference:md5,74a3c324a8565d7f567763bee960bcca; classtype:trojan-activity; sid:2024719; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, malware_family Lucifer_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-data/?m="; fast_pattern; startswith; pcre:"/&p=[a-z0-9]{12}(?:&v=[a-z0-9\.-]{1,24})?$/Ri"; http.header_names; content:!"Referer|0d 0a|"; reference:url,https://app.any.run/tasks/103fc941-f115-4731-b6fc-f56a82ed6813/; classtype:trojan-activity; sid:2029583; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-data/?m="; fast_pattern; startswith; pcre:"/&p=[a-z0-9]{12}(?:&v=[a-z0-9\.-]{1,24})?$/Ri"; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/103fc941-f115-4731-b6fc-f56a82ed6813/; classtype:trojan-activity; sid:2029583; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_03_05;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris botnet"; fast_pattern; classtype:attempted-admin; sid:2029577; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_05, deployment Perimeter, signature_severity Minor, updated_at 2020_03_05;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris botnet"; fast_pattern; classtype:web-application-attack; sid:2029578; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_05, deployment Perimeter, signature_severity Major, updated_at 2020_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?key="; http_uri; fast_pattern; content:"&value="; http_uri; distance:0; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8c6d686249fc3c6df3dc88ea2cddf02; classtype:command-and-control; sid:2024276; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family OzazaLocker, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 2"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32|3b 20|Trident/4.0)|0d 0a|Host|3a|"; http_header; fast_pattern; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/Ci"; http_header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024275; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Magniber Ransomware Retrieving Instructions"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0a 3c|title|3e|My Decryptor|3c 2f|title|3e 0a|"; fast_pattern; content:"MY DECRYPTOR|3c 2f|td|3e|"; distance:0; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:command-and-control; sid:2029579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, performance_impact Low, signature_severity Major, updated_at 2020_03_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx"; http_uri; isdataat:!1,relative; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; http_header_names; content:!"Referer|0d 0a|"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024171; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_11_05;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; distance:0; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2020_03_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Magniber Ransomware Retrieving Instructions"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0a 3c|title|3e|My Decryptor|3c 2f|title|3e 0a|"; fast_pattern; content:"MY DECRYPTOR|3c 2f|td|3e|"; distance:0; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:command-and-control; sid:2029579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_03_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.myttae User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Gdog|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2029584; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, signature_severity Major, updated_at 2020_03_06;)
 
@@ -30468,10 +29084,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Act
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.uri.raw; content:"&p1="; http.request_line; content:"GET|20|///?m="; fast_pattern; http.user_agent; content:"Mozilla/5|2e|0|20|(Windows|20|NT|20|6|2e|1|3b||20|Trident/7|2e|0|3b 20|rv|3a|11|2e|0)|20|like|20|Gecko"; reference:url,blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/; classtype:trojan-activity; sid:2029586; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cohhoc RAT CnC Response"; flow:established,from_server; content:"Content-Length|3a 20|64|0d 0a|"; http_header; file_data; content:"gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; offset:1; depth:63; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019626; rev:6; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_11_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake rootkit usermode-centric client request"; flow:to_server,established; content:"/1/6b-558694705129b01c0"; http_uri; fast_pattern; http_connection; content:"Keep-Alive"; depth:10; isdataat:!1,relative; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018247; rev:4; metadata:created_at 2014_03_11, former_category TROJAN, updated_at 2020_11_05;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) Domain in TLS SNI (imprintcenter .com)"; flow:established,to_server; tls.sni; content:"imprintcenter.com"; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029598; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wget+http"; within:200; content:"sh+/"; within:200; fast_pattern; content:"rm+-rf"; within:100; classtype:bad-unknown; sid:2029589; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_09, deployment Perimeter, signature_severity Major, updated_at 2020_03_09;)
@@ -30480,36 +29092,30 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic IOT Downl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"data=DIajqcc5lVuJpjwvr36"; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b48d220f21e545886a08f9686eb0b8c5; reference:url,blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html; classtype:command-and-control; sid:2029588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc 2020-03-09)"; flow:established,to_client; tls.cert_subject; content:"CN=WW/O=YY"; bsize:10; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,bc22e03d068ee58a0b7668fced505b7b; reference:url,twitter.com/JAMESWT_MHT/status/1237028470565240832; classtype:trojan-activity; sid:2029596; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc 2020-03-09)"; flow:established,to_client; tls.cert_subject; content:"CN=WW/O=YY"; bsize:10; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,bc22e03d068ee58a0b7668fced505b7b; reference:url,twitter.com/JAMESWT_MHT/status/1237028470565240832; classtype:domain-c2; sid:2029596; rev:1; metadata:attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mattermost API Usage"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/v4/teams/name/"; http.header; content:"|0d 0a|Authorization|3a 20|Bearer|20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; reference:md5,df7e78609dd63fe9f3be87be0e2420fa; classtype:misc-activity; sid:2029599; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; content:"/vid.aspx?id="; http_uri; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]+$/URi"; http_header_names; content:!"Cookie|0d 0a|"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:6; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; http_start; content:"1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a|"; within:19; classtype:trojan-activity; sid:2015547; rev:5; metadata:created_at 2012_07_30, former_category MALWARE, updated_at 2020_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; http_start; content:"1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a|"; within:19; classtype:trojan-activity; sid:2015547; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2020_03_09;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029592; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_10;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029593; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029600; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029600; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029601; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029601; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX CnC Activity M1"; flow:established,to_server; http.header; content:"User-Agent|3a 20|viperSoftx_"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat.html; classtype:command-and-control; sid:2029608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, signature_severity Major, updated_at 2020_03_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX CnC Activity M2"; flow:established,to_server; http.header; content:"x-header|3a 20|viperSoftx_"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat.html; classtype:command-and-control; sid:2029609; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, signature_severity Major, updated_at 2020_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PXJ Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.php?token_value="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,142ed79d41f3e9551b6d2fa7bcfd1590; reference:url,securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/; classtype:command-and-control; sid:2029615; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PXJ Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.php?token_value="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,142ed79d41f3e9551b6d2fa7bcfd1590; reference:url,securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/; classtype:command-and-control; sid:2029615; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SandCat Related Communication (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hulk/___"; startswith; fast_pattern; content:".php"; within:15; endswith; http.request_body; content:"u_id="; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; classtype:trojan-activity; sid:2029621; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?EIO="; depth:16; content:"&transport=polling"; distance:0; endswith; http.request_body; content:"|5b 22|add|20|user|22|,|22|ID_"; offset:5; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:command-and-control; sid:2029619; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_12;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipify .org)"; flow:established,to_server; http.uri; content:"/?format="; depth:9; http.host; content:"api.ipify.org"; depth:13; endswith; fast_pattern; classtype:policy-violation; sid:2029622; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|";fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_03_12;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity"; flow:established,to_server; urilen:17; http.method; content:"POST"; http.uri; content:"/api/socksLog/add"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"|7b 22|channelid|22 3a 22|"; startswith; nocase; fast_pattern; content:"|2c 22|content|22 3a 22|"; distance:0; content:"|2c 22|deviceid|22 3a 22|"; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c907d74ace51cec7cb53b0c8720063e1; classtype:trojan-activity; sid:2029635; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbpcstatf.stat"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c|LV|08|qbpcstatf|04|stat|7d 00|"; fast_pattern; content:"|05|crypt|18 00|"; distance:0; content:"|01 06 0a|list|3c|char|3e|"; distance:0; threshold:type limit, track by_src, count 1, seconds 60; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029632; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_13;)
@@ -30522,11 +29128,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloa
 
 alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTTPTool User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTTPTool/"; reference:md5,6526946c39fd53dd813a8a206446e491; classtype:trojan-activity; sid:2029637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, signature_severity Major, updated_at 2020_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=corvusaint.com"; nocase; endswith; reference:md5,eea4776399514664d888633ce72a2a8b; classtype:domain-c2; sid:2029639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=corvusaint.com"; nocase; endswith; reference:md5,eea4776399514664d888633ce72a2a8b; classtype:domain-c2; sid:2029639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|13.0) Gecko/2010010"; depth:58; fast_pattern; pcre:"/^[A-F0-9]{8}$/Rsi"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,23a30f6afa17f971148d9e955f65ae98; classtype:command-and-control; sid:2029640; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Higasa, signature_severity Major, updated_at 2020_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/SandCat CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hpphhpph.com"; nocase; endswith; classtype:domain-c2; sid:2029642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/SandCat CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hpphhpph.com"; nocase; endswith; classtype:domain-c2; sid:2029642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SandCat CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"u_id="; depth:5; content:"&username="; content:"&computername="; content:"&arch="; content:"&os=Microsoft Windows|20|"; content:"&local_ip_address="; content:"&global_ip_address="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; classtype:command-and-control; sid:2029643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SandCat, signature_severity Major, updated_at 2020_03_17;)
 
@@ -30534,17 +29140,19 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029646; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response"; flow: established,to_client; content:"|0d 0a 0d 0a|MZR-"; isdataat:!180; fast_pattern; http.content_type; content:"text/html|3b 20|charset=UTF-8"; endswith; bsize:24; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029644; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response"; flow: established,to_client; content:"|0d 0a 0d 0a|MZR-"; isdataat:!180; fast_pattern; http.content_type; content:"text/html|3b 20|charset=UTF-8"; endswith; bsize:24; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029644; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-14"; flow:established,to_client; file_data; content:"<TITLE>DHL|20 7c 20|Tracking</TITLE>"; nocase; fast_pattern; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Invalid Password."; nocase; distance:0; content:"Please try again using correct details."; nocase; distance:0; classtype:credential-theft; sid:2029654; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-14"; flow:established,to_client; file_data; content:"<TITLE>DHL|20 7c 20|Tracking</TITLE>"; nocase; fast_pattern; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Invalid Password."; nocase; distance:0; content:"Please try again using correct details."; nocase; distance:0; classtype:credential-theft; sid:2029654; rev:4; metadata:created_at 2015_09_15, former_category PHISHING, updated_at 2020_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"username="; nocase; depth:9; http_client_body; fast_pattern; content:"&pass"; nocase; http_client_body; distance:0; content:!"__utma="; classtype:credential-theft; sid:2031580; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=get-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029648; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_03_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=get-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029648; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=dysoool.com"; nocase; endswith; classtype:domain-c2; sid:2029649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_03_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=dysoool.com"; nocase; endswith; classtype:domain-c2; sid:2029649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=clietns-download.com"; nocase; endswith; classtype:domain-c2; sid:2029650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_03_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=clietns-download.com"; nocase; endswith; classtype:domain-c2; sid:2029650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=static-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_03_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=static-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fake World Health Organization COVID-19 Portal 2020-03-20"; flow:established,to_client; file.data; content:"<title>Coronavirus disease (COVID-19"; nocase; fast_pattern; content:"Verify your account details"; distance:0; nocase; content:"COVID-19 SAFETY PORTAL"; distance:0; nocase; classtype:social-engineering; sid:2029695; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_03_20;)
 
@@ -30556,11 +29164,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT KeepAl
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT Screenshot Exfil"; flow:established,to_server; content:"|40 2f 44 44 48 63 6b 2f 2e|"; startswith; fast_pattern; content:"|2c 2f 44 44 48 63 6b 2f 2e|"; within:100; content:"|4a 46 49 46|"; within:10; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.header; content:"nhs"; nocase; http.request_body; content:"usr="; nocase; content:"&pss="; nocase; fast_pattern; content:"formimage1.x="; nocase; content:"formimage1.y="; nocase; classtype:credential-theft; sid:2029701; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.header; content:"nhs"; nocase; http.request_body; content:"usr="; nocase; content:"&pss="; nocase; fast_pattern; content:"formimage1.x="; nocase; content:"formimage1.y="; nocase; classtype:credential-theft; sid:2029701; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sekhmet Ransomware CnC Activity"; flow:established,to_server; http.start; content:"POST /update.php?id="; startswith; fast_pattern; pcre:"/^\d+\sHTTP\//R"; http.user_agent; bsize:34; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0)"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x00$/"; reference:url,twitter.com/fbgwls245/status/1241179394405621760; reference:md5,b7ad5f7ec71dc812b4771950671b192a; classtype:command-and-control; sid:2029728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sekhmet Ransomware CnC Activity"; flow:established,to_server; http.start; content:"POST /update.php?id="; startswith; fast_pattern; pcre:"/^\d+\sHTTP\//R"; http.user_agent; bsize:34; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0)"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x00$/"; reference:url,twitter.com/fbgwls245/status/1241179394405621760; reference:md5,b7ad5f7ec71dc812b4771950671b192a; classtype:command-and-control; sid:2029728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"kkjjhhdff.site"; bsize:14; reference:md5,797e835bae78cfcba5fef3d075a92599; reference:md5,d374419d6d9c9c968ece8a4e337515e0; reference:url,sysopfb.github.io/malware,/buer,/smokeloader/2020/03/18/SmokeLoader.html; classtype:command-and-control; sid:2029729; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"kkjjhhdff.site"; bsize:14; reference:md5,797e835bae78cfcba5fef3d075a92599; reference:md5,d374419d6d9c9c968ece8a4e337515e0; reference:url,sysopfb.github.io/malware,/buer,/smokeloader/2020/03/18/SmokeLoader.html; classtype:command-and-control; sid:2029729; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING UK GOV Identity Verification Phishing Landing"; flow:established,to_client; file.data; content:"|3c 74 69 74 6c 65 3e 50 72 d0 be ce bd d0 b5 20 ce a5 d0 be cf 85 72 20 c6 96 64 d0 b5 6e 74 69 74 79|"; content:"<form action=need.php"; distance:0; content:"method=post"; distance:0; classtype:social-engineering; sid:2029702; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_23;)
 
@@ -30578,25 +29186,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebod
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file.data; content:"<title>Microsoft _Official_Support"; classtype:social-engineering; sid:2029733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.request_body; content:"phone="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&contactSubmit=Verify"; distance:0; fast_pattern; isdataat:!1,relative; classtype:credential-theft; sid:2029700; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.request_body; content:"phone="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&contactSubmit=Verify"; distance:0; fast_pattern; isdataat:!1,relative; classtype:credential-theft; sid:2029700; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn.javacon.eu"; nocase; endswith; classtype:domain-c2; sid:2029730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn.javacon.eu"; nocase; endswith; classtype:domain-c2; sid:2029730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET MALWARE Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 00 00  00 00 00 00|"; depth:12; fast_pattern; reference:md5,16b4b114f6ccfff008de265d535656a2; classtype:command-and-control; sid:2029731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family RaaLoader, signature_severity Major, updated_at 2020_03_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"n2019cov.000webhostapp.com"; bsize:26; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:domain-c2; sid:2029735; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"n2019cov.000webhostapp.com"; bsize:26; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:domain-c2; sid:2029735; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"menamn="; depth:7; nocase; content:"&talk="; nocase; distance:0; content:"|25|40"; distance:0; content:"&onehundr="; nocase; distance:0; content:"&pullfilk="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"menamn="; depth:7; nocase; content:"&talk="; nocase; distance:0; content:"|25|40"; distance:0; content:"&onehundr="; nocase; distance:0; content:"&pullfilk="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"/continue_bnb.php"; nocase; fast_pattern; isdataat:!1,relative; http.header; content:"airbnb"; nocase; content:"covid"; nocase; classtype:credential-theft; sid:2029738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"/continue_bnb.php"; nocase; fast_pattern; isdataat:!1,relative; http.header; content:"airbnb"; nocase; content:"covid"; nocase; classtype:credential-theft; sid:2029738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Milum CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|md="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"md="; startswith; content:"&nk="; distance:0; content:"&val="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,17b1a05fc367e52aada7bde07714666b; reference:url,securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/; classtype:command-and-control; sid:2029739; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<script>parent.location='https://www.airbnb.com/help/article/2701/extenuating-circumstances-policy-and-the-coronavirus"; fast_pattern; classtype:credential-theft; sid:2029747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_03_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<script>parent.location='https://www.airbnb.com/help/article/2701/extenuating-circumstances-policy-and-the-coronavirus"; fast_pattern; classtype:credential-theft; sid:2029747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; http.request_line; content:"GET|20|/include/template/isx.php|20|HTTP/1.1"; fast_pattern; bsize:38; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.user_agent; content:" Java/"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile; classtype:command-and-control; sid:2029740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; http.request_line; content:"GET|20|/include/template/isx.php|20|HTTP/1.1"; fast_pattern; bsize:38; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.user_agent; content:" Java/"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile; classtype:command-and-control; sid:2029740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen:>235; http.request_line; content:"GET|20|/themes/index.php?id="; fast_pattern; http.uri; content:"/themes/index.php?id="; startswith; pcre:"/^[a-z]{200,}$/Rs"; http.accept; content:"image/jpeg, application/*"; bsize:25; reference:url,github.com//rsmudge/Malleable-C2-Profiles/blob/master/crimeware/magnitude.profile; classtype:command-and-control; sid:2029741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen:>235; http.request_line; content:"GET|20|/themes/index.php?id="; fast_pattern; http.uri; content:"/themes/index.php?id="; startswith; pcre:"/^[a-z]{200,}$/Rs"; http.accept; content:"image/jpeg, application/*"; bsize:25; reference:url,github.com//rsmudge/Malleable-C2-Profiles/blob/master/crimeware/magnitude.profile; classtype:command-and-control; sid:2029741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (xPCAP)"; flow:established,to_server; http.user_agent; content:"xPCAP"; bsize:5; classtype:bad-unknown; sid:2029748; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_27;)
 
@@ -30608,13 +29216,13 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Age
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|iamdelta"; fast_pattern; classtype:web-application-attack; sid:2029764; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_30, deployment Perimeter, signature_severity Major, updated_at 2020_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern; http.method; content:"POST"; http.uri; content:"/update_device"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"udid="; startswith; content:"&brand="; distance:0; content:"&model="; distance:0; content:"&os="; distance:0; content:"&osversion="; nocase; distance:0; content:"&x="; distance:0; content:"&y="; distance:0; content:"&sdcard="; distance:0; content:"&cid="; distance:0; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:command-and-control; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern; http.method; content:"POST"; http.uri; content:"/update_device"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"udid="; startswith; content:"&brand="; distance:0; content:"&model="; distance:0; content:"&os="; distance:0; content:"&osversion="; nocase; distance:0; content:"&x="; distance:0; content:"&y="; distance:0; content:"&sdcard="; distance:0; content:"&cid="; distance:0; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:command-and-control; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family lightspy, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"myinfoart.xyz"; bsize:13; reference:md5,4cc43c345aa4d6e8fd2d0b6747c3d996; classtype:domain-c2; sid:2029751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_30;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Http-connect)"; flow:established,to_server; http.user_agent; content:"Http-connect"; bsize:12; classtype:bad-unknown; sid:2029752; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Apple-iPhone7C2/1202.466|3b 20|U|3b 20|CPU like Mac OS X|3b 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,8a47ed652ce8c2dee39c8fa8fcb3fa9d; classtype:command-and-control; sid:2029768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, signature_severity Major, updated_at 2020_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Apple-iPhone7C2/1202.466|3b 20|U|3b 20|CPU like Mac OS X|3b 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,8a47ed652ce8c2dee39c8fa8fcb3fa9d; classtype:command-and-control; sid:2029768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_03_31;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|NoIr_x.86/"; fast_pattern; classtype:attempted-admin; sid:2029769; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
 
@@ -30648,16 +29256,14 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Linux/Agent.HX C
 
 alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Linux/Agent.HX CnC Activity M2"; flow:established,to_client; flowbits:isset,ET.LinuxAgent.HX; flowbits:unset,ET.LinuxAgent.HX; dsize:9; content:"beatHeart"; fast_pattern; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029787; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Start+Process"; nocase; distance:0; classtype:credential-theft; sid:2029782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Start+Process"; nocase; distance:0; classtype:credential-theft; sid:2029782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability (FR) Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Lancer+le+Processus"; nocase; distance:0; classtype:credential-theft; sid:2029783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability (FR) Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Lancer+le+Processus"; nocase; distance:0; classtype:credential-theft; sid:2029783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01"; flow:established,to_client; file.data; content:"$(|22|#sin|22|).keyup(function(e){"; nocase; fast_pattern; content:"<title>Confirmez Votre Identit"; nocase; content:"href=|22|./details_files/"; nocase; content:"<input type=|22|tel|22 20|name=|22|SN|22|"; nocase; classtype:social-engineering; sid:2029788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01"; flow:established,to_client; file.data; content:"$(|22|#sin|22|).keyup(function(e){"; nocase; content:"<title>COVID-19 Check your eligibility"; nocase; fast_pattern; content:"href=|22|./details_files/"; nocase; content:"<input type=|22|tel|22 20|name=|22|SN|22|"; nocase; classtype:social-engineering; sid:2029789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits"; fast_pattern; content:!"Referer|3a 20|"; content:!"User-Agent|3a 20|"; content:!"Connection|3a 20|"; content:!"Host|3a 20|"; content:!"Keep-Alive:|3a 20|"; reference:md5, ec993ff561cbc175953502452bfa554a; reference:url,https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:command-and-control; sid:2029794; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
-
 alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2"; flow:established,to_server; tls.sni; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; classtype:bad-unknown; sid:2029708; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_04_02;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible COVID-19 Domain in SSL Certificate M1"; flow:established,to_client; tls.cert_subject; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; classtype:bad-unknown; sid:2029705; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_04_02;)
@@ -30682,7 +29288,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS Cn
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ping.php"; endswith; http.request_body; content:"|7b 22|DATA|22 3a 7b 22|DEVICE_ID|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|TAG|22 3a 22|"; within:25; content:"|22|CC_GRABBER|22 3a|"; distance:0; reference:md5,849796248bfe2560039f6986c83f43d6; reference:md5,a8dd3cd7860f3fd2d34a33b0c87bd615; reference:url,twitter.com/PAsinovsky/status/1245790690946285569; classtype:command-and-control; sid:2029811; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_04_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBE Script (COVID-19 Phish 04-03-2020)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id=covid"; fast_pattern; depth:8; http.user_agent; content:"Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http.header_names; content:!"Referer"; reference:md5,7d9a1ed7057e1b5c574ddccc9d45c3eb; classtype:trojan-activity; sid:2029812; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBE Script (COVID-19 Phish 2020-04-03)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id=covid"; fast_pattern; depth:8; http.user_agent; content:"Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http.header_names; content:!"Referer"; reference:md5,7d9a1ed7057e1b5c574ddccc9d45c3eb; classtype:trojan-activity; sid:2029812; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029790; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Minor, updated_at 2020_04_03;)
 
@@ -30700,23 +29306,23 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Age
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC BOTNET|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029809; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_03, deployment Perimeter, signature_severity Major, updated_at 2020_04_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (cmd_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/cmd_exec"; startswith; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029816; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (cmd_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/cmd_exec"; startswith; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029816; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (powershell_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/powershell_exec"; startswith; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|command|22 0d 0a 0d 0a|"; content:"form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (powershell_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/powershell_exec"; startswith; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|command|22 0d 0a 0d 0a|"; content:"form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (rdp_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/rdp_exec?command="; startswith; fast_pattern; content:"&status="; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (rdp_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/rdp_exec?command="; startswith; fast_pattern; content:"&status="; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (update_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/update_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (update_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/update_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (download_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/download_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029820; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (download_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/download_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029820; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (update)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHVwZGF0ZX"; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (update)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHVwZGF0ZX"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fGRvd25sb2Fkf"; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fGRvd25sb2Fkf"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (powershell)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHBvd2Vyc2hlbGx8"; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (powershell)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHBvd2Vyc2hlbGx8"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (rdp)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHJkcH"; reference:md5,106f8c7ddbf265fc108a7501b6af292000dd5219; classtype:command-and-control; sid:2029824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (rdp)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHJkcH"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Billing.php?sslchannel="; fast_pattern; nocase; content:"&sessionid="; distance:0; nocase; http.request_body; content:"name="; depth:5; nocase; content:"&dob="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&telephone="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&town="; nocase; distance:0; content:"&mmn="; nocase; distance:0; classtype:credential-theft; sid:2029850; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_06;)
 
@@ -30724,7 +29330,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activ
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M8"; flow:established,to_client; content:"|7a 3e 71 73|"; depth:4; fast_pattern; content:"|cf 46 80|"; distance:1; within:3; flowbits:isset,ET.Parallax-8; reference:md5,b92a8d983864505cfb74ad9c70b3ca48; classtype:command-and-control; sid:2029815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful CDC Coronavirus Related Phish 2020-04-07"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location: https://www.cdc.gov"; fast_pattern; classtype:credential-theft; sid:2029827; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful CDC Coronavirus Related Phish 2020-04-07"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location: https://www.cdc.gov"; fast_pattern; classtype:credential-theft; sid:2029827; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING CDC Coronavirus Related Phishing Landing 2020-04-07"; flow:from_server,established; file.data; content:"<link rel=|22|icon|22 20|href=|22|https://www.cdc.gov/"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"submit=|22|return ValidateContactForm()|3b 22|"; nocase; distance:0; fast_pattern; content:"src=|22|./untitled.png|22|"; nocase; distance:0; content:"Sign in with your email"; nocase; distance:0; classtype:social-engineering; sid:2029828; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_04_07;)
 
@@ -30750,8 +29356,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host RTF
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027258; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS1 Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps1; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027259; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host VBS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.vbs; flowbits:unset,http.dottedquadhost; http.request_line; content:".vbs HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027260; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host HTA Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.hta; flowbits:unset,http.dottedquadhost; http.request_line; content:".hta HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027261; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Minor, updated_at 2020_04_08;)
@@ -30766,9 +29370,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PDF
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host RAR Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.rar; flowbits:unset,http.dottedquadhost; http.request_line; content:".rar HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027266; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".authentication.directory"; nocase; isdataat:!1,relative; classtype:credential-theft; sid:2029834; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-hohm.space"; bsize:23; fast_pattern; reference:url,twitter.com/w3ndige/status/1247547923845578755; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:domain-c2; sid:2029852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-hohm.space"; bsize:23; fast_pattern; reference:url,twitter.com/w3ndige/status/1247547923845578755; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:domain-c2; sid:2029852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky APT Connectivity Check via Document"; flow:established,to_server; http.header; content:".mireene.com|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.user_agent; content:"Microsoft Office Protocol Discovery"; classtype:targeted-activity; sid:2029851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, signature_severity Major, updated_at 2020_04_09;)
 
@@ -30798,7 +29400,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DACLS RA
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2020-04-10"; flow:established,to_client; file.data; content:"<title>Windows_Official_Support"; nocase; fast_pattern; classtype:social-engineering; sid:2029857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>OneDrive File Viewer"; nocase; distance:0; fast_pattern; content:"document.write(unescape("; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; classtype:social-engineering; sid:2029858; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_04_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>OneDrive File Viewer"; nocase; distance:0; fast_pattern; content:"document.write(unescape("; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; classtype:social-engineering; sid:2029858; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029859; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
@@ -30832,7 +29434,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MINI MO Webshe
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MINI MO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029876; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>Share Point Online"; nocase; fast_pattern; content:"ACCESS YOUR DOCUMENT"; nocase; distance:0; content:"///url email getting///"; nocase; distance:0; classtype:social-engineering; sid:2029877; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_04_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>Share Point Online"; nocase; fast_pattern; content:"ACCESS YOUR DOCUMENT"; nocase; distance:0; content:"///url email getting///"; nocase; distance:0; classtype:social-engineering; sid:2029877; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"Instagram Help Center</title>"; nocase; fast_pattern; content:"reviewed and decied your account complaited"; nocase; distance:0; classtype:social-engineering; sid:2029878; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_10;)
 
@@ -30888,17 +29490,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshe
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029909; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Critical, updated_at 2020_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.dealctr.com"; bsize:16; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029921; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.dealctr.com"; bsize:16; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029921; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.liveupdt.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029922; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.liveupdt.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029922; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap-ms.net"; nocase; endswith; reference:md5,58363311f04f03c6e9ccd17b780d03b2; classtype:domain-c2; sid:2029911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2020_04_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap-ms.net"; nocase; endswith; reference:md5,58363311f04f03c6e9ccd17b780d03b2; classtype:domain-c2; sid:2029911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed DeepFreezeWeb User-Agent"; flow:established,to_server; http.user_agent; content:"DeepFreezeWeb"; bsize:13; classtype:policy-violation; sid:2029912; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_04_15;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Mirai Variant CnC Activity"; flow:established,from_server; dsize:9; content:"|21 2a 20 41 72 63 65 75 73|"; reference:md5,8fb3048b2aa6c63f53c031b9abd4879a; classtype:command-and-control; sid:2029913; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Encoded Payload Inbound"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3d fa 61 3c 79 ee de ea 18 90 08 95 55 44 8d 41|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category TROJAN, malware_family Ursniff, performance_impact Low, signature_severity Major, updated_at 2020_04_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Encoded Payload Inbound"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3d fa 61 3c 79 ee de ea 18 90 08 95 55 44 8d 41|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2020_04_15;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT [PTsecurity] Grandsoft EK Payload"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|96 08 FA EC DE C0 22 84 66 58 4A BC 2E|"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2018/03/15/index3.html; classtype:exploit-kit; sid:2025437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family GrandSoft_EK, signature_severity Major, updated_at 2020_05_22;)
 
@@ -30910,7 +29512,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Receive Data"; content:"|00 00 00 00 00 00 32 38 42|"; fast_pattern; dns.query; content:"8B"; depth:2; nocase; content:"B9."; nocase; distance:46; within:3; pcre:"/^8b[a-fA-F0-9]{46}b9\./i"; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"port="; fast_pattern; content:"&uname="; distance:0; content:"&uuid="; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017642; rev:4; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"port="; fast_pattern; content:"&uname="; distance:0; content:"&uuid="; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017642; rev:4; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; classtype:web-application-attack; sid:2029916; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_15;)
 
@@ -30928,9 +29530,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (ip. json
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"arch=x"; depth:6; content:"&computer%5fname="; distance:0; nocase; fast_pattern; content:"&guid="; distance:0; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&tracking%5ftoken="; distance:0; nocase; content:"&version="; distance:0; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:command-and-control; sid:2029924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2020_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B External IP Check to CnC M2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/2.php"; fast_pattern; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:trojan-activity; sid:2029925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2020_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B External IP Check to CnC M2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/2.php"; fast_pattern; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:trojan-activity; sid:2029925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CONFUCIOUS_B CnC)"; flow:established,to_client; tls.cert_serial; content:"00:f9:1c:f7:fd:a7:bc:0a:9a"; bsize:26; fast_pattern; tls.cert_subject; content:"Internet Widgets"; reference:md5,2d2fe787b2728332341166938a25fa26; reference:url,unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites; classtype:domain-c2; sid:2029926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2020_04_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CONFUCIOUS_B CnC)"; flow:established,to_client; tls.cert_serial; content:"00:f9:1c:f7:fd:a7:bc:0a:9a"; bsize:26; fast_pattern; tls.cert_subject; content:"Internet Widgets"; reference:md5,2d2fe787b2728332341166938a25fa26; reference:url,unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites; classtype:domain-c2; sid:2029926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family CONFUCIUS_B, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil via FTP"; flow:established,to_server; content:"STOR|20|PW_"; depth:8; fast_pattern; content:"_20"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:".html|0d 0a|"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2029927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_16;)
 
@@ -31084,13 +29686,13 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012436; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; http.uri; content:".log"; nocase; content:"id="; nocase; content:"softid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; http.uri; content:".log"; nocase; content:"id="; nocase; content:"softid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; http.uri; content:"req.php"; nocase; content:"pid="; nocase; content:"ver="; nocase; content:"area="; nocase; content:"insttime="; nocase; content:"first="; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; http.uri; content:"req.php"; nocase; content:"pid="; nocase; content:"ver="; nocase; content:"area="; nocase; content:"insttime="; nocase; content:"first="; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download ddos.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ddos.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012457; rev:3; metadata:created_at 2011_03_10, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; http.uri; content:"/push/androidxml/"; nocase; content:"sim="; nocase; content:"tel="; nocase; content:"imsi="; content:"pid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2029932; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; http.uri; content:"/push/androidxml/"; nocase; content:"sim="; nocase; content:"tel="; nocase; content:"imsi="; content:"pid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2029932; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012468; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
@@ -31130,11 +29732,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Con
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012499; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012500; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012500; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012501; rev:4; metadata:created_at 2011_03_14, updated_at 2020_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012501; rev:4; metadata:created_at 2011_03_15, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; http.method; content:"PUT"; http.header; content:"user-agent|3a|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:3; metadata:created_at 2011_03_16, updated_at 2020_04_19;)
 
@@ -31150,7 +29752,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sha
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012560; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012567; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012567; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012568; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
@@ -31192,7 +29794,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/basicstats.php?"; nocase; content:"AjaxHandler="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012603; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_31, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_12, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
@@ -31256,7 +29858,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBu
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012698; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=RAT"; bsize:6; fast_pattern; tls.cert_issuer; content:"CN=RAT"; bsize:6; reference:md5,90d126886fa0aef7de91d4033a4261f7; classtype:command-and-control; sid:2029953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=RAT"; bsize:6; fast_pattern; tls.cert_issuer; content:"CN=RAT"; bsize:6; reference:md5,90d126886fa0aef7de91d4033a4261f7; classtype:domain-c2; sid:2029953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/action.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012561; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
 
@@ -31340,7 +29942,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-E
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012715; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; http.uri; content:"/favicon.ico?0="; content:"&1="; content:"&2="; content:"&3="; content:"&4="; content:"&5="; content:"&6="; content:"&7="; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; classtype:command-and-control; sid:2012299; rev:4; metadata:created_at 2011_02_06, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; http.uri; content:"/favicon.ico?0="; content:"&1="; content:"&2="; content:"&3="; content:"&4="; content:"&5="; content:"&6="; content:"&7="; reference:md5,fbcdfecc73c4389e8d3ed7e2e573b6f1; classtype:command-and-control; sid:2012299; rev:4; metadata:created_at 2011_02_07, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/PluginController.php?"; nocase; content:"path="; nocase; reference:url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt; classtype:web-application-attack; sid:2012750; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
@@ -31386,7 +29988,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gol
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/jscalendar/test.php?"; nocase; content:"lang="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt; classtype:web-application-attack; sid:2012797; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeSysdef Rogue AV Checkin"; flow:established,to_server; http.uri; content:"/dfrg/dfrg"; reference:url,www.threatexpert.com/report.aspx?md5=f0f750e8f195dcfc8623679ff2df1267; reference:url,www.threatexpert.com/report.aspx?md5=e186e530ebf0aec07f0cd2afd706633c; reference:url,www.threatexpert.com/report.aspx?md5=294a729bb6a8fc266990b4c94eb86359; classtype:command-and-control; sid:2012725; rev:10; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeSysdef Rogue AV Checkin"; flow:established,to_server; http.uri; content:"/dfrg/dfrg"; reference:md5,f0f750e8f195dcfc8623679ff2df1267; reference:md5,e186e530ebf0aec07f0cd2afd706633c; reference:md5,294a729bb6a8fc266990b4c94eb86359; classtype:command-and-control; sid:2012725; rev:10; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upload-controler.php?"; nocase; content:"atm-regen="; nocase; reference:url,securelist.com/en/advisories/43589; classtype:web-application-attack; sid:2012805; rev:4; metadata:created_at 2011_05_14, updated_at 2020_04_20;)
 
@@ -31412,7 +30014,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CiscoWo
 
 alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Targeted Activity - CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"dellgenius.hopto.org"; endswith; reference:md5,bedf648063aa10ea2810b2f6b9601326; classtype:domain-c2; sid:2029952; rev:1; metadata:created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SepSys/SepSystem Ransomware Style External IP Address Check"; flow:established,to_server; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Host|3a 20|www.myip.ch|0d 0a|Accept|3a 20|*/*|0d 0a|"; bsize:50; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,c596d787d0848722d393a4a5945b3e15; classtype:trojan-activity; sid:2029933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Sepsys, signature_severity Major, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SepSys/SepSystem Ransomware Style External IP Address Check"; flow:established,to_server; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Host|3a 20|www.myip.ch|0d 0a|Accept|3a 20|*/*|0d 0a|"; bsize:50; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,c596d787d0848722d393a4a5945b3e15; classtype:trojan-activity; sid:2029933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Sepsys, signature_severity Major, tag Ransomware, updated_at 2020_04_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (dellgenius .hoptop .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"dellgenius.hoptop.org"; bsize:21; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:domain-c2; sid:2029975; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
@@ -31422,7 +30024,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android PH
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (PhoneMonitor)"; flow:established,to_server; http.user_agent; content:"PhoneMonitor"; bsize:12; reference:md5,09aa3bb05a55b0df864d1e1709c29960; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029980; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:277; content:"/api/3.1/query?style="; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header; content:"Referer|3a 20|https://www.google.com|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029977; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Minor, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:277; content:"/api/3.1/query?style="; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header; content:"Referer|3a 20|https://www.google.com|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029977; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012829; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
@@ -31440,7 +30042,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS f-f
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/components/com_mgm/help.mgm.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:3; metadata:created_at 2011_05_20, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; threshold: type limit, count 2, seconds 40, track by_src; http.header; content:"User-Agent|3a 20|CholTBAgent"; classtype:trojan-activity; sid:2012757; rev:6; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; threshold: type limit, count 2, seconds 40, track by_src; http.header; content:"User-Agent|3a 20|CholTBAgent"; classtype:trojan-activity; sid:2012757; rev:6; metadata:created_at 2011_04_30, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/InboxLight.aspx"; depth:21; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008238; classtype:policy-violation; sid:2008238; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
 
@@ -31500,17 +30102,17 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ope
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profil.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012954; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/2.0/modules?"; startswith; fast_pattern; http.header_names; content:!"Referer"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029978; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/2.0/modules?"; startswith; fast_pattern; http.header_names; content:!"Referer"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029978; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; http.uri; content:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Update Request"; flow:established,to_server; http.uri; content:"/u/upd_"; content:"cb"; pcre:"/\x2Fu\x2Fupd\x5F(?:cb|.+\x2Ecb)/"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012971; rev:3; metadata:created_at 2011_06_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Update Request"; flow:established,to_server; http.uri; content:"/u/upd_"; content:"cb"; pcre:"/\x2Fu\x2Fupd\x5F(?:cb|.+\x2Ecb)/"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012971; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Request for Compromised FTP Sites"; flow:established,to_server; http.uri; content:"/cgi-bin/jl/ad03.pl?pv=2&d="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012972; rev:3; metadata:created_at 2011_06_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Request for Compromised FTP Sites"; flow:established,to_server; http.uri; content:"/cgi-bin/jl/ad03.pl?pv=2&d="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012972; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; http.uri; content:"/hpdiags/frontend2/help/search.php?query="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:3; metadata:created_at 2011_06_08, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; http.uri; content:"/hpdiags/frontend2/help/search.php?query="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZOHO ManageEngine ADSelfService Employee Search XSS Attempt"; flow:established,to_server; http.uri; content:"/EmployeeSearch"; nocase; fast_pattern; content:"actionId="; nocase; content:"searchString="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3274; classtype:web-application-attack; sid:2012980; rev:3; metadata:created_at 2011_06_08, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZOHO ManageEngine ADSelfService Employee Search XSS Attempt"; flow:established,to_server; http.uri; content:"/EmployeeSearch"; nocase; fast_pattern; content:"actionId="; nocase; content:"searchString="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3274; classtype:web-application-attack; sid:2012980; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_people"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
@@ -31562,35 +30164,35 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTMLGET User Agent
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; http.uri; content:"/ProtocolGW/"; fast_pattern; nocase; content:"filename="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader File Download Request Activity"; flow:established,to_server; http.uri; content:"/load.php?file="; pcre:"/^(?:\d+|(?:\w+)?grabbers?|uploader)(?:&luck=\d)?$/R"; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28; reference:url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7; reference:url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013045; rev:3; metadata:created_at 2011_06_16, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader File Download Request Activity"; flow:established,to_server; http.uri; content:"/load.php?file="; pcre:"/^(?:\d+|(?:\w+)?grabbers?|uploader)(?:&luck=\d)?$/R"; reference:md5,12554e7f2e78daf26e73a2f92d01e7a7; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:md5,3310259795b787210dd6825e7b6d6d28; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:md5,7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013045; rev:3; metadata:created_at 2011_06_16, updated_at 2020_04_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.uri; content:"/api/work/getwork?"; depth:18; http.header; content:"bitcoinplus.com"; classtype:coin-mining; sid:2013059; rev:4; metadata:created_at 2011_06_17, former_category POLICY, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?im="; http.header; content:"User-Agent|3a 20|J2ME/UCWEB"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_21, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?im="; http.header; content:"User-Agent|3a 20|J2ME/UCWEB"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_06_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; http.uri; content:"/android/android.dbug.php?action=heart"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:command-and-control; sid:2013078; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; http.uri; content:"/android/android.dbug.php?action=heart"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:command-and-control; sid:2013078; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; http.uri; content:"/ss/attachments/files/URLshorter.apk"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_21, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; http.uri; content:"/ss/attachments/files/URLshorter.apk"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013080; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013080; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013082; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013082; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013083; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013083; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013084; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013084; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/templates/admin_default/confirm.tpl.php?"; nocase; content:"nsextt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,seclists.org/bugtraq/2011/Jun/59; classtype:web-application-attack; sid:2013085; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/templates/admin_default/confirm.tpl.php?"; nocase; content:"nsextt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,seclists.org/bugtraq/2011/Jun/59; classtype:web-application-attack; sid:2013085; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/xperience.php?"; nocase; content:"sortfield="; nocase; content:"sortorder="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102001/xperience-xss.txt; classtype:web-application-attack; sid:2013086; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/xperience.php?"; nocase; content:"sortfield="; nocase; content:"sortorder="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102001/xperience-xss.txt; classtype:web-application-attack; sid:2013086; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/FCKeditor/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013087; rev:3; metadata:created_at 2011_06_21, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/FCKeditor/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013087; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/tinymce/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013088; rev:3; metadata:created_at 2011_06_21, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/tinymce/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013088; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:3; metadata:created_at 2011_06_21, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/nagios/cgi-bin/config.cgi"; nocase; content:"type=command&expand="; fast_pattern; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
@@ -31606,9 +30208,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apa
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/deleteNetworkProxy!confirm.action?"; nocase; content:"proxyid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013104; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addRepository.action"; nocase; content:"repository.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc xss.txt; classtype:web-application-attack; sid:2013105; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addRepository.action"; nocase; content:"repository.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.com/files/101797/; classtype:web-application-attack; sid:2013105; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/confirmDeleteRepository.action?"; nocase; content:"repoid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc xss.txt; classtype:web-application-attack; sid:2013106; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/confirmDeleteRepository.action?"; nocase; content:"repoid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.com/files/101797/; classtype:web-application-attack; sid:2013106; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/editAppearance.action"; nocase; content:"organisationName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013107; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
@@ -31656,7 +30258,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Initial Checkin"; flow:established,to_server; http.uri; content:"/?uid="; content:"&aid="; content:"&linkuid="; classtype:command-and-control; sid:2013196; rev:3; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw CnC Checkin Style 2"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013203; rev:3; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw CnC Checkin Style 2"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013203; rev:3; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; http.uri; content:"/wat.php"; nocase; http.host; content:"incorporateapps.com"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:command-and-control; sid:2013209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
@@ -31678,13 +30280,13 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Imm
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/annonce.php?"; nocase; content:"secteur="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013226; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; http.uri; content:"/alotWorkTask.aspx?no="; content:"&uid="; content:"&ti="; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; http.uri; content:"/alotWorkTask.aspx?no="; content:"&uid="; content:"&ti="; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stream?id="; http.header; content:"googleusercontent.com|0d 0a|"; reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:7; metadata:created_at 2011_06_06, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; http.header; content:".cu.cc|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2013242; rev:4; metadata:created_at 2011_07_08, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; http.header; content:".cu.cc|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2013242; rev:4; metadata:created_at 2011_07_09, former_category HUNTING, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; http.uri; content:"?id="; content:"&time="; content:"&imei="; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:4; metadata:created_at 2011_05_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; http.uri; content:"?id="; content:"&time="; content:"&imei="; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:4; metadata:created_at 2011_05_26, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; http.uri; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; reference:url,doc.emergingthreats.net/2008232; classtype:command-and-control; sid:2008232; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_20;)
 
@@ -31710,19 +30312,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visi
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; http.uri; content:"/Submit.aspx?ver="; content:"&sys="; content:"&imei="; content:"&ua="; content:"&pro="; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:command-and-control; sid:2013316; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to_server; http.uri; content:".php?aid="; content:"&uncv="; content:"&skey="; reference:url,www.threatexpert.com/report.aspx?md5= 00068992bc003713058a17d50d9e3e14; classtype:command-and-control; sid:2013345; rev:3; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to_server; http.uri; content:".php?aid="; content:"&uncv="; content:"&skey="; reference:md5,00068992bc003713058a17d50d9e3e14; classtype:command-and-control; sid:2013345; rev:3; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; http.method; content:"PUT"; http.request_body; content:"<title>.|3a 3a|[+] Defaced by "; nocase; classtype:web-application-attack; sid:2013365; rev:3; metadata:created_at 2011_08_05, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/info.php?pid="; content:"&bo_table="; content:"&wr_id="; content:"&mac="; classtype:command-and-control; sid:2013375; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (kill)"; flow:established,to_server; http.uri; content:"/kill/"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013367; rev:5; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (kill)"; flow:established,to_server; http.uri; content:"/kill/"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013367; rev:5; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (sleep)"; flow:established,to_server; http.uri; content:"/sleep"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013368; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (sleep)"; flow:established,to_server; http.uri; content:"/sleep"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013368; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (go https)"; flow:established,to_server; http.uri; content:"/https"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013369; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (go https)"; flow:established,to_server; http.uri; content:"/https"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013369; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; http.uri; content:"==/count.htm"; reference:url,threatexpert.com/reports.aspx?find=03abdc31d0f864c7b69b09d6481d3ff7; classtype:command-and-control; sid:2013386; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; http.uri; content:"==/count.htm"; reference:md5,03abdc31d0f864c7b69b09d6481d3ff7; classtype:command-and-control; sid:2013386; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hupigon.B User Agent TSDownload"; flow:established,to_server; http.header; content:"User-Agent|3A 20|TSDownload"; classtype:trojan-activity; sid:2013392; rev:3; metadata:created_at 2011_08_10, updated_at 2020_04_20;)
 
@@ -31746,9 +30348,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/NetShare User
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A or B Worm reporting"; flow:to_server,established; http.uri; content:"/search?q="; pcre:"/^[0-9]{1,3}(?:&aq=7(?:\?[0-9a-f]{8})?)?$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:14; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troxen Downloader Checkin"; flow:established,to_server; http.uri; content:"/active_count.php?"; content:"?mac="; content:"&pid="; reference:url,www.threatexpert.com/report.aspx?md5=c936b15a8f7a3732bc16ee36693831ec; classtype:command-and-control; sid:2013450; rev:4; metadata:created_at 2011_08_23, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troxen Downloader Checkin"; flow:established,to_server; http.uri; content:"/active_count.php?"; content:"?mac="; content:"&pid="; reference:md5,c936b15a8f7a3732bc16ee36693831ec; classtype:command-and-control; sid:2013450; rev:4; metadata:created_at 2011_08_23, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"/softwareProductLink?"; content:"productSetId="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:3; metadata:created_at 2011_08_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"/softwareProductLink?"; content:"productSetId="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:3; metadata:created_at 2011_08_24, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013471; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
@@ -31770,7 +30372,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; http.header; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:5; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Meredrop/Nusump Checkin"; flow:established,to_server; http.uri; content:"?id="; content:"&co="; content:"&us="; content:"&os="; content:"&vr="; content:"&dt="; fast_pattern; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857; reference:url,www.threatexpert.com/report.aspx?md5=ef0616d75bd892ed69fe22a510079686; reference:url,www.threatexpert.com/report.aspx?md5=463cdec2df12a04d6ea1d015746ee950; classtype:command-and-control; sid:2011489; rev:6; metadata:created_at 2010_09_27, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Meredrop/Nusump Checkin"; flow:established,to_server; http.uri; content:"?id="; content:"&co="; content:"&us="; content:"&os="; content:"&vr="; content:"&dt="; fast_pattern; reference:md5,463cdec2df12a04d6ea1d015746ee950; reference:md5,ef0616d75bd892ed69fe22a510079686; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857; classtype:command-and-control; sid:2011489; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; http.uri; content:"/WiPlayer?movieid="; http.host; content:"movies.netflix.com"; bsize:18; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:3; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
 
@@ -31780,9 +30382,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lalus Trojan
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lalus Trojan Downloader User Agent (Message Center)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Message Center|0D 0A|"; classtype:trojan-activity; sid:2013510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request List.php"; flow:established,to_server; http.uri; content:"/list.php?c="; depth:12; content:"&v="; pcre:"/c\x3d[0-9a-f]{100}/i"; classtype:trojan-activity; sid:2013518; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request List.php"; flow:established,to_server; http.uri; content:"/list.php?c="; depth:12; content:"&v="; pcre:"/c\x3d[0-9a-f]{100}/i"; classtype:trojan-activity; sid:2013518; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Revolution"; reference:url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:3; metadata:created_at 2011_09_06, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Revolution"; reference:md5,1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:3; metadata:created_at 2011_09_06, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; http.uri; content:"?op="; content:"&macaddress="; content:"&pcname="; content:"&nomeusuario="; content:"&serialhd="; content:"&versaowindows="; content:"&versaoatual="; content:"&arquivosplugins="; content:"&origem="; classtype:command-and-control; sid:2013546; rev:3; metadata:created_at 2011_09_06, former_category MALWARE, updated_at 2020_04_20;)
 
@@ -31796,7 +30398,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pra
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OneFileCMS p parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/onefilecms.php?"; nocase; content:"p="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; classtype:web-application-attack; sid:2013568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (fsize)"; flow:to_server,established; http.uri; content:"/fsize.php?name="; content:"/WF-update.log"; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013670; rev:3; metadata:created_at 2011_09_19, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (fsize)"; flow:to_server,established; http.uri; content:"/fsize.php?name="; content:"/WF-update.log"; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013670; rev:3; metadata:created_at 2011_09_19, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013673; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
@@ -31818,7 +30420,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sim
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; threshold:type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 (iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:5; metadata:created_at 2011_07_29, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; threshold:type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 (iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:5; metadata:created_at 2011_07_30, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; threshold: type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 |28|iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013408; rev:7; metadata:created_at 2011_08_12, updated_at 2020_04_20;)
 
@@ -31840,15 +30442,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tin
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joostina CMS users component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_users"; nocase; content:"user="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100853/joostinausers-sql.txt; classtype:web-application-attack; sid:2013713; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent BGroom"; flow:established,to_server; http.header; content:"User-Agent|3A 20|BGroom"; classtype:trojan-activity; sid:2013717; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent BGroom"; flow:established,to_server; http.header; content:"User-Agent|3A 20|BGroom"; classtype:trojan-activity; sid:2013717; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (Tiny)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|tiny|0D 0A|"; classtype:trojan-activity; sid:2013718; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (Tiny)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|tiny|0D 0A|"; classtype:trojan-activity; sid:2013718; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/OnLineGames GetMyIP Style Checkin"; flow:established,to_server; http.uri; content:".asp?ID="; content:"&Action=GetMyIP"; classtype:command-and-control; sid:2013728; rev:3; metadata:created_at 2011_09_30, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/OnLineGames GetMyIP Style Checkin"; flow:established,to_server; http.uri; content:".asp?ID="; content:"&Action=GetMyIP"; classtype:command-and-control; sid:2013728; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rokquickcart"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/view/96804/joomlarokquickcart-lfi.txt; classtype:web-application-attack; sid:2013738; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; http.uri; content:"/gate.php?hwid="; nocase; content:"&pc="; nocase; content:"&localip="; nocase; content:"&winver="; nocase; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:command-and-control; sid:2013748; rev:5; metadata:created_at 2011_09_23, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; http.uri; content:"/gate.php?hwid="; nocase; content:"&pc="; nocase; content:"&localip="; nocase; content:"&winver="; nocase; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:command-and-control; sid:2013748; rev:5; metadata:created_at 2011_09_24, former_category MALWARE, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2"; flow:established,to_server; http.uri; content:"/phpThumb.demo.random.php?"; nocase; content:"dir="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
@@ -31884,7 +30486,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unruy Downloader
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:15; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; classtype:policy-violation; sid:2013400; rev:8; metadata:created_at 2011_08_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; classtype:policy-violation; sid:2013400; rev:8; metadata:created_at 2011_08_11, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/vars.inc.php?"; nocase; content:"_SESSION[SCRIPT_PATH]="; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009181; classtype:web-application-attack; sid:2009181; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
@@ -31896,7 +30498,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/layout/plain.footer.php?"; nocase; content:"mainnav="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt; classtype:web-application-attack; sid:2013815; rev:4; metadata:created_at 2011_10_31, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; http.host; content:".dlinkddns.com"; endswith; classtype:bad-unknown; sid:2013311; rev:4; metadata:created_at 2011_07_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; http.host; content:".dlinkddns.com"; endswith; classtype:bad-unknown; sid:2013311; rev:4; metadata:created_at 2011_07_26, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBSng str Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/util/show_multistr.php?"; nocase; content:"str="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,50468; classtype:web-application-attack; sid:2013871; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
@@ -31910,25 +30512,25 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 102
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; pcre:"/abspath=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Second Life setup download"; flow:established,to_server; http.uri; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:4; metadata:created_at 2011_11_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Second Life setup download"; flow:established,to_server; http.uri; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:4; metadata:created_at 2011_11_11, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; http.user_agent; content:"Ubuntu APT-HTTP|2F|"; startswith; http.host; content:"repository.backtrack-linux.org"; within:40; reference:url,www.backtrack-linux.org; classtype:targeted-activity; sid:2013914; rev:5; metadata:created_at 2011_11_16, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dofoil.L Checkin"; flow:to_server,established; http.uri; content:"/index.php?cmd="; content:"&login="; content:"&ver="; content:"&bits="; reference:url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:command-and-control; sid:2013917; rev:5; metadata:created_at 2011_09_29, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dofoil.L Checkin"; flow:to_server,established; http.uri; content:"/index.php?cmd="; content:"&login="; content:"&ver="; content:"&bits="; reference:md5,47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:command-and-control; sid:2013917; rev:5; metadata:created_at 2011_09_29, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel login"; flow:to_server,established; http.uri; content:"/password.cgi?sptPassword="; classtype:not-suspicious; sid:2013919; rev:3; metadata:created_at 2011_11_17, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel login"; flow:to_server,established; http.uri; content:"/password.cgi?sptPassword="; classtype:not-suspicious; sid:2013919; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel password change"; flow:to_server,established; http.request_body; content:"pwdOld="; content:"pwNew="; content:"pwCfm="; classtype:not-suspicious; sid:2013920; rev:3; metadata:created_at 2011_11_17, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel password change"; flow:to_server,established; http.request_body; content:"pwdOld="; content:"pwNew="; content:"pwCfm="; classtype:not-suspicious; sid:2013920; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; http.request_body; content:"pwCfm=Dn5Ch4ng3"; classtype:web-application-attack; sid:2013921; rev:3; metadata:created_at 2011_11_17, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; http.request_body; content:"pwCfm=Dn5Ch4ng3"; classtype:web-application-attack; sid:2013921; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality User-Agent (DEBUT.TMP)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|DEBUT.TMP|0D 0A|"; classtype:trojan-activity; sid:2013959; rev:3; metadata:created_at 2011_11_23, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?app="; content:"&deviceId="; content:"&mobile="; content:"&country="; content:"&carrier="; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?app="; content:"&deviceId="; content:"&mobile="; content:"&country="; content:"&carrier="; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; http.uri; content:"/AndroidService.aspx?imsi="; content:"&mobile="; content:"&pid="; content:"&ownerid="; content:"&testchlid="; content:"&androidver="; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; http.uri; content:"/AndroidService.aspx?imsi="; content:"&mobile="; content:"&pid="; content:"&ownerid="; content:"&testchlid="; content:"&androidver="; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_11_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; http.uri; content:"/search/isavailable"; content:".php?imei="; content:"&ch="; content:"&ver="; http.user_agent; content:"adlib/"; startswith; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; http.uri; content:"/search/isavailable"; content:".php?imei="; content:"&ch="; content:"&ver="; http.user_agent; content:"adlib/"; startswith; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tinderbox.mozilla.org showbuilds.cgi Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/showbuilds.cgi?"; nocase; content:"tree=SeaMonkey"; nocase; content:"hours="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstorm.codar.com.br/1111-exploits/tinderbox-xss.txt; classtype:web-application-attack; sid:2013980; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
@@ -31956,33 +30558,33 @@ alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenN
 
 alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oz)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|oz|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029955; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Put"; flow:established,from_client; http.uri; content:"/kys_allow_put.asp?type="; content:"&hostname="; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:3; metadata:created_at 2011_12_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Put"; flow:established,from_client; http.uri; content:"/kys_allow_put.asp?type="; content:"&hostname="; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:3; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getgrab Command"; flow:established,to_server; http.uri; content:"cmd=getgrab"; classtype:trojan-activity; sid:2014009; rev:4; metadata:created_at 2011_12_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getgrab Command"; flow:established,to_server; http.uri; content:"cmd=getgrab"; classtype:trojan-activity; sid:2014009; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getproxy Command"; flow:established,to_server; http.uri; content:"cmd=getproxy&login="; classtype:trojan-activity; sid:2014010; rev:4; metadata:created_at 2011_12_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getproxy Command"; flow:established,to_server; http.uri; content:"cmd=getproxy&login="; classtype:trojan-activity; sid:2014010; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getsock Command"; flow:established,to_server; http.uri; content:"cmd=getsocks&login="; classtype:trojan-activity; sid:2014011; rev:4; metadata:created_at 2011_12_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getsock Command"; flow:established,to_server; http.uri; content:"cmd=getsocks&login="; classtype:trojan-activity; sid:2014011; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getload Command"; flow:established,to_server; http.uri; content:"cmd=getload&login="; reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:4; metadata:created_at 2011_12_08, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getload Command"; flow:established,to_server; http.uri; content:"cmd=getload&login="; reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:3; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:3; metadata:created_at 2011_12_10, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:3; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:3; metadata:created_at 2011_12_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent 2"; flow:established,to_server; http.header; content:"Gootkit ldr"; classtype:command-and-control; sid:2014021; rev:3; metadata:created_at 2011_12_12, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent 2"; flow:established,to_server; http.header; content:"Gootkit ldr"; classtype:command-and-control; sid:2014021; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014022; rev:3; metadata:created_at 2011_12_12, former_category SCAN, updated_at 2020_04_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014022; rev:3; metadata:created_at 2011_12_13, former_category SCAN, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Scanner User-Agent Outbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014023; rev:3; metadata:created_at 2011_12_12, former_category MALWARE, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Scanner User-Agent Outbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014023; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Scalaxy exploit kit binary download request"; flow:established,to_server; urilen:37; http.uri; content:"/"; offset:2; depth:3; content:"/"; within:3; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/"; classtype:exploit-kit; sid:2014026; rev:2; metadata:created_at 2011_12_12, former_category EXPLOIT_KIT, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; urilen:37; http.uri; content:"/"; offset:2; depth:3; content:"/"; within:3; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/"; classtype:exploit-kit; sid:2014026; rev:2; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; http.header; content:"User-Agent|3A 20|GridinSoft"; classtype:trojan-activity; sid:2013719; rev:4; metadata:created_at 2011_09_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; http.header; content:"User-Agent|3A 20|GridinSoft"; classtype:trojan-activity; sid:2013719; rev:4; metadata:created_at 2011_10_01, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; fast_pattern; classtype:trojan-activity; sid:2014001; rev:5; metadata:created_at 2011_12_08, former_category USER_AGENTS, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hydra User-Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Hydra)"; nocase; fast_pattern; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:5; metadata:created_at 2010_09_27, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hydra User-Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Hydra)"; nocase; fast_pattern; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:5; metadata:created_at 2010_09_28, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; threshold: type both, count 2, seconds 120, track by_src; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b 20|Windows NT 6.1|3b 20|en-US)|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|text|0d 0a|"; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:5; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
 
@@ -31998,7 +30600,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014065; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability "; flow:established,to_server; http.uri; content:"/details_view.php?"; nocase; content:"event_id="; nocase; content:"date="; nocase; content:"view="; nocase; content:"loc="; nocase; content:"page_info_message="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:4; metadata:created_at 2012_01_02, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/details_view.php?"; nocase; content:"event_id="; nocase; content:"date="; nocase; content:"view="; nocase; content:"loc="; nocase; content:"page_info_message="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:4; metadata:created_at 2012_01_02, former_category WEB_SPECIFIC_APPS, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (poller)"; flow: to_server,established; http.user_agent; content:"Poller"; fast_pattern; reference:url,doc.emergingthreats.net/2002005; classtype:pup-activity; sid:2002005; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_04_20;)
 
@@ -32016,21 +30618,21 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbS
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014078; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"xajax=SelTheme"; nocase; content:"ajaxargs[]="; nocase; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"xajax=SelTheme"; nocase; content:"ajaxargs[]="; nocase; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt"; flow:established,to_server; http.uri; content:"/RESTART.HTM?"; nocase; content:"NDSContext="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,exploit-db.com/exploits/17114; classtype:web-application-attack; sid:2014086; rev:5; metadata:created_at 2012_01_02, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt"; flow:established,to_server; http.uri; content:"/RESTART.HTM?"; nocase; content:"NDSContext="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,exploit-db.com/exploits/17114; classtype:web-application-attack; sid:2014086; rev:5; metadata:created_at 2012_01_03, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014087; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014087; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014088; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014088; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openads row Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/libraries/lib-view-main.inc.php?"; nocase; content:"row="; nocase; pcre:"/basedir_save=\s*(?:ftps?|https?|php)\x3a\//i"; classtype:web-application-attack; sid:2013562; rev:6; metadata:created_at 2011_09_12, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Checkin"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php|3F|a|3D|QQk"; reference:url,blog.fireeye.com/research/2011/03/the-rise-of-incognito.html; classtype:exploit-kit; sid:2012841; rev:6; metadata:created_at 2011_05_25, former_category EXPLOIT_KIT, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; http.header; content:"Accept|3a 20|?"; classtype:trojan-activity; sid:2013974; rev:4; metadata:created_at 2011_11_30, former_category POLICY, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; http.header; content:"Accept|3a 20|?"; classtype:trojan-activity; sid:2013974; rev:4; metadata:created_at 2011_12_01, former_category POLICY, updated_at 2020_04_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:to_server,established; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; http.uri; content:"/CreatingUserAccounts.aspx"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:4; metadata:created_at 2012_01_03, updated_at 2020_04_20;)
 
@@ -32048,9 +30650,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER mod_gzip_stat
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER globals.pl access"; flow:to_server,established; http.uri; content:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2102073; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Small.agoy Checkin"; flow:to_server,established; http.uri; content:"/?jutr="; fast_pattern; nocase; content:"&oo="; nocase; content:"&ra="; nocase; http.host; pcre:"/^(?:0-9]{1,3}\.){3}\d{1,3}$/"; reference:url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39; reference:url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F; reference:url,doc.emergingthreats.net/2008859; classtype:command-and-control; sid:2008859; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Small.agoy Checkin"; flow:to_server,established; http.uri; content:"/?jutr="; fast_pattern; nocase; content:"&oo="; nocase; content:"&ra="; nocase; http.host; pcre:"/^(?:0-9]{1,3}\.){3}\d{1,3}$/"; reference:url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F; reference:md5,e491d25d82f4928138a0d8b3a6365c39; reference:url,doc.emergingthreats.net/2008859; classtype:command-and-control; sid:2008859; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; http.user_agent; content:"DriveCleaner Updater"; bsize:20; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; classtype:pup-activity; sid:2003486; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; http.user_agent; content:"DriveCleaner Updater"; bsize:20; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; classtype:pup-activity; sid:2003486; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_04_21, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"Atomic_Email_Hunter/"; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013173; rev:5; metadata:created_at 2011_07_04, updated_at 2020_04_21;)
 
@@ -32064,13 +30666,13 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brut
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /etc/shadow Detected in URI"; flow:to_server,established; http.uri; content:"/etc/shadow"; nocase; reference:url,en.wikipedia.org/wiki/Shadow_password; reference:url,doc.emergingthreats.net/2009485; classtype:attempted-recon; sid:2009485; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Landing Page Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?s="; pcre:"/^[0-9a-fA-F]{25}$/R"; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:exploit-kit; sid:2014147; rev:3; metadata:created_at 2012_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Landing Page Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?s="; pcre:"/^[0-9a-fA-F]{25}$/R"; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:exploit-kit; sid:2014147; rev:3; metadata:created_at 2012_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Binary Load Request"; flow:established,to_server; http.uri; content:"/load.php?spl="; pcre:"/^[-_\w]+$/R"; classtype:exploit-kit; sid:2014148; rev:3; metadata:created_at 2012_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Binary Load Request"; flow:established,to_server; http.uri; content:"/load.php?spl="; pcre:"/^[-_\w]+$/R"; classtype:exploit-kit; sid:2014148; rev:3; metadata:created_at 2012_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?h="; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:command-and-control; sid:2014162; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?h="; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:command-and-control; sid:2014162; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; http.uri; content:"/gate.php?username="; content:"&country="; content:"&OS="; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:command-and-control; sid:2014164; rev:3; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; http.uri; content:"/gate.php?username="; content:"&country="; content:"&OS="; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:command-and-control; sid:2014164; rev:3; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; http.uri; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; http.content_type; content:"Multipart"; reference:bugtraq,9978; classtype:web-application-activity; sid:2102547; rev:5; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
@@ -32174,9 +30776,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Coral Web Proxy/Co
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v"; content:"/?v="; content:"&c="; pcre:"/\/v\d\.\d\.\d/"; pcre:"/\/\?v=\d/"; classtype:trojan-activity; sid:2013888; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; http.header; content:"User-Agent|3A 20|5.0|0D 0A|"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:3; metadata:created_at 2012_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; http.header; content:"User-Agent|3A 20|5.0|0D 0A|"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:3; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; http.header; content:"User-Agent|3A 20|UpdateSoft"; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:4; metadata:created_at 2012_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; http.header; content:"User-Agent|3A 20|UpdateSoft"; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:4; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smart Fortress FakeAV/Kryptik.ABNC Checkin"; flow:established,to_server; http.uri; content:"/?&affid="; fast_pattern; http.header; content:"Accept|3a| *//*|0d 0a|"; reference:md5,fa20c17e5f58e7419b4f0eed318fa95a; reference:url,support.kaspersky.com/viruses/rogue/description?qid=208286259; classtype:command-and-control; sid:2014293; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32204,7 +30806,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/csh I
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download InternetAntivirusPro.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/InternetAntivirus"; content:".exe"; reference:url,doc.emergingthreats.net/2010061; classtype:trojan-activity; sid:2010061; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Win32/Antivirus2008 CnC Beacon"; flow:established,to_server; http.uri; content:"nick="; nocase; content:"&group="; nocase; content:"&os="; http.header; content:"User-Agent|3a 20|Mozilla|0d 0a|"; reference:url,doc.emergingthreats.net/2008483; classtype:command-and-control; sid:2008483; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Win32/Antivirus2008 CnC Beacon"; flow:established,to_server; http.uri; content:"nick="; nocase; content:"&group="; nocase; content:"&os="; http.header; content:"User-Agent|3a 20|Mozilla|0d 0a|"; reference:url,doc.emergingthreats.net/2008483; classtype:command-and-control; sid:2008483; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asprox Form Submission to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/forum.php"; nocase; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; startswith; reference:url,doc.emergingthreats.net/2009054; classtype:command-and-control; sid:2009054; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32236,9 +30838,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bravix Checkin";
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; http.uri; content:"action="; nocase; content:"&entity_list="; nocase; content:"&uid="; nocase; content:"&first="; content:"&guid="; nocase; content:"&rnd="; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; classtype:trojan-activity; sid:2009353; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?ddos=x"; nocase; pcre:"/^(?:x\d{1,2}){5,}/Ri"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; classtype:command-and-control; sid:2010381; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?ddos=x"; nocase; pcre:"/^(?:x\d{1,2}){5,}/Ri"; reference:url,doc.emergingthreats.net/2010381; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:md5,011d403b345672adc29846074e717865; reference:md5,a5f94577d00d0306e4ef64bad30e5d37; classtype:command-and-control; sid:2010381; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?type="; nocase; content:"&affid="; distance:0; nocase; content:"&subid="; distance:0; nocase; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; reference:url,doc.emergingthreats.net/2010382; classtype:trojan-activity; sid:2010382; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?type="; nocase; content:"&affid="; distance:0; nocase; content:"&subid="; distance:0; nocase; reference:url,doc.emergingthreats.net/2010382; reference:md5,8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2010382; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cashout Proxy Bot reg_DST"; flow:to_server,established; http.uri; content:".php?"; content:"lang="; content:"&pal="; content:"&bay="; content:"&gold="; content:"&id="; content:"&param="; content: "&socksport="; content:"&httpport="; reference:url,doc.emergingthreats.net/2008248; classtype:trojan-activity; sid:2008248; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
@@ -32250,7 +30852,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daemonize.ft HTTP
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer-715 Install Checkin"; flow: established,to_server; http.uri; content:"/perl/invoc_oneway.pl"; nocase; content:"?id_service="; nocase; content:"&nom_exe="; nocase; content:"&skin="; nocase; content:"&id_produit="; nocase; reference:url,doc.emergingthreats.net/2003650; classtype:command-and-control; sid:2003650; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"c="; content:"&v="; content:"&b="; content:"&id="; content:"&cnt="; fast_pattern; content:"&q="; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d; reference:url,doc.emergingthreats.net/2007743; classtype:command-and-control; sid:2007743; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"c="; content:"&v="; content:"&b="; content:"&id="; content:"&cnt="; fast_pattern; content:"&q="; reference:md5,e9f1f226ff86e72c558e9a9da32c796d; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,doc.emergingthreats.net/2007743; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; classtype:command-and-control; sid:2007743; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Trojan Activity"; flow: to_server,established; http.uri; content:"/dialer_min/getnum.asp?nip"; reference:url,doc.emergingthreats.net/2008345; classtype:trojan-activity; sid:2008345; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
@@ -32262,7 +30864,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper Checkin 2
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donkeyp2p Update Detected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"donkeyp2p.php"; content:"?kind="; content:"&args="; content:"&ver="; content:"&uniq="; content:"&dllver="; nocase; reference:url,doc.emergingthreats.net/2008364; classtype:trojan-activity; sid:2008364; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; http.uri; content:"hingDeny="; nocase; content:"&id="; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/"; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,doc.emergingthreats.net/2010334; classtype:trojan-activity; sid:2010334; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; http.uri; content:"hingDeny="; nocase; content:"&id="; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/"; reference:url,doc.emergingthreats.net/2010334; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; reference:md5,e4664144f8e95cfec510d5efa24a35e7; classtype:trojan-activity; sid:2010334; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bot Backdoor Checkin/registration Request"; flow:established,to_server; http.uri; content:"/remote.php?"; content:"os="; content:"&user="; content:"&status="; content:"&version="; content:"&build="; reference:url,doc.emergingthreats.net/2006366; classtype:command-and-control; sid:2006366; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32276,7 +30878,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL"; flow:established,to_server; http.uri; content:"/install_count.html?id="; nocase; content:"&MAC=0"; nocase; pcre:"/^[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ri"; reference:url,doc.emergingthreats.net/2008133; classtype:trojan-activity; sid:2008133; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/partner/counter/install.php?pid="; nocase; content:"&cid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008134; reference:url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403; classtype:trojan-activity; sid:2008134; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/partner/counter/install.php?pid="; nocase; content:"&cid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,ea70e0971cc490a15e53d24ad6564403; reference:url,doc.emergingthreats.net/2008134; classtype:trojan-activity; sid:2008134; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"a="; nocase; content:"&k="; nocase; content:"&wmid="; nocase; content:"&ucid="; nocase; reference:url,doc.emergingthreats.net/2008182; classtype:trojan-activity; sid:2008182; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
@@ -32286,15 +30888,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Trojan HTTP GET Logging"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?type="; nocase; content:"&setup_id="; nocase; content:"&version="; nocase; content:"&os="; nocase; content:"&sp="; nocase; reference:url,www.virustotal.com/analisis/df09ec9ec4e5caa42db9d08e0f9d34b378e301a1eeb3aa1e6dbd0de1aa4a66be-1246158969; reference:url,doc.emergingthreats.net/2009451; classtype:trojan-activity; sid:2009451; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader Checkin - HTTP GET "; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"machineid="; nocase; content:"pubuserid="; nocase; content:"checkversion="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009527; classtype:command-and-control; sid:2009527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader Checkin - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"machineid="; nocase; content:"pubuserid="; nocase; content:"checkversion="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009527; classtype:command-and-control; sid:2009527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader checkin (3)"; flow:established,to_server; http.uri; content:".php?"; content:"c_pcode="; content:"c_pid="; content:"c_kind="; content:"c_mac="; reference:url,doc.emergingthreats.net/2010888; classtype:command-and-control; sid:2010888; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"loads.php?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a| "; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010626; classtype:command-and-control; sid:2010626; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"loads.php?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a| "; reference:url,doc.emergingthreats.net/2010626; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010626; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/download.pl?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010627; classtype:command-and-control; sid:2010627; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/download.pl?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2010627; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010627; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/get.pl?l="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010628; classtype:command-and-control; sid:2010628; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/get.pl?l="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2010628; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010628; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fasec/FakeAV Alert/Keylogger/Dropper/DNSChanger Possible Rootkit - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"Command="; nocase; content:"snNO="; nocase; content:"Encode="; nocase; content:"SFBH"; nocase; reference:url,www.avast.com/eng/win32-fasec.html; reference:url,www.threatexpert.com/threats/virus-win32-fasec.html; reference:url,doc.emergingthreats.net/2009472; classtype:trojan-activity; sid:2009472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
@@ -32302,7 +30904,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fraudload/FakeAle
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (2)"; flow:established,to_server; http.uri; content:"/register."; nocase; content:"?id="; nocase; content:"&port="; nocase; content:"&connect="; nocase; content:"&ver="; nocase; content:"ip="; nocase; reference:url,doc.emergingthreats.net/2008398; classtype:command-and-control; sid:2008398; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gaboc Trojan Check-in"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp"; content:"?type="; content:"&machinename="; reference:url,www.threatexpert.com/report.aspx?md5=6e871b9c440d5c77b9158ebcbe3fcd4b; reference:url,doc.emergingthreats.net/2009519; classtype:trojan-activity; sid:2009519; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gaboc Trojan Check-in"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp"; content:"?type="; content:"&machinename="; reference:md5,6e871b9c440d5c77b9158ebcbe3fcd4b; reference:url,doc.emergingthreats.net/2009519; classtype:trojan-activity; sid:2009519; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Buzus Checkin"; flow:established,to_server; http.uri; content:".php?guid_bot="; content:"&ver_bot="; content:"&stat_bot="; reference:url,doc.emergingthreats.net/2008550; classtype:command-and-control; sid:2008550; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32336,7 +30938,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knockbot Proxy Ch
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Trojan HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"f=0&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l=&ck="; content:"&c_fb="; reference:url,doc.emergingthreats.net/2008864; classtype:command-and-control; sid:2008864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Koobface Beaconing (getexe)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?getexe="; content:".exe"; reference:url,doc.emergingthreats.net/2010700; classtype:trojan-activity; sid:2010700; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Koobface Beaconing (getexe)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?getexe="; content:".exe"; reference:url,doc.emergingthreats.net/2010700; classtype:trojan-activity; sid:2010700; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Initial Checkin"; flow:established,to_server; http.uri; content:"/cp/rule.php?"; nocase; content:"fstt="; nocase; content:"&b="; nocase; content:"name="; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003187; classtype:command-and-control; sid:2003187; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32350,9 +30952,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Checkin (
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop_com or variant Checkin (9kgen_up)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/9kgen_up.int"; reference:url,www.threatexpert.com/reports.aspx?find=9kgen_up.int; reference:url,doc.emergingthreats.net/2008943; classtype:command-and-control; sid:2008943; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"?nid_mac="; content:"&nid_os_ver=Windows"; content:"&nid_ie_ver="; reference:url,doc.emergingthreats.net/2008592; classtype:command-and-control; sid:2008592; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"?nid_mac="; content:"&nid_os_ver=Windows"; content:"&nid_ie_ver="; reference:url,doc.emergingthreats.net/2008592; classtype:command-and-control; sid:2008592; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Checkin (1)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"v="; nocase; content:"&id="; nocase; content:"&b="; nocase; content:"&tm="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept-Encoding|0d 0a|"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:command-and-control; sid:2010743; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Checkin (1)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"v="; nocase; content:"&id="; nocase; content:"&b="; nocase; content:"&tm="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept-Encoding|0d 0a|"; nocase; reference:md5,f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:command-and-control; sid:2010743; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"to="; content:"Optix Pro v"; content:" Server Online"; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008218; classtype:trojan-activity; sid:2008218; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
@@ -32376,15 +30978,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegHelper Install
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE carberp check in"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/first.html"; http.request_body; content:"id="; content:"os="; content:"plist="; classtype:trojan-activity; sid:2011798; rev:4; metadata:created_at 2010_10_09, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp checkin task"; flow:established,to_server; http.uri; content:"/task.php?id="; fast_pattern; content:"&task="; distance:0; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/"; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.honeynet.org/node/578; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b; reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44; reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36; classtype:command-and-control; sid:2011799; rev:8; metadata:created_at 2010_10_12, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp checkin task"; flow:established,to_server; http.uri; content:"/task.php?id="; fast_pattern; content:"&task="; distance:0; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/"; reference:md5,1d0d38dd63551a30eda664611ed4958b; reference:url,www.honeynet.org/node/578; reference:md5,07d3fbb124ff39bd5c1045599f719e36; reference:md5,31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:md5,6f89b98729483839283d04b82055dc44; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; classtype:command-and-control; sid:2011799; rev:8; metadata:created_at 2010_10_13, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp file download"; flow:established,to_server; http.uri; content:"/cfg/"; depth:5; content:".plug"; classtype:trojan-activity; sid:2011850; rev:5; metadata:created_at 2010_10_25, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp file download"; flow:established,to_server; http.uri; content:"/cfg/"; depth:5; content:".plug"; classtype:trojan-activity; sid:2011850; rev:5; metadata:created_at 2010_10_26, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp CnC request POST /set/task.html"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/task.html"; depth:14; http.request_body; content:"id=dvlsl"; classtype:command-and-control; sid:2012178; rev:5; metadata:created_at 2011_01_14, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp CnC request POST /set/task.html"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/task.html"; depth:14; http.request_body; content:"id=dvlsl"; classtype:command-and-control; sid:2012178; rev:5; metadata:created_at 2011_01_15, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 2"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012223; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 2"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012223; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 3"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:"autoidcnt.asp?mer_seq="; content:"&realid="; content:"&mac="; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012224; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 3"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:"autoidcnt.asp?mer_seq="; content:"&realid="; content:"&mac="; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012224; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; http.uri; content:"/clientRequest.htm?method="; nocase; pcre:"/^(?:update|startcharge)/Ri"; content:"&os="; content:"&brand="; nocase; content:"&sdkVersion="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:command-and-control; sid:2013299; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
 
@@ -32392,21 +30994,21 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious exe.ex
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit TDSS/Alureon Checkin 2"; flow:established,to_server; http.uri; content:"/dx.php?i="; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a=/Ri"; content:"&x64="; content:"os="; content:"&f="; reference:url,contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html; classtype:command-and-control; sid:2012314; rev:4; metadata:created_at 2011_02_14, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/bhanx.php?"; nocase; content:"adv="; nocase; content:"&code1="; nocase; content:"&code2="; nocase; content:"&id="; nocase; content:"&p="; nocase; reference:url,threatexpert.com/report.aspx?md5=40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:6; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/bhanx.php?"; nocase; content:"adv="; nocase; content:"&code1="; nocase; content:"&code2="; nocase; content:"&id="; nocase; content:"&p="; nocase; reference:md5,40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:6; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Banload Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/avisa.php?"; nocase; content:"usuario="; nocase; content:"pc="; nocase; content:"serial="; nocase; content:"versao="; nocase; reference:url,threatexpert.com/report.aspx?md5=43b0ddf87c66418053ee055501193abf; reference:url,scumware.org/report/89.108.68.81; classtype:trojan-activity; sid:2012441; rev:5; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Banload Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/avisa.php?"; nocase; content:"usuario="; nocase; content:"pc="; nocase; content:"serial="; nocase; content:"versao="; nocase; reference:url,scumware.org/report/89.108.68.81; reference:md5,43b0ddf87c66418053ee055501193abf; classtype:trojan-activity; sid:2012441; rev:5; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/frame.php?pl=Win32"; nocase; classtype:trojan-activity; sid:2012506; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_15, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; http.uri; content:"/wg.txt"; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:3; metadata:created_at 2012_03_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; http.uri; content:"/wg.txt"; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:3; metadata:created_at 2012_03_20, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Virut.BN Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"list.php?c="; content:"&v="; distance:0; content:"&t="; distance:0; pcre:"/c\x3d[0-9A-F]{100}/i"; reference:url,www.threatexpert.com/report.aspx?md5=199d9ea754f193194e251415a2f6dd46; classtype:command-and-control; sid:2012533; rev:5; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Virut.BN Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"list.php?c="; content:"&v="; distance:0; content:"&t="; distance:0; pcre:"/c\x3d[0-9A-F]{100}/i"; reference:md5,199d9ea754f193194e251415a2f6dd46; classtype:command-and-control; sid:2012533; rev:5; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.chhq Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/index.php?|30 64 34 30 62 30 3d|"; fast_pattern; http.user_agent; content:"Mozilla/3.0"; startswith; classtype:command-and-control; sid:2012620; rev:10; metadata:created_at 2011_04_01, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"data=vK6yv+"; classtype:command-and-control; sid:2012686; rev:5; metadata:created_at 2011_04_13, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Protection FakeAV checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"php?partner_id="; content:"&u="; content:"&log_id="; content:"&os="; reference:url,www.threatexpert.com/report.aspx?md5=7710686d03cd3174b6f644434750b22b; classtype:command-and-control; sid:2012713; rev:4; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Protection FakeAV checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"php?partner_id="; content:"&u="; content:"&log_id="; content:"&os="; reference:md5,7710686d03cd3174b6f644434750b22b; classtype:command-and-control; sid:2012713; rev:4; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BestAntivirus2011 Fake AV reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?affid="; content:"&data="; content:"&v="; classtype:trojan-activity; sid:2012727; rev:4; metadata:created_at 2011_04_26, updated_at 2020_04_21;)
 
@@ -32420,15 +31022,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper/Clicker Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/nxdtic.txt"; classtype:command-and-control; sid:2012931; rev:5; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Webpage Infection Routine POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/jl/ad03.pl"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012973; rev:4; metadata:created_at 2011_06_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Webpage Infection Routine POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/jl/ad03.pl"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012973; rev:4; metadata:created_at 2011_06_09, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Meredrop Checkin"; flow:established, to_server; http.method; content:"POST"; nocase; http.request_body; content:"praquem="; content:"&titulo="; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:command-and-control; sid:2013073; rev:5; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|ICS)"; fast_pattern; http.request_body; content:"para="; depth:5; content:"&subject="; content:"&dados="; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; reference:url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5; classtype:command-and-control; sid:2013185; rev:7; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|ICS)"; fast_pattern; http.request_body; content:"para="; depth:5; content:"&subject="; content:"&dados="; reference:md5,c8b3d2bc407b0260b40b7f97e504faa5; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; classtype:command-and-control; sid:2013185; rev:7; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Internet Connectivity Check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/geo/productid.php"; depth:18; http.header; content:"adobe.com"; content:"Opera/"; content:"Pesto/"; classtype:trojan-activity; sid:2013207; rev:6; metadata:created_at 2011_07_06, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Papras Banking Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; reference:url,www.threatexpert.com/report.aspx?md5=85d82c840f4b90fcb6d5311f501374ca; classtype:command-and-control; sid:2013287; rev:6; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Papras Banking Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; reference:md5,85d82c840f4b90fcb6d5311f501374ca; classtype:command-and-control; sid:2013287; rev:6; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Ponmocup Driveby Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/se/"; nocase; pcre:"/^[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ri"; reference:url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt; classtype:bad-unknown; sid:2013312; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
@@ -32442,15 +31044,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Mo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mnless Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"cpname="; depth:7; content:"&hardid="; distance:0; content:"&netid="; distance:0; content:"&user="; distance:0; content:"&sname="; distance:0; content:"&ver="; distance:0; content:"&val="; distance:0; classtype:command-and-control; sid:2013443; rev:5; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (postit3)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/postit3.php"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013672; rev:4; metadata:created_at 2011_09_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (postit3)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/postit3.php"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013672; rev:4; metadata:created_at 2011_09_19, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/Count.asp?UserID="; content:"&MAC="; distance:0; content:"&Process="; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=7d2eb4b364e15e90cec1ddd7dcb97f64; reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; reference:url,threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20; classtype:command-and-control; sid:2013741; rev:7; metadata:created_at 2011_10_04, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/Count.asp?UserID="; content:"&MAC="; distance:0; content:"&Process="; distance:0; reference:md5,b3106dbfb3ab114755af311883f33697; reference:md5,7d2eb4b364e15e90cec1ddd7dcb97f64; reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; classtype:command-and-control; sid:2013741; rev:7; metadata:created_at 2011_10_05, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/boot.php?ptr="; nocase; reference:url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; classtype:command-and-control; sid:2013798; rev:4; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/boot.php?ptr="; nocase; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; reference:md5,b58485c9a221e8bd5b4725e7e19988b0; classtype:command-and-control; sid:2013798; rev:4; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cycbot POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; reference:url,www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; classtype:trojan-activity; sid:2013802; rev:4; metadata:created_at 2011_10_25, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cycbot POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; reference:md5,1f04bd1b4eceb42e6d5859b6330fc7d7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; classtype:trojan-activity; sid:2013802; rev:4; metadata:created_at 2011_10_26, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kys_allow_get.asp?"; content:"name=getkys.kys"; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:6; metadata:created_at 2011_12_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kys_allow_get.asp?"; content:"name=getkys.kys"; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:6; metadata:created_at 2011_12_09, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Greenpeace.fr filter_dpt Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/incinerateurs/list.php?"; nocase; content:"list_name="; nocase; content:"filter_dpt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110989/Greenpeace.fr-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
@@ -32462,7 +31064,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VTi
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader.Bancos Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Lead3r_Ship.exe"; nocase; reference:url,symantec.com/security_response/writeup.jsp?docid=2006-061110-0512-99; classtype:trojan-activity; sid:2014070; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_02, deployment Perimeter, former_category TROJAN, malware_family Bancos, signature_severity Major, tag Trojan_Downloader, tag Banking_Trojan, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32-WebSec Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cb_soft.php?"; nocase; content:"q="; nocase; content:"tj="; nocase; reference:url,threatexpert.com/report.aspx?md5=971e560b80e335ab88ef518b416d415a; classtype:trojan-activity; sid:2014085; rev:6; metadata:created_at 2012_01_02, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32-WebSec Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cb_soft.php?"; nocase; content:"q="; nocase; content:"tj="; nocase; reference:md5,971e560b80e335ab88ef518b416d415a; classtype:trojan-activity; sid:2014085; rev:6; metadata:created_at 2012_01_03, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Jiwerks.A Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:"/update.aspx"; http.accept_lang; content:"zh-cn"; http.request_body; content:"a="; depth:2; content:"&v="; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:command-and-control; sid:2014133; rev:5; metadata:created_at 2012_01_18, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32470,9 +31072,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/118GotYourNo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater POST checkin to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/microsoft/errorpost/default.aspx?ID="; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014212; rev:4; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:4; metadata:created_at 2012_03_08, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B POST checkin"; flow:from_client,established; http.method; content:"POST"; nocase; http.header; content:"Mozilla/4.8.20 (compatible|3b 20|MSIE 5.0.2|3b 20|Win32)|0d 0a|Host|3a 20|"; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:command-and-control; sid:2014360; rev:5; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B POST checkin"; flow:from_client,established; http.method; content:"POST"; nocase; http.header; content:"Mozilla/4.8.20 (compatible|3b 20|MSIE 5.0.2|3b 20|Win32)|0d 0a|Host|3a 20|"; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:command-and-control; sid:2014360; rev:5; metadata:created_at 2012_03_10, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/103680/joomlacommunity-sql.txt; classtype:web-application-attack; sid:2013467; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
@@ -32482,15 +31084,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER DELETE at
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; xbits:isset,ET.IBMDRM1,track ip_dst; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029987; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/s"; depth:5; classtype:exploit-kit; sid:2014446; rev:3; metadata:created_at 2012_03_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/s"; depth:5; classtype:exploit-kit; sid:2014446; rev:3; metadata:created_at 2012_03_31, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/"; depth:4; content:".jar"; distance:32; within:4; classtype:exploit-kit; sid:2014447; rev:7; metadata:created_at 2012_03_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/"; depth:4; content:".jar"; distance:32; within:4; classtype:exploit-kit; sid:2014447; rev:7; metadata:created_at 2012_03_31, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP Wordpress enable-latex plugin url Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/enable-latex/core.php?"; fast_pattern:19,20; nocase; content:"url="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/107260/WordPress-Enable-Latex-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014448; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_31, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/demo_eventcalendar.php?"; nocase; content:"cal_id="; nocase; content:"cal_month="; nocase; content:"cal_year="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_31, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mini Mail Dashboard Widget abspath Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?"; nocase; fast_pattern:42,20; content:"abspath="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/105238/WordPress-Mini-Mail-Dashboard-Widget-1.36-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014450; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_31, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/demo_eventcalendar.php?"; nocase; content:"cal_id="; nocase; content:"cal_month="; nocase; content:"cal_year="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; urilen:8; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http.method; content:"POST"; http.uri; content:"/service"; classtype:policy-violation; sid:2014459; rev:3; metadata:created_at 2012_04_03, updated_at 2020_04_21;)
 
@@ -32508,7 +31106,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backd
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/OpenSiteAdmin/pages/pageHeader.php?"; nocase; pcre:"/^.{0,300}=(?:https?:|ftps?:)/Ri"; reference:url,www.securityfocus.com/bid/36445/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009931; classtype:web-application-attack; sid:2009931; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Balucaf.A Checkin"; flow:to_server,established; http.uri; content:"/setting.ini"; nocase; http.header; content:"User-Agent|3a 20|AutoIt"; nocase; http.header_names; content:!"Accept|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FTupym.A; reference:url,www.securelist.com/en/descriptions/6349329/Worm.Win32.AutoRun.esf; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tupym-D/detailed-analysis.aspx; classtype:command-and-control; sid:2031450; rev:5; metadata:created_at 2011_09_23, former_category MALWARE, updated_at 2020_12_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Balucaf.A Checkin"; flow:to_server,established; http.uri; content:"/setting.ini"; nocase; http.header; content:"User-Agent|3a 20|AutoIt"; nocase; http.header_names; content:!"Accept|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FTupym.A; reference:url,www.securelist.com/en/descriptions/6349329/Worm.Win32.AutoRun.esf; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tupym-D/detailed-analysis.aspx; classtype:command-and-control; sid:2031450; rev:5; metadata:created_at 2011_09_24, former_category MALWARE, updated_at 2020_12_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I User-Agent"; flow:established,to_server; http.header; content:"|20|WOW64|3b 20|rv|3a|9.0.1|3b 20|sv|3a|"; content:"|20|id|3a|"; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
@@ -32546,15 +31144,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Facebook-Page-Promoter-Lightbox settings-updated Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/facebook-page-promoter-lightbox/arevico_options.php?"; nocase; content:"settings-updated="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108238/WordPress-Facebook-Page-Promoter-Lightbox-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014592; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashBack Mac OSX malware Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/aaupdate/"; fast_pattern; http.header; content:"User-Agent|3a 20|"; content:!"Mozilla"; within:7; content:!"|0d 0a|"; within:124; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:command-and-control; sid:2014596; rev:6; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashBack Mac OSX malware Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/aaupdate/"; fast_pattern; http.header; content:"User-Agent|3a 20|"; content:!"Mozilla"; within:7; content:!"|0d 0a|"; within:124; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:command-and-control; sid:2014596; rev:6; metadata:created_at 2012_03_01, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/owncheck/"; classtype:command-and-control; sid:2014597; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/owncheck/"; classtype:command-and-control; sid:2014597; rev:3; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; http.uri; content:"/stat.php?w="; content:"&i="; content:"&a="; http.user_agent; content:"Opera/6"; startswith; http.header; content:"|3b 20|LangID="; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:command-and-control; sid:2014604; rev:4; metadata:created_at 2012_03_01, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; http.uri; content:"/stat.php?w="; content:"&i="; content:"&a="; http.user_agent; content:"Opera/6"; startswith; http.header; content:"|3b 20|LangID="; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:command-and-control; sid:2014604; rev:4; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/images.php?t="; startswith; pcre:"/^\d+$/Ri"; http.header; content:"|29 20|Java/"; classtype:exploit-kit; sid:2014609; rev:3; metadata:created_at 2012_04_17, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (file upload)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"jembot"; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:3; metadata:created_at 2012_04_17, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (file upload)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"jembot"; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:3; metadata:created_at 2012_04_18, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Requesting Payload 2020-04-21"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".wbk?raw=true"; fast_pattern; endswith; http.user_agent; content:"Microsoft Office Existence Discovery"; bsize:36; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; content:!"Pragma"; reference:md5,dffa1f38375e20e98c8ffaa752936e42; classtype:trojan-activity; sid:2029982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_04_21;)
 
@@ -32614,7 +31212,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_joomtouch"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|SnadBoy"; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:5; metadata:created_at 2012_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|SnadBoy"; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:5; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/andromeda.php?"; nocase; content:"q="; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:4; metadata:created_at 2012_05_11, updated_at 2020_04_21;)
 
@@ -32636,7 +31234,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (5)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.request_body; content:"email="; nocase; content:"&computador="; distance:0; nocase; content:"&nomfile="; distance:0; nocase; content:"&user="; distance:0; nocase; reference:url,doc.emergingthreats.net/2008044; classtype:command-and-control; sid:2008044; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; http.header; content:"(Nintendo Wii"; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:4; metadata:created_at 2012_05_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; http.header; content:"(Nintendo Wii"; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:4; metadata:created_at 2012_05_08, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hoax.Win32.BadJoke/DownLoader1.57593 Checkin"; flow:established,to_server; http.uri; content:"/agent.htm"; http.header; content:"User-Agent|3a 20|OINC|0d 0a|"; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:command-and-control; sid:2014581; rev:4; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32650,9 +31248,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_acooldebate"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014815; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; http.host; content:".myftp.biz|0d 0a|"; endswith; classtype:bad-unknown; sid:2013824; rev:5; metadata:created_at 2011_11_04, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; http.host; content:".myftp.biz|0d 0a|"; endswith; classtype:bad-unknown; sid:2013824; rev:5; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; http.host; content:".ez-dns.com"; endswith; classtype:bad-unknown; sid:2013846; rev:4; metadata:created_at 2011_11_04, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; http.host; content:".ez-dns.com"; endswith; classtype:bad-unknown; sid:2013846; rev:4; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; http.host; content:".dyndns-web.com"; endswith; classtype:bad-unknown; sid:2013864; rev:4; metadata:created_at 2011_11_07, updated_at 2020_04_21;)
 
@@ -32688,15 +31286,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain"; flow:established,to_server; http.host; content:".slyip.net"; endswith; classtype:bad-unknown; sid:2014509; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org"; flow:established,to_server; http.host; content:".2288.org"; endswith; classtype:misc-activity; sid:2014787; rev:6; metadata:created_at 2012_05_18, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org"; flow:established,to_server; http.host; content:".2288.org"; endswith; classtype:misc-activity; sid:2014787; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org"; flow:established,to_server; http.host; content:".6600.org"; endswith; classtype:misc-activity; sid:2014789; rev:5; metadata:created_at 2012_05_18, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org"; flow:established,to_server; http.host; content:".6600.org"; endswith; classtype:misc-activity; sid:2014789; rev:5; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org"; flow:established,to_server; http.host; content:".7766.org"; endswith; classtype:misc-activity; sid:2014790; rev:7; metadata:created_at 2012_05_18, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org"; flow:established,to_server; http.host; content:".7766.org"; endswith; classtype:misc-activity; sid:2014790; rev:7; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org"; flow:established,to_server; http.host; content:".8800.org"; endswith; classtype:misc-activity; sid:2014791; rev:6; metadata:created_at 2012_05_18, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org"; flow:established,to_server; http.host; content:".8800.org"; endswith; classtype:misc-activity; sid:2014791; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org"; flow:established,to_server; http.host; content:".9966.org"; endswith; classtype:misc-activity; sid:2014792; rev:6; metadata:created_at 2012_05_18, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org"; flow:established,to_server; http.host; content:".9966.org"; endswith; classtype:misc-activity; sid:2014792; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/framework/modules/pixidou/download.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014840; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
@@ -32708,7 +31306,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/options-general.php?"; nocase; content:"page=joliprint/joliprint_admin_options.php"; nocase; content:"opt="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014839; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; http.uri; content:"/getfile.php?i="; content:"&key="; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/i"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014851; rev:3; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; http.uri; content:"/getfile.php?i="; content:"&key="; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/i"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014851; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redirect to driveby sid=mix"; flow:to_server,established; http.uri; content:"/go.php?sid=mix"; classtype:exploit-kit; sid:2014866; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
@@ -32730,7 +31328,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS INDEX_ALLO
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/themes.php?"; nocase; content:"page=dynwid-config"; nocase; content:"action="; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014811; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; http.uri; content:"@@version"; nocase; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:3; metadata:created_at 2012_06_13, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; http.uri; content:"@@version"; nocase; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:3; metadata:created_at 2012_06_14, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_ckforms"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014905; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
@@ -32746,15 +31344,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?"; nocase; fast_pattern; content:"xing-url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014901; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; http.uri; content:"/getfile.php?"; http.user_agent; content:"Java/1"; classtype:exploit-kit; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; http.uri; content:"/getfile.php?"; http.user_agent; content:"Java/1"; classtype:exploit-kit; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"verint="; content:"&uid="; distance:0; content:"&wv="; distance:0; content:"&report="; distance:0; content:"&abbr="; distance:0; content:"&pid="; distance:0; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"verint="; content:"&uid="; distance:0; content:"&wv="; distance:0; content:"&report="; distance:0; content:"&abbr="; distance:0; content:"&pid="; distance:0; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/"; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; http.uri; content:"/image/logo.jpg?queryid="; pcre:"/^\d+$/R"; reference:url,doc.emergingthreats.net/2008049; classtype:command-and-control; sid:2008049; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"board["; fast_pattern; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; http.header; content:"Server|3A 20|DynDNS-CheckIP/"; classtype:external-ip-check; sid:2014932; rev:3; metadata:created_at 2012_06_21, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; http.header; content:"Server|3A 20|DynDNS-CheckIP/"; classtype:external-ip-check; sid:2014932; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/perfgraphs/index.php?"; nocase; content:"start="; nocase; content:"end="; nocase; content:"view="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014951; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
@@ -32770,19 +31368,17 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/wp-imagezoom/download.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,1337day.com/exploits/18685; classtype:web-application-attack; sid:2014949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/includes/components/graphexplorer/visApi.php?"; nocase; fast_pattern:20,20; content:"type="; nocase; content:"div="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; http.uri; content:"/newuser.php?saff="; pcre:"/^(?:\d+|x.+)/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; http.uri; content:"/js/data/encryptedtest.dll"; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:command-and-control; sid:2014962; rev:3; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; http.uri; content:"/js/data/encryptedtest.dll"; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:command-and-control; sid:2014962; rev:3; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Armageddon CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|ArmageddoN"; nocase; fast_pattern; http.request_body; content:"GetList="; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:command-and-control; sid:2014963; rev:3; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Armageddon CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|ArmageddoN"; nocase; fast_pattern; http.request_body; content:"GetList="; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:command-and-control; sid:2014963; rev:3; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; http.uri; content:"/api/urls/?ts="; content:"&affid="; http.header; content:"GTB0.0|3b|"; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:6; metadata:created_at 2012_05_24, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/^\/[a-z]{15}[0-9]\.php$/"; classtype:exploit-kit; sid:2014967; rev:4; metadata:created_at 2012_06_26, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; http.request_body; content:"CRYPTED0"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:command-and-control; sid:2013934; rev:6; metadata:created_at 2011_05_19, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; http.request_body; content:"CRYPTED0"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:md5,99fab94fd824737393f5184685e8edf2; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; classtype:command-and-control; sid:2013934; rev:6; metadata:created_at 2011_05_19, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/versions.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/versions.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014979; rev:3; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2020_04_21;)
 
@@ -32804,21 +31400,21 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/jrss-widget/proxy.php?"; nocase; fast_pattern; content:"url="; nocase; reference:url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014995; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/timestamps.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/timestamps.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014999; rev:3; metadata:created_at 2012_07_02, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/timestamps.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/timestamps.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014999; rev:3; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; http.uri; content:"/counter/mac_proc.php?cid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015020; rev:3; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; http.uri; content:"/counter/mac_proc.php?cid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015020; rev:3; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; http.uri; content:"/check_counter.php?pid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015021; rev:3; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; http.uri; content:"/check_counter.php?pid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015021; rev:3; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2020_04_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ payload"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/mix/"; depth:5; content:".php"; content:"fid="; content:"quote="; classtype:exploit-kit; sid:2015011; rev:3; metadata:created_at 2012_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; content:"ctask="; nocase; content:"approveImmediately="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ri"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:5; metadata:created_at 2012_07_06, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; content:"ctask="; nocase; content:"approveImmediately="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ri"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:5; metadata:created_at 2012_07_07, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; content:"func="; nocase; content:"root="; nocase; content:"path="; nocase; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:3; metadata:created_at 2012_07_06, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; content:"func="; nocase; content:"root="; nocase; content:"path="; nocase; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:3; metadata:created_at 2012_07_07, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; fast_pattern; content:"page="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_06, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; fast_pattern; content:"page="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_wisroyq"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_wisroyq"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rssreader"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015040; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
@@ -32830,7 +31426,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related H
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; content:".pdf.exe"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2013478; rev:9; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; http.header; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"AntiVirus"; within:24; nocase; content:".exe"; within:24; classtype:trojan-activity; sid:2013827; rev:7; metadata:created_at 2011_11_04, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; http.header; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"AntiVirus"; within:24; nocase; content:".exe"; within:24; classtype:trojan-activity; sid:2013827; rev:7; metadata:created_at 2011_11_05, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaflet_marker"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015466; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
@@ -32858,7 +31454,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=file-manager/categories"; nocase; content:"cid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015497; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"geoiptool.com"; endswith; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:4; metadata:created_at 2012_07_20, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"geoiptool.com"; endswith; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:4; metadata:created_at 2012_07_21, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - .com.tw/check_version.php"; flow:established,to_server; http.uri; content:"/check_version.php"; content:"&version="; http.host; content:".com.tw"; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015503; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
 
@@ -32870,25 +31466,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP C
 
 alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious NULL DNS Request"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; fast_pattern; distance:0; classtype:misc-activity; sid:2029994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Informational, updated_at 2020_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; classtype:trojan-activity; sid:2029995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Major, updated_at 2020_04_22;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern; nocase; content:"title="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"gruppe_id="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; fast_pattern; distance:0; nocase; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; fast_pattern:19,20; content:"pid="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_22;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; http.uri; content:"BULK"; nocase; content:"INSERT"; nocase; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern:35,20; nocase; content:"gall_id="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_22;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; http.uri; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; content:".php"; nocase; distance:0; classtype:bad-unknown; sid:2015518; rev:6; metadata:created_at 2012_07_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; http.uri; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; content:".php"; nocase; distance:0; classtype:bad-unknown; sid:2015518; rev:6; metadata:created_at 2012_07_24, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 3"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?0Q9oBPXEN0uECUg"; classtype:command-and-control; sid:2014857; rev:4; metadata:created_at 2012_06_04, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 3"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?0Q9oBPXEN0uECUg"; classtype:command-and-control; sid:2014857; rev:4; metadata:created_at 2012_06_05, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; http.user_agent; content:"Googlebot-"; fast_pattern; nocase; content:!"Googlebot-News"; startswith; content:!"Googlebot-Image/1.0"; startswith; content:!"Googlebot-Video/1.0"; startswith; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)"; endswith; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:3; metadata:created_at 2012_07_25, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; http.user_agent; content:"Googlebot-"; fast_pattern; nocase; content:!"Googlebot-News"; startswith; content:!"Googlebot-Image/1.0"; startswith; content:!"Googlebot-Video/1.0"; startswith; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)"; endswith; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:3; metadata:created_at 2012_07_26, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; http.uri; content:".ida"; nocase; endswith; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
@@ -32936,11 +31526,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cmd executa
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos/Midhos Checkin"; flow:to_server,established; http.uri; content:"/id="; content:"&rt="; distance:0; content:"AAAAAAAAAAA"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:command-and-control; sid:2014722; rev:5; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; http.user_agent; content:"IST"; fast_pattern; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; classtype:pup-activity; sid:2001493; rev:36; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_04_22;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV POST datan.php"; flow:established,to_server; http.uri; content:"/datan.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; nocase; classtype:trojan-activity; sid:2013206; rev:4; metadata:created_at 2011_07_05, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV POST datan.php"; flow:established,to_server; http.uri; content:"/datan.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; nocase; classtype:trojan-activity; sid:2013206; rev:4; metadata:created_at 2011_07_06, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"Report?"; fast_pattern; content:"Id="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:4; metadata:created_at 2011_08_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"Report?"; fast_pattern; content:"Id="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:4; metadata:created_at 2011_08_24, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Beomok/PSW - HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?i="; fast_pattern; nocase; content:"&o="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2009448; classtype:trojan-activity; sid:2009448; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
@@ -32970,11 +31558,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lanoba-social-plugin/index.php?"; nocase; fast_pattern; content:"action="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015610; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server; http.user_agent; content:"Mozilla"; startswith; content:"|3b 20|MyIE|20|"; fast_pattern; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8; metadata:created_at 2011_03_01, former_category USER_AGENTS, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server; http.user_agent; content:"Mozilla"; startswith; content:"|3b 20|MyIE|20|"; fast_pattern; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8; metadata:created_at 2011_03_01, former_category USER_AGENTS, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; http.header; content:"User-Agent|3A| SimpleClient "; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_05_25, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; http.header; content:"User-Agent|3A| SimpleClient "; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_05_26, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|adlib/"; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|adlib/"; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/gui/link.php?"; nocase; content:"IP="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015637; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
 
@@ -32990,11 +31578,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Min
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_g2bridge"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015645; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely TDS redirecting to exploit kit"; flow:established,to_server; http.uri; content:".php?go="; pcre:"/^\d$/R"; classtype:exploit-kit; sid:2014854; rev:5; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely TDS redirecting to exploit kit"; flow:established,to_server; http.uri; content:".php?go="; pcre:"/^\d$/R"; classtype:exploit-kit; sid:2014854; rev:5; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.JS.QLP Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/read.php?nm="; startswith; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015673; rev:4; metadata:created_at 2012_08_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scheck/"; http.user_agent; pcre:"/^[A-Za-z0-9+\/=]+?$/"; classtype:command-and-control; sid:2014598; rev:7; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scheck/"; http.user_agent; pcre:"/^[A-Za-z0-9+\/=]+?$/"; classtype:command-and-control; sid:2014598; rev:7; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|CE FA AD DE 03 00|"; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:command-and-control; sid:2013819; rev:5; metadata:created_at 2011_11_02, former_category MALWARE, updated_at 2020_04_22;)
 
@@ -33032,7 +31620,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; http.uri; content:"?action=getData&servicePort="; http.user_agent; content:"Java/"; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZmEu|0d 0a|"; classtype:trojan-activity; sid:2012936; rev:4; metadata:created_at 2011_06_06, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZmEu|0d 0a|"; classtype:trojan-activity; sid:2012936; rev:4; metadata:created_at 2011_06_07, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-blank login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a| Basic YWRtaW46|0d 0a|"; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009218; classtype:attempted-admin; sid:2009218; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
@@ -33042,15 +31630,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent det
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; http.host; content:"stats.norton.com"; endswith; http.user_agent; content:"Install Stub"; depth:12; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|curl/"; nocase; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:5; metadata:created_at 2011_06_14, updated_at 2020_04_22;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client HTTP Request "; flow:to_server,established; http.uri; content:"/gnutella/"; nocase; content:"?client=BEAR"; nocase; content:"&version="; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; classtype:trojan-activity; sid:2006379; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client HTTP Request"; flow:to_server,established; http.uri; content:"/gnutella/"; nocase; content:"?client=BEAR"; nocase; content:"&version="; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; classtype:trojan-activity; sid:2006379; rev:7; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:19; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Absinthe SQL Injection Tool HTTP Header Detected"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Absinthe"; nocase; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; classtype:attempted-recon; sid:2009555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"|20|yum|2F|"; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:4; metadata:created_at 2011_09_01, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"|20|yum|2F|"; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:4; metadata:created_at 2011_09_02, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; http.method; content:"TRACE"; nocase; reference:url,doc.emergingthreats.net/2010766; classtype:bad-unknown; sid:2010766; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
@@ -33064,7 +31650,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY ApacheBenchmar
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; http.user_agent; content:"Carbonite Installer"; nocase; depth:19; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; http.header.raw; content:"|0d 0a|Cookie|3a|"; content:"%3D|3b 20|cc2="; distance:0; content:"%3D|3b 20|cc3="; content:"%3D|3b 20|cc4="; content:"|20|Java/"; classtype:exploit-kit; sid:2013695; rev:5; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; http.header.raw; content:"|0d 0a|Cookie|3a|"; content:"%3D|3b 20|cc2="; distance:0; content:"%3D|3b 20|cc3="; content:"%3D|3b 20|cc4="; content:"|20|Java/"; classtype:exploit-kit; sid:2013695; rev:5; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
@@ -33078,21 +31664,21 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirage Campaign c
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (buddy list)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/buddy_list.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010785; classtype:policy-violation; sid:2010785; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"POST"; http.uri; content:"/wp-login.php"; nocase; http.request_body; content:"log|3d|"; content:"pwd|3d|"; classtype:attempted-recon; sid:2014020; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_12_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"POST"; http.uri; content:"/wp-login.php"; nocase; http.request_body; content:"log|3d|"; content:"pwd|3d|"; classtype:attempted-recon; sid:2014020; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|vmware"; reference:url,www.vmware.com; classtype:policy-violation; sid:2013749; rev:6; metadata:created_at 2011_10_11, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"Made by ZmEu"; depth:12; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:10; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; http.user_agent; content:"BingBar"; depth:7; classtype:policy-violation; sid:2013715; rev:5; metadata:created_at 2011_09_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; http.user_agent; content:"BingBar"; depth:7; classtype:policy-violation; sid:2013715; rev:5; metadata:created_at 2011_10_01, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"attachment"; nocase; file.data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:7; metadata:created_at 2012_04_05, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"attachment"; nocase; file.data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:7; metadata:created_at 2012_04_06, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/nano.php?x="; classtype:exploit-kit; sid:2015734; rev:4; metadata:created_at 2012_09_24, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/nano.php?x="; classtype:exploit-kit; sid:2015734; rev:4; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; http.user_agent; content:"ZDM/4.0|3B| Windows Mobile 7.0|3B|"; depth:28; classtype:not-suspicious; sid:2013784; rev:7; metadata:created_at 2011_10_20, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_17, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_18, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; http.user_agent; content:"APT-HTTP|2F|"; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:6; metadata:created_at 2011_08_31, former_category POLICY, updated_at 2020_04_22;)
 
@@ -33108,9 +31694,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Murlo Trojan Chec
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; http.uri; content:"/cp/rule.php?gcu="; nocase; pcre:"/^\d/Ri"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Downloader Activity Observed"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&v="; nocase; content:"&tm="; nocase; fast_pattern; content:"&b="; nocase; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/i"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Downloader Activity Observed"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&v="; nocase; content:"&tm="; nocase; fast_pattern; content:"&b="; nocase; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/i"; reference:md5,38e1d644e2a16041b5ec1a02826df280; reference:url,doc.emergingthreats.net/2009776; reference:md5,1db0c8d48a76662496af7faf581b1cf0; classtype:trojan-activity; sid:2009776; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Counter/Check-in "; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?mac="; nocase; content:"&ver="; distance:0; nocase; pcre:"/\.asp\?mac=(?:[0-9A-F]{2}-){5}(?:[0-9A-F]{2})+&ver=\d/i"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Counter/Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?mac="; nocase; content:"&ver="; distance:0; nocase; pcre:"/\.asp\?mac=(?:[0-9A-F]{2}-){5}(?:[0-9A-F]{2})+&ver=\d/i"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; http.uri; content:"/show.php?"; nocase; content:"id="; nocase; content:"UNION"; distance:0; nocase; pcre:"/id=-?\d+\s+UNION\s/i"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
@@ -33128,7 +31714,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/awstatstotals.php?"; nocase; content:"sort="; nocase; pcre:"/^\w/Ri"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:4; metadata:created_at 2011_06_10, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shylock Module Data POST"; flow:established,to_server; http.request_body; content:"id="; content:"&bid="; distance:0; content:"&query="; distance:0; content:"&data="; distance:0; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:5; metadata:created_at 2011_09_21, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shylock Module Data POST"; flow:established,to_server; http.request_body; content:"id="; content:"&bid="; distance:0; content:"&query="; distance:0; content:"&data="; distance:0; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/"; reference:md5,4fda5e7e8e682870e993f97ad26ba6b2; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; classtype:trojan-activity; sid:2013687; rev:5; metadata:created_at 2011_09_22, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; content:"cmd="; nocase; pcre:"/cmd=\w/i"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:6; metadata:created_at 2012_01_02, updated_at 2020_04_22;)
 
@@ -33142,55 +31728,55 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AskSearch Toolbar
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; isdataat:64,relative; content:"="; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/"; classtype:exploit-kit; sid:2015781; rev:3; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"heritrix"; nocase; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:5; metadata:created_at 2012_10_11, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"heritrix"; nocase; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:5; metadata:created_at 2012_10_12, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; http.uri; content:"/phptax/"; nocase; content:"&pfilez="; nocase; classtype:web-application-attack; sid:2015794; rev:3; metadata:created_at 2012_10_11, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; http.uri; content:"/phptax/"; nocase; content:"&pfilez="; nocase; classtype:web-application-attack; sid:2015794; rev:3; metadata:created_at 2012_10_12, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:7; metadata:created_at 2010_10_12, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:7; metadata:created_at 2010_10_13, updated_at 2020_04_22;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; http.cookie; content:"visitz="; file.data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:3; metadata:created_at 2012_10_18, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; http.user_agent; content:"FHScan Core 1."; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:6; metadata:created_at 2012_04_12, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot requesting update"; flow:to_server,established; http.uri; content:"/modules/docs/upload/calc.exe"; classtype:trojan-activity; sid:2015853; rev:3; metadata:created_at 2012_10_31, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot requesting update"; flow:to_server,established; http.uri; content:"/modules/docs/upload/calc.exe"; classtype:trojan-activity; sid:2015853; rev:3; metadata:created_at 2012_11_01, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; http.uri; content:"/RebateInformerSetup.exe"; nocase; http.user_agent; content:"Inno Setup Downloader"; startswith; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:4; metadata:created_at 2012_11_02, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; http.uri; content:"/Dot.class"; classtype:exploit-kit; sid:2015885; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Wauchos.A CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|stpfu"; http.method; content:"POST"; classtype:trojan-activity; sid:2015895; rev:3; metadata:created_at 2012_11_19, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Wauchos.A CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|stpfu"; http.method; content:"POST"; classtype:trojan-activity; sid:2015895; rev:3; metadata:created_at 2012_11_20, former_category MALWARE, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJ_PROX.AFV POST"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.request_body; content:"=|22|sid|22|"; nocase; content:"=|22|up|22|"; nocase; content:"=|22|wbfl|22|"; nocase; content:"=|22|v|22|"; nocase; content:"=|22|ping|22|"; nocase; content:"=|22|guid|22|"; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; reference:url,doc.emergingthreats.net/2007728; classtype:trojan-activity; sid:2007728; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data\; name=|22|a|22|"; content:"form-data\; name=|22|c|22|"; content:"form-data\; name=|22|p1|22|"; classtype:attempted-user; sid:2015920; rev:3; metadata:created_at 2012_11_21, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java payload request /5-digit"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/\d{5}$/"; http.user_agent; content:"|29 20|Java/"; classtype:exploit-kit; sid:2015923; rev:4; metadata:created_at 2012_11_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java payload request /5-digit"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/\d{5}$/"; http.user_agent; content:"|29 20|Java/"; classtype:exploit-kit; sid:2015923; rev:4; metadata:created_at 2012_11_24, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|from|22|"; content:"form-data|3b| name=|22|realname|22|"; content:"form-data|3b| name=|22|amount|22|"; classtype:web-application-activity; sid:2015924; rev:3; metadata:created_at 2012_11_23, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|from|22|"; content:"form-data|3b| name=|22|realname|22|"; content:"form-data|3b| name=|22|amount|22|"; classtype:web-application-activity; sid:2015924; rev:3; metadata:created_at 2012_11_24, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|formSubmited|22|"; content:"form-data|3b| name=|22|scriptPassword|22|"; classtype:misc-activity; sid:2015937; rev:8; metadata:created_at 2012_11_26, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|formSubmited|22|"; content:"form-data|3b| name=|22|scriptPassword|22|"; classtype:misc-activity; sid:2015937; rev:8; metadata:created_at 2012_11_27, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; http.uri; content:"/core/DataTable/Filter/Megre.php"; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:3; metadata:created_at 2012_11_27, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; http.uri; content:"/core/DataTable/Filter/Megre.php"; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:3; metadata:created_at 2012_11_28, updated_at 2020_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdored Version calls home"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/x.php"; http.host; content:"prostoivse.com"; endswith; http.request_body; content:"reff="; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:5; metadata:created_at 2012_11_28, updated_at 2020_04_22;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdoored Version calls home"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/x.php"; http.host; content:"prostoivse.com"; endswith; http.request_body; content:"reff="; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:5; metadata:created_at 2012_11_28, former_category WEB_SERVER, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad/?"; startswith; fast_pattern; pcre:"/^[a-z]{1,4}\x3d[a-z0-9]+?$/Ri"; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015958; rev:4; metadata:created_at 2012_11_28, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad/?"; startswith; fast_pattern; pcre:"/^[a-z]{1,4}\x3d[a-z0-9]+?$/Ri"; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015958; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request"; flow:established,to_server; http.uri; content:"/p5.php?t=u00"; content:"&oh="; classtype:exploit-kit; sid:2015961; rev:12; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request"; flow:established,to_server; http.uri; content:"/p5.php?t=u00"; content:"&oh="; classtype:exploit-kit; sid:2015961; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin 1"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; startswith; http.host; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/^\d{5}\x2eddns[a-z0-9]\x2eeu$/"; http.user_agent; content:"MSIE 7.0|3b|"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:command-and-control; sid:2015968; rev:9; metadata:created_at 2012_11_29, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin 1"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; startswith; http.host; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/^\d{5}\x2eddns[a-z0-9]\x2eeu$/"; http.user_agent; content:"MSIE 7.0|3b|"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:command-and-control; sid:2015968; rev:9; metadata:created_at 2012_11_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; http.uri; content:".html"; endswith; pcre:"/\/[0-9]{2}\.html$/"; http.user_agent; content:" Java/1"; classtype:exploit-kit; sid:2015990; rev:3; metadata:created_at 2012_12_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; http.uri; content:".html"; endswith; pcre:"/\/[0-9]{2}\.html$/"; http.user_agent; content:" Java/1"; classtype:exploit-kit; sid:2015990; rev:3; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/iis/host.aspx"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; http.content_type; content:"application/octet-stream"; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:3; metadata:created_at 2012_12_07, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/iis/host.aspx"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; http.content_type; content:"application/octet-stream"; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:3; metadata:created_at 2012_12_08, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/tests/test_tools/functional_tests.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/tests/test_tools/functional_tests.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/demos/time-tracker/tests/functional.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/demos/time-tracker/tests/functional.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; http.uri; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; pcre:"/(?:\?|&)(?:host|service|opt|end|start)=[^&]+?\x60.+?\x60/i"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:4; metadata:created_at 2012_12_03, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; http.uri; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; pcre:"/(?:\?|&)(?:host|service|opt|end|start)=[^&]+?\x60.+?\x60/i"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising FlashPost - POST to *.stats"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".stats"; http.request_body; content:"pageURL="; classtype:bad-unknown; sid:2016023; rev:4; metadata:created_at 2012_12_12, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising FlashPost - POST to *.stats"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".stats"; http.request_body; content:"pageURL="; classtype:bad-unknown; sid:2016023; rev:4; metadata:created_at 2012_12_13, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; fast_pattern; content:"wpp="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
@@ -33204,9 +31790,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RIP
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase; fast_pattern; content:"headline="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2016045; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; http.uri; content:"/list.php?db="; fast_pattern; http.accept_lang; content:"ko-kr"; startswith; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016050; rev:4; metadata:created_at 2012_12_17, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; http.uri; content:"/list.php?db="; fast_pattern; http.accept_lang; content:"ko-kr"; startswith; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016050; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; http.user_agent; content:"poclbm/"; nocase; startswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016068; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; http.user_agent; content:"poclbm/"; nocase; startswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016068; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=video-lead-form"; nocase; fast_pattern; content:"errMsg="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016076; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
 
@@ -33226,55 +31812,53 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dbInfo"; nocase; content:"dbInfoRequest"; nocase; content:"searchStr"; nocase; pcre:"/(?:\x3c|\x253c)dbInfo(?:\x3e|\x253e)[\r\n\s]*?(?:\x3c|\x253c)dbInfoRequest(?:\x3e|\x253e).+?(?:\x3c|\x253c)searchStr(?:\x3e|\x253e)((?!(?:\x3c|\x253c)(?:\/|\x252f)searchStr(?:\x3e|\x253e)).)+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)).+?(?:\x3c|\x253c)(?:\/|\x252f)searchStr(?:\x3e|\x253e)/si"; reference:url,securelist.com/en/advisories/51615; reference:url,seclists.org/bugtraq/2012/Dec/110; classtype:web-application-attack; sid:2016086; rev:3; metadata:created_at 2012_12_21, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SmokeLoader - Init 0x"; flow:established,to_client; http.header; content:"Init|3a| 0x"; classtype:trojan-activity; sid:2016088; rev:3; metadata:created_at 2012_12_21, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SmokeLoader - Init 0x"; flow:established,to_client; http.header; content:"Init|3a| 0x"; classtype:trojan-activity; sid:2016088; rev:3; metadata:created_at 2012_12_22, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; http.uri; content:"KAhFXlx9"; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/"; classtype:exploit-kit; sid:2016091; rev:3; metadata:created_at 2012_12_27, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; http.uri; content:"KAhFXlx9"; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/"; classtype:exploit-kit; sid:2016091; rev:3; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; http.uri; content:"/phone_getinfokou_android.php"; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_12_27, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; http.uri; content:"/phone_getinfokou_android.php"; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_12_28, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dexter Infostealer CnC POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"page="; depth:5; content:"&spec="; distance:0; content:"&opt="; distance:0; content:"var="; distance:0; content:"val="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:command-and-control; sid:2016095; rev:3; metadata:created_at 2012_12_27, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dexter Infostealer CnC POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"page="; depth:5; content:"&spec="; distance:0; content:"&opt="; distance:0; content:"var="; distance:0; content:"val="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:command-and-control; sid:2016095; rev:3; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory"; flow:established,to_server; http.uri; content:"/wp-content/w3tc/dbcache"; nocase; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:trojan-activity; sid:2016100; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_27, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory"; flow:established,to_server; http.uri; content:"/wp-content/w3tc/dbcache"; nocase; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:trojan-activity; sid:2016100; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown - Loader - Check .exe Updated"; flow:established,to_server; urilen:<10; http.uri; content:".exe"; fast_pattern; http.header; content:"If-Modified-Since|3a| "; content:"If-None-Match|3a| "; classtype:trojan-activity; sid:2016097; rev:5; metadata:created_at 2012_12_27, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown - Loader - Check .exe Updated"; flow:established,to_server; urilen:<10; http.uri; content:".exe"; fast_pattern; http.header; content:"If-Modified-Since|3a| "; content:"If-None-Match|3a| "; classtype:trojan-activity; sid:2016097; rev:5; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/wp-property/third-party/uploadify/uploadify.php"; nocase; http.request_body; content:"Filedata"; nocase; reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; classtype:web-application-attack; sid:2016109; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/?cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016114; rev:3; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Child_Page?"; nocase; content:"cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016115; rev:3; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/?cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016114; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Admin_Theme_Content?"; nocase; content:"cmd=edittext"; nocase; fast_pattern; content:"key="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016116; rev:3; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Child_Page?"; nocase; content:"cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016115; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mailz/lists/config/config.php?"; fast_pattern:20,20; nocase; content:"wpabspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016117; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Admin_Theme_Content?"; nocase; content:"cmd=edittext"; nocase; fast_pattern; content:"key="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016116; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/pages/links.php?"; nocase; content:"configpath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016120; rev:3; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/pages/links.php?"; nocase; content:"configpath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016120; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; fast_pattern; content:"ru_folder="; nocase; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016121; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; fast_pattern; content:"ru_folder="; nocase; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016121; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/asktheoracle.php?"; nocase; fast_pattern; content:"type="; nocase; content:"oracle_query="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016122; rev:3; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/asktheoracle.php?"; nocase; fast_pattern; content:"type="; nocase; content:"oracle_query="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016122; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; fast_pattern; content:"path="; nocase; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016123; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; fast_pattern; content:"path="; nocase; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016123; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; http.uri; content:"/status.php?cliver="; content:"&uniqid="; content:"&langid="; classtype:command-and-control; sid:2016125; rev:3; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; http.uri; content:"/status.php?cliver="; content:"&uniqid="; content:"&langid="; classtype:command-and-control; sid:2016125; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2"; flow:to_server,established; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/brightmail/admin/restore/download.do?"; content:"&localBackupFileSelection="; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00; classtype:attempted-user; sid:2016119; rev:4; metadata:created_at 2012_12_03, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2"; flow:to_server,established; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/brightmail/admin/restore/download.do?"; content:"&localBackupFileSelection="; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00; classtype:attempted-user; sid:2016119; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?php=receipt"; endswith; pcre:"/^\/[A-Z]+\.php\?php=receipt$/"; classtype:trojan-activity; sid:2016147; rev:3; metadata:created_at 2013_01_03, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Advanced Custom Fields Remote File Inclusion"; flow:established,to_server; http.uri; content:"/wp-content/plugins/advanced-custom-fields/core/actions/export.php"; nocase; fast_pattern; http.request_body; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; classtype:attempted-user; sid:2016148; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mail/filters/editfilter.html?"; nocase; content:"account="; nocase; content:"filtername="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57061; classtype:web-application-attack; sid:2016157; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mail/filters/editfilter.html?"; nocase; content:"account="; nocase; content:"filtername="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57061; classtype:web-application-attack; sid:2016157; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/google-document-embedder/libs/pdf.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/google-document-embedder/libs/pdf.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability"; flow:established,to_server; http.uri; content:"/SSI.php?ssi_function="; nocase; reference:url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html; classtype:web-application-attack; sid:2016159; rev:3; metadata:created_at 2013_01_04, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability"; flow:established,to_server; http.uri; content:"/SSI.php?ssi_function="; nocase; reference:url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html; classtype:web-application-attack; sid:2016159; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/green/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016163; rev:3; metadata:created_at 2013_01_04, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/green/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016163; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/blue/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016164; rev:3; metadata:created_at 2013_01_04, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/blue/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016164; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/x3/files/dir.html?"; nocase; fast_pattern; content:"showhidden="; nocase; content:"dir="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57064; classtype:web-application-attack; sid:2016165; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/x3/files/dir.html?"; nocase; fast_pattern; content:"showhidden="; nocase; content:"dir="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57064; classtype:web-application-attack; sid:2016165; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; nocase; http.uri; content:"/CFIDE/wizards/common/_logintowizard.cfm"; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:5; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
 
@@ -33296,13 +31880,13 @@ alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion component
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/administrator"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:6; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Midhos/Medfos downloader"; flow:established,to_server; http.uri; content:"/upload/fid="; content:"AAAAAAAAAAA"; http.header; content:"Host|3a 20|megaupload.com|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0"; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; classtype:trojan-activity; sid:2016189; rev:3; metadata:created_at 2013_01_11, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Midhos/Medfos downloader"; flow:established,to_server; http.uri; content:"/upload/fid="; content:"AAAAAAAAAAA"; http.header; content:"Host|3a 20|megaupload.com|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0"; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; classtype:trojan-activity; sid:2016189; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/nextgen-gallery/nggallery.php?"; nocase; fast_pattern; content:"test-head="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016194; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_11, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/nextgen-gallery/nggallery.php?"; nocase; fast_pattern; content:"test-head="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016194; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/browser-rejector/rejectr.js.php?"; nocase; fast_pattern; content:"wppath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51739/; classtype:web-application-attack; sid:2016195; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_11, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/browser-rejector/rejectr.js.php?"; nocase; fast_pattern; content:"wppath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51739/; classtype:web-application-attack; sid:2016195; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; content:"topic="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:4; metadata:created_at 2013_01_11, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; content:"topic="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
 
 #alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"T8hlGOo9"; fast_pattern; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:"AAAAAAAA"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030007; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
 
@@ -33334,17 +31918,17 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificat
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=vitlescaux.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/src/userchange.php?"; nocase; content:"op=changeview"; nocase; fast_pattern; content:"viewid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,secunia.com/advisories/51816/; classtype:web-application-attack; sid:2016199; rev:3; metadata:created_at 2013_01_11, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/src/userchange.php?"; nocase; content:"op=changeview"; nocase; fast_pattern; content:"viewid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,secunia.com/advisories/51816/; classtype:web-application-attack; sid:2016199; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016200; rev:4; metadata:created_at 2013_01_11, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016200; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/edit.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016201; rev:3; metadata:created_at 2013_01_11, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/edit.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016201; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/upload.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016202; rev:3; metadata:created_at 2013_01_11, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/upload.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016202; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/gallery-plugin/gallery-plugin.php?"; nocase; fast_pattern; content:"filename_1="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57256/; classtype:web-application-attack; sid:2016203; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_11, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/gallery-plugin/gallery-plugin.php?"; nocase; fast_pattern; content:"filename_1="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57256/; classtype:web-application-attack; sid:2016203; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/telnet_cmd.php"; fast_pattern; http.user_agent; content:"Opera/9.61"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&c="; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:command-and-control; sid:2016205; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/telnet_cmd.php"; fast_pattern; http.user_agent; content:"Opera/9.61"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&c="; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:command-and-control; sid:2016205; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geturl.aspx?email="; content:"&lat="; content:"&lon="; content:"&mobile="; content:"&group="; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:command-and-control; sid:2016209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_23;)
 
@@ -33372,23 +31956,23 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_ztautolink controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_ztautolink"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.com/files/118944/Joomla-ZtAutoLink-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016233; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,to_server; urilen:>100; flowbits:set,et.exploitkitlanding; http.uri; content:"/i.html?0x"; startswith; pcre:"/^\d{1,2}=[a-zA-Z0-9+=]{100}/R"; classtype:exploit-kit; sid:2016248; rev:7; metadata:created_at 2013_01_21, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,to_server; urilen:>100; flowbits:set,et.exploitkitlanding; http.uri; content:"/i.html?0x"; startswith; pcre:"/^\d{1,2}=[a-zA-Z0-9+=]{100}/R"; classtype:exploit-kit; sid:2016248; rev:7; metadata:created_at 2013_01_22, updated_at 2020_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"PSTORE|3a|"; classtype:trojan-activity; sid:2016252; rev:4; metadata:created_at 2013_01_23, former_category MALWARE, updated_at 2020_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"PSTORE|3a|"; classtype:trojan-activity; sid:2016252; rev:4; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; http.uri; content:"/"; depth:1; content:".jar"; distance:1; within:4; endswith; pcre:"/^\/[a-z]\.jar$/"; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016254; rev:3; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; http.uri; content:"/"; depth:1; content:".jar"; distance:1; within:4; endswith; pcre:"/^\/[a-z]\.jar$/"; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016254; rev:3; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; http.uri; content:"/cve2012xxxx/Gondvv.class"; classtype:exploit-kit; sid:2016256; rev:3; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; http.uri; content:"/cve2012xxxx/Gondvv.class"; classtype:exploit-kit; sid:2016256; rev:3; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of System Info"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"User is SYSTEM|3a|"; classtype:trojan-activity; sid:2016253; rev:4; metadata:created_at 2013_01_23, former_category MALWARE, updated_at 2020_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of System Info"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"User is SYSTEM|3a|"; classtype:trojan-activity; sid:2016253; rev:4; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Win32"; nocase; classtype:trojan-activity; sid:2012249; rev:5; metadata:created_at 2011_02_01, updated_at 2020_04_23;)
+alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Win32"; nocase; classtype:trojan-activity; sid:2012249; rev:5; metadata:created_at 2011_02_02, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS - in.php"; flow:established,to_server; http.uri; content:"/in.php?s="; classtype:exploit-kit; sid:2016272; rev:3; metadata:created_at 2013_01_24, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS - in.php"; flow:established,to_server; http.uri; content:"/in.php?s="; classtype:exploit-kit; sid:2016272; rev:3; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader API Ping CnC Beacon"; flow:established,to_server; http.uri; content:"/api/ping?stage="; content:"&uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:command-and-control; sid:2016273; rev:3; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader API Ping CnC Beacon"; flow:established,to_server; http.uri; content:"/api/ping?stage="; content:"&uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:command-and-control; sid:2016273; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV"; flow:established,to_server; http.uri; content:"/viruslist/?uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016274; rev:3; metadata:created_at 2013_01_24, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV"; flow:established,to_server; http.uri; content:"/viruslist/?uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016274; rev:3; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin.php?_g=filemanager/language"; nocase; fast_pattern; content:"loc="; nocase; reference:url,packetstormsecurity.com/files/119082/CubeCart-4.4.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016284; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
@@ -33398,31 +31982,31 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/data/file/edit.php?"; nocase; content:"hybridid="; nocase; content:"result="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016282; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/users/users.php?"; nocase; content:"type="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016283; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/users/users.php?"; nocase; content:"type="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016283; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/post_message_form.asp?"; nocase; content:"ForumID="; nocase; content:"ThreadPage="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016290; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/phpminiadmin.php?"; nocase; fast_pattern; content:"XSS="; nocase; content:"db="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,cxsecurity.com/issue/WLB-2013010179; classtype:web-application-attack; sid:2016291; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"script"; nocase; content:"Submit"; nocase; content:"Runtime"; nocase; content:"getRuntime"; nocase; distance:0; content:".exec"; nocase; classtype:attempted-user; sid:2016294; rev:11; metadata:created_at 2013_01_24, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"script"; nocase; content:"Submit"; nocase; content:"Runtime"; nocase; content:"getRuntime"; nocase; distance:0; content:".exec"; nocase; classtype:attempted-user; sid:2016294; rev:11; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"cmd.exe"; fast_pattern; classtype:attempted-user; sid:2016295; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"cmd.exe"; fast_pattern; classtype:attempted-user; sid:2016295; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"/bin/sh"; fast_pattern; classtype:attempted-user; sid:2016296; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"/bin/sh"; fast_pattern; classtype:attempted-user; sid:2016296; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/forum_members.asp?"; nocase; content:"find="; nocase; content:"ForumID="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016289; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Non-Standard HTML page in Joomla /com_content/ dir"; flow:established,to_server; http.uri; content:"/components/com_content/"; content:!"index.html"; nocase; within:10; content:".html"; nocase; distance:0; classtype:bad-unknown; sid:2016311; rev:7; metadata:created_at 2013_01_29, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Non-Standard HTML page in Joomla /com_content/ dir"; flow:established,to_server; http.uri; content:"/components/com_content/"; content:!"index.html"; nocase; within:10; content:".html"; nocase; distance:0; classtype:bad-unknown; sid:2016311; rev:7; metadata:created_at 2013_01_30, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Successful Infection CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/count.php?isOnline=1"; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:command-and-control; sid:2016312; rev:3; metadata:created_at 2013_01_29, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Successful Infection CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/count.php?isOnline=1"; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:command-and-control; sid:2016312; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Second Stage Download List Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Down/list.txt"; depth:14; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016313; rev:4; metadata:created_at 2013_01_29, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Second Stage Download List Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Down/list.txt"; depth:14; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016313; rev:4; metadata:created_at 2013_01_30, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/SSHDoor.A Reporting Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"port="; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5}/R"; content:"|3A|"; content:"&uname="; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016314; rev:3; metadata:created_at 2013_01_29, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/SSHDoor.A Reporting Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"port="; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5}/R"; content:"|3A|"; content:"&uname="; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016314; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious user-agent (f**king)"; flow:established,to_server; http.header; content:"fucking|0d 0a|"; fast_pattern; http.user_agent; content:"fucking"; endswith; classtype:trojan-activity; sid:2016317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Second Stage Download Request"; flow:established,to_server; http.uri; content:"/ssl/cert.dll"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016330; rev:4; metadata:created_at 2013_01_31, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Second Stage Download Request"; flow:established,to_server; http.uri; content:"/ssl/cert.dll"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016330; rev:4; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass file Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=upgrade"; nocase; content:"file="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016334; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
@@ -33430,37 +32014,35 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSC
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 2"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=edit_category_post"; nocase; fast_pattern; content:"id="; nocase; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016336; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern:12,20; nocase; content:"src="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016337; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_23;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern; nocase; content:"h="; nocase; content:"src="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMSQLITE id parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/mediaAdmin.php?"; nocase; content:"id="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016339; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMSQLITE mediaAdmin.php file Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/mediaAdmin.php?"; nocase; content:"d="; nocase; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016340; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/sk"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/sk"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016215; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/sk"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/sk"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016215; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/dllhost/ac"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016216; rev:7; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/dllhost/ac"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016216; rev:7; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WSO WebShell Activity POST structure 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:" name=|22|c|22|"; content:"name=|22|p1|22|"; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/i"; classtype:attempted-user; sid:2016354; rev:4; metadata:created_at 2013_02_05, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ServStart.Variant CnC Beacon"; flow:established,to_server; http.uri; content:"&mac="; nocase; content:"type="; nocase; content:"id="; nocase; http.header; content:"User-Agent|3a 20|Google ++|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2016355; rev:3; metadata:created_at 2013_02_05, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ServStart.Variant CnC Beacon"; flow:established,to_server; http.uri; content:"&mac="; nocase; content:"type="; nocase; content:"id="; nocase; http.header; content:"User-Agent|3a 20|Google ++|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2016355; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; http.uri; content:"/controls.php"; http.user_agent; content:"Dalvik/"; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StartPage.eba Dropper Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?mac="; content:"&ver="; content:"&t="; http.user_agent; content:"Forthgoer"; reference:url,www.securelist.com/en/descriptions/24621847/Trojan-Dropper.Win32.StartPage.eba; classtype:command-and-control; sid:2016316; rev:4; metadata:created_at 2013_01_30, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/th"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/th"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016214; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/th"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/th"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016214; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/check"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016217; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/check"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016217; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/flush"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/flush"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016218; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/flush"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/flush"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016218; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/wcx"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/wcx"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016219; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/wcx"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/wcx"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016219; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/cab"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/cab"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016220; rev:4; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/cab"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/cab"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016220; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/atp.txt"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:command-and-control; sid:2016329; rev:5; metadata:created_at 2013_01_31, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/atp.txt"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:command-and-control; sid:2016329; rev:5; metadata:created_at 2013_02_01, former_category MALWARE, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Umbra/Multibot Loader User-Agent (umbra)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|umbra|0d 0a|"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016366; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_23;)
 
@@ -33480,17 +32062,17 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Glo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-ecommerce-shop-styling/includes/generate-pdf.php?"; nocase; fast_pattern; content:"dompdf="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51707/; classtype:web-application-attack; sid:2016381; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FloatingCloud.Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/Install/Post.asp?Uid="; nocase; pcre:"/^[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$/Ri"; reference:url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan; classtype:command-and-control; sid:2016399; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FloatingCloud.Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/Install/Post.asp?Uid="; nocase; pcre:"/^[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$/Ri"; reference:url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan; classtype:command-and-control; sid:2016399; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PDF 0day Communication - agent UA Feb 14 2013"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/param"; http.header; content:"User-Agent|3a| agent|0d 0a|"; fast_pattern; content:"Content-Length|3a|"; reference:url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html; classtype:trojan-activity; sid:2016411; rev:4; metadata:created_at 2013_02_14, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PDF 0day Communication - agent UA Feb 14 2013"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/param"; http.header; content:"User-Agent|3a| agent|0d 0a|"; fast_pattern; content:"Content-Length|3a|"; reference:url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html; classtype:trojan-activity; sid:2016411; rev:4; metadata:created_at 2013_02_15, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Vundo.Downloader Reporting User Website Session Information"; flow:established,to_server; http.uri; content:"/js.php?ran="; fast_pattern; content:"&t="; content:"&u="; http.accept_lang; content:"ru-RU"; nocase; startswith; reference:url,www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32vundojd; classtype:trojan-activity; sid:2016417; rev:3; metadata:created_at 2013_02_16, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vundo.OD Checkin"; flow:to_server,established; http.uri; content:"/get.php?"; pcre:"/^(?:id|key)=/Ri"; content:"id="; content:"key="; content:"&os="; content:"&av="; content:"&vm="; content:"&al="; content:"&p="; content:"&z="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.threatexpert.com/report.aspx?md5=8840a0d9d7f4dba3953ccb68b17b2d6c; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD; classtype:command-and-control; sid:2016424; rev:6; metadata:created_at 2011_12_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vundo.OD Checkin"; flow:to_server,established; http.uri; content:"/get.php?"; pcre:"/^(?:id|key)=/Ri"; content:"id="; content:"key="; content:"&os="; content:"&av="; content:"&vm="; content:"&al="; content:"&p="; content:"&z="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD; reference:md5,8840a0d9d7f4dba3953ccb68b17b2d6c; classtype:command-and-control; sid:2016424; rev:6; metadata:created_at 2011_12_17, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarext32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:4; metadata:created_at 2013_02_14, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarext32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarhlp32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:4; metadata:created_at 2013_02_14, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarhlp32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likseput.B Checkin"; flow:established,to_server; http.header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/mi"; http.user_agent; content:"|3b|Trident/4.0 "; fast_pattern; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:command-and-control; sid:2016432; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
 
@@ -33498,11 +32080,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT HTTP Chec
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Namsoth.A Checkin/NEWSREELS APT1 Related"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; depth:5; content:"&userid="; distance:0; content:"&other"; distance:4; within:6; pcre:"/&userid=\d{4}&other=[MF]/"; reference:md5,a2cd1189860b9ba214421aab86ecbc8a; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016439; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Download UA"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.8.0.12) Firefox/1.5.0.12"; fast_pattern; bsize:74; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:command-and-control; sid:2016453; rev:3; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Download UA"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.8.0.12) Firefox/1.5.0.12"; fast_pattern; bsize:74; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:command-and-control; sid:2016453; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related"; flow:to_server,established; urilen:27; http.uri; content:"/Default.aspx?ID="; pcre:"/^[A-Z]{10}$/R"; http.user_agent; content:!"Mozilla"; startswith; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016459; rev:6; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related"; flow:to_server,established; urilen:27; http.uri; content:"/Default.aspx?ID="; pcre:"/^[A-Z]{10}$/R"; http.user_agent; content:!"Mozilla"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,www.mandiant.com/apt1; reference:md5,ba45339da92ca4622b472ac458f4c8f2; classtype:targeted-activity; sid:2016459; rev:6; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-UGX User-Agent (Windows+NT+5.x) APT1"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; depth:12; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016471; rev:4; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-UGX User-Agent (Windows+NT+5.x) APT1"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; depth:12; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016471; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x)"; flow:to_server,established; http.user_agent; content:"Enhanced-CTorrent"; reference:url,www.rahul.net/dholmes/ctorrent; reference:url,doc.emergingthreats.net/2011703; classtype:policy-violation; sid:2011703; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
 
@@ -33514,39 +32096,39 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Cisco Torch IOS HTTP
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; http.user_agent; content:"core-project/1.0"; classtype:web-application-activity; sid:2008529; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Android_SMS/receiving.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:command-and-control; sid:2016513; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Android_SMS/receiving.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:command-and-control; sid:2016513; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimemo Activity"; flow:established,to_server; http.uri; content:"mainsettings/settings.sol"; http.user_agent; content:" MSIE 7.0|3b|"; classtype:trojan-activity; sid:2016515; rev:5; metadata:created_at 2013_03_04, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"|0d 0a 0d 0a|act="; fast_pattern; http.method; content:"POST"; http.request_body; content:"act="; depth:4; content:"&d="; within:20; classtype:attempted-user; sid:2016516; rev:3; metadata:created_at 2013_03_04, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"akk="; depth:4; content:"&client="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016529; rev:3; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"akk="; depth:4; content:"&client="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016529; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Time CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/time/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016533; rev:3; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Time CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/time/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016533; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Get New MAC CnC Beacon"; flow:established,to_server; http.uri; content:"/features/get/new/mac/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016534; rev:3; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Get New MAC CnC Beacon"; flow:established,to_server; http.uri; content:"/features/get/new/mac/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016534; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Set Done Day CnC Beacon"; flow:established,to_server; http.uri; content:"/features/set/done/day/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016535; rev:3; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Set Done Day CnC Beacon"; flow:established,to_server; http.uri; content:"/features/set/done/day/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016535; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Header CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/header/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016536; rev:3; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Header CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/header/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016536; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stabuniq Checkin"; flow:to_server,established; http.request_body; content:"id="; depth:3; content:"&varname="; content:"&comp="; content:"&ver="; content:"&xid="; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:command-and-control; sid:2016130; rev:4; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stabuniq Checkin"; flow:to_server,established; http.request_body; content:"id="; depth:3; content:"&varname="; content:"&comp="; content:"&ver="; content:"&xid="; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:command-and-control; sid:2016130; rev:4; metadata:created_at 2012_12_29, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; http.header; content:!".jar"; nocase; file.data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; classtype:exploit-kit; sid:2016540; rev:4; metadata:created_at 2013_03_05, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; http.header; content:!".jar"; nocase; file.data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; classtype:exploit-kit; sid:2016540; rev:4; metadata:created_at 2013_03_06, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trustezeb.C CnC Beacon"; flow:established,to_server; http.uri; content:".php?ltype="; content:"&ccr="; content:"&id="; content:"&stat="; content:"&ver="; content:"&loc="; content:"&os="; reference:url,www.abuse.ch/?p=5175; reference:url,www.virusradar.com/Win32_Trustezeb.C/description; classtype:command-and-control; sid:2016552; rev:3; metadata:created_at 2013_03_07, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trustezeb.C CnC Beacon"; flow:established,to_server; http.uri; content:".php?ltype="; content:"&ccr="; content:"&id="; content:"&stat="; content:"&ver="; content:"&loc="; content:"&os="; reference:url,www.abuse.ch/?p=5175; reference:url,www.virusradar.com/Win32_Trustezeb.C/description; classtype:command-and-control; sid:2016552; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016575; rev:4; metadata:created_at 2013_03_13, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016575; rev:4; metadata:created_at 2013_03_14, updated_at 2020_04_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016576; rev:3; metadata:created_at 2013_03_13, updated_at 2020_04_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016576; rev:3; metadata:created_at 2013_03_14, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar2)"; flow:established,to_server; http.uri; content:"varchar2("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2016596; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_03_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar2)"; flow:established,to_server; http.uri; content:"varchar2("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2016596; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_03_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; http.uri; content:"/1234.functions"; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:command-and-control; sid:2016599; rev:5; metadata:created_at 2012_10_25, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; http.uri; content:"/1234.functions"; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:command-and-control; sid:2016599; rev:5; metadata:created_at 2012_10_26, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameThief Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/count/bindplugin.ini"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:command-and-control; sid:2016637; rev:4; metadata:created_at 2013_03_20, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameThief Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/count/bindplugin.ini"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:command-and-control; sid:2016637; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Depyot.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/pdf.php?id="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740; classtype:command-and-control; sid:2016638; rev:3; metadata:created_at 2013_03_21, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Depyot.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/pdf.php?id="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740; classtype:command-and-control; sid:2016638; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; http.uri; content:"/Android_SMS/installing.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)
 
@@ -33582,13 +32164,13 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016675; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/0"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/0"; fast_pattern; nocase; classtype:bad-unknown; sid:2016695; rev:3; metadata:created_at 2013_04_01, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/0"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/0"; fast_pattern; nocase; classtype:bad-unknown; sid:2016695; rev:3; metadata:created_at 2013_04_02, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; http.cookie; content:"visited=TRUE|3b 20|mutex="; startswith; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014408; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; http.cookie; content:"visited=TRUE|3b 20|mutex="; startswith; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014408; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus User-Agent(z00sAgent)"; flow:to_server,established; http.user_agent; content:"z00sAgent"; startswith; reference:md5,e94fb19f3a38f9b2a775b925e4c0abe3; classtype:trojan-activity; sid:2016710; rev:4; metadata:created_at 2013_04_02, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; http.stat_code; content:"301"; http.stat_msg; content:"Moved Permanently"; http.location; content:"/update/winword.pkg"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016713; rev:3; metadata:created_at 2013_04_03, former_category MALWARE, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; http.stat_code; content:"301"; http.stat_msg; content:"Moved Permanently"; http.location; content:"/update/winword.pkg"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016713; rev:3; metadata:created_at 2013_04_04, former_category MALWARE, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Infection or Config URL Request"; flow:established,to_server; http.uri; content:"/file.php|7C|file="; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:3; metadata:created_at 2013_04_09, updated_at 2020_04_23;)
 
@@ -33602,25 +32184,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Citadel Conf.
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Getting Template"; flow:to_server,established; http.uri; content:"/lnd/template="; fast_pattern; pcre:"/\/[a-z0-9]+$/i"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT 5.1|3b|"; classtype:trojan-activity; sid:2016749; rev:3; metadata:created_at 2013_04_10, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - pdfx.html"; flow:established,to_server; http.uri; content:"/pdfx.html"; classtype:exploit-kit; sid:2016055; rev:4; metadata:created_at 2012_12_17, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - pdfx.html"; flow:established,to_server; http.uri; content:"/pdfx.html"; classtype:exploit-kit; sid:2016055; rev:4; metadata:created_at 2012_12_18, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Bitcoin Mining Extensions Header"; flow:to_server,established; http.method; content:"POST"; http.header; content:"X-Mining-Extensions|3a|"; classtype:coin-mining; sid:2016758; rev:5; metadata:created_at 2013_04_16, former_category POLICY, updated_at 2020_04_23;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - Haxplorer URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=dir&dir="; classtype:attempted-user; sid:2016761; rev:3; metadata:created_at 2013_04_16, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=con"; classtype:attempted-user; sid:2016762; rev:3; metadata:created_at 2013_04_16, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=con"; classtype:attempted-user; sid:2016762; rev:3; metadata:created_at 2013_04_17, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Process List Dump"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&pl=|5b|System|20|Process"; content:"svchost.exe"; content:"&r="; content:"&g="; content:"&s="; content:"&c="; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:3; metadata:created_at 2013_04_18, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Process List Dump"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&pl=|5b|System|20|Process"; content:"svchost.exe"; content:"&r="; content:"&g="; content:"&s="; content:"&c="; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:3; metadata:created_at 2013_04_18, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:3; metadata:created_at 2013_04_18, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; http.user_agent; content:"|3b 20|Silk/"; pcre:"/^\d+\.\d/R"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:5; metadata:created_at 2012_01_04, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myrahost/list.aspx?"; nocase; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent MyAgrent"; flow:established,to_server; http.user_agent; content:"MyAgrent"; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent MyAgrent"; flow:established,to_server; http.user_agent; content:"MyAgrent"; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TCYWin.Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"TCYWinHTTPDownload"; reference:md5,4cfe5674d9f33804572ae0d14f0c941b; classtype:trojan-activity; sid:2014305; rev:4; metadata:created_at 2012_03_05, updated_at 2020_04_24;)
 
@@ -33632,25 +32214,25 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible W
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"dynamic-cached-content"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/i"; classtype:attempted-user; sid:2016790; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:4; metadata:created_at 2013_04_26, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:4; metadata:created_at 2013_04_27, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.request_body; content:"current_version="; pcre:"/^[a-z0-9]{196}/Ri"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; http.uri; content:"CHAR("; nocase; pcre:"/^[0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ri"; classtype:attempted-admin; sid:2014352; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 1"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"JnN1cmk9"; distance:0; fast_pattern; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016793; rev:6; metadata:created_at 2013_04_26, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 1"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"JnN1cmk9"; distance:0; fast_pattern; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016793; rev:6; metadata:created_at 2013_04_27, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 2"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"mc3VyaT0"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016814; rev:5; metadata:created_at 2013_05_03, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 3"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"ZzdXJpP"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016815; rev:5; metadata:created_at 2013_05_03, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/login.cgi"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016819; rev:6; metadata:created_at 2013_05_03, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/login.cgi"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016819; rev:6; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/7"; flow:established,to_server; http.user_agent; content:"Mozilla/7"; depth:9; nocase; classtype:bad-unknown; sid:2016692; rev:5; metadata:created_at 2013_04_01, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/7"; flow:established,to_server; http.user_agent; content:"Mozilla/7"; depth:9; nocase; classtype:bad-unknown; sid:2016692; rev:5; metadata:created_at 2013_04_02, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; http.user_agent; content:"Mozilla/9"; depth:9; nocase; classtype:bad-unknown; sid:2016694; rev:5; metadata:created_at 2013_04_01, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; http.user_agent; content:"Mozilla/9"; depth:9; nocase; classtype:bad-unknown; sid:2016694; rev:5; metadata:created_at 2013_04_02, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"Opera/9.80"; depth:10; content:"Edition Yx|3b| ru"; fast_pattern; distance:0; classtype:trojan-activity; sid:2016034; rev:4; metadata:created_at 2012_12_13, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"Opera/9.80"; depth:10; content:"Edition Yx|3b| ru"; fast_pattern; distance:0; classtype:trojan-activity; sid:2016034; rev:4; metadata:created_at 2012_12_14, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSISDL Iplookup.php IPCheck"; flow:established,to_server; http.uri; content:"/iplookup.php"; fast_pattern; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:policy-violation; sid:2016744; rev:6; metadata:created_at 2013_04_09, updated_at 2020_04_24;)
 
@@ -33662,7 +32244,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduleedit access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduleedit.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016843; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/downloads/IPFilter.exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; reference:url,threatexpert.com/report.aspx?md5=c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:command-and-control; sid:2016844; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/downloads/IPFilter.exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; reference:md5,c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:command-and-control; sid:2016844; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTPing Usage Inbound"; flow:established,to_server; http.user_agent; content:"HTTPing"; depth:7; reference:url,www.vanheusden.com/httping/; classtype:policy-violation; sid:2016845; rev:4; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
 
@@ -33670,11 +32252,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tosct.B UA
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[a-z]\/$/Ui"; http.user_agent; content:"(compatible|3b|"; content:"|20|MSIE|20|"; distance:0; content:"(Compatible|3b|"; fast_pattern; distance:0; classtype:command-and-control; sid:2016829; rev:4; metadata:created_at 2013_05_07, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 1"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad"; depth:3; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/i"; http.user_agent; content:"Microsoft BITS/"; depth:15; classtype:command-and-control; sid:2015957; rev:8; metadata:created_at 2012_11_28, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 1"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad"; depth:3; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/i"; http.user_agent; content:"Microsoft BITS/"; depth:15; classtype:command-and-control; sid:2015957; rev:8; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; http.user_agent; content:"EMSFRTCBVD"; depth:10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:3; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; http.user_agent; content:"EMSFRTCBVD"; depth:10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:3; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 0"; nocase; classtype:trojan-activity; sid:2016880; rev:7; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 0"; nocase; classtype:trojan-activity; sid:2016880; rev:7; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE)"; flow:established,to_server; http.user_agent; content:"DSMBVCTFRE"; nocase; depth:10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016882; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
@@ -33684,8 +32266,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogg
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMOMAKE)"; flow:established,to_server; http.user_agent; content:"DEMOMAKE"; nocase; depth:8; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016885; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile)"; flow:established,to_server; http.user_agent; content:"sendFile"; nocase; depth:8; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016888; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(vbusers)"; flow:established,to_server; http.user_agent; content:"vbusers"; nocase; depth:7; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016891; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(folderwin)"; flow:established,to_server; http.user_agent; content:"folderwin"; nocase; depth:9; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016892; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
@@ -33696,31 +32276,31 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogg
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(bugmaal)"; flow:established,to_server; http.user_agent; content:"bugmaal"; nocase; depth:7; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016895; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"MyHttpClient"; depth:12; http.request_body; content:"tit="; fast_pattern; depth:4; content:"&cont="; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016866; rev:5; metadata:created_at 2013_05_20, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"MyHttpClient"; depth:12; http.request_body; content:"tit="; fast_pattern; depth:4; content:"&cont="; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016866; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (ChilkatUpload)"; flow:to_server,established; http.user_agent; content:"ChilkatUpload"; depth:13; nocase; reference:url,chilkatsoft.com; classtype:trojan-activity; sid:2016904; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(FMBVDFRESCT)"; flow:established,to_server; http.user_agent; content:"FMBVDFRESCT"; nocase; depth:11; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016881; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registration Rev3"; flow:established,to_server; http.uri; content:"/gate.php?id="; pcre:"/^[a-z]{15}$/R"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016909; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registration Rev3"; flow:established,to_server; http.uri; content:"/gate.php?id="; pcre:"/^[a-z]{15}$/R"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016909; rev:4; metadata:created_at 2013_05_22, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Get Command Rev3"; flow:established,to_server; http.uri; content:"/get"; endswith; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016910; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Get Command Rev3"; flow:established,to_server; http.uri; content:"/get"; endswith; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016910; rev:4; metadata:created_at 2013_05_22, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 2."; nocase; classtype:policy-violation; sid:2016873; rev:6; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 2."; nocase; classtype:policy-violation; sid:2016873; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 3."; nocase; classtype:policy-violation; sid:2016872; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 3."; nocase; classtype:policy-violation; sid:2016872; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/0."; nocase; classtype:policy-violation; sid:2016875; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/0."; nocase; classtype:policy-violation; sid:2016875; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/1."; nocase; classtype:policy-violation; sid:2016876; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/1."; nocase; classtype:policy-violation; sid:2016876; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/2."; nocase; classtype:policy-violation; sid:2016877; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/2."; nocase; classtype:policy-violation; sid:2016877; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 4."; nocase; classtype:policy-violation; sid:2016878; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 4."; nocase; classtype:policy-violation; sid:2016878; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 5.0"; nocase; classtype:policy-violation; sid:2016879; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 5.0"; nocase; classtype:policy-violation; sid:2016879; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 1."; nocase; classtype:policy-violation; sid:2016874; rev:5; metadata:created_at 2013_05_20, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 1."; nocase; classtype:policy-violation; sid:2016874; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Gapz MSIE 9 on Windows NT 5"; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 9.0|3b| Windows NT 5."; fast_pattern; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:trojan-activity; sid:2016897; rev:8; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
@@ -33728,9 +32308,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious MSIE 10 o
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; http.request_body; content:"_ajax_nonce="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Safe User Agent Fantasia"; flow:established,to_server; http.user_agent; content:"Fantasia"; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; classtype:trojan-activity; sid:2016934; rev:4; metadata:created_at 2013_05_28, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Safe User Agent Fantasia"; flow:established,to_server; http.user_agent; content:"Fantasia"; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; classtype:trojan-activity; sid:2016934; rev:4; metadata:created_at 2013_05_29, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vobfus Check-in"; flow:established,to_server; http.uri; content:".php?page="; content:"&style=LED_g&nbdigits="; distance:0; fast_pattern; http.user_agent; content:"Opera"; nocase; depth:5; classtype:trojan-activity; sid:2016940; rev:4; metadata:created_at 2013_05_28, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vobfus Check-in"; flow:established,to_server; http.uri; content:".php?page="; content:"&style=LED_g&nbdigits="; distance:0; fast_pattern; http.user_agent; content:"Opera"; nocase; depth:5; classtype:trojan-activity; sid:2016940; rev:4; metadata:created_at 2013_05_29, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Checkin"; flow:established,to_server; http.uri; content:"/cntr.php?b="; nocase; content:"&c="; nocase; content:"&d="; nocase; reference:url,doc.emergingthreats.net/2002959; classtype:command-and-control; sid:2002959; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_24;)
 
@@ -33740,29 +32320,29 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Back
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; http.request_body; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; classtype:attempted-user; sid:2016954; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; http.request_body; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; classtype:attempted-user; sid:2016954; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; http.uri; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; http.uri; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; http.request_body; content:"java.lang.Runtime@getRuntime().exec("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; http.request_body; content:"java.lang.Runtime@getRuntime().exec("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; http.request_body; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; http.request_body; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; http.uri; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; http.uri; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/info/privacy_security.htm"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"microsoft.com"; endswith; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:6; metadata:created_at 2013_06_04, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/info/privacy_security.htm"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"microsoft.com"; endswith; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:6; metadata:created_at 2013_06_05, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; http.uri; content:"/phppath/php"; pcre:"/^\b/R"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:attempted-admin; sid:2016983; rev:3; metadata:created_at 2013_06_05, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; http.uri; content:"/phppath/php"; pcre:"/^\b/R"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:attempted-admin; sid:2016983; rev:3; metadata:created_at 2013_06_06, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour"; flow:established,to_server; http.uri; content:"/tmp/"; depth:5; content:".exe"; distance:0; pcre:"/^\/tmp\/.+\.exe$/"; classtype:bad-unknown; sid:2016985; rev:3; metadata:created_at 2013_06_06, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour"; flow:established,to_server; http.uri; content:"/tmp/"; depth:5; content:".exe"; distance:0; pcre:"/^\/tmp\/.+\.exe$/"; classtype:bad-unknown; sid:2016985; rev:3; metadata:created_at 2013_06_07, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013033; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/picture.php"; endswith; http.header_names; content:!"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; http.connection; content:"Keep-Alive"; bsize:10; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:command-and-control; sid:2016368; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KimJongRAT cnc exe pull"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"subject="; nocase; depth:8; content:"&data="; nocase; pcre:"/^subject=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})_(?:(?:list|que)_done|ini(?:_done)?)&data/"; reference:url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf; classtype:command-and-control; sid:2017009; rev:6; metadata:created_at 2013_06_12, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KimJongRAT cnc exe pull"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"subject="; nocase; depth:8; content:"&data="; nocase; pcre:"/^subject=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})_(?:(?:list|que)_done|ini(?:_done)?)&data/"; reference:url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf; classtype:command-and-control; sid:2017009; rev:6; metadata:created_at 2013_06_13, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_21, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (Google page)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Google page"; classtype:trojan-activity; sid:2017067; rev:6; metadata:created_at 2011_05_31, updated_at 2020_04_24;)
 
@@ -33770,11 +32350,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina Checkin"; f
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina User-Agent(Alina)"; flow: established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Alina v"; depth:7; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016838; rev:6; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
 
-alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa= in cleartext"; flow:established,to_server; http.request_body; content:"pasa="; pcre:"/^(?!&)./R"; classtype:policy-violation; sid:2017080; rev:3; metadata:created_at 2013_07_01, former_category INFO, updated_at 2020_04_24;)
+alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa= in cleartext"; flow:established,to_server; http.request_body; content:"pasa="; pcre:"/^(?!&)./R"; classtype:policy-violation; sid:2017080; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
 
-alert http any any -> any any (msg:"ET INFO HTTP URI contains pasa="; flow:established,to_server; http.uri; content:"pasa="; nocase; pcre:"/(?<=(?:\?|&))pasa=(?!&)./i"; classtype:policy-violation; sid:2017081; rev:3; metadata:created_at 2013_07_01, former_category INFO, updated_at 2020_04_24;)
+alert http any any -> any any (msg:"ET INFO HTTP URI contains pasa="; flow:established,to_server; http.uri; content:"pasa="; nocase; pcre:"/(?<=(?:\?|&))pasa=(?!&)./i"; classtype:policy-violation; sid:2017081; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
 
-alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa form"; flow:established,to_server; http.request_body; content:"name=|22|pasa|22|"; classtype:policy-violation; sid:2017082; rev:3; metadata:created_at 2013_07_01, former_category INFO, updated_at 2020_04_24;)
+alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa form"; flow:established,to_server; http.request_body; content:"name=|22|pasa|22|"; classtype:policy-violation; sid:2017082; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
 
 alert http any any -> any any (msg:"ET WEB_SERVER WebShell - GODSpy - Cookie"; flow:established; http.cookie; content:"godid="; classtype:trojan-activity; sid:2017085; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
 
@@ -33802,53 +32382,49 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE VBulletin Bac
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 URI Structure"; flow:established,to_server; http.uri; content:"/ss?t=f&"; depth:8; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017112; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 Domain "; flow:established,to_server; http.header; content:"adabeupdate.com|0d 0a|"; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017113; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 Domain"; flow:established,to_server; http.header; content:"adabeupdate.com|0d 0a|"; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017113; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; http.stat_code; content:"502"; http.stat_msg; content:"Bad gateway"; file.data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:4; metadata:created_at 2013_07_15, updated_at 2020_04_24;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; http.stat_code; content:"502"; http.stat_msg; content:"Bad gateway"; file.data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:4; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ProtocolGW/protocol/"; nocase; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/i"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:7; metadata:created_at 2011_06_16, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; http.stat_code; content:"200"; http.stat_msg; content:"OK"; file.data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:3; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; http.uri; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/i"; http.user_agent; content:"Java/1."; fast_pattern; content:"Mozilla"; depth:7; classtype:trojan-activity; sid:2014912; rev:7; metadata:created_at 2012_06_15, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; http.uri; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/i"; http.user_agent; content:"Java/1."; fast_pattern; content:"Mozilla"; depth:7; classtype:trojan-activity; sid:2014912; rev:7; metadata:created_at 2012_06_16, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletHigh.jar"; flow:established,to_server; http.uri; content:"/AppletHigh.jar"; http.user_agent; content:"Java/1."; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016639; rev:5; metadata:created_at 2013_03_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletHigh.jar"; flow:established,to_server; http.uri; content:"/AppletHigh.jar"; http.user_agent; content:"Java/1."; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016639; rev:5; metadata:created_at 2013_03_22, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; http.request_line; content:".zip HTTP/1."; http.uri; pcre:"/\/[a-f0-9]+\.zip$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016839; rev:7; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; http.uri; content:"/app.jar"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017096; rev:5; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2020_04_24;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; http.uri; content:"/jot.class"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016556; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; http.uri; content:"/app.jar"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017096; rev:5; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Serialized Data request"; flow:established,to_server; http.uri; content:".ser"; endswith; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016504; rev:5; metadata:created_at 2013_02_25, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; http.uri; content:"/jot.class"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016556; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; flowbits:set,ET.http.javaclient; flowbits:noalert; http.user_agent; content:"Java/1."; classtype:misc-activity; sid:2013035; rev:4; metadata:created_at 2011_06_16, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Serialized Data request"; flow:established,to_server; http.uri; content:".ser"; endswith; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016504; rev:5; metadata:created_at 2013_02_26, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; http.uri; content:"java.lang.ProcessBuilder("; nocase; classtype:attempted-user; sid:2017172; rev:5; metadata:created_at 2013_07_23, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; http.uri; content:"java.lang.ProcessBuilder("; nocase; classtype:attempted-user; sid:2017172; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:5; metadata:created_at 2013_07_23, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; http.uri; content:!"/404."; depth:5; pcre:"/^\/\d{2,}\.[a-z0-9]+$/i"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017199; rev:5; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; http.uri; content:!"/404."; depth:5; pcre:"/^\/\d{2,}\.[a-z0-9]+$/i"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017199; rev:5; metadata:created_at 2013_07_26, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; http.uri; content:"/img/info.php?info="; nocase; classtype:trojan-activity; sid:2017257; rev:3; metadata:created_at 2013_07_29, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; http.uri; content:"/img/info.php?info="; nocase; classtype:trojan-activity; sid:2017257; rev:3; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; http.request_body; content:"|0D 0A|"; content:"<%"; within:5; fast_pattern; content:"%>"; distance:0; pcre:"/<%[\x00-\x7f]{20}/"; classtype:trojan-activity; sid:2017260; rev:12; metadata:created_at 2013_07_31, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealRat Checkin"; flow:established,to_server; http.uri; content:"/d/"; startswith; fast_pattern; content:".jpg"; distance:0; endswith; pcre:"/^\/d\/[a-z]+\d+\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"www.google.com"; bsize:14; classtype:command-and-control; sid:2017263; rev:3; metadata:created_at 2013_07_31, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay Checkin"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"filename=|22|"; pcre:"/^\d+?\x22/R"; classtype:command-and-control; sid:2017264; rev:3; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay Checkin"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"filename=|22|"; pcre:"/^\d+?\x22/R"; classtype:command-and-control; sid:2017264; rev:3; metadata:created_at 2013_07_31, former_category MALWARE, updated_at 2020_04_24;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/$/"; http.user_agent; content:"|3b|Windows"; nocase; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:command-and-control; sid:2017262; rev:6; metadata:created_at 2013_07_31, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/$/"; http.user_agent; content:"|3b|Windows"; nocase; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:command-and-control; sid:2017262; rev:6; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Outbound Communication"; flow:established,to_server; http.header; content:"Accept-Language|3a 20|en-en|0d 0a|"; http.user_agent; content:"|3b|Windows|20|"; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:16; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; http.uri; content:"?&"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"User-Agent|3a 20|Update"; fast_pattern; classtype:trojan-activity; sid:2017281; rev:4; metadata:created_at 2013_08_06, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; http.uri; content:"?&"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"User-Agent|3a 20|Update"; fast_pattern; classtype:trojan-activity; sid:2017281; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2022_03_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rovnix.I Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ld.aspx?key="; startswith; http.header_names; content:!"Accept|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.user_agent; content:"FWVersionTestAgent"; depth:18; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:command-and-control; sid:2017279; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; http.request_body; content:"4d5a"; nocase; content:"50450000"; distance:0; classtype:bad-unknown; sid:2017293; rev:3; metadata:created_at 2013_08_06, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; http.request_body; content:"4d5a"; nocase; content:"50450000"; distance:0; classtype:bad-unknown; sid:2017293; rev:3; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; http.uri; content:"pkg"; http.host; content:"platformdl.adobe.com"; bsize:20; classtype:misc-activity; sid:2017294; rev:4; metadata:created_at 2013_08_06, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; http.uri; content:"pkg"; http.host; content:"platformdl.adobe.com"; bsize:20; classtype:misc-activity; sid:2017294; rev:4; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/flowplayer-3.1.1.min.js"; nocase; reference:url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html; classtype:trojan-activity; sid:2017280; rev:4; metadata:created_at 2013_08_06, updated_at 2020_04_24;)
 
@@ -33858,7 +32434,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 2
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"[System Process]|0a|"; depth:17; classtype:trojan-activity; sid:2011364; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; http.uri; content:"/PirateBrowser"; content:".exe"; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:3; metadata:created_at 2013_08_14, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; http.uri; content:"/PirateBrowser"; content:".exe"; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:3; metadata:created_at 2013_08_15, updated_at 2020_04_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker User-Agent (CNET TechTracker)"; flow:established,to_server; http.user_agent; content:"CNET TechTracker"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2014574; rev:5; metadata:created_at 2012_04_16, updated_at 2020_04_24;)
 
@@ -33872,29 +32448,29 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Napolar.A G
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InetSim Response from External Source Possible SinkHole"; flow:from_server,established; http.server; content:"INetSim HTTP Server"; bsize:19; classtype:bad-unknown; sid:2017363; rev:3; metadata:created_at 2013_08_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:5; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.uri; content:".action?"; content:"redirectAction|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:5; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.uri; content:".action?"; content:"redirectAction|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:5; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Win32/Napolar.A URL Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:3; metadata:created_at 2013_08_22, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Dirtjump Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"req="; depth:4; pcre:"/^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{19})?$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:command-and-control; sid:2017385; rev:3; metadata:created_at 2013_08_27, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Dirtjump Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"req="; depth:4; pcre:"/^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{19})?$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:command-and-control; sid:2017385; rev:3; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT-12 Related C2"; flow:to_server,established; http.uri; content:"/url.asp?"; content:"-ShowNewsID-"; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:targeted-activity; sid:2017386; rev:3; metadata:created_at 2013_08_27, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT-12 Related C2"; flow:to_server,established; http.uri; content:"/url.asp?"; content:"-ShowNewsID-"; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:targeted-activity; sid:2017386; rev:3; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"txtpath="; depth:8; content:"&cmd="; classtype:trojan-activity; sid:2017392; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?upload=@&txtpath="; http.request_body; content:"Upload !"; classtype:trojan-activity; sid:2017393; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(?:ex
plained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017457; rev:4; metadata:created_at 2013_09_13, former_category HUNTING, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(
?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017457; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownload)\.
net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017458; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownloa
d)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017458; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate-per
th\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017459; rev:4; metadata:created_at 2013_09_13, former_category HUNTING, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate
-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017459; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017460; rev:4; metadata:created_at 2013_09_13, former_category HUNTING, 
updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017460; rev:4; metadata:created_at 2013_09_13, former_category INFO, 
updated_at 2021_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess P2P Module v6 Reporting"; flow:to_server,established; http.uri; content:"dj02LjAmaWQ9"; offset:13; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,dnsamplificationattacks.blogspot.gr/p/blog-page.html; classtype:trojan-activity; sid:2017462; rev:3; metadata:created_at 2013_09_13, updated_at 2020_04_24;)
 
@@ -33902,39 +32478,39 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activ
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M9"; flow:established,to_client; content:"|a5 20 94 f5|"; depth:4; fast_pattern; content:"|6d 54 21|"; distance:1; within:3; flowbits:isset,ET.Parallax-9; reference:md5,1b3f8c92d5d1ace34fa4dc2dd80c3eb7; classtype:command-and-control; sid:2030039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_25, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2020_04_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.largefamiliesonpurpose.com"; bsize:31; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:trojan-activity; sid:2030028; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.largefamiliesonpurpose.com"; bsize:31; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030028; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.monalisapizzeriasi.com"; bsize:27; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:trojan-activity; sid:2030029; rev:1; metadata:created_at 2020_04_27, former_category MALWARE, updated_at 2020_04_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.monalisapizzeriasi.com"; bsize:27; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030029; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"basa.nutarborg.com"; bsize:18; reference:md5,f461bf12c4d3ed1d25af638d9f21ca0f; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:trojan-activity; sid:2030030; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"basa.nutarborg.com"; bsize:18; reference:md5,f461bf12c4d3ed1d25af638d9f21ca0f; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030030; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC"; flow:established,to_server; http.uri; content:"/gr-mail/tr-mail.php"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017464; rev:4; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srev.asp"; http.request_body; content:"action="; depth:7; content:"&b_name="; distance:0; content:"&b_conter="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:command-and-control; sid:2017466; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_09_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srev.asp"; http.request_body; content:"action="; depth:7; content:"&b_name="; distance:0; content:"&b_conter="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:command-and-control; sid:2017466; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_09_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zzinfor.A Retrieving Instructions From CnC Server"; flow:established,to_server; http.uri; content:"/static/hotkey.txt"; http.header_names; content:!"User-Agent"; content:!"Accept-"; reference:md5,7e37a407a8fb0df3b2835419ad16f500; reference:md5,422b926dbbe03d0e4555328282c8f32b; classtype:command-and-control; sid:2017489; rev:4; metadata:created_at 2013_09_19, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.Mevade.FBV CnC Beacon"; flow:established,to_server; urilen:42; http.uri; content:"/updater/"; pcre:"/^[a-f0-9]{32}\/[0-9]$/Ri"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/; reference:url,blog.damballa.com/archives/2135; classtype:command-and-control; sid:2017490; rev:4; metadata:created_at 2013_09_19, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.Mevade.FBV CnC Beacon"; flow:established,to_server; urilen:42; http.uri; content:"/updater/"; pcre:"/^[a-f0-9]{32}\/[0-9]$/Ri"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/; reference:url,blog.damballa.com/archives/2135; classtype:command-and-control; sid:2017490; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_09_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Reports/install-report.php"; content:"abbr="; http.user_agent; content:"TALWinInetHTTPClient"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010241; classtype:trojan-activity; sid:2010241; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Reports/install-report.php"; content:"abbr="; http.user_agent; content:"TALWinInetHTTPClient"; reference:url,doc.emergingthreats.net/2010241; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010241; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; http.header; content:".com.exe"; nocase; file.data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; http.header; content:".com.exe"; nocase; file.data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT.Agtid callback"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Agtid|3a 20|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2017511; rev:4; metadata:created_at 2013_09_23, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT.Agtid callback"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Agtid|3a 20|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2017511; rev:4; metadata:created_at 2013_09_24, former_category MALWARE, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; http.uri; content:"/statistic.js?k="; content:"&d="; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017512; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-sending"; nocase; content:".exe"; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:command-and-control; sid:2017517; rev:6; metadata:created_at 2013_08_27, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-sending"; nocase; content:".exe"; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:command-and-control; sid:2017517; rev:6; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; flowbits:set,ET.Hiloti; http.uri; content:"/get"; nocase; content:".php?c="; nocase; distance:0; content:"&d="; nocase; distance:0; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2010071; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mevade Checkin "; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/attachments/ip.php"; classtype:command-and-control; sid:2017558; rev:4; metadata:created_at 2013_10_04, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mevade Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/attachments/ip.php"; classtype:command-and-control; sid:2017558; rev:4; metadata:created_at 2013_10_05, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value"; flow:to_server,established; http.uri; content:".php?"; nocase; content:"=AES_ENCRYPT("; nocase; distance:0; reference:url,localhost.re/p/whmcs-527-vulnerability; classtype:attempted-admin; sid:2017560; rev:5; metadata:created_at 2013_10_04, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value"; flow:to_server,established; http.uri; content:".php?"; nocase; content:"=AES_ENCRYPT("; nocase; distance:0; reference:url,localhost.re/p/whmcs-527-vulnerability; classtype:attempted-admin; sid:2017560; rev:5; metadata:created_at 2013_10_05, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLocker EXE Download"; flow:to_server,established; http.uri; content:"/crypt_"; content:"sell"; distance:0; content:".exe"; distance:0; pcre:"/\/crypt_[^\/]*?sell[^\/]*?\d\.exe$/"; classtype:trojan-activity; sid:2017583; rev:6; metadata:created_at 2013_10_11, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLocker EXE Download"; flow:to_server,established; http.uri; content:"/crypt_"; content:"sell"; distance:0; content:".exe"; distance:0; pcre:"/\/crypt_[^\/]*?sell[^\/]*?\d\.exe$/"; classtype:trojan-activity; sid:2017583; rev:6; metadata:created_at 2013_10_12, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan Update officeaddinupdate.xml Request"; flow:established,to_server; http.uri; content:"/officeaddinupdate.xml"; bsize:22; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017586; rev:4; metadata:created_at 2013_10_13, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan Update officeaddinupdate.xml Request"; flow:established,to_server; http.uri; content:"/officeaddinupdate.xml"; bsize:22; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017586; rev:4; metadata:created_at 2013_10_14, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> any any (msg:"ET SCAN NETWORK Outgoing Masscan detected"; flow:established,to_server; http.user_agent; content:"masscan/"; depth:8; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017615; rev:6; metadata:created_at 2013_10_18, updated_at 2020_04_27;)
 
@@ -33944,7 +32520,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz Activity";
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection"; flow:established,to_server; http.uri; content:"[sqltype]="; nocase; content:"[value]="; nocase; content:".php?"; nocase; reference:url,localhost.re/res/whmcs2.py; classtype:attempted-admin; sid:2017622; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_10_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"X-Sinkhole|3a 20|"; nocase; classtype:trojan-activity; sid:2016803; rev:6; metadata:created_at 2013_04_30, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"X-Sinkhole|3a 20|"; nocase; classtype:trojan-activity; sid:2016803; rev:6; metadata:created_at 2013_05_01, updated_at 2020_04_27;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Web Crawl using Wget"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"Wget"; nocase; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; classtype:attempted-recon; sid:2002823; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_04_27;)
 
@@ -33958,7 +32534,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd ss
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Badur.Spy User Agent lawl"; flow:established,to_server; http.header; content:"User-Agent|3a 20|lawl"; reference:md5,4f5d28c43795b9c4e6257bf26c52bdfe; classtype:trojan-activity; sid:2017655; rev:5; metadata:created_at 2013_11_01, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment"; flow:established,to_client; http.header; content:" filename=|22|%2e/files/"; nocase; pcre:"/^[^\x22\x2f\r\n]+?\x22\r\n/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016742; rev:7; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment"; flow:established,to_client; http.header; content:" filename=|22|%2e/files/"; nocase; pcre:"/^[^\x22\x2f\r\n]+?\x22\r\n/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016742; rev:7; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])pwd=/i"; pcre:"/(?:^|[\n\&])name=(?:%\d{2}|[^%&]){129}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017684; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
 
@@ -33972,31 +32548,31 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPER
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Schneebly Posting ScreenShot"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/viewimage.php?s="; nocase; content:!"&"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"filename="; content:"JFIF"; distance:0; reference:url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017689; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Variant CnC Beacon 1"; flow:established,to_server; http.uri; content:"/rssfeed.php?a="; pcre:"/^[^&]+?&\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017690; rev:3; metadata:created_at 2013_11_07, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Variant CnC Beacon 1"; flow:established,to_server; http.uri; content:"/rssfeed.php?a="; pcre:"/^[^&]+?&\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017690; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Varient CnC Beacon 2"; flow:established,to_server; http.uri; content:"/psp.php?p="; content:"&g="; content:"&s="; content:"&t="; content:"&r="; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017691; rev:3; metadata:created_at 2013_11_07, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Varient CnC Beacon 2"; flow:established,to_server; http.uri; content:"/psp.php?p="; content:"&g="; content:"&s="; content:"&t="; content:"&r="; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017691; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude IE EK Payload Nov 8 2013"; flow:established,to_server; urilen:34; http.uri; content:"/?"; depth:2; fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:exploit-kit; sid:2017694; rev:7; metadata:created_at 2013_11_08, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FaceBook IM & Web Driven Facebook Trojan Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tsone/ajuno.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"u="; depth:2; content:"&p="; distance:0; content:"&l="; distance:0; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017697; rev:6; metadata:created_at 2013_11_08, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017678; rev:4; metadata:created_at 2013_11_06, former_category HUNTING, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017678; rev:4; metadata:created_at 2013_11_06, former_category HUNTING, updated_at 2021_06_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Download Executable"; flow:established,to_server; http.uri; content:"/gate.php?cmd=getinstallconfig"; fast_pattern; endswith; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016902; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:4; metadata:created_at 2013_11_14, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:4; metadata:created_at 2013_11_14, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital checkin"; flow:established,to_server; http.uri; content:".php?subid="; content:"&os="; distance:0; content:"&id="; distance:0; content:"&ver="; distance:0; classtype:command-and-control; sid:2017710; rev:4; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital checkin"; flow:established,to_server; http.uri; content:".php?subid="; content:"&os="; distance:0; content:"&id="; distance:0; content:"&ver="; distance:0; classtype:command-and-control; sid:2017710; rev:4; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sisproc update"; flow:to_server,established; http.uri; content:"/poll/update.txt"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:6; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sisproc update"; flow:to_server,established; http.uri; content:"/poll/update.txt"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:6; metadata:created_at 2013_11_16, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; http.uri; content:"/post.php?referanceMod="; nocase; content:"java"; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:5; metadata:created_at 2013_11_19, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; http.uri; content:"/post.php?referanceMod="; nocase; content:"java"; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:5; metadata:created_at 2013_11_20, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; urilen:10; flowbits:set,et.GENOME.AV; http.method; content:"GET"; http.uri; content:"/other.txt"; fast_pattern; http.header; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:4; metadata:created_at 2013_11_25, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; http.user_agent; content:"Zollard"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:3; metadata:created_at 2013_12_04, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; http.user_agent; content:"Zollard"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:3; metadata:created_at 2013_12_05, updated_at 2020_04_27;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; nocase; http.uri; content:"/ctc/"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017802; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
@@ -34012,109 +32588,105 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:to_server,established; http.uri; content:"information_schema"; nocase; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017808; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DirCrypt.Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; fast_pattern; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; reference:url,johannesbader.ch/2015/03/the-dga-of-dircrypt; classtype:command-and-control; sid:2017308; rev:4; metadata:created_at 2013_08_12, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DirCrypt.Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; fast_pattern; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,johannesbader.ch/2015/03/the-dga-of-dircrypt; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; classtype:command-and-control; sid:2017308; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack URI Struct .php?id=Hex"; flow:established,to_server; http.uri; content:".php?id="; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=/"; classtype:exploit-kit; sid:2017814; rev:4; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Zbot EXE filename Dec 09 2013"; flow:established,to_server; http.uri; content:"/bc.exe"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2017818; rev:3; metadata:created_at 2013_12_09, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Zbot EXE filename Dec 09 2013"; flow:established,to_server; http.uri; content:"/bc.exe"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2017818; rev:3; metadata:created_at 2013_12_10, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Connection To Known Sinkhole Domain sinkdns.org"; flow:to_server,established; http.host; content:".sinkdns.org"; pcre:"/^(\x3a\d{1,5})?$/R"; classtype:trojan-activity; sid:2017838; rev:3; metadata:created_at 2013_12_11, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Connection To Known Sinkhole Domain sinkdns.org"; flow:to_server,established; http.host; content:".sinkdns.org"; pcre:"/^(\x3a\d{1,5})?$/R"; classtype:trojan-activity; sid:2017838; rev:3; metadata:created_at 2013_12_12, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; startswith; content:"&info="; distance:0; pcre:"/^id=[A-Z0-9]+?&info=[A-Z0-9]+?$/"; classtype:command-and-control; sid:2017839; rev:3; metadata:created_at 2013_12_11, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; startswith; content:"&info="; distance:0; pcre:"/^id=[A-Z0-9]+?&info=[A-Z0-9]+?$/"; classtype:command-and-control; sid:2017839; rev:3; metadata:created_at 2013_12_12, former_category MALWARE, updated_at 2020_04_27;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/lib/admin/media-upload"; pcre:"/^(?:-lncthumb|-sq_button)?\.php/Ri"; http.request_body; content:"<?"; content:".php"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017853; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MovieStar.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p3oahin/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017855; rev:3; metadata:created_at 2013_12_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MovieStar.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p3oahin/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017855; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Snake.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ke3chang/Directx.aspx?r="; depth:25; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017856; rev:3; metadata:created_at 2013_12_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Snake.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ke3chang/Directx.aspx?r="; depth:25; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017856; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/MYWEB/SearchX.ASpX?id1="; depth:24; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017857; rev:3; metadata:created_at 2013_12_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/MYWEB/SearchX.ASpX?id1="; depth:24; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017857; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Dream.APT Campaign CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/shfam9y/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017859; rev:3; metadata:created_at 2013_12_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Dream.APT Campaign CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/shfam9y/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017859; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASNAROK Related Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"sophosefirewallupdate.com"; bsize:25; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030032; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Eourdegh/Swdfrp.ASpX?id1="; depth:26; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a; classtype:targeted-activity; sid:2017860; rev:3; metadata:created_at 2013_12_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Eourdegh/Swdfrp.ASpX?id1="; depth:26; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a; classtype:targeted-activity; sid:2017860; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/antidisestablishmentarianism"; reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; classtype:attempted-recon; sid:2008416; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Feed404 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/feed404/mysfeeds.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017867; rev:3; metadata:created_at 2013_12_16, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Feed404 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/feed404/mysfeeds.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017867; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Images CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/images/gx.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017868; rev:3; metadata:created_at 2013_12_16, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Images CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/images/gx.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017868; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Get Final Payload Request"; flow:established,to_server; http.uri; content:"/get/"; content:"/final"; http.cookie; content:"ip="; depth:3; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}/R"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017870; rev:4; metadata:created_at 2013_12_16, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Get Final Payload Request"; flow:established,to_server; http.uri; content:"/get/"; content:"/final"; http.cookie; content:"ip="; depth:3; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}/R"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017870; rev:4; metadata:created_at 2013_12_17, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"(compatible|3b| Google Desktop)"; fast_pattern; nocase; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:15; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; flowbits:set,ET.autoit.ua; http.header; content:"User-Agent|3a 20|AutoIt"; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; http.request_body; content:"Jm9zX2ZsYXZvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_23, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; http.request_body; content:"Jm9zX2ZsYXZvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; http.request_body; content:"Zvc19mbGF2b3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_23, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; http.request_body; content:"Zvc19mbGF2b3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; http.request_body; content:"mb3NfZmxhdm9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_23, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; http.request_body; content:"mb3NfZmxhdm9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS FOCA User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"User-Agent|3a 20|FOCA"; fast_pattern; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017949; rev:6; metadata:created_at 2014_01_09, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS FOCA User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"User-Agent|3a 20|FOCA"; fast_pattern; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017949; rev:6; metadata:created_at 2014_01_10, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; http.request_body; content:"work_dir="; content:"command="; content:"submit_btn=Execute+Command"; classtype:web-application-attack; sid:2017952; rev:3; metadata:created_at 2014_01_10, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; http.request_body; content:"work_dir="; content:"command="; content:"submit_btn=Execute+Command"; classtype:web-application-attack; sid:2017952; rev:3; metadata:created_at 2014_01_11, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mevade.Variant CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F(?:policy|cache)$/"; http.header; content:"uuid|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|C8 71 04 ED 87 F6 DD 77 87|"; depth:9; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:command-and-control; sid:2017959; rev:3; metadata:created_at 2014_01_11, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mevade.Variant CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F(?:policy|cache)$/"; http.header; content:"uuid|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|C8 71 04 ED 87 F6 DD 77 87|"; depth:9; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:command-and-control; sid:2017959; rev:3; metadata:created_at 2014_01_12, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; http.header; content:"X-Stratum|3A|"; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:coin-mining; sid:2017960; rev:3; metadata:created_at 2014_01_11, former_category POLICY, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; http.header; content:"X-Stratum|3A|"; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:coin-mining; sid:2017960; rev:3; metadata:created_at 2014_01_12, former_category POLICY, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kishop.A checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:".php?mark="; content:"&type="; content:"&theos="; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:command-and-control; sid:2017964; rev:3; metadata:created_at 2014_01_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kishop.A checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:".php?mark="; content:"&type="; content:"&theos="; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:command-and-control; sid:2017964; rev:3; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http.request_body; content:"m"; depth:1; pcre:"/^(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/R"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017917; rev:6; metadata:created_at 2014_01_02, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http.request_body; content:"m"; depth:1; pcre:"/^(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/R"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017917; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/wow/wow.asp"; depth:12; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"&WOWID="; depth:7; content:"&Area="; distance:0; content:"&WU="; distance:0; content:"&WP="; distance:0; content:"&MAX="; distance:0; content:"&Gold="; distance:0; content:"&Serv="; distance:0; content:"&rn="; distance:0; content:"&key="; distance:0; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:command-and-control; sid:2017970; rev:4; metadata:created_at 2014_01_13, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/wow/wow.asp"; depth:12; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"&WOWID="; depth:7; content:"&Area="; distance:0; content:"&WU="; distance:0; content:"&WP="; distance:0; content:"&MAX="; distance:0; content:"&Gold="; distance:0; content:"&Serv="; distance:0; content:"&rn="; distance:0; content:"&key="; distance:0; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:command-and-control; sid:2017970; rev:4; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye C&C Check-in URI"; flow:established,to_server; http.uri; content:"guid="; content:"ver="; content:"stat="; fast_pattern; content:"ie="; content:"os="; pcre:"/(\?|&)guid=[^!&]+?\!/"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:command-and-control; sid:2011857; rev:7; metadata:created_at 2010_10_27, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/reportMessage"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/reportMessage"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/getTask"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018003; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/getTask"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018003; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Vagaa peer-to-peer (Transfer)"; flow:from_client,established; http.header; content:"VAGAA-OPERATION|3a| Transfer|0d 0a|"; reference:url,en.wikipedia.org/wiki/Vagaa; classtype:policy-violation; sid:2018012; rev:3; metadata:created_at 2014_01_27, updated_at 2020_04_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious HTTP Request to .bit domain"; flow:to_server,established; http.host; content:".bit"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:4; metadata:created_at 2014_01_24, former_category HUNTING, updated_at 2020_04_27;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Limitless Logger RAT HTTP Activity"; flow:established,to_server; http.uri; content:"/Limitless/Login/"; http.host; content:"limitlessproducts.org"; classtype:trojan-activity; sid:2018030; rev:3; metadata:created_at 2014_01_28, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download MessageBox"; flow:established,to_server; http.uri; content:"/MessageBox.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018038; rev:3; metadata:created_at 2014_01_29, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download MessageBox"; flow:established,to_server; http.uri; content:"/MessageBox.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018038; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download ComputerInfo"; flow:established,to_server; http.uri; content:"/ComputerInfo.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018039; rev:3; metadata:created_at 2014_01_29, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download ComputerInfo"; flow:established,to_server; http.uri; content:"/ComputerInfo.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018039; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download WalletSteal"; flow:established,to_server; http.uri; content:"/WalletSteal.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018040; rev:3; metadata:created_at 2014_01_29, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download WalletSteal"; flow:established,to_server; http.uri; content:"/WalletSteal.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018040; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forumdisplay.php?fid="; http.request_body; content:"id="; depth:3; content:"&info="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:command-and-control; sid:2018047; rev:3; metadata:created_at 2014_01_31, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forumdisplay.php?fid="; http.request_body; content:"id="; depth:3; content:"&info="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:command-and-control; sid:2018047; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nikto Web App Scan in Progress"; flow:to_server,established; threshold: type both, count 5, seconds 60, track by_src; http.user_agent; content:"(Nikto"; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:2002677; rev:14; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; http.uri; content:"/iconfig.txt"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blackshades/Shadesrat Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"crypt"; depth:5; content:"="; within:3; reference:md5,9d11cfb7799089823483b72daec5fd2b; reference:md5,a01451eae2d47872ce796bb85f116710; classtype:command-and-control; sid:2018079; rev:3; metadata:created_at 2014_02_05, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blackshades/Shadesrat Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"crypt"; depth:5; content:"="; within:3; reference:md5,9d11cfb7799089823483b72daec5fd2b; reference:md5,a01451eae2d47872ce796bb85f116710; classtype:command-and-control; sid:2018079; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASNAROK Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ragnarokfromasgard.com"; bsize:22; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030034; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/register"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018000; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/register"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018000; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/login"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018001; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/login"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018001; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/report"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018002; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/report"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018002; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_06, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_07, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirtJumper Activity"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; http.request_body; content:"&req="; pcre:"/^\d+?=\d+?(?:&ver=\d+?)?&req=\d+?(?:&r=)?$/"; reference:md5,5474129345d9756649c871f9c8b46287; reference:md5,ff5608e00d5e6e81af9c993461479e43; classtype:trojan-activity; sid:2018094; rev:3; metadata:created_at 2014_02_06, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirtJumper Activity"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; http.request_body; content:"&req="; pcre:"/^\d+?=\d+?(?:&ver=\d+?)?&req=\d+?(?:&r=)?$/"; reference:md5,5474129345d9756649c871f9c8b46287; reference:md5,ff5608e00d5e6e81af9c993461479e43; classtype:trojan-activity; sid:2018094; rev:3; metadata:created_at 2014_02_07, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<html><body>hi!<|2F|body><|2F|html>"; within:30; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018097; rev:3; metadata:created_at 2014_02_10, former_category MALWARE, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<html><body>hi!<|2F|body><|2F|html>"; within:30; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018097; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rshot.Backdoor File Upload CnC Beacon"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/uploadb.php?"; fast_pattern; http.request_body; content:"name=|22|archivo|22|"; content:".dmp|22|"; distance:0; reference:md5,08881eb702a1525f7792c3fef19ae9ff; classtype:command-and-control; sid:2018100; rev:3; metadata:created_at 2014_02_10, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rshot.Backdoor File Upload CnC Beacon"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/uploadb.php?"; fast_pattern; http.request_body; content:"name=|22|archivo|22|"; content:".dmp|22|"; distance:0; reference:md5,08881eb702a1525f7792c3fef19ae9ff; classtype:command-and-control; sid:2018100; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Woai.Dropper Config Request"; flow:established,to_server; http.uri; content:"/client/config.ini"; fast_pattern; http.user_agent; content:"MSIE"; content:"|3B 29|"; distance:0; endswith; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:6; metadata:created_at 2014_02_10, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Mask C2 Traffic"; flow:established,to_server; http.uri; content:".cgi?Group="; nocase; content:"&Ver="; nocase; content:"&Inst"; nocase; content:"&Ask="; nocase; content:"&Bn="; nocase; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:command-and-control; sid:2018105; rev:3; metadata:created_at 2014_02_11, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Mask C2 Traffic"; flow:established,to_server; http.uri; content:".cgi?Group="; nocase; content:"&Ver="; nocase; content:"&Inst"; nocase; content:"&Ask="; nocase; content:"&Bn="; nocase; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:command-and-control; sid:2018105; rev:3; metadata:created_at 2014_02_10, former_category MALWARE, updated_at 2020_04_27;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Jar name JavaUpdate.jar"; flow:established,to_server; http.uri; content:"/JavaUpdate.jar"; nocase; http.user_agent; content:"Java/1."; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018106; rev:4; metadata:created_at 2014_02_10, former_category HUNTING, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Jar name JavaUpdate.jar"; flow:established,to_server; http.uri; content:"/JavaUpdate.jar"; nocase; http.user_agent; content:"Java/1."; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018106; rev:4; metadata:created_at 2014_02_11, former_category HUNTING, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"something"; depth:9; http.request_body; content:"mac="; fast_pattern; depth:4; content:"&t1="; content:"&t2="; pcre:"/^mac=(?:[A-F0-9]{2}-){5}[A-F0-9]{2}&t1=/"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018108; rev:4; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_04_27;)
 
@@ -34122,21 +32694,21 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Recon-ng U
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackbeard Check-in"; flow:established,to_server; http.uri; content:"/task/2000"; endswith; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018120; rev:3; metadata:created_at 2014_02_12, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linkup Ransomware check-in"; flow:established,to_server; urilen:20; http.method; content:"POST"; http.uri; content:"/uplink.php?logo.jpg"; http.request_body; content:"token="; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:2018122; rev:3; metadata:created_at 2014_02_12, updated_at 2020_11_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linkup Ransomware check-in"; flow:established,to_server; urilen:20; http.method; content:"POST"; http.uri; content:"/uplink.php?logo.jpg"; http.request_body; content:"token="; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:2018122; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0)"; flow:to_server,established; http.user_agent; content:"Downloader MLR 1.0.0"; depth:20; reference:md5,c9d54e9086357491bd1fdf8d8d804dce; classtype:trojan-activity; sid:2018112; rev:5; metadata:created_at 2013_11_04, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/FakeKakao checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"md="; content:"&fo="; content:"&ds="; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:command-and-control; sid:2018137; rev:4; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&token="; depth:7; content:"&target="; depth:8; content:"&rd="; depth:4; content:"&fo="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_02_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&token="; depth:7; content:"&target="; depth:8; content:"&rd="; depth:4; content:"&fo="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"filter.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_02_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"filter.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"history.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&ds="; depth:4; content:"&sg="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_02_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"history.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&ds="; depth:4; content:"&sg="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Zapchast Checkin"; flow:to_server,established; http.uri; content:"/files/def"; fast_pattern; endswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:"AutoIt"; depth:6; reference:url,www.virustotal.com/en/file/9f41604b71d1c9a4c094d0aa2685ffa49cc0d4ba19b20b7c22467eafb671064c analysis/; reference:md5,63586aef2be494150a492d822147055a; classtype:command-and-control; sid:2018142; rev:4; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Zapchast Checkin"; flow:to_server,established; http.uri; content:"/files/def"; fast_pattern; endswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:"AutoIt"; depth:6; reference:md5,63586aef2be494150a492d822147055a; classtype:command-and-control; sid:2018142; rev:4; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon"; flow:established,to_server; http.uri; content:"/dnsmake.txt"; fast_pattern; http.user_agent; content:"Indy Library"; reference:md5,dd3e5b41238a73d627c6c48108a15452; classtype:command-and-control; sid:2018150; rev:4; metadata:created_at 2014_02_17, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon"; flow:established,to_server; http.uri; content:"/dnsmake.txt"; fast_pattern; http.user_agent; content:"Indy Library"; reference:md5,dd3e5b41238a73d627c6c48108a15452; classtype:command-and-control; sid:2018150; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible BAZAR Backdoor CnC"; ja3.hash; content:"f5e62b5a2ed9467df09fae7a8a54dda6"; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:unknown; sid:2030040; rev:1; metadata:created_at 2020_04_28, former_category JA3, updated_at 2020_04_28;)
 
@@ -34148,65 +32720,59 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER Possible AntSword We
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Query"; dns.query; content:"rythemsjoy.club"; nocase; endswith; classtype:domain-c2; sid:2030038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_04_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize:<100; content:"|01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 06 01 00 00 00|"; startswith; fast_pattern; content:"|0b|"; distance:0; endswith; reference:md5,ede8ebfc82463d1e7e6f29ca66f96514; classtype:command-and-control; sid:2029606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family Firebird, signature_severity Major, updated_at 2020_04_28;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_18, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_18, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:3; metadata:created_at 2014_02_18, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:4; metadata:created_at 2014_02_18, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:4; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:to_server,established; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/Ii"; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:3; metadata:created_at 2014_02_21, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:to_server,established; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/Ii"; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:3; metadata:created_at 2014_02_22, updated_at 2020_04_28;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoCore RAT CnC 27"; flow:to_server,established; dsize:68; content:"|40 00 00 00 fe 31 80 44 e7 eb 4a 77|"; depth:12; reference:md5,aa73e99d7e1d62265f75ccc0443a1a7f; classtype:command-and-control; sid:2029996; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING URL Observed in PDF Downloaded via Dropbox"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"x-dropbox-request-id|3a|"; file.data; content:"|25 50 44 46|"; depth:4; content:"/Type /Action /S /URI"; fast_pattern; nocase; classtype:misc-activity; sid:2030047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment SSLDecrypt, signature_severity Informational, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [8443,9090] (msg:"ET WEB_SPECIFIC_APPS Symantec Endpoint Manager XXE RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ConsoleServlet?ActionType=ConsoleLog"; http.request_body; content:"Content-Type|3a| text/xml|0d 0a|"; nocase; content:"|3c 21|DOCTYPE"; nocase; content:"http|3a|//127.0.0.1|3a|9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&SequenceNum="; nocase; content:"&Parameter="; nocase; reference:cve,2013-5014; reference:cve,2013-5015; reference:url,cxsecurity.com/issue/WLB-2014020199; classtype:web-application-attack; sid:2018176; rev:4; metadata:created_at 2014_02_25, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET [8443,9090] (msg:"ET WEB_SPECIFIC_APPS Symantec Endpoint Manager XXE RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ConsoleServlet?ActionType=ConsoleLog"; http.request_body; content:"Content-Type|3a| text/xml|0d 0a|"; nocase; content:"|3c 21|DOCTYPE"; nocase; content:"http|3a|//127.0.0.1|3a|9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&SequenceNum="; nocase; content:"&Parameter="; nocase; reference:cve,2013-5014; reference:cve,2013-5015; reference:url,cxsecurity.com/issue/WLB-2014020199; classtype:web-application-attack; sid:2018176; rev:4; metadata:created_at 2014_02_26, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?tq="; fast_pattern; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2013865; rev:8; metadata:created_at 2011_11_07, former_category MALWARE, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?tq="; fast_pattern; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2013865; rev:8; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Matsnu.L Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?text="; content:"&img_url=http"; distance:0; content:"&rpt=simage&pos="; distance:0; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:" Windows NT 5.0"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:command-and-control; sid:2018200; rev:4; metadata:created_at 2014_03_03, former_category MALWARE, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Matsnu.L Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?text="; content:"&img_url=http"; distance:0; content:"&rpt=simage&pos="; distance:0; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:" Windows NT 5.0"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:command-and-control; sid:2018200; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"|0d 0a 0d 0a|v="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"&c="; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:command-and-control; sid:2018204; rev:4; metadata:created_at 2014_03_03, former_category MALWARE, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"|0d 0a 0d 0a|v="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"&c="; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:command-and-control; sid:2018204; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; threshold: type both, track by_src, count 100, seconds 300; http.uri; content:"/?"; fast_pattern; depth:2; content:"="; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/"; http.header; content:"Keep|2d|Alive|3a|"; content:"Connection|3a| keep|2d|alive"; content:"Cache|2d|Control|3a|"; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/m"; content:"Accept|2d|Encoding|3a|"; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:3; metadata:created_at 2014_03_04, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; threshold: type both, track by_src, count 100, seconds 300; http.uri; content:"/?"; fast_pattern; depth:2; content:"="; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/"; http.header; content:"Keep|2d|Alive|3a|"; content:"Connection|3a| keep|2d|alive"; content:"Cache|2d|Control|3a|"; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/m"; content:"Accept|2d|Encoding|3a|"; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:3; metadata:created_at 2014_03_05, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.info Domain"; flow:established,to_server; http.host; content:".ddns.info"; endswith; classtype:bad-unknown; sid:2018220; rev:6; metadata:created_at 2011_12_14, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.info Domain"; flow:established,to_server; http.host; content:".ddns.info"; endswith; classtype:bad-unknown; sid:2018220; rev:6; metadata:created_at 2011_12_15, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.name Domain"; flow:established,to_server; http.host; content:".ddns.name"; endswith; classtype:bad-unknown; sid:2018221; rev:6; metadata:created_at 2011_12_14, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.name Domain"; flow:established,to_server; http.host; content:".ddns.name"; endswith; classtype:bad-unknown; sid:2018221; rev:6; metadata:created_at 2011_12_15, updated_at 2020_04_28;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY InstallIQ Updater Software request"; flow:to_server,established; http.uri; content:"/api/detectionrequest.aspx?keyid=1&shortname="; content:"&langid="; http.host; content:".installiq.com"; endswith; classtype:policy-violation; sid:2018222; rev:4; metadata:created_at 2012_02_13, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.uri; content:".exe"; endswith; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b|MSIE 7.0|3b|Windows NT 6.0)|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018224; rev:5; metadata:created_at 2014_03_04, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.uri; content:".exe"; endswith; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b|MSIE 7.0|3b|Windows NT 6.0)|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018224; rev:5; metadata:created_at 2014_03_05, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SWF filename used in IE 2014-0322 Watering Hole Attacks"; flow:established,to_server; http.uri; content:"/Tope.swf"; classtype:exploit-kit; sid:2018223; rev:4; metadata:created_at 2014_03_04, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SWF filename used in IE 2014-0322 Watering Hole Attacks"; flow:established,to_server; http.uri; content:"/Tope.swf"; classtype:exploit-kit; sid:2018223; rev:4; metadata:created_at 2014_03_05, updated_at 2020_04_28;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMSHoax Riskware checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"/api.php"; http.request_body; content:"YWx0X2FwaV9iYXNlX3Vy"; depth:20; reference:md5,4b779acb1a0e726cee73fc2ca8a6a0be; classtype:command-and-control; sid:2018230; rev:3; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"image/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018233; rev:3; metadata:created_at 2014_03_07, former_category INFO, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"image/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018233; rev:3; metadata:created_at 2014_03_08, former_category INFO, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"text/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018234; rev:3; metadata:created_at 2014_03_07, former_category INFO, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"text/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018234; rev:3; metadata:created_at 2014_03_08, former_category INFO, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos Infection Executable Download With Malformed Header"; flow:established,from_server; http.header; content:"Last-Modified|3a|"; http.header.raw; pcre:"/^Last-Modified\x3a(?:\s[^\r\n]{2}|[^\r\n\s]{3}),/m"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018241; rev:3; metadata:created_at 2014_03_08, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos Infection Executable Download With Malformed Header"; flow:established,from_server; http.header; content:"Last-Modified|3a|"; http.header.raw; pcre:"/^Last-Modified\x3a(?:\s[^\r\n]{2}|[^\r\n\s]{3}),/m"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018241; rev:3; metadata:created_at 2014_03_09, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Beacon"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/www/cmd.php"; fast_pattern; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018249; rev:4; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Beacon"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/www/cmd.php"; fast_pattern; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018249; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?"; pcre:"/^\d{5,}$/R"; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018250; rev:4; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Activity POST"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/pk/request.flv"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:5; metadata:created_at 2013_10_11, updated_at 2020_04_28;)
-
-alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService Pong response"; id:1; ttl:<0; content:"101|3b|0000|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030055; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
-
-#alert udp $HOME_NET 1234 -> $EXTERNAL_NET any (msg:"ET MALWARE NAZAR EYService File exfiltrate response"; id:1; ttl:<0; content:"---";  reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030057; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Activity POST"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/pk/request.flv"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:5; metadata:created_at 2013_10_12, updated_at 2020_04_28;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"gizasector.xyz"; endswith; classtype:domain-c2; sid:2030051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fekilopol.xyz"; endswith; classtype:domain-c2; sid:2030052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (W32/TrojanDownloader.Agent.FBF Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=analyticsonline.top"; nocase; endswith; reference:md5,c5a467fa017cf4003768e63115fcddae; classtype:domain-c2; sid:2030046; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (W32/TrojanDownloader.Agent.FBF Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=analyticsonline.top"; nocase; endswith; reference:md5,c5a467fa017cf4003768e63115fcddae; classtype:domain-c2; sid:2030046; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HCZR Variant Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?wqasd="; startswith; content:"&qrjatyd=imofugclqu"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,9163f1f4f16ac8ec82eaa0a274850c36; reference:url,twitter.com/3XS0/status/1255491188565688323; classtype:command-and-control; sid:2030054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
 
@@ -34218,47 +32784,47 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS BeeMovie Rela
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (h55u4u4u5uii5)"; flow:established,to_server; http.user_agent; content:"h55u4u4u5uii5"; bsize:13; reference:url,www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/; classtype:trojan-activity; sid:2030058; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; http.uri; pcre:"/\?[0-9a-f]{6}$/"; http.cookie; content:"SECID="; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:8; metadata:created_at 2013_04_26, former_category CURRENT_EVENTS, updated_at 2020_04_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; http.uri; pcre:"/\?[0-9a-f]{6}$/"; http.cookie; content:"SECID="; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:8; metadata:created_at 2013_04_27, former_category CURRENT_EVENTS, updated_at 2020_04_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_05_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; http.uri; content:"/Default.aspx?INDEX="; pcre:"/\?ID=[A-Z]{10}$/"; http.user_agent; content:!"Mozilla"; startswith; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,intelreport.mandiant.com/; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; classtype:targeted-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; http.uri; content:"/Default.aspx?INDEX="; pcre:"/\?ID=[A-Z]{10}$/"; http.user_agent; content:!"Mozilla"; startswith; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:md5,ba45339da92ca4622b472ac458f4c8f2; reference:url,intelreport.mandiant.com/; classtype:targeted-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_04_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot Loader Payload Request"; flow:established,to_server; urilen:<11; http.uri; content:".exe"; fast_pattern; http.header; content:"Mozilla/4.0|0D 0A|Host|3a|"; reference:md5,3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:6; metadata:created_at 2013_03_15, updated_at 2020_04_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,from_server; http.header; content:"X-Sinkholed-Domain|3a|"; reference:md5,723a90462a417337355138cc6aba2290; classtype:trojan-activity; sid:2017662; rev:4; metadata:created_at 2013_11_04, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; http.header; content:"User-Agent|3A 20|toys|3A 3A|file"; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:4; metadata:created_at 2012_03_08, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; http.header; content:"User-Agent|3A 20|toys|3A 3A|file"; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:4; metadata:created_at 2012_03_09, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/install/"; http.request_body; content:"q="; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018331; rev:3; metadata:created_at 2014_03_28, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/install/"; http.request_body; content:"q="; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018331; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018332; rev:4; metadata:created_at 2014_03_28, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018332; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; http.uri; content:"/access.php"; fast_pattern; http.user_agent; content:"sendfile"; depth:8; nocase; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016862; rev:5; metadata:created_at 2013_05_20, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; http.uri; content:"/access.php"; fast_pattern; http.user_agent; content:"sendfile"; depth:8; nocase; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016862; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN IBM NSA User Agent"; flow:established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Network-Services-Auditor"; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; reference:url,doc.emergingthreats.net/2003171; classtype:attempted-recon; sid:2003171; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hi)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|hi|0d 0a|"; nocase; classtype:trojan-activity; sid:2018381; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_10, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/install/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018345; rev:7; metadata:created_at 2014_04_01, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/install/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018345; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; http.header; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; fast_pattern; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:4; metadata:created_at 2014_01_07, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; http.header; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; fast_pattern; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:4; metadata:created_at 2014_01_08, updated_at 2020_04_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Family GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgate.php?n="; pcre:"/^[0-9A-F]{12,24}/Ri"; reference:url,www.f-secure.com/v-descs/virus_w32_virut.shtml; reference:url,doc.emergingthreats.net/2009444; classtype:trojan-activity; sid:2009444; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GreenDou Downloader User-Agent (hello crazyk)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|hello crazyk"; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; classtype:trojan-activity; sid:2018404; rev:3; metadata:created_at 2014_04_21, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GreenDou Downloader User-Agent (hello crazyk)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|hello crazyk"; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; classtype:trojan-activity; sid:2018404; rev:3; metadata:created_at 2014_04_22, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/404.php?"; nocase; content:"type=stats"; nocase; content:"affid="; nocase; content:"subid="; nocase; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:6; metadata:created_at 2012_01_02, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/404.php?"; nocase; content:"type=stats"; nocase; content:"affid="; nocase; content:"subid="; nocase; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:6; metadata:created_at 2012_01_03, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; http.uri; content:"/Generic/BEX/iexplore_exe/"; content:"/vgx_dll_unloaded/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; http.uri; content:"/Generic/BEX/iexplore_exe/"; content:"/vgx_dll_unloaded/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2"; flow:established,to_server; http.uri; content:"/StageOne/iexplore_exe/"; content:"/vgx_dll/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018436; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check_value.php"; http.user_agent; content:!"User-Agent|0d 0a|"; http.request_body; content:"identifiant="; depth:12; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:command-and-control; sid:2018443; rev:3; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check_value.php"; http.user_agent; content:!"User-Agent|0d 0a|"; http.request_body; content:"identifiant="; depth:12; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:command-and-control; sid:2018443; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; http.header; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; content:"|0d 0a|X-Powered-By|3a 20|PHP"; file.data; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:exploit-kit; sid:2018451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.host; pcre:"/\x3a\d{1,5}$/"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"id="; depth:3; content:"&code="; fast_pattern; distance:0; content:"&data="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016527; rev:5; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.host; pcre:"/\x3a\d{1,5}$/"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"id="; depth:3; content:"&code="; fast_pattern; distance:0; content:"&data="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016527; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap CnC Checkin"; flow:established,to_server; http.uri; content:".cgi?s"; content:"&r="; pcre:"/\.cgi\?s(?:id)?=\d{1,12}&r=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"Cache-Control|3a| no-cache|0d 0a|"; content:"User-Agent|3a 20 2d 0d 0a|"; fast_pattern; classtype:command-and-control; sid:2013201; rev:8; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_29;)
 
@@ -34276,13 +32842,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshe
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<form method=post style=|22|font-family:fantasy|3b 22|>"; content:"Password: <input type=password name=pass style=|22|background-color|3a|whitesmoke|3b|border|3a|1px solid #FFF|3b 22|><input type=submit value='>>' style=|22|border|3a|none|3b|background-color|3a|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030066; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Opera/9.25 (Windows NT 6.0|3b 20|U|3b|"; fast_pattern; http.host; content:"windowsupdate.microsoft.com"; startswith; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:7; metadata:created_at 2014_04_24, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Opera/9.25 (Windows NT 6.0|3b 20|U|3b|"; fast_pattern; http.host; content:"windowsupdate.microsoft.com"; startswith; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:7; metadata:created_at 2014_04_25, updated_at 2020_04_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Sinkhole banner"; flow:established,to_client; http.header; content:"Server|3a 20|You got served|21|"; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2013/12/30/detecting-sinkholed-domains-in-your-environment; classtype:trojan-activity; sid:2018117; rev:4; metadata:created_at 2014_02_12, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/\/(?:[^\x2f]+?\/)?[a-z-_]+?\.(?:php|html)$/i"; http.header; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern; depth:77; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:command-and-control; sid:2017903; rev:4; metadata:created_at 2013_12_26, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/\/(?:[^\x2f]+?\/)?[a-z-_]+?\.(?:php|html)$/i"; http.header; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern; depth:77; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:command-and-control; sid:2017903; rev:4; metadata:created_at 2013_12_27, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.BitcoinMiner Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?user="; nocase; content:"&type="; nocase; content:"&id="; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"sysin="; fast_pattern; depth:6; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/05/16/zeuscoiner-detection-zeus-variant-engages-in-bitcoining; classtype:coin-mining; sid:2018504; rev:3; metadata:created_at 2014_05_28, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.BitcoinMiner Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?user="; nocase; content:"&type="; nocase; content:"&id="; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"sysin="; fast_pattern; depth:6; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/05/16/zeuscoiner-detection-zeus-variant-engages-in-bitcoining; classtype:coin-mining; sid:2018504; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_05_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_04_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent"; flow:established,to_server; http.user_agent; content:"rome0321"; depth:8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018519; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
@@ -34306,25 +32872,25 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pandemiya User-Ag
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover related campaign Checkin"; flow:established,to_server; http.uri; content:"post.php?filename="; fast_pattern; content:"&folder="; distance:0; pcre:"/\/\/?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0392fb51816dd9583f9cb206a2cf02d9; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:command-and-control; sid:2018566; rev:3; metadata:created_at 2014_06_16, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set) "; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".su"; pcre:"/^(?:\x3a\d{1,5})?$/Ri"; classtype:trojan-activity; sid:2018570; rev:4; metadata:created_at 2014_06_16, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".su"; pcre:"/^(?:\x3a\d{1,5})?$/Ri"; classtype:trojan-activity; sid:2018570; rev:4; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set) "; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".pw"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/i"; classtype:trojan-activity; sid:2018571; rev:4; metadata:created_at 2014_06_16, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".pw"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/i"; classtype:trojan-activity; sid:2018571; rev:4; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{20,}+$/"; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/i"; http.request_body; content:"<knock>"; fast_pattern; depth:7; content:"<ID>"; within:6; content:"<group>"; distance:0; content:"<version>"; distance:0; content:"<status>"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html; classtype:command-and-control; sid:2018574; rev:3; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{20,}+$/"; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/i"; http.request_body; content:"<knock>"; fast_pattern; depth:7; content:"<ID>"; within:6; content:"<group>"; distance:0; content:"<version>"; distance:0; content:"<status>"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html; classtype:command-and-control; sid:2018574; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_06_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Optimum Installer User-Agent IE6 on Windows XP"; flow:established,to_server; http.user_agent; content:"IE6 on Windows XP"; startswith; fast_pattern; classtype:pup-activity; sid:2012629; rev:6; metadata:created_at 2011_04_05, former_category USER_AGENTS, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; http.uri; content:"/load_module.php?e="; classtype:exploit-kit; sid:2014705; rev:5; metadata:created_at 2012_05_03, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; http.uri; content:"/load_module.php?e="; classtype:exploit-kit; sid:2014705; rev:5; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; http.uri; content:"/download_file.php?e="; classtype:exploit-kit; sid:2014706; rev:4; metadata:created_at 2012_05_03, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; http.uri; content:"/download_file.php?e="; classtype:exploit-kit; sid:2014706; rev:4; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; http.header; content:"filename=payload.exe.exe|0d 0a|"; classtype:exploit-kit; sid:2014707; rev:5; metadata:created_at 2012_05_03, updated_at 2020_04_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; http.header; content:"filename=payload.exe.exe|0d 0a|"; classtype:exploit-kit; sid:2014707; rev:5; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; http.uri; content:"/wsman/simple_auth.passwd"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:5; metadata:created_at 2014_06_20, updated_at 2020_04_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Citadel Download From CnC Server /files/ attachment"; flow:established,to_client; flowbits:isset,et.citadel; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename=|22 25 32 65|/files/"; fast_pattern; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018599; rev:8; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Crawler"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.user_agent; content:"PHPCrawl"; depth:8; reference:url,phpcrawl.cuab.de/; classtype:attempted-user; sid:2018607; rev:3; metadata:created_at 2014_06_25, updated_at 2020_04_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Crawler"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.user_agent; content:"PHPCrawl"; depth:8; reference:url,phpcrawl.cuab.de/; classtype:attempted-user; sid:2018607; rev:3; metadata:created_at 2014_06_26, updated_at 2020_04_30;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/VBKlip BAN Download"; flow:established,to_server; http.header; content:"Accept|20|Language|3a| en-us|0d 0a|"; fast_pattern; reference:url,cert.pl/news/8478/langswitch_lang/en; classtype:trojan-activity; sid:2018618; rev:3; metadata:created_at 2014_07_01, updated_at 2020_04_30;)
 
@@ -34332,9 +32898,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pos
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle Event Processing FileUploadServlet Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wlevs/visualizer/upload"; http.request_body; content:"filename"; pcre:"/^\s*?=\s*?[\x22\x27]?[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; reference:url,www.exploit-db.com/exploits/33989/; reference:cve,2014-2424; classtype:web-application-attack; sid:2018652; rev:4; metadata:created_at 2014_07_08, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT Checkin"; flow:to_server,established; http.uri; content:".php?"; content:"email="; content:"&serverid="; content:"User|3a|"; content:"PC|3a|"; http.header_names; content:!"Referer"; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:command-and-control; sid:2018659; rev:3; metadata:created_at 2014_07_09, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT Checkin"; flow:to_server,established; http.uri; content:".php?"; content:"email="; content:"&serverid="; content:"User|3a|"; content:"PC|3a|"; http.header_names; content:!"Referer"; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:command-and-control; sid:2018659; rev:3; metadata:created_at 2014_07_10, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT User-Agent (USER_CHECK)"; flow:to_server,established; http.user_agent; content:"USER_CHECK"; depth:10; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018660; rev:4; metadata:created_at 2014_07_09, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT User-Agent (USER_CHECK)"; flow:to_server,established; http.user_agent; content:"USER_CHECK"; depth:10; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018660; rev:4; metadata:created_at 2014_07_10, updated_at 2020_04_30;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Request"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uuid="; depth:5; nocase; content:"&id="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&pcname="; nocase; distance:0; fast_pattern; content:"&osver="; nocase; distance:0; content:"&timeout="; nocase; distance:0; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
@@ -34344,7 +32910,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activi
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wwwlib/title.php?ID="; depth:21; pcre:"/^[A-Za-z0-9]{48}\x3a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64|3b 20|rv:47.0) Gecko / 20100101 Chrome/73.0.3645.0"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; endswith; reference:url,www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center?utm_medium=social&utm_source=linkedin&utm_content=blog; classtype:targeted-activity; sid:2030070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/webviewAdReq"; nocase; depth:13; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/webviewAdReq"; nocase; depth:13; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_11, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Minirem"; flow: established,to_server; urilen:>18; http.method; content:"GET"; http.uri; content:"/FC001/"; fast_pattern; depth:7; http.user_agent; content:"Microsoft Internet Explorer"; reference:md5,d92075280872b9fe4f541f090bf0076c; classtype:trojan-activity; sid:2018664; rev:7; metadata:created_at 2014_01_22, updated_at 2020_04_30;)
 
@@ -34360,11 +32926,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Requ
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016581; rev:5; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016933; rev:6; metadata:created_at 2013_05_28, former_category INFO, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016933; rev:6; metadata:created_at 2013_05_29, former_category INFO, updated_at 2020_04_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Zbot.Variant CnC Response"; flow:established,from_server; flowbits:isset,ET.zbot.ua.2106509; http.stat_code; content:"200"; http.header; content:"Content-Length|3a| 0|0d 0a|Content-Type|3a| text/html|0d 0a|"; fast_pattern; http.header_names; content:"Content-Type|0d 0a 0d 0a|"; endswith; reference:md5,0c4d7d9138de7d7919e3b3c33ac2f851; classtype:command-and-control; sid:2018764; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swizzor User-Agent (Swizz03r)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Swizz03r Download Agent"; nocase; depth:23; reference:md5,5d232faca6d2b082b450b8ee4e238483; classtype:trojan-activity; sid:2018765; rev:5; metadata:created_at 2013_06_03, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swizzor User-Agent (Swizz03r)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Swizz03r Download Agent"; nocase; depth:23; reference:md5,5d232faca6d2b082b450b8ee4e238483; classtype:trojan-activity; sid:2018765; rev:5; metadata:created_at 2013_06_04, updated_at 2020_04_30;)
 
 alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1"; flow:established,to_server; content:"_prep_auth_info"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030071; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
@@ -34406,31 +32972,31 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Ag
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internet Scanning Project HTTP scan"; flow:established,to_server; http.user_agent; content:"research-scanner/"; startswith; http.host; content:"internetscanningproject.org"; reference:url,www.internetscanningproject.org; classtype:attempted-recon; sid:2018782; rev:3; metadata:created_at 2014_07_25, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Waski.F Locker DL URI Struct Jul 25 2014"; flow:to_server,established; http.uri; content:"/wp-content/themes/"; depth:19; pcre:"/^[^\x2f]+\/[a-z0-9]+$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:3; metadata:created_at 2014_07_25, former_category MALWARE, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Waski.F Locker DL URI Struct Jul 25 2014"; flow:to_server,established; http.uri; content:"/wp-content/themes/"; depth:19; pcre:"/^[^\x2f]+\/[a-z0-9]+$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:3; metadata:created_at 2014_07_26, former_category MALWARE, updated_at 2020_05_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; http.user_agent; content:"chroot-apach0day"; nocase; depth:16; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; classtype:attempted-recon; sid:2018800; rev:5; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Gatak Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:4; metadata:created_at 2014_07_28, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Gatak Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:4; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/path/DeviceManager.php"; nocase; depth:23; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"func="; depth:5; content:"&deviceid="; distance:0; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/path/DeviceManager.php"; nocase; depth:23; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"func="; depth:5; content:"&deviceid="; distance:0; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_04, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ddex Loader Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?t="; content:"&o="; content:"&i="; content:"&task_id="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf; classtype:trojan-activity; sid:2018895; rev:3; metadata:created_at 2014_08_05, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushdo.S CnC response"; flow:established,from_server; flowbits:isset,ET.Pushdo.S; http.header; content:"X-GeoIP-Country-Code|3a| "; content:"X-Real-IP|3a| "; reference:md5,27aef1d328da442d3bd02c50c1a6b651; classtype:command-and-control; sid:2018897; rev:3; metadata:created_at 2014_08_05, former_category MALWARE, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushdo.S CnC response"; flow:established,from_server; flowbits:isset,ET.Pushdo.S; http.header; content:"X-GeoIP-Country-Code|3a| "; content:"X-Real-IP|3a| "; reference:md5,27aef1d328da442d3bd02c50c1a6b651; classtype:command-and-control; sid:2018897; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_05_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BITTERBUG Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?compname="; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}_/R"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018900; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_05_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit exe.exe Payload"; flow:established,to_client; http.header; content:"Content-disposition|3a 20|attachment|3b 20|filename=exe.exe"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2014/08/06/index.html; classtype:exploit-kit; sid:2018914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Downloader Check-in"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lolo/"; startswith; fast_pattern; content:".html"; endswith; pcre:"/^\/lolo\/[0-9]+\/[0-9]+\/[0-9]+\/[0-9]+\.html$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018926; rev:4; metadata:created_at 2014_08_11, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Downloader Check-in"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lolo/"; startswith; fast_pattern; content:".html"; endswith; pcre:"/^\/lolo\/[0-9]+\/[0-9]+\/[0-9]+\/[0-9]+\.html$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018926; rev:4; metadata:created_at 2014_08_12, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Click fraud Template Request"; flow:to_server,established; http.request_line; content:"GET /log/"; fast_pattern; startswith; http.uri; content:"/?id="; pcre:"/^\/log\/[0-9]+\/[0-9]+\/\?id=[0-9]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"Host|0d 0a|"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018927; rev:3; metadata:created_at 2014_08_11, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Click fraud Template Request"; flow:to_server,established; http.request_line; content:"GET /log/"; fast_pattern; startswith; http.uri; content:"/?id="; pcre:"/^\/log\/[0-9]+\/[0-9]+\/\?id=[0-9]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"Host|0d 0a|"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018927; rev:3; metadata:created_at 2014_08_12, updated_at 2020_05_01;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nubjub.A HTTP Check-in "; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php"; content:"?&mode="; fast_pattern; content:"&id="; content:"&output="; content:"&time="; reference:url,doc.emergingthreats.net/2009521; classtype:trojan-activity; sid:2009521; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nubjub.A HTTP Check-in"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php"; content:"?&mode="; fast_pattern; content:"&id="; content:"&output="; content:"&time="; reference:url,doc.emergingthreats.net/2009521; classtype:trojan-activity; sid:2009521; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Secure-Soft.Stealer Checkin"; flow:to_server,established; http.request_body; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=c86923d90ef91653b0a61eb2fbfae202; reference:url,www.threatexpert.com/report.aspx?md5=0a52131eebbee1df877767875ab32352; classtype:command-and-control; sid:2013026; rev:4; metadata:created_at 2011_06_13, former_category MALWARE, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Secure-Soft.Stealer Checkin"; flow:to_server,established; http.request_body; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; fast_pattern; reference:md5,c86923d90ef91653b0a61eb2fbfae202; reference:md5,0a52131eebbee1df877767875ab32352; classtype:command-and-control; sid:2013026; rev:4; metadata:created_at 2011_06_13, former_category MALWARE, updated_at 2020_05_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Asteria md5)"; flow:to_server,established; http.user_agent; content:"d9d385b3522b242398af91fd425b386d"; depth:32; reference:md5,56c16ad7da8cecb429dccb168aef46b7; classtype:trojan-activity; sid:2018985; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_22, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_05_01;)
 
@@ -34448,8 +33014,6 @@ alert http $HOME_NET any -> any any (msg:"ET MALWARE JAWS Webserver Unauthentica
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030093; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Minor, updated_at 2020_05_04;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Online%20Scheduling%20System/login.php"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&lgn=Login"; nocase; distance:0; endswith; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
-
 alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//netcore_get.cgi"; depth:17; fast_pattern; http.cookie; content:"homeFirstShow=yes"; reference:url,www.exploit-db.com/exploits/48384; classtype:attempted-admin; sid:2030095; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; http.user_agent; content:"Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
@@ -34482,11 +33046,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN crimscanner User-Age
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; http.user_agent; content:"Casper Bot"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/w3af/remoteFileInclude.html"; nocase; http.host; content:"w3af.sourceforge.net"; startswith; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/w3af/remoteFileInclude.html"; nocase; http.host; content:"w3af.sourceforge.net"; startswith; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/<invalid>hello.html"; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/exe.php?x=mdac"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"exe.php?x=mdac"; nocase; classtype:exploit-kit; sid:2011908; rev:4; metadata:created_at 2010_11_08, former_category EXPLOIT_KIT, updated_at 2020_05_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/exe.php?x=mdac"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"exe.php?x=mdac"; nocase; classtype:exploit-kit; sid:2011908; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; flowbits:set,et.ddwrt.infodis; http.uri; content:"/Info.live.htm"; nocase; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:6; metadata:created_at 2010_12_30, updated_at 2020_05_04;)
 
@@ -34494,9 +33058,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Large Subn
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:6; metadata:created_at 2011_05_10, updated_at 2020_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"(internal dummy connection)"; classtype:trojan-activity; sid:2012937; rev:4; metadata:created_at 2011_06_06, updated_at 2020_05_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"(internal dummy connection)"; classtype:trojan-activity; sid:2012937; rev:4; metadata:created_at 2011_06_07, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/rfiinc.txt"; http.host; content:"cirt.net"; bsize:8; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:5; metadata:affected_product Any, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/rfiinc.txt"; http.host; content:"cirt.net"; bsize:8; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:5; metadata:affected_product Any, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HighTide trojan Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?"; depth:2; pcre:"/^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$/"; http.header; content:"Trident/5.0|29 0d 0a|"; fast_pattern; http.referer; content:"http://www.google.com/"; bsize:22; reference:md5,6e59861931fa2796ee107dc27bfdd480; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:command-and-control; sid:2019113; rev:3; metadata:created_at 2014_09_04, former_category MALWARE, updated_at 2020_05_04;)
 
@@ -34504,15 +33068,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Threebyte.APT
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iplookup/iplookup.php?format="; fast_pattern; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:external-ip-check; sid:2019126; rev:3; metadata:created_at 2014_09_05, former_category POLICY, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php?file=cmds/main"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,19484a240a16c7faea84dcac0c38d118; classtype:command-and-control; sid:2019128; rev:3; metadata:created_at 2014_09_05, former_category MALWARE, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php?file=cmds/main"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,19484a240a16c7faea84dcac0c38d118; classtype:command-and-control; sid:2019128; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php"; content:"action=revslider_show_image"; http.uri.raw; content:"img=|2e 2e 2f|"; reference:url,exploit-db.com/exploits/34511/; classtype:web-application-attack; sid:2019137; rev:3; metadata:created_at 2014_09_08, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT OSX.XSLCmd CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/compose.aspx?s="; fast_pattern; http.accept_lang; content:"zh-cn"; bsize:5; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; reference:url,fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; classtype:targeted-activity; sid:2019136; rev:6; metadata:created_at 2014_09_08, former_category MALWARE, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT OSX.XSLCmd CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/compose.aspx?s="; fast_pattern; http.accept_lang; content:"zh-cn"; bsize:5; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; reference:url,fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; classtype:targeted-activity; sid:2019136; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS User-Agent"; flow:established,to_server; http.user_agent; content:"Decebalv"; depth:8; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019161; rev:4; metadata:created_at 2014_09_11, updated_at 2020_05_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-05-05)"; flow:established,to_client; tls.cert_subject; content:"CN=www.astedams.it"; nocase; endswith; reference:md5,9ea365c1714eb500e5f4a749a3ed0fe7; classtype:domain-c2; sid:2030101; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-05-05)"; flow:established,to_client; tls.cert_subject; content:"CN=www.astedams.it"; nocase; endswith; reference:md5,9ea365c1714eb500e5f4a749a3ed0fe7; classtype:domain-c2; sid:2030101; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_05_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nspps Backdoor CnC Activity"; flow:established,to_server; http.header; content:"|0d 0a|Arch|3a 20|"; content:"|0d 0a|Cores|3a 20|"; content:"|0d 0a|Mem|3a 20|"; content:"|0d 0a|Os|3a 20|"; content:"|0d 0a|Osname|3a 20|"; content:"|0d 0a|Osversion|3a 20|"; fast_pattern; content:"|0d 0a|Root|3a 20|"; content:"|0d 0a|Uuid|3a 20|"; content:"|0d 0a|Version|3a 20|"; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030108; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_05;)
 
@@ -34532,7 +33096,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT BlogEngine 3.
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Online%20Scheduling%20System/"; http.request_body; content:"username=0&password=0&lgn=Login"; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030107; rev:1; metadata:attack_target Server, created_at 2020_05_05, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M1"; flow:established,to_server; http.start; bsize:22; content:"GET /START_ HTTP/1.1|0d 0a|"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M1"; flow:established,to_server; http.start; bsize:22; content:"GET /START_ HTTP/1.1|0d 0a|"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EVILNUM CnC Response"; flow:established,to_client; http.response_body; content:"jifhruhajsdfg444"; fast_pattern; startswith; content:"jifhruhajsdfg444"; endswith; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030119; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_06;)
 
@@ -34540,8 +33104,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible MPC
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JsOutProx Variant CnC Activity"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Content-Type|3a 20|application/x-www-Form-urlencoded|3b 20|Charset=UTF-8|0d 0a|"; fast_pattern; http.cookie; pcre:"/^[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; classtype:command-and-control; sid:2030114; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, signature_severity Major, updated_at 2020_05_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Default CobaltStrike SSL Certificate"; flow:established,to_client; tls.cert_issuer; content:"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike"; nocase; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:trojan-activity; sid:2030111; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_05_06;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Cobalt Strike Stager Domain in DNS Query"; dns.query; content:"cylenceprotect.com"; bsize:18; nocase; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:domain-c2; sid:2030112; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_06;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Observed iesnare/iovation Tracking Activity"; flow:established,to_server; dsize:22; content:"|47 45 54 20 2f 73 70 61 63 65 20 20 48 54 54 50 2f 31 2e 30 0a 0a|"; classtype:policy-violation; sid:2030113; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_05_06;)
@@ -34552,9 +33114,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dumador Reporting
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"/?id="; fast_pattern; depth:5; content:"&msg="; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:6; metadata:created_at 2012_01_23, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.request_body; content:"13"; depth:2; content:"=MSG"; fast_pattern; distance:11; within:4; pcre:"/^13\d{11}/"; classtype:web-application-attack; sid:2016030; rev:5; metadata:created_at 2012_12_13, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.request_body; content:"13"; depth:2; content:"=MSG"; fast_pattern; distance:11; within:4; pcre:"/^13\d{11}/"; classtype:web-application-attack; sid:2016030; rev:5; metadata:created_at 2012_12_14, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"GET"; http.uri; content:"/?msg=MSG"; classtype:web-application-attack; sid:2016031; rev:4; metadata:created_at 2012_12_13, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"GET"; http.uri; content:"/?msg=MSG"; classtype:web-application-attack; sid:2016031; rev:4; metadata:created_at 2012_12_14, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|ru|3b 20|rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
 
@@ -34570,7 +33132,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS d
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader requesting payload URL"; flow:established,to_server; http.uri; content:"/lurl.php?affid="; depth:16; classtype:trojan-activity; sid:2012514; rev:4; metadata:created_at 2011_03_16, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit malware payload download"; flow:established,to_server; http.uri; content:".php?deserialize="; reference:url,doc.emergingthreats.net/2011183; classtype:exploit-kit; sid:2011183; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2020_05_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit malware payload download"; flow:established,to_server; http.uri; content:".php?deserialize="; reference:url,doc.emergingthreats.net/2011183; classtype:exploit-kit; sid:2011183; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/auto_update/HideMyIP/update.dat"; nocase; classtype:policy-violation; sid:2011311; rev:6; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
 
@@ -34578,35 +33140,35 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab CnC URL Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"controller.php"; nocase; content:"action=bot"; nocase; content:"entity_list="; nocase; content:"uid="; nocase; content:"guid="; nocase; reference:url,blog.fireeye.com/.a/6a00d835018afd53ef013488839529970c-pi; classtype:command-and-control; sid:2011861; rev:5; metadata:created_at 2010_10_28, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/load/svchost.exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"load/svchost.exe"; nocase; classtype:exploit-kit; sid:2011906; rev:4; metadata:created_at 2010_11_08, former_category EXPLOIT_KIT, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/load/svchost.exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"load/svchost.exe"; nocase; classtype:exploit-kit; sid:2011906; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue AV Downloader concat URI"; flow:established,to_server; http.uri; content:".php?id="; content:"x="; distance:0; content:"os="; distance:0; content:"n="; distance:0; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:7; metadata:created_at 2010_11_15, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious bot.exe Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot.exe"; nocase; reference:url,www.malwareurl.com/listing.php?domain=19eylulmusikicemiyeti.com; classtype:trojan-activity; sid:2011967; rev:4; metadata:created_at 2010_11_22, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/license_"; nocase; pcre:"/^[0-9A-F]{550,}\.html/Ri"; classtype:command-and-control; sid:2011969; rev:10; metadata:created_at 2010_11_22, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/license_"; nocase; pcre:"/^[0-9A-F]{550,}\.html/Ri"; classtype:command-and-control; sid:2011969; rev:10; metadata:created_at 2010_11_23, former_category MALWARE, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious flash_player.exe Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/flash_player.exe"; reference:url,www.malwareurl.com/listing.php?domain=newpornmov.info; classtype:bad-unknown; sid:2011982; rev:4; metadata:created_at 2010_11_24, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tzl/tzl.php?"; nocase; content:"hl="; nocase; reference:url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9; reference:url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc; classtype:trojan-activity; sid:2012113; rev:4; metadata:created_at 2010_12_30, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tzl/tzl.php?"; nocase; content:"hl="; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012113; rev:4; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.ini"; flow:established,to_server; http.uri; content:"/setting.ini"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=fcb828c0b735ea8d560a45b3bdd29b94; reference:url,www.threatexpert.com/report.aspx?md5=36d9a446d6311f9a4c19865e2b62f15d; classtype:trojan-activity; sid:2012198; rev:6; metadata:created_at 2011_01_17, former_category MALWARE, updated_at 2020_05_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.ini"; flow:established,to_server; http.uri; content:"/setting.ini"; nocase; reference:md5,36d9a446d6311f9a4c19865e2b62f15d; reference:md5,fcb828c0b735ea8d560a45b3bdd29b94; classtype:trojan-activity; sid:2012198; rev:6; metadata:created_at 2011_01_17, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.xls"; flow:established,to_server; http.uri; content:"/setting.xls"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012199; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.xls"; flow:established,to_server; http.uri; content:"/setting.xls"; nocase; reference:md5,fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012199; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc"; flow:established,to_server; http.uri; content:"/setting.doc"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012200; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc"; flow:established,to_server; http.uri; content:"/setting.doc"; nocase; reference:md5,fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012200; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cnzz.cn Related Dropper Checkin"; flow:established,to_server; http.uri; content:"?Hook1=1,Setup="; classtype:command-and-control; sid:2013790; rev:6; metadata:created_at 2011_02_27, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Download Setup_ exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Setup_"; nocase; content:".exe"; nocase; pcre:"/\/Setup_\d+\.exe$/i"; reference:url,www.malwareurl.com/listing.php?domain=antivirus-live21.com; classtype:trojan-activity; sid:2012392; rev:6; metadata:created_at 2011_02_28, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Download Setup_ exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Setup_"; nocase; content:".exe"; nocase; pcre:"/\/Setup_\d+\.exe$/i"; reference:url,www.malwareurl.com/listing.php?domain=antivirus-live21.com; classtype:trojan-activity; sid:2012392; rev:6; metadata:created_at 2011_03_01, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakePAV Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/soft-usage/favicon.ico?"; nocase; pcre:"/\?0=.*\&1=.*\&2=.*\&3=.*\&4=.*\&5=.*\&6=.*\&7=.*\&8=/i"; reference:url,www.threatexpert.com/report.aspx?md5=f5dd61e29eff89a93c591fba7ea14d92; classtype:command-and-control; sid:2012405; rev:5; metadata:created_at 2011_03_01, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakePAV Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/soft-usage/favicon.ico?"; nocase; pcre:"/\?0=.*\&1=.*\&2=.*\&3=.*\&4=.*\&5=.*\&6=.*\&7=.*\&8=/i"; reference:md5,f5dd61e29eff89a93c591fba7ea14d92; classtype:command-and-control; sid:2012405; rev:5; metadata:created_at 2011_03_01, former_category MALWARE, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.gv.vg domain"; flow:established,to_server; http.host; content:".gv.vg"; endswith; classtype:bad-unknown; sid:2012542; rev:6; metadata:created_at 2011_03_24, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ce.ms domain"; flow:established,to_server; http.host; content:".ce.ms"; endswith; classtype:bad-unknown; sid:2012593; rev:6; metadata:created_at 2011_03_29, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Slugin.A PatchTimeCheck.dat Request"; flow:established,to_server; http.uri; content:"/PatchTimeCheck.dat"; nocase; classtype:trojan-activity; sid:2012616; rev:5; metadata:created_at 2011_03_31, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Slugin.A PatchTimeCheck.dat Request"; flow:established,to_server; http.uri; content:"/PatchTimeCheck.dat"; nocase; classtype:trojan-activity; sid:2012616; rev:5; metadata:created_at 2011_04_01, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cw.cm domain"; flow:established,to_server; http.host; content:".cw.cm"; endswith; classtype:bad-unknown; sid:2012737; rev:5; metadata:created_at 2011_04_28, updated_at 2020_05_06;)
 
@@ -34624,43 +33186,43 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Il
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Tracur.Q HTTP Communication"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"fQ_fQ_fQ_fQ"; reference:url,xml.ssdsandbox.net/view/d2afc3be7357f96834ec684ab329d7e2; classtype:trojan-activity; sid:2013064; rev:4; metadata:created_at 2011_06_17, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; http.host; content:".co.be"; endswith; classtype:bad-unknown; sid:2013123; rev:6; metadata:created_at 2011_06_28, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; http.host; content:".co.be"; endswith; classtype:bad-unknown; sid:2013123; rev:6; metadata:created_at 2011_06_29, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.co.com.au domain"; flow:to_server,established; http.host; content:".co.com.au"; endswith; classtype:bad-unknown; sid:2013412; rev:4; metadata:created_at 2011_08_16, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cz.tf domain"; flow:to_server,established; http.host; content:".cz.tf"; endswith; classtype:bad-unknown; sid:2013415; rev:4; metadata:created_at 2011_08_16, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cz.tf domain"; flow:to_server,established; http.host; content:".cz.tf"; endswith; classtype:bad-unknown; sid:2013415; rev:4; metadata:created_at 2011_08_17, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.c0m.li domain"; flow:to_server,established; http.host; content:".c0m.li"; endswith; classtype:bad-unknown; sid:2013460; rev:4; metadata:created_at 2011_08_25, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.c0m.li domain"; flow:to_server,established; http.host; content:".c0m.li"; endswith; classtype:bad-unknown; sid:2013460; rev:4; metadata:created_at 2011_08_26, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.int.tf domain"; flow:to_server,established; http.host; content:".int.tf"; endswith; classtype:bad-unknown; sid:2013829; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.int.tf domain"; flow:to_server,established; http.host; content:".int.tf"; endswith; classtype:bad-unknown; sid:2013829; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.edu.tf domain"; flow:to_server,established; http.host; content:".edu.tf"; endswith; classtype:bad-unknown; sid:2013830; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.edu.tf domain"; flow:to_server,established; http.host; content:".edu.tf"; endswith; classtype:bad-unknown; sid:2013830; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.us.tf domain"; flow:to_server,established; http.host; content:".us.tf"; endswith; classtype:bad-unknown; sid:2013831; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.us.tf domain"; flow:to_server,established; http.host; content:".us.tf"; endswith; classtype:bad-unknown; sid:2013831; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ca.tf domain"; flow:to_server,established; http.host; content:".ca.tf"; endswith; classtype:bad-unknown; sid:2013832; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ca.tf domain"; flow:to_server,established; http.host; content:".ca.tf"; endswith; classtype:bad-unknown; sid:2013832; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.bg.tf domain"; flow:to_server,established; http.host; content:".bg.tf"; endswith; classtype:bad-unknown; sid:2013833; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.bg.tf domain"; flow:to_server,established; http.host; content:".bg.tf"; endswith; classtype:bad-unknown; sid:2013833; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ru.tf domain"; flow:to_server,established; http.host; content:".ru.tf"; endswith; classtype:bad-unknown; sid:2013834; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ru.tf domain"; flow:to_server,established; http.host; content:".ru.tf"; endswith; classtype:bad-unknown; sid:2013834; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pl.tf domain"; flow:to_server,established; http.host; content:".pl.tf"; endswith; classtype:bad-unknown; sid:2013835; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pl.tf domain"; flow:to_server,established; http.host; content:".pl.tf"; endswith; classtype:bad-unknown; sid:2013835; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.tf domain"; flow:to_server,established; http.host; content:".de.tf"; endswith; classtype:bad-unknown; sid:2013837; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.tf domain"; flow:to_server,established; http.host; content:".de.tf"; endswith; classtype:bad-unknown; sid:2013837; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.at.tf domain"; flow:to_server,established; http.host; content:".at.tf"; endswith; classtype:bad-unknown; sid:2013838; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.at.tf domain"; flow:to_server,established; http.host; content:".at.tf"; endswith; classtype:bad-unknown; sid:2013838; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ch.tf domain"; flow:to_server,established; http.host; content:".ch.tf"; endswith; classtype:bad-unknown; sid:2013839; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ch.tf domain"; flow:to_server,established; http.host; content:".ch.tf"; endswith; classtype:bad-unknown; sid:2013839; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.sg.tf domain"; flow:to_server,established; http.host; content:".sg.tf"; endswith; classtype:bad-unknown; sid:2013840; rev:7; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.sg.tf domain"; flow:to_server,established; http.host; content:".sg.tf"; endswith; classtype:bad-unknown; sid:2013840; rev:7; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.nl.ai domain"; flow:to_server,established; http.host; content:".nl.ai"; endswith; classtype:bad-unknown; sid:2013841; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.nl.ai domain"; flow:to_server,established; http.host; content:".nl.ai"; endswith; classtype:bad-unknown; sid:2013841; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.xe.cx domain"; flow:to_server,established; http.host; content:".xe.cx"; endswith; classtype:bad-unknown; sid:2013842; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.xe.cx domain"; flow:to_server,established; http.host; content:".xe.cx"; endswith; classtype:bad-unknown; sid:2013842; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; http.host; content:".orge.pl"; endswith; classtype:bad-unknown; sid:2013844; rev:5; metadata:created_at 2011_11_04, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; http.host; content:".orge.pl"; endswith; classtype:bad-unknown; sid:2013844; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; http.uri; content:"/Google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013895; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2020_05_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; http.uri; content:"/Google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013895; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (moanmyip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moanmyip.com"; fast_pattern; classtype:policy-violation; sid:2030126; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_07;)
 
@@ -34686,13 +33248,13 @@ alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Respo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipchicken .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ipchicken.com"; fast_pattern; classtype:policy-violation; sid:2030137; rev:1; metadata:created_at 2020_05_08, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; http.uri; content:"google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013896; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2020_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; http.uri; content:"google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013896; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; http.uri; content:"/FaceBook_Complemento.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013897; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2020_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; http.uri; content:"/FaceBook_Complemento.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013897; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; http.uri; content:"/YouTube_Setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013898; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2020_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; http.uri; content:"/YouTube_Setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013898; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; http.uri; content:"/google2.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013899; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2020_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; http.uri; content:"/google2.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013899; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
 
@@ -34702,9 +33264,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.HLLW.Autoru
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/wp-content/rss.php"; http.request_body; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; content:"&PASSWORD="; distance:0; content:"&ACTION="; distance:0; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:7; metadata:created_at 2012_05_30, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/vas.php"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015512; rev:6; metadata:created_at 2012_07_23, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/vas.php"; reference:md5,3ccc73f049a1de731baf7ea8915c92a8; reference:md5,91ce41376a5b33059744cb58758213bb; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:md5,21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015512; rev:6; metadata:created_at 2012_07_24, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz/Asprox Activity"; flow:established,to_server; flowbits:set,ET.Kuluoz; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[A-Fa-f0-9]+|index\.php)$/"; http.header_names; content:!"Referer"; http.request_body; content:"|80 00 00 00|"; depth:4; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:9; metadata:created_at 2013_12_23, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz/Asprox Activity"; flow:established,to_server; flowbits:set,ET.Kuluoz; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[A-Fa-f0-9]+|index\.php)$/"; http.header_names; content:!"Referer"; http.request_body; content:"|80 00 00 00|"; depth:4; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:9; metadata:created_at 2013_12_24, updated_at 2020_05_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.request_body; content:"cs="; content:"&p="; content:"&m="; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:command-and-control; sid:2019197; rev:3; metadata:created_at 2014_09_19, former_category MALWARE, updated_at 2020_05_08;)
 
@@ -34714,29 +33276,25 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings POST
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot UA"; flow:established,to_server; http.user_agent; content:"Windows NT 7.1"; content:"Firefox/9.1.2"; classtype:trojan-activity; sid:2015780; rev:6; metadata:created_at 2012_10_04, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; http.uri; content:"/index312.php?ver="; content:"&cam="; content:"&p=spy"; content:"&id="; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:command-and-control; sid:2015850; rev:4; metadata:created_at 2012_10_31, former_category MALWARE, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; http.uri; content:"/index312.php?ver="; content:"&cam="; content:"&p=spy"; content:"&id="; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:command-and-control; sid:2015850; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Component SQLi Attempt"; flow:established,to_server; http.uri; content:"option=com_"; nocase; content:"union"; nocase; distance:0; content:"select"; nocase; distance:0; content:"from"; nocase; distance:0; content:"jos_users"; distance:0; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:4; metadata:created_at 2012_12_04, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Component SQLi Attempt"; flow:established,to_server; http.uri; content:"option=com_"; nocase; content:"union"; nocase; distance:0; content:"select"; nocase; distance:0; content:"from"; nocase; distance:0; content:"jos_users"; distance:0; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:4; metadata:created_at 2012_12_05, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Simple Slowloris Flooder"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.header; content:"Content-length|3a 20|5235|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:5; metadata:created_at 2012_12_13, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Simple Slowloris Flooder"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.header; content:"Content-length|3a 20|5235|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:5; metadata:created_at 2012_12_14, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware CnC Request - status.php"; flow:established,to_server; http.uri; content:"/status.php"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016186; rev:5; metadata:created_at 2013_01_11, former_category MALWARE, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware CnC Request - status.php"; flow:established,to_server; http.uri; content:"/status.php"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016186; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware Invalid URI CnC Request - "; flow:established,to_server; http.uri; content:"/.ru|60|utr/qiq"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016187; rev:5; metadata:created_at 2013_01_11, former_category MALWARE, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware Invalid URI CnC Request"; flow:established,to_server; http.uri; content:"/.ru|60|utr/qiq"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016187; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BroBot POST"; flow:established,to_server; threshold: type limit, count 1, seconds 300, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 Firefox/3.6.12"; fast_pattern; bsize:26; http.request_body; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/"; classtype:web-application-attack; sid:2016212; rev:5; metadata:created_at 2013_01_15, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BroBot POST"; flow:established,to_server; threshold: type limit, count 1, seconds 300, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 Firefox/3.6.12"; fast_pattern; bsize:26; http.request_body; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/"; classtype:web-application-attack; sid:2016212; rev:5; metadata:created_at 2013_01_16, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:8; metadata:created_at 2013_01_29, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:8; metadata:created_at 2013_01_30, updated_at 2020_05_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew downloader without user-agent string exe download without User Agent"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"open="; nocase; content:"myid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; classtype:targeted-activity; sid:2016475; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE CommentCrew Possible APT backdoor download logo.png"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/logo.png"; http.accept; content:"*/*,,,,,,"; bsize:9; fast_pattern; classtype:targeted-activity; sid:2016487; rev:6; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; http.uri; content:"2p/"; content:".exe"; fast_pattern; distance:0; endswith; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:6; metadata:created_at 2014_02_26, updated_at 2020_05_08;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; http.uri; content:"/2p/"; depth:4; content:".exe"; distance:0; endswith; fast_pattern; pcre:"/^\/2p\/[a-z]{1,2}\.exe$/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:4; metadata:created_at 2014_04_11, updated_at 2020_05_08;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/11"; fast_pattern; depth:3; pcre:"/^\/1+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:trojan-activity; sid:2018413; rev:5; metadata:created_at 2014_04_23, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/11"; fast_pattern; depth:3; pcre:"/^\/1+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:trojan-activity; sid:2018413; rev:5; metadata:created_at 2014_04_24, updated_at 2020_05_08;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Bossabot DDoS tool RFI attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"php?-d|20|allow_url"; fast_pattern; content:"auto_prepend_file|3d|php|3a 2f|"; http.request_body; content:"<?php|0d 0a|"; depth:7; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823; classtype:trojan-activity; sid:2019212; rev:3; metadata:created_at 2014_09_22, updated_at 2020_05_08;)
 
@@ -34748,7 +33306,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Check D
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Possible QBot User-Agent"; flow:established,to_server; http.user_agent; bsize:14; content:"MelindaMelinda"; reference:md5,d5129d51bf982b055ee00fe7ef4da3c0; classtype:trojan-activity; sid:2030149; rev:1; metadata:created_at 2020_05_11, updated_at 2020_05_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SSL/TLS Certificate Observed (Betcity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.boxberry1.ru"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/ReBensk/status/1259146097978564609; classtype:domain-c2; sid:2030150; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_05_11, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SSL/TLS Certificate Observed (Betcity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.boxberry1.ru"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/ReBensk/status/1259146097978564609; classtype:domain-c2; sid:2030150; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_05_11, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING French Government COVID-19 Landing Page"; flow:established,to_client; content:"<title>Info Coronavirus COVID-19|20 7c 20|Gouvernement.fr"; fast_pattern; content:"Informations <strong>Coronavirus </strong></h1>"; distance:0; content:"method=|22|post|22 20|action=|22|"; pcre:"/^(?:(?!\.php).+)\.php\x22/R"; classtype:social-engineering; sid:2030145; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
 
@@ -34758,7 +33316,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING NHS Gov UK COVID
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS COVID-19 Landing Page"; flow:established,to_client; content:"<title>Get My Payment"; fast_pattern; content:"title=|22|Go to IRS Home Page|22|"; content:".php|22 20|method=|22|post|22|"; distance:0; content:"discovered that you are eligible for an instant amount"; distance:0; content:"credited to your confirmed financial institution in a timeframe of"; distance:0; classtype:social-engineering; sid:2030147; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware Exfil via FTP"; flow:established,to_server; content:"STOR "; depth:5; content:"/UserName="; distance:0; content:"_MachineName="; distance:0; fast_pattern; content:"_"; distance:0; classtype:trojan-activity; sid:2030156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware Exfil via FTP"; flow:established,to_server; content:"STOR "; depth:5; content:"/UserName="; distance:0; content:"_MachineName="; distance:0; fast_pattern; content:"_"; distance:0; classtype:trojan-activity; sid:2030156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Complaint Management System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Complaint%20Management%20System/admin/"; http.request_body; content:"username=%27%3D%27%27or%27&password="; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48452; classtype:attempted-admin; sid:2030160; rev:1; metadata:attack_target Web_Server, created_at 2020_05_12, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_12;)
 
@@ -34774,23 +33332,23 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy POST
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"; flow:established,to_server; http.cookie; content:"|28 29 20 7b|"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019239; rev:5; metadata:created_at 2014_09_25, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetConnect.aspx"; content:"&tIMEI="; content:"&tIMSI="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetConnect.aspx"; content:"&tIMEI="; content:"&tIMSI="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:3; metadata:attack_target Mobile_Client, created_at 2014_10_01, former_category MOBILE_MALWARE, updated_at 2020_05_12, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetUploadGps.aspx"; content:"tmac="; content:"&JZ="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/TargetUploadFile.aspx"; content:"tmac="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; urilen:18; http.method; content:"GET"; nocase; http.uri; content:"/CheckLibrary.aspx"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; urilen:18; http.method; content:"GET"; nocase; http.uri; content:"/CheckLibrary.aspx"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:3; metadata:attack_target Mobile_Client, created_at 2014_10_01, former_category MOBILE_MALWARE, updated_at 2020_05_12, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptowall 2.0 DL URI Struct Oct 2 2014"; flow:to_server,established; http.request_line; content:"GET /blog/"; depth:10; pcre:"/^[a-z0-9]+\x20HTTP/R"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11\.0)/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019341; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; http.method; content:"HEAD"; classtype:bad-unknown; sid:2013927; rev:5; metadata:created_at 2011_11_17, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; http.method; content:"HEAD"; classtype:bad-unknown; sid:2013927; rev:5; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; http.method; content:"PROPFIND"; classtype:bad-unknown; sid:2013928; rev:5; metadata:created_at 2011_11_17, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; http.method; content:"PROPFIND"; classtype:bad-unknown; sid:2013928; rev:5; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; http.method; content:"POST"; http.header; content:!".etrade.com|3a|443|0d 0a|"; classtype:bad-unknown; sid:2013926; rev:9; metadata:created_at 2011_11_17, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; http.method; content:"POST"; http.header; content:!".etrade.com|3a|443|0d 0a|"; classtype:bad-unknown; sid:2013926; rev:9; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; http.method; content:"DELETE"; classtype:bad-unknown; sid:2013931; rev:4; metadata:created_at 2011_11_17, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; http.method; content:"DELETE"; classtype:bad-unknown; sid:2013931; rev:4; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY 2Downloadz.com File Sharing User-Agent"; flow:established,to_server; http.user_agent; content:"2Downloadz.com Agent"; depth:20; classtype:policy-violation; sid:2019366; rev:4; metadata:created_at 2014_10_08, updated_at 2020_05_12;)
 
@@ -34802,7 +33360,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Check
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo GET Checkin"; flow:established,to_server; urilen:>25; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a 0d 0a|"; bsize:73; http.content_type; content:"octet/binary"; bsize:13; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:command-and-control; sid:2018772; rev:6; metadata:created_at 2014_07_24, former_category MALWARE, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/client.asmx/SendData"; http.user_agent; content:"mFramework HTTPGet"; fast_pattern; http.request_body; content:"CFG="; depth:4; content:"&Lng="; distance:0; content:"&sinst="; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:command-and-control; sid:2019498; rev:4; metadata:created_at 2014_10_23, former_category MALWARE, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/client.asmx/SendData"; http.user_agent; content:"mFramework HTTPGet"; fast_pattern; http.request_body; content:"CFG="; depth:4; content:"&Lng="; distance:0; content:"&sinst="; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:command-and-control; sid:2019498; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"=0"; content:"=0000"; distance:3; fast_pattern; pcre:"/=0[0-2](?:&\w+=[a-fA-F0-9]{8}){2}&\w+=[a-fA-F0-9]+$/"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019500; rev:3; metadata:created_at 2014_10_24, updated_at 2020_05_12;)
 
@@ -34826,43 +33384,43 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OLDBAIT Checkin 2
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chopstick Checkin (APT28 Related)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webhp?rel="; fast_pattern; content:"ai="; distance:0; pcre:"/^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})+/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,6fc8602c8b3a18765bb6d2307d8a4ae1; classtype:targeted-activity; sid:2019537; rev:4; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adawareblock.com"; flow:established,to_server; http.header; content:"Host|3a 20|adawareblock.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019546; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adawareblock.com"; flow:established,to_server; http.header; content:"Host|3a 20|adawareblock.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019546; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adobeincorp.com"; flow:established,to_server; http.header; content:"Host|3a 20|adobeincorp.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019547; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adobeincorp.com"; flow:established,to_server; http.header; content:"Host|3a 20|adobeincorp.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019547; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request azureon-line.com"; flow:established,to_server; http.header; content:"Host|3a 20|azureon-line.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019548; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request azureon-line.com"; flow:established,to_server; http.header; content:"Host|3a 20|azureon-line.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019548; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019549; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019549; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkwinframe.com"; flow:established,to_server; http.header; content:"Host|3a 20|checkwinframe.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019550; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkwinframe.com"; flow:established,to_server; http.header; content:"Host|3a 20|checkwinframe.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019550; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request check-fix.com"; flow:established,to_server; http.header; content:"Host|3a 20|check-fix.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019551; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request check-fix.com"; flow:established,to_server; http.header; content:"Host|3a 20|check-fix.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019551; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request hotfix-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|hotfix-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019552; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request hotfix-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|hotfix-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019552; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsofi.org"; flow:established,to_server; http.header; content:"Host|3a 20|microsofi.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019553; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsofi.org"; flow:established,to_server; http.header; content:"Host|3a 20|microsofi.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019553; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsof-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|microsof-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019554; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsof-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|microsof-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019554; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request scanmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|scanmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019555; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request scanmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|scanmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019555; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request secnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|secnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019556; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request secnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|secnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019556; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request securitypractic.com"; flow:established,to_server; http.header; content:"Host|3a 20|securitypractic.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019557; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request securitypractic.com"; flow:established,to_server; http.header; content:"Host|3a 20|securitypractic.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019557; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testservice24.net"; flow:established,to_server; http.header; content:"Host|3a 20|testservice24.net|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019558; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testservice24.net"; flow:established,to_server; http.header; content:"Host|3a 20|testservice24.net|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019558; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testsnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|testsnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019559; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testsnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|testsnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019559; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatepc.org"; flow:established,to_server; http.header; content:"Host|3a 20|updatepc.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019560; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatepc.org"; flow:established,to_server; http.header; content:"Host|3a 20|updatepc.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019560; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatesoftware24.com"; flow:established,to_server; http.header; content:"Host|3a 20|updatesoftware24.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019561; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatesoftware24.com"; flow:established,to_server; http.header; content:"Host|3a 20|updatesoftware24.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019561; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request windows-updater.com"; flow:established,to_server; http.header; content:"Host|3a 20|windows-updater.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019562; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request windows-updater.com"; flow:established,to_server; http.header; content:"Host|3a 20|windows-updater.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019562; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.org"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019563; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.org"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019563; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request symanttec.org"; flow:established,to_server; http.header; content:"Host|3a 20|symanttec.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019583; rev:2; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request symanttec.org"; flow:established,to_server; http.header; content:"Host|3a 20|symanttec.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019583; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Coreshell Checkin (APT28 Related)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/~xh/sn.cgi?"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,272f0fde35dbdfccbca1e33373b3570d; classtype:targeted-activity; sid:2019539; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
 
@@ -34880,41 +33438,41 @@ alert http 195.22.26.192/26 any -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request malwarecheck.info"; flow:established,to_server; http.header; content:"Host|3a 20|malwarecheck.info|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019641; rev:3; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; depth:38; http.request_body; content:"act="; depth:4; content:"&atom="; distance:0; fast_pattern; content:"&id="; distance:0; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:command-and-control; sid:2019653; rev:4; metadata:created_at 2014_11_05, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; depth:38; http.request_body; content:"act="; depth:4; content:"&atom="; distance:0; fast_pattern; content:"&id="; distance:0; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:command-and-control; sid:2019653; rev:4; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.FakeMS Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.header; content:!"Referer"; http.request_body; content:"|20|(64|20|=|20|"; content:")|20|EXE|20|=|20|"; distance:1; within:8; pcre:"/^\x5b[^\r\n]+\(64\s=\s\d\)\sEXE\s=/"; reference:md5,e606e56a222f788ab5cbcf40842cbc39; reference:md5,099dc535bdd09d6a7bc4edabc8ded5de; classtype:command-and-control; sid:2019654; rev:7; metadata:created_at 2014_11_05, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.FakeMS Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.header; content:!"Referer"; http.request_body; content:"|20|(64|20|=|20|"; content:")|20|EXE|20|=|20|"; distance:1; within:8; pcre:"/^\x5b[^\r\n]+\(64\s=\s\d\)\sEXE\s=/"; reference:md5,e606e56a222f788ab5cbcf40842cbc39; reference:md5,099dc535bdd09d6a7bc4edabc8ded5de; classtype:command-and-control; sid:2019654; rev:7; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yjcontactus"; content:"view="; nocase; reference:url,packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt; classtype:web-application-attack; sid:2013816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smoke Loader Checkin r=gate"; flow:established,to_server; http.uri; content:".php?r=gate&"; content:"&group="; distance:0; content:"&debug="; distance:0; http.user_agent; content:"5.0 (Windows|3b 20|U|3b 20|MSIE 9"; reference:md5,7ef1e61d9b394a972516cc453bf0ec06; classtype:command-and-control; sid:2014728; rev:7; metadata:created_at 2012_05_09, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smoke Loader Checkin r=gate"; flow:established,to_server; http.uri; content:".php?r=gate&"; content:"&group="; distance:0; content:"&debug="; distance:0; http.user_agent; content:"5.0 (Windows|3b 20|U|3b 20|MSIE 9"; reference:md5,7ef1e61d9b394a972516cc453bf0ec06; classtype:command-and-control; sid:2014728; rev:7; metadata:created_at 2012_05_10, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mac/update.zip"; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019665; rev:3; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mac/update.zip"; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019665; rev:3; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for www.comeinbaby.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"www.comeinbaby.com"; startswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019666; rev:4; metadata:created_at 2014_11_06, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for www.comeinbaby.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"www.comeinbaby.com"; startswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019666; rev:4; metadata:created_at 2014_11_07, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miuref/Boaxxe Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"bB"; offset:2; depth:2; content:"MqrU"; within:20; content:"VAMU"; within:29; fast_pattern; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:command-and-control; sid:2019683; rev:7; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miuref/Boaxxe Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"bB"; offset:2; depth:2; content:"MqrU"; within:20; content:"VAMU"; within:29; fast_pattern; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:command-and-control; sid:2019683; rev:7; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:4; metadata:created_at 2014_11_10, updated_at 2020_05_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:4; metadata:created_at 2014_11_11, updated_at 2020_05_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; http.uri; content:"/cgi-bin/r.cgi"; nocase; depth:14; content:"p="; nocase; content:"h="; nocase; content:"u="; nocase; content:"q="; nocase; content:"t="; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11; metadata:created_at 2011_07_04, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta URI Struct"; flow:established,to_server; urilen:>64; flowbits:set,ET.Fiesta.Exploit.URI; http.uri; content:"|3b|"; offset:63; fast_pattern; content:!"="; content:!"&"; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/"; classtype:exploit-kit; sid:2018407; rev:10; metadata:created_at 2014_04_22, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta URI Struct"; flow:established,to_server; urilen:>64; flowbits:set,ET.Fiesta.Exploit.URI; http.uri; content:"|3b|"; offset:63; fast_pattern; content:!"="; content:!"&"; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/"; classtype:exploit-kit; sid:2018407; rev:10; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; http.content_type; content:"image/"; depth:6; file.data; content:"Rar!"; within:4; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; classtype:trojan-activity; sid:2008754; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker User-agent (globalupdate)"; flow:to_server,established; flowbits:set,ET.WireLurkerUA; http.user_agent; content:"globalupdate"; depth:12; reference:url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:2019660; rev:5; metadata:created_at 2014_11_06, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Asprox Pizza"; flow:established,to_server; http.uri; content:"/title.php?pizza="; pcre:"/^[a-zA-Z0-9+/]{43}/R"; reference:url,www.malware-traffic-analysis.net/2014/10/28/index.html; classtype:trojan-activity; sid:2019713; rev:3; metadata:created_at 2014_11_14, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Asprox Pizza"; flow:established,to_server; http.uri; content:"/title.php?pizza="; pcre:"/^[a-zA-Z0-9+/]{43}/R"; reference:url,www.malware-traffic-analysis.net/2014/10/28/index.html; classtype:trojan-activity; sid:2019713; rev:3; metadata:created_at 2014_11_15, updated_at 2020_05_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; http.uri; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:4; metadata:created_at 2014_05_21, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Photos/Query.cgi?loginid="; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016820; rev:4; metadata:created_at 2013_05_03, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Photos/Query.cgi?loginid="; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016820; rev:4; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Catelog/login1.cgi"; fast_pattern; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016821; rev:5; metadata:created_at 2013_05_03, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Catelog/login1.cgi"; fast_pattern; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016821; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alureon Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:command-and-control; sid:2019717; rev:3; metadata:created_at 2014_11_17, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alureon Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:command-and-control; sid:2019717; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for manhuaba.com.cn"; flow:established,to_server; http.method; content:"GET"; http.host; content:"manhuaba.com.cn"; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019731; rev:4; metadata:created_at 2014_11_17, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for manhuaba.com.cn"; flow:established,to_server; http.method; content:"GET"; http.host; content:"manhuaba.com.cn"; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019731; rev:4; metadata:created_at 2014_11_18, updated_at 2020_05_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ncsi.txt"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; content:"|0d 0a|Host|0d 0a|"; depth:8; http.user_agent; content:"Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; fast_pattern; classtype:trojan-activity; sid:2019754; rev:4; metadata:created_at 2014_11_20, updated_at 2020_05_13;)
 
@@ -34926,55 +33484,51 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M2
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"php|3a 2f 2f|input"; fast_pattern; http.request_body; content:"<?"; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:4; metadata:created_at 2014_11_25, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; content:"&uid="; distance:0; content:"&sid="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; http.user_agent; content:"|20|Android|20|"; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_11_25, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_13;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinHttpRequest (flowbits no alert)"; flow:established,to_server; flowbits:set,et.WinHttpRequest; flowbits:noalert; http.host; content:!".microsoft.com"; endswith; content:!".qq.com"; endswith; http.user_agent; content:"WinHttp.WinHttpRequest"; fast_pattern; classtype:trojan-activity; sid:2019821; rev:9; metadata:created_at 2014_12_01, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/payment_gateway/"; startswith; content:".gz"; distance:0; endswith; pcre:"/\/[a-z0-9]{3,}\.gz$/"; http.user_agent; content:"OperaMini"; depth:9; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:command-and-control; sid:2019824; rev:4; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_05_14;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coinminer.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:".php?id="; http.user_agent; content:"Mozzilla/4.0 (copmatible|3B|"; fast_pattern; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019826; rev:5; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coinminer.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:".php?id="; http.user_agent; content:"Mozzilla/4.0 (copmatible|3B|"; fast_pattern; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019826; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Wadolin.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/upgrade-functions.php?v="; fast_pattern; content:"&id="; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.1|3B| Windows XP)"; startswith; reference:md5,693c007d651bb5a8c6d2a4f5ed65a69c; classtype:command-and-control; sid:2019827; rev:3; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Wadolin.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/upgrade-functions.php?v="; fast_pattern; content:"&id="; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.1|3B| Windows XP)"; startswith; reference:md5,693c007d651bb5a8c6d2a4f5ed65a69c; classtype:command-and-control; sid:2019827; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex v2 POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Authorization|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; content:"Authorization|3a 20|Basic"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; reference:url,securityblog.s21sec.com/2014/11/dridex-learns-new-trick-p2p-over-http.html; classtype:command-and-control; sid:2019830; rev:3; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Cryptexplorer API Check - Potential CoinMiner Traffic"; flow:established,to_server; http.uri; content:"/api/"; startswith; content:"coin/balance/"; distance:0; fast_pattern; pcre:"/^\/api\/(?:bit|lite)coin\/balance\//"; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019825; rev:4; metadata:created_at 2014_12_01, former_category COINMINER, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Cryptexplorer API Check - Potential CoinMiner Traffic"; flow:established,to_server; http.uri; content:"/api/"; startswith; content:"coin/balance/"; distance:0; fast_pattern; pcre:"/^\/api\/(?:bit|lite)coin\/balance\//"; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019825; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; http.uri.raw; content:"%252E%252E%252F"; nocase; classtype:misc-attack; sid:2019880; rev:5; metadata:created_at 2014_12_05, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; http.uri.raw; content:"%252E%252E%252F"; nocase; classtype:misc-attack; sid:2019880; rev:5; metadata:created_at 2014_12_06, updated_at 2020_05_14;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Insomnia Shell HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.request_body; content:"txtRemoteHost="; fast_pattern; content:"txtRemotePort="; distance:0; content:"txtBindPort="; distance:0; content:"txtPipeName="; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019899; rev:3; metadata:created_at 2014_12_09, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/pandora_console/mobile/index.php"; http.request_body; content:"action=login"; fast_pattern; content:"user="; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:4; metadata:created_at 2014_12_09, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/pandora_console/mobile/index.php"; http.request_body; content:"action=login"; fast_pattern; content:"user="; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:4; metadata:created_at 2014_12_10, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; http.header; content:"QHN5c3Rl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:7; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TRCrypt.ULPM Downloader CnC Beacon"; flow:established,to_server; http.uri; content:".aspx?id="; content:"&macaddress="; content:"&pcname="; content:"&username="; content:"&osversion="; content:"&versaoatual="; fast_pattern; content:"&winkey="; reference:md5,3b4f77eefd208f699e6a540878e753a8; classtype:command-and-control; sid:2019947; rev:3; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TRCrypt.ULPM Downloader CnC Beacon"; flow:established,to_server; http.uri; content:".aspx?id="; content:"&macaddress="; content:"&pcname="; content:"&username="; content:"&osversion="; content:"&versaoatual="; fast_pattern; content:"&winkey="; reference:md5,3b4f77eefd208f699e6a540878e753a8; classtype:command-and-control; sid:2019947; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; http.uri; content:"?cmd=ZXhpdA=="; fast_pattern; http.user_agent; content:"Mozilla 5"; startswith; reference:url,seclists.org/fulldisclosure/2014/Nov/78; classtype:bad-unknown; sid:2019951; rev:3; metadata:created_at 2014_12_16, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; http.request_body; content:"name=|22|softwareVersion|22|"; nocase; content:"name=|22|isEnc|22|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019959; rev:4; metadata:created_at 2014_12_17, former_category MOBILE_MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; http.request_body; content:"name=|22|softwareVersion|22|"; nocase; content:"name=|22|isEnc|22|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019959; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; http.user_agent; content:"UAC/"; depth:4; fast_pattern; content:"|28|Android|20|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:4; metadata:created_at 2014_12_17, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAXV Retrieving key from Pinterest"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pin/"; depth:5; http.header; content:"User-Agent|3a 20|Internet Explorer 6.0|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f25a8e3f5265a57269590b84a506b672; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/; classtype:trojan-activity; sid:2019961; rev:4; metadata:created_at 2014_12_17, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAXV Retrieving key from Pinterest"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pin/"; depth:5; http.header; content:"User-Agent|3a 20|Internet Explorer 6.0|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f25a8e3f5265a57269590b84a506b672; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/; classtype:trojan-activity; sid:2019961; rev:4; metadata:created_at 2014_12_18, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Accept|3a 20|acunetix"; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:2019963; rev:3; metadata:created_at 2014_12_17, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Accept|3a 20|acunetix"; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:2019963; rev:3; metadata:created_at 2014_12_18, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css.ashx?"; depth:10; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019985; rev:3; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css.ashx?"; depth:10; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019985; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon?"; depth:9; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019986; rev:3; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon?"; depth:9; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019986; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Generic.5325921 Checkin"; flow:to_server,established; http.uri; content:"?p="; content:"&botmajor="; content:"&botminor="; content:"&osmajor="; content:"&osminor="; reference:url,www.threatexpert.com/report.aspx?md5=203cec547d7d7d7b3a51084ad1abd793; classtype:command-and-control; sid:2020090; rev:4; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Generic.5325921 Checkin"; flow:to_server,established; http.uri; content:"?p="; content:"&botmajor="; content:"&botminor="; content:"&osmajor="; content:"&osminor="; reference:md5,203cec547d7d7d7b3a51084ad1abd793; classtype:command-and-control; sid:2020090; rev:4; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_05_14;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; http.uri; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:3; metadata:created_at 2015_01_05, updated_at 2020_05_14;)
 
@@ -34982,19 +33536,19 @@ alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm -
 
 alert http any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; http.server; content:"RomPager"; nocase; startswith; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:3; metadata:created_at 2015_01_06, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Lockbit Ransomware Payment Domain"; flow:established,to_server; http.host; content:"lockbit-decryptor.com"; endswith; fast_pattern; classtype:trojan-activity; sid:2030166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_14, deployment Perimeter, former_category POLICY, malware_family LockBit, signature_severity Informational, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Lockbit Ransomware Payment Domain"; flow:established,to_server; http.host; content:"lockbit-decryptor.com"; endswith; fast_pattern; classtype:trojan-activity; sid:2030166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_14, deployment Perimeter, former_category POLICY, malware_family LockBit, signature_severity Major, tag Ransomware, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check ip-addr.es"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip-addr.es"; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020105; rev:3; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check curlmyip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"curlmyip.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020106; rev:3; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.header; content:"MASE|0d 0a|"; http.request_body; content:"name=|22|c1|22 0d 0a 0d 0a|c"; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:command-and-control; sid:2020156; rev:8; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.header; content:"MASE|0d 0a|"; http.request_body; content:"name=|22|c1|22 0d 0a 0d 0a|c"; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:command-and-control; sid:2020156; rev:8; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?"; content:"system|28|"; distance:0; classtype:web-application-attack; sid:2020102; rev:5; metadata:created_at 2015_01_06, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?"; content:"system|28|"; distance:0; classtype:web-application-attack; sid:2020102; rev:5; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0000"; offset:2; pcre:"/^\/[^\x2f]+\/0000[A-F0-9]{4}\/0[0-2]\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1a5ee37a6075b5a95faf8f07ad060cc9; classtype:trojan-activity; sid:2025087; rev:3; metadata:created_at 2015_01_08, former_category TROJAN, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0000"; offset:2; pcre:"/^\/[^\x2f]+\/0000[A-F0-9]{4}\/0[0-2]\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1a5ee37a6075b5a95faf8f07ad060cc9; classtype:trojan-activity; sid:2025087; rev:3; metadata:created_at 2015_01_09, former_category TROJAN, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; depth:2; content:"/0000"; distance:2; pcre:"/^\/0[0-2]\/[^\x2f]+\/0000[A-F0-9]{4}\/[^\x2f]+\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2025088; rev:3; metadata:created_at 2015_01_08, former_category TROJAN, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; depth:2; content:"/0000"; distance:2; pcre:"/^\/0[0-2]\/[^\x2f]+\/0000[A-F0-9]{4}\/[^\x2f]+\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2025088; rev:3; metadata:created_at 2015_01_09, former_category TROJAN, updated_at 2020_05_14;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename svchost.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"svchost.exe"; nocase; fast_pattern; within:11; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]svchost\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020198; rev:6; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
 
@@ -35026,19 +33580,19 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPres
 
 #alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030175; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_05_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_02_02, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_15, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor User-Agent (ALIZER)"; flow:established,to_server; http.user_agent; content:"ALIZER"; bsize:6; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:3; metadata:created_at 2015_02_02, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor User-Agent (ALIZER)"; flow:established,to_server; http.user_agent; content:"ALIZER"; bsize:6; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:3; metadata:created_at 2015_02_03, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/input_data_get_contact.asp?user="; content:"&pwd="; content:"&addr="; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:command-and-control; sid:2020353; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/input_data_get_contact.asp?user="; content:"&pwd="; content:"&addr="; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:command-and-control; sid:2020353; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_05_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WPScan User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"WPScan v"; depth:8; reference:url,github.com/wpscanteam/wpscan; classtype:web-application-attack; sid:2020338; rev:4; metadata:created_at 2015_01_30, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; http.uri; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"XAgent/1."; depth:9; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:4; metadata:created_at 2015_02_04, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; http.uri; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"XAgent/1."; depth:9; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:4; metadata:attack_target Mobile_Client, created_at 2015_02_05, former_category MOBILE_MALWARE, updated_at 2020_05_15, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; http.user_agent; content:"XAgent/1."; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:4; metadata:created_at 2015_02_04, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; http.user_agent; content:"XAgent/1."; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:4; metadata:created_at 2015_02_05, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DEEP PANDA C2 Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+8.0|3b|+Windows+NT+5.1|3b|+SV1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; http.request_body; content:"|00 00 00 00 00|"; classtype:command-and-control; sid:2020373; rev:6; metadata:created_at 2015_02_05, former_category MALWARE, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DEEP PANDA C2 Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+8.0|3b|+Windows+NT+5.1|3b|+SV1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; http.request_body; content:"|00 00 00 00 00|"; classtype:command-and-control; sid:2020373; rev:6; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_05_15;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rovnix.J Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"[0]|0d 0a|LP="; content:"|0a|VID="; distance:0; reference:md5,9471e926eda81b4f797b6cfe273e4e79; classtype:command-and-control; sid:2020396; rev:3; metadata:created_at 2015_02_11, former_category MALWARE, updated_at 2020_05_15;)
 
@@ -35046,15 +33600,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Retrieving res
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSI 6.0|3b 20|"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020471; rev:3; metadata:created_at 2015_02_18, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n.php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; depth:3; content:"&Action="; distance:0; fast_pattern; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020474; rev:3; metadata:created_at 2015_02_18, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n.php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; depth:3; content:"&Action="; distance:0; fast_pattern; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020474; rev:3; metadata:created_at 2015_02_19, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Jar URI Struct"; flow:established,to_server; http.uri; content:".jar"; pcre:"/(?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2020476; rev:4; metadata:created_at 2015_02_18, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Jar URI Struct"; flow:established,to_server; http.uri; content:".jar"; pcre:"/(?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2020476; rev:4; metadata:created_at 2015_02_19, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/set.php?ID="; depth:12; content:"&Action="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020489; rev:3; metadata:created_at 2015_02_19, former_category MALWARE, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/set.php?ID="; depth:12; content:"&Action="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020489; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sys/"; fast_pattern; pcre:"/t=1?\d\/[0-3]?\d\/201\d [0-2]?\d\x3a[0-5]\d\x3a[0-5]\d [AP]M$/"; pcre:"/^\/sys\/(?:who|genid|data|upload|update)/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020431; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/customer/do_it"; fast_pattern; http.user_agent; content:"Internet"; bsize:8; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"pn="; content:"&data="; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020433; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/customer/do_it"; fast_pattern; http.user_agent; content:"Internet"; bsize:8; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"pn="; content:"&data="; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020433; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_05_15;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)"; flow:established,from_server; flowbits:isset,exe.no.referer; http.header; content:"Server|3a 20|HFS"; fast_pattern; file.data; content:"MZ"; within:2; classtype:exploit-kit; sid:2020500; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_05_15;)
 
@@ -35076,13 +33630,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Activation
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Checkin"; flow:established,to_server; http.uri; content:"/safecontent.php?"; http.user_agent; content:"Mozilla/5.0 (Windows|3b| U|3b| MSIE 7.0|3b| Windows NT 6.0|3b| en-US)"; fast_pattern; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020579; rev:3; metadata:created_at 2015_02_27, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LogPOS Sending Data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?encoding="; fast_pattern; content:"&t="; distance:0; content:"&cc="; distance:0; content:"&process="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,morphick.net/blog/2015/2/27/mailslot-pos; classtype:trojan-activity; sid:2020602; rev:3; metadata:created_at 2015_03_03, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LogPOS Sending Data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?encoding="; fast_pattern; content:"&t="; distance:0; content:"&cc="; distance:0; content:"&process="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,morphick.net/blog/2015/2/27/mailslot-pos; classtype:trojan-activity; sid:2020602; rev:3; metadata:created_at 2015_03_04, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; content:"/"; distance:0; pcre:"/^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; http.user_agent; content:"MSIE 7.0|3b|"; fast_pattern; content:"Windows NT 6.0"; within:15; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:command-and-control; sid:2019693; rev:6; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; content:"/"; distance:0; pcre:"/^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; http.user_agent; content:"MSIE 7.0|3b|"; fast_pattern; content:"Windows NT 6.0"; within:15; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:command-and-control; sid:2019693; rev:6; metadata:created_at 2014_11_12, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE rechnung zip file download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rechnung"; fast_pattern; nocase; content:".zip"; nocase; distance:0; endswith; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020622; rev:4; metadata:created_at 2015_03_05, former_category CURRENT_EVENTS, updated_at 2020_05_15;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pandora Usage"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 3600; http.method; content:"POST"; http.uri; content:"/radio/xmlrpc/"; http.host; content:"pandora.com"; endswith; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:4; metadata:created_at 2012_07_02, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pandora Usage"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 3600; http.method; content:"POST"; http.uri; content:"/radio/xmlrpc/"; http.host; content:"pandora.com"; endswith; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:4; metadata:created_at 2012_07_03, updated_at 2020_05_15;)
 
 #alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030167; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_05_14, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
 
@@ -35100,11 +33652,11 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Respo
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil Via SMTP"; flow:established,to_server; content:"|0d 0a|Time|3a 20|"; content:"<br>User Name|3a 20|"; distance:0; content:"<br>OSFullName|3a 20|"; distance:0; fast_pattern; reference:md5,b8b71fc1124765b75b3aa3be805e9d12; classtype:trojan-activity; sid:2030171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2020_05_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to NOIP DynDNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030172; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to NOIP DynDNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030172; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to ChangeIP Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, 
former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to ChangeIP Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, 
former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030174; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030174; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030188; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
@@ -35116,11 +33668,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getresponse.php?slave="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030192; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (info)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|info=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, updated_at 2020_05_19;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (gen)"; flow:established,to_server; content:"|0d 0a 0d 0a|gen="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (info)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|info=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (id)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&mass="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (id)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&mass="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/spywall/timeConfig.php"; bsize:23; fast_pattern; http.user_agent; content:"XTC"; http.request_body; content:"posttime="; content:"&saveForm="; content:"&timesync="; content:"&ntpserver="; content:"wget"; content:"/tmp/viktor|29 3b|"; content:"timezone="; reference:url,unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/; classtype:attempted-user; sid:2030193; rev:1; metadata:attack_target Web_Server, created_at 2020_05_19, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
@@ -35128,51 +33678,53 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Exploit Su
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamarue/Andromeda Downloading Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:3; metadata:created_at 2015_03_12, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkness DDoS Bot Checkin"; flow:established,to_server; http.uri; content:".php?uid="; nocase; content:"&ver="; distance:0; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(?:&traff=\d+)?$/"; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"darkness"; depth:8; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:url,ef.kaffenews.com/?p=833; reference:url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68; reference:url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440; reference:url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524; reference:url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f; classtype:command-and-control; sid:2011996; rev:14; metadata:created_at 2010_12_06, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkness DDoS Bot Checkin"; flow:established,to_server; http.uri; content:".php?uid="; nocase; content:"&ver="; distance:0; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(?:&traff=\d+)?$/"; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"darkness"; depth:8; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:md5,7fcebf5bd67cede35d08bedd683e3524; reference:md5,60c84bb1ca03f80ca385f16946322440; reference:md5,778113cc4e758ed65de0123bb79cbd1f; reference:md5,55edeb8742f0c38aaa3d984eb4205c68; reference:url,ef.kaffenews.com/?p=833; classtype:command-and-control; sid:2011996; rev:14; metadata:created_at 2010_12_06, former_category MALWARE, updated_at 2020_05_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicepass CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?data="; depth:16; http.header; content:!"User-Agent|3a|"; content:!"Accept"; content:!"Referer|3a|"; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/mi"; reference:md5,5f1997927e94b98982e5ee2cea095956; classtype:command-and-control; sid:2020690; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicepass CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?data="; depth:16; http.header; content:!"User-Agent|3a|"; content:!"Accept"; content:!"Referer|3a|"; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/mi"; reference:md5,5f1997927e94b98982e5ee2cea095956; classtype:command-and-control; sid:2020690; rev:3; metadata:created_at 2015_03_13, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE - Fake UA"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".exe"; endswith; http.header_names; content:!"Accept-"; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035044; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WMN CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent"; depth:59; fast_pattern; http.request_body; content:"="; offset:4; depth:9; content:"=&"; distance:55; within:2; pcre:"/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/"; reference:md5,3031604f1cf95ee4ccc339c9e4d5b92f; classtype:command-and-control; sid:2020708; rev:3; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WMN CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent"; depth:59; fast_pattern; http.request_body; content:"="; offset:4; depth:9; content:"=&"; distance:55; within:2; pcre:"/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/"; reference:md5,3031604f1cf95ee4ccc339c9e4d5b92f; classtype:command-and-control; sid:2020708; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RocketKitten APT Checkin"; flow:to_server,established; http.uri; content:"/index.php?c="; content:"&r="; distance:0; http.header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123; reference:md5,f89a4d4ae5cca6d69a5256c96111e707; classtype:targeted-activity; sid:2020078; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?U3ViamVjdD1"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020718; rev:4; metadata:created_at 2015_03_20, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?U3ViamVjdD1"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020718; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Payload URI Struct March 20 2015"; flow:established,to_server; urilen:>220; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2020720; rev:3; metadata:created_at 2015_03_20, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Payload URI Struct March 20 2015"; flow:established,to_server; urilen:>220; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2020720; rev:3; metadata:created_at 2015_03_21, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"uid="; depth:4; content:"&win="; distance:0; content:"&vers="; distance:0; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:command-and-control; sid:2020724; rev:3; metadata:created_at 2015_03_20, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"uid="; depth:4; content:"&win="; distance:0; content:"&vers="; distance:0; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:command-and-control; sid:2020724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; http.uri; content:"/api/log.html|3f|"; fast_pattern; content:"c="; content:"&o="; content:"&n="; http.user_agent; content:"Apache-HttpClient"; depth:18; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy Checkin"; flow:to_server,established; http.uri; content:"/get_"; content:"did="; http.user_agent; content:"Downloader"; depth:10; reference:md5,73d2dd466df92b77a4c34adcd13e8b50; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces; classtype:command-and-control; sid:2018341; rev:8; metadata:created_at 2013_09_11, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?ext="; within:7; fast_pattern; content:"&pid="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa9542f02b26a554650a9649d2239181; classtype:command-and-control; sid:2020737; rev:3; metadata:created_at 2015_03_24, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?ext="; within:7; fast_pattern; content:"&pid="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa9542f02b26a554650a9649d2239181; classtype:command-and-control; sid:2020737; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"b3NfbmFtZT"; depth:10; fast_pattern; pcre:"/^[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"b3NfbmFtZT"; depth:10; fast_pattern; pcre:"/^[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Jm9zX3ZlbmRvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Jm9zX3ZlbmRvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Zvc192ZW5kb3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Zvc192ZW5kb3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"mb3NfdmVuZG9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"mb3NfdmVuZG9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"Windows NT"; classtype:trojan-activity; sid:2019457; rev:14; metadata:created_at 2014_10_17, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B ClickFraud Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/item/fmt?ct="; depth:13; fast_pattern; http.referer; pcre:"/^http\x3a\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r?$/i"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020750; rev:5; metadata:created_at 2015_03_25, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B ClickFraud Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/item/fmt?ct="; depth:13; fast_pattern; http.referer; pcre:"/^http\x3a\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r?$/i"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020750; rev:5; metadata:created_at 2015_03_26, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (ext)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|5|0d 0a 0d 0a|ext=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030185; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (ext)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|5|0d 0a 0d 0a|ext=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030185; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (name)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|name=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (name)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|name=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JS/Magecart Domain in TLS SNI (manag .icu)"; flow:established,to_server; tls.sni; content:"manag.icu"; bsize:9; reference:url,twitter.com/felixaime/status/1263134882991046658; classtype:domain-c2; sid:2030194; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Remote Access - RView - Host - *.rview.com"; flow:established,to_server; http.host; content:".rview.com"; endswith; classtype:policy-violation; sid:2020804; rev:4; metadata:created_at 2015_03_30, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Remote Access - RView - Host - *.rview.com"; flow:established,to_server; http.host; content:".rview.com"; endswith; classtype:policy-violation; sid:2020804; rev:4; metadata:created_at 2015_03_31, updated_at 2020_05_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive Fake User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020810; rev:5; metadata:created_at 2015_03_31, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?win="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020812; rev:5; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?win="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020812; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?micro="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020813; rev:5; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?micro="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020813; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Skyfall fake Skype install link"; flow:established,to_server; http.uri; content:"/video/?n="; depth:10; reference:url,www.windowstechupdates.com/omg-video-httpskypepopvideo-netvideonskype-user-name-virus/; reference:url,securelist.com/blog/incidents/69065/skyfall-meets-skype/; classtype:trojan-activity; sid:2020801; rev:5; metadata:created_at 2015_03_30, updated_at 2020_05_21;)
 
@@ -35180,17 +33732,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip-whois"; flow:established,to_server; http.host; content:"ip-whois.net"; bsize:12; classtype:external-ip-check; sid:2020831; rev:5; metadata:created_at 2015_04_02, former_category POLICY, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mikey Variant HTTP CnC Beacon 1"; flow:established,to_server; http.header; content:"Referer|3a 20|HTTP/1.0|0d 0a|"; depth:19; fast_pattern; http.header_names; content:!"Accept-"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020833; rev:4; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 1"; flow:established,to_server; http.header; content:"Referer|3a 20|HTTP/1.0|0d 0a|"; depth:19; fast_pattern; http.header_names; content:!"Accept-"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020833; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mikey Variant HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?N="; content:"["; distance:0; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020835; rev:4; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?N="; content:"["; distance:0; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020835; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hangover related campaign Response"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:!"Referer|0d 0a|"; file.data; content:"|3a 5c|Bootfile|5c|firewall|5c|1"; pcre:"/^[C-J]\r\n/R"; reference:md5,f761060ced467394a6f87fd2204c6a74; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018567; rev:5; metadata:created_at 2014_06_16, updated_at 2020_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hangover related campaign Response"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:!"Referer|0d 0a|"; file.data; content:"|3a 5c|Bootfile|5c|firewall|5c|1"; pcre:"/^[C-J]\r\n/R"; reference:md5,f761060ced467394a6f87fd2204c6a74; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018567; rev:5; metadata:created_at 2014_06_17, updated_at 2020_05_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant C&C activity"; flow:to_server,established; http.uri; content:"&Auth="; content:"&Session="; distance:0; content:"&DataID="; distance:0; content:"&FamilyID="; distance:0; reference:md5,8bbc55ec1a7e86cb21d3cda5ccb43e1e; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023909; rev:5; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_05_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SillyFDC WordPress Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?dm=6b2280e30391615dcaa18e533ccb99a9"; fast_pattern; depth:37; reference:md5,3c10f65f8c1a84c53d94c331a63cad06; classtype:trojan-activity; sid:2020845; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_04_06, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SillyFDC WordPress Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?dm=6b2280e30391615dcaa18e533ccb99a9"; fast_pattern; depth:37; reference:md5,3c10f65f8c1a84c53d94c331a63cad06; classtype:trojan-activity; sid:2020845; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_04_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_21;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/goformFOO/AlFrame?"; content:"/goformFOO/AlFrame?"; distance:0; content:"Gateway.Wan.dnsAddress1="; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
@@ -35198,11 +33750,11 @@ alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Cha
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1_x="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/webcm?"; fast_pattern; content:"getpage="; distance:0; content:"&var|3a|lang="; http.uri.raw; content:"|2e 2e|/html/menus/menu2.html"; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:5; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/webcm?"; fast_pattern; content:"getpage="; distance:0; content:"&var|3a|lang="; http.uri.raw; content:"|2e 2e|/html/menus/menu2.html"; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:5; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; urilen:26; http.method; content:"POST"; http.uri; content:"/apply.cgi?/BAS_update.htm"; http.request_body; content:"submit_flag=ether"; depth:17; fast_pattern; content:"&ether_dnsaddr1="; distance:0; nocase; content:"&Apply=Apply"; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:5; metadata:created_at 2015_04_07, updated_at 2020_05_21;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; urilen:26; http.method; content:"POST"; http.uri; content:"/apply.cgi?/BAS_update.htm"; http.request_body; content:"submit_flag=ether"; depth:17; fast_pattern; content:"&ether_dnsaddr1="; distance:0; nocase; content:"&Apply=Apply"; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:5; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; fast_pattern; content:"dnsserver="; distance:0; content:"&dnsserver2="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; fast_pattern; content:"dnsserver="; distance:0; content:"&dnsserver2="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/basic/uiViewIPAddr="; fast_pattern; content:"&uiViewDns1Mark="; distance:0; content:"&uiViewDns2Mark="; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
@@ -35222,51 +33774,53 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Externa
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; http.user_agent; content:"SAIv"; fast_pattern; reference:url,doc.emergingthreats.net/2003062; classtype:pup-activity; sid:2003062; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_10, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_11, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LankerBoy HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; http.header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:command-and-control; sid:2020902; rev:4; metadata:created_at 2015_04_13, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LankerBoy HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; http.header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:command-and-control; sid:2020902; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020908; rev:4; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020908; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download Jan 02 2014"; flow:established,from_server; http.content_type; content:"text/plain"; bsize:10; file.data; content:"ZZP|00|"; within:4; classtype:trojan-activity; sid:2018055; rev:5; metadata:created_at 2014_02_03, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log.php?id=|5b|"; fast_pattern; content:"|7c|"; distance:0; content:"|5d|"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020919; rev:4; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log.php?id=|5b|"; fast_pattern; content:"|7c|"; distance:0; content:"|5d|"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020919; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STTip.asp"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020924; rev:4; metadata:created_at 2015_04_15, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STTip.asp"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020924; rev:4; metadata:created_at 2015_04_16, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon Fake UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla Firefox/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020934; rev:4; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon Fake UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla Firefox/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020934; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"key="; depth:4; fast_pattern; pcre:"/^[A-Z]+$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020935; rev:4; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"key="; depth:4; fast_pattern; pcre:"/^[A-Z]+$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020935; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"bit="; depth:4; fast_pattern; pcre:"/^(?:32|64)$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020937; rev:4; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"bit="; depth:4; fast_pattern; pcre:"/^(?:32|64)$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020937; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; pcre:"/\/$/"; http.request_body; content:"unkey="; depth:6; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020938; rev:4; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; pcre:"/\/$/"; http.request_body; content:"unkey="; depth:6; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020938; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Win32/Tesch.B CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a 20|Internet  Explorer|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-f0-9]+(?:\x20[a-f0-9]+)+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0032395c3a980e09c511b6b41ab3da48; classtype:command-and-control; sid:2020945; rev:5; metadata:created_at 2015_04_17, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Win32/Tesch.B CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a 20|Internet  Explorer|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-f0-9]+(?:\x20[a-f0-9]+)+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0032395c3a980e09c511b6b41ab3da48; classtype:command-and-control; sid:2020945; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".jpg"; endswith; content:!"upload.wikimedia.org"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:11; metadata:created_at 2010_07_30, updated_at 2020_05_21;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access"; flow:established,to_server; http.uri; content:"Adminhtml"; nocase; content:!"|2f|admin|2f|"; nocase; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:attempted-admin; sid:2021005; rev:3; metadata:created_at 2015_04_24, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis Downloading EXE"; flow:established,to_server; http.uri; content:".jpg"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2021017; rev:3; metadata:created_at 2015_04_27, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis Downloading EXE"; flow:established,to_server; http.uri; content:".jpg"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2021017; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible ThousandEyes User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; fast_pattern; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021025; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET INFO Possible ThousandEyes User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; fast_pattern; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021026; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:9; depth:3; pcre:"/^\/-?[a-f0-9]{8,9}\/-?\d+(?:\.php|\/)$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:command-and-control; sid:2035045; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim Checkin"; flow:established,to_server; flowbits:set,ET.FB.troj; http.method; content:"GET"; http.uri; content:"/ok.txt"; endswith; http.user_agent; content:"AutoHotkey"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020348; rev:5; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2020_05_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".swf"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/m"; file.data; content:"WS"; within:3; classtype:exploit-kit; sid:2020981; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; fast_pattern; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:3; metadata:created_at 2015_05_05, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; fast_pattern; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:3; metadata:created_at 2015_05_06, updated_at 2020_05_21;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; http.header; content:!"|0d 0a|x-avast"; file.data; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:5; metadata:created_at 2012_09_28, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"JnB3ZD"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:3; metadata:created_at 2015_05_08, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"JnB3ZD"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"Zwd2Q9"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:3; metadata:created_at 2015_05_08, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"Zwd2Q9"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"mcHdkP"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:3; metadata:created_at 2015_05_08, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"mcHdkP"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|danutzbaiatfinutz"; fast_pattern; classtype:attempted-admin; sid:2030198; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_05_21, deployment Perimeter, signature_severity Minor, updated_at 2020_05_21;)
 
@@ -35284,7 +33838,7 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Authe
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BF Botnet CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ver="; content:"&os="; distance:0; content:"&binary="; distance:0; content:"&token="; distance:0; content:"&run_time="; distance:0; fast_pattern; http.header; content:"Pragma|3a 20 20|"; content:"Cache-Control|3a 20 20|"; reference:md5,3c475b319959069053191e740822fcd6; classtype:trojan-activity; sid:2030207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family BFBotnet, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected KETRUM2 CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?id="; http.accept; content:"text/html,text/xml,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; fast_pattern; content:"*/*"; distance:0; http.accept_lang; content:"q=0.8,en|3b|q=0.7"; http.header; content:!"Referer"; content:!"User-Agent"; reference:md5,278ac5d64e21a1ab63ec2c590a803253; classtype:command-and-control; sid:2030208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family APT15, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT15/NICKEL KETRUM CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?id="; http.accept; content:"text/html,text/xml,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; fast_pattern; content:"*/*"; distance:0; http.accept_lang; content:"q=0.8,en|3b|q=0.7"; http.header; content:!"Referer"; content:!"User-Agent"; reference:md5,278ac5d64e21a1ab63ec2c590a803253; classtype:command-and-control; sid:2030208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family APT15, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop Checkin"; flow:established,to_server; http.uri; content:".asp?sn="; content:"&tmac="; distance:0; content:"&action="; distance:0; content:"&ver="; distance:0; http.header; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x30442e9d036a40c8cbd41f8f4c9afab1ba\x20no-cache\r\n(?:\r\n)?$/"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:command-and-control; sid:2021103; rev:3; metadata:created_at 2015_05_15, former_category MALWARE, updated_at 2020_05_22;)
 
@@ -35294,9 +33848,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop UA singl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Hellsing Proxy Checker Checkin"; flow:established,to_server; http.uri; content:"/common.asp?action="; content:"&uid="; distance:0; content:"&lan="; distance:0; content:"&hname="; distance:7; within:22; content:"&uname="; distance:1; within:22; content:"&os="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b7e7186d962d562af6a5d10a25d19b02; reference:url,securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/; classtype:targeted-activity; sid:2021108; rev:4; metadata:created_at 2015_05_15, former_category MALWARE, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoyah CnC Beacon"; flow:established,to_server; http.header; content:"User-Agent|3a 20|MSIE|28|"; content:"|29 29 3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"|29 20|VR|28|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:command-and-control; sid:2021114; rev:3; metadata:created_at 2015_05_18, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoyah CnC Beacon"; flow:established,to_server; http.header; content:"User-Agent|3a 20|MSIE|28|"; content:"|29 29 3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"|29 20|VR|28|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:command-and-control; sid:2021114; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|*/*|0d 0a|"; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE "; content:".0|3B 20|Win32|29 3B 20|"; distance:1; within:15; fast_pattern; pcre:"/^\d+$/R"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:command-and-control; sid:2018462; rev:6; metadata:created_at 2014_05_09, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|*/*|0d 0a|"; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE "; content:".0|3B 20|Win32|29 3B 20|"; distance:1; within:15; fast_pattern; pcre:"/^\d+$/R"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:command-and-control; sid:2018462; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; http.uri; content:"/timezone/"; depth:10; http.host; content:"www.earthtools.org"; bsize:18; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:policy-violation; sid:2021120; rev:3; metadata:created_at 2015_05_20, updated_at 2020_05_22;)
 
@@ -35310,59 +33864,57 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Log
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:to_server,established; http.uri.raw; content:"/_plugin/"; fast_pattern; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:5; metadata:created_at 2015_05_22, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; content:"N0BRBh"; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021140; rev:3; metadata:created_at 2015_05_22, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; content:"N0BRBh"; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021140; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon Response"; flow:established,from_server; http.server; content:"Apache/20.2.25 (RedHat)"; fast_pattern; bsize:23; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021148; rev:3; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2020_05_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon Response"; flow:established,from_server; http.server; content:"Apache/20.2.25 (RedHat)"; fast_pattern; bsize:23; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021148; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; content:"&f="; distance:0; content:"&m="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021147; rev:4; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; content:"&f="; distance:0; content:"&m="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021147; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.header; content:" rv|3a|11.0"; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.header_names; content:!"|0d 0a|Accept-"; nocase; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:4; metadata:created_at 2015_04_07, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.header; content:" rv|3a|11.0"; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.header_names; content:!"|0d 0a|Accept-"; nocase; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Payload Instructions"; flow:established,to_server; urilen:45; http.method; content:"GET"; http.uri; content:"/uploads/"; depth:9; fast_pattern; content:".png"; distance:32; within:4; pcre:"/\/[a-f0-9]{32}\.png$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:3; metadata:created_at 2015_05_28, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Payload Instructions"; flow:established,to_server; urilen:45; http.method; content:"GET"; http.uri; content:"/uploads/"; depth:9; fast_pattern; content:".png"; distance:32; within:4; pcre:"/\/[a-f0-9]{32}\.png$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:3; metadata:created_at 2015_05_29, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action="; depth:7; content:"&uid="; distance:0; content:"key="; distance:0; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021168; rev:3; metadata:created_at 2015_05_28, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action="; depth:7; content:"&uid="; distance:0; content:"key="; distance:0; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021168; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_06_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_06_05, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_22, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IOS.Oneclickfraud HTTP Host"; flow:to_server,established; http.host; content:"eroeroou.com"; startswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-060111-2757-99&tabid=2; classtype:trojan-activity; sid:2021187; rev:3; metadata:created_at 2015_06_04, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IOS.Oneclickfraud HTTP Host"; flow:to_server,established; http.host; content:"eroeroou.com"; startswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-060111-2757-99&tabid=2; classtype:trojan-activity; sid:2021187; rev:3; metadata:created_at 2015_06_05, updated_at 2020_05_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Databack CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?pn="; fast_pattern; content:"&s="; distance:0; content:"&x="; distance:0; pcre:"/\.php\?pn=[^&]+&s=[0-9]+&x=0\.[0-9]{7}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc7b0c078482b68c1ff89da3ac88949b; classtype:command-and-control; sid:2021189; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IsSpace/Zacom Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.microsoft.com"; bsize:17; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b|Windows NT 5.1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021215; rev:3; metadata:created_at 2015_06_08, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IsSpace/Zacom Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.microsoft.com"; bsize:17; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b|Windows NT 5.1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021215; rev:3; metadata:created_at 2015_06_09, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Xpopup Instant Messenger Downloading Configuration"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/xpopinfo.dat"; fast_pattern; http.user_agent; content:"Mozilla/4.1 (compatible|3b 20|"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c7abe2297ee64362e33584f9f654ebd; classtype:policy-violation; sid:2021205; rev:5; metadata:created_at 2015_06_08, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Xpopup Instant Messenger Downloading Configuration"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/xpopinfo.dat"; fast_pattern; http.user_agent; content:"Mozilla/4.1 (compatible|3b 20|"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c7abe2297ee64362e33584f9f654ebd; classtype:policy-violation; sid:2021205; rev:5; metadata:created_at 2015_06_09, updated_at 2020_05_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet v2 Exfiltrating Outlook information"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<Information>"; fast_pattern; content:"<id>"; distance:0; content:"<Version>"; distance:0; content:"<profile>"; distance:0; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/analysis/69560/the-banking-trojan-emotet-detailed-analysis/; classtype:trojan-activity; sid:2020900; rev:4; metadata:created_at 2015_04_13, updated_at 2020_05_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/([a-z]{4,9}\/[a-z]{4,12}\?[a-z]{4,7}\=[0-9]{5,7})$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,adb3242f8efad48ca174a7e46991f507; classtype:trojan-activity; sid:2021246; rev:4; metadata:created_at 2015_06_11, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/p?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021088; rev:4; metadata:created_at 2015_05_12, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/p?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021088; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"."; distance:1; within:2; content:"_"; distance:0; pcre:"/^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021257; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"."; distance:1; within:2; content:"_"; distance:0; pcre:"/^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021257; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/?a="; depth:8; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:command-and-control; sid:2021262; rev:3; metadata:created_at 2015_06_12, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/?a="; depth:8; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:command-and-control; sid:2021262; rev:3; metadata:created_at 2015_06_13, former_category MALWARE, updated_at 2020_05_22;)
 
 alert tcp $HOME_NET [!$HTTP_PORTS,!445,!22] -> any any (msg:"ET EXPLOIT Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:5; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2020_05_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request for ISO File Direct to IP"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d+)?$/"; http.request_line; content:".iso HTTP/1."; fast_pattern; classtype:misc-activity; sid:2030205; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_05_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (checksoffice .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"checksoffice.me"; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030209; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (checksoffice .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"checksoffice.me"; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030209; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (plaintsotherest .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"plaintsotherest.net"; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030210; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (plaintsotherest .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"plaintsotherest.net"; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030210; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (thesawmeinrew .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"thesawmeinrew.net"; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030211; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (thesawmeinrew .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"thesawmeinrew.net"; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030211; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni Stage 2 Payload Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?client_id="; fast_pattern; http.request_body; content:"name=|22|fileToUpload|22 3b|"; content:"Upload|20|Image|0d 0a|----"; distance:0; content:"|00 00 00 00 00 00|"; endswith; reference:md5,d41b09aa32633d77a8856dae33b3d7b9; classtype:command-and-control; sid:2030219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Konni, updated_at 2020_05_26;)
 
-#alert dns $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; content:"|00 10 00 00|"; distance:0; endswith; reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:1; metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_26;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Uploader Accessed on External Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030212; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Uploader Accessed on Internal Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030213; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Critical, updated_at 2020_05_26;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity"; flow:established,to_server; http.start; content:"POST /qy/g"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"js=DhIhAwgjKRsxKCJdJjgcAjIzMREiAQQcJyghAjEsIgIkASoYIg"; startswith; fast_pattern; reference:md5,92a0de9944b6d180f072c4bce5250ec8; classtype:pup-activity; sid:2030222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Security Phishing Landing Page "; flow:to_client,established; file.data; content:"href=|22|/public/campaign/"; content:"src=|22|/public/campaign/"; distance:0; content:"no connection or relationship between the trademark owner and Lucy Security or the LUCY Security customer"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2030214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_05_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Security Phishing Landing Page"; flow:to_client,established; file.data; content:"href=|22|/public/campaign/"; content:"src=|22|/public/campaign/"; distance:0; content:"no connection or relationship between the trademark owner and Lucy Security or the LUCY Security customer"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2030214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_05_26;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion . ly)"; dns.query; content:".onion.ly"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2030215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_05_26;)
 
@@ -35372,7 +33924,7 @@ alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Ge
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Witch3r Mini Shell"; nocase; fast_pattern; content:"Mini-Shell</h1></font>"; nocase; distance:0; classtype:web-application-attack; sid:2030218; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-05-27)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anca-aste.it"; nocase; endswith; reference:md5,56470e113479eacda081c2eeead153bf; classtype:domain-c2; sid:2030223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_05_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-05-27)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anca-aste.it"; nocase; endswith; reference:md5,56470e113479eacda081c2eeead153bf; classtype:domain-c2; sid:2030223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_05_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Socelars Stealer CnC Activity"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1|0d 0a|"; bsize:17; http.request_body; content:"JSON=d0hy65aW"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,81a7f493c7b5a7c52ac19981a75f57df; classtype:command-and-control; sid:2030224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Soclears, signature_severity Major, updated_at 2020_05_27;)
 
@@ -35384,31 +33936,29 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO User-Agent (wininet)"; flow:established,to_server; flowbits:set,ET.wininet.UA; flowbits:noalert; http.header; content:"User-Agent|3a 20|wininet|0d 0a|"; classtype:misc-activity; sid:2021311; rev:4; metadata:created_at 2015_06_19, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/archive/"; nocase; offset:9; fast_pattern; content:".html"; nocase; distance:8; within:7; pcre:"/\/[a-f0-9]{8}\/archive\/\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021277; rev:5; metadata:created_at 2015_06_16, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/archive/"; nocase; offset:9; fast_pattern; content:".html"; nocase; distance:8; within:7; pcre:"/\/[a-f0-9]{8}\/archive\/\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021277; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Keatep.B Checkin"; flow:established,to_server; http.uri; content:"&id="; nocase; content:"&v="; pcre:"/\?[0-9a-f]{5,}=\d+&id=\d+&v=\d+$/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Keatep.B; reference:md5,239aacf49bb6381fd71841fda4d4ee58; classtype:command-and-control; sid:2011336; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/ftp/grabftp"; fast_pattern; content:".bin"; distance:0; endswith; pcre:"/^\/download\/ftp\/(?:grabftp|grabftp64)\.bin$/"; http.header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3B 20|x64)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:3; metadata:created_at 2015_06_23, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/check?iid="; fast_pattern; content:"kernel="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&kernel=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021334; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/check?iid="; fast_pattern; content:"kernel="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&kernel=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021334; rev:3; metadata:created_at 2015_06_23, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/compiler?iid="; fast_pattern; content:"username="; distance:0; content:"password="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&username=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021335; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/compiler?iid="; fast_pattern; content:"username="; distance:0; content:"password="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&username=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021335; rev:3; metadata:created_at 2015_06_23, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:to_server,established; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.host; content:!"reg.163.com"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:to_server,established; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.host; content:!"reg.163.com"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:8; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; offset:2; depth:7; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/i"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018681; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; offset:2; depth:7; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/i"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018681; rev:4; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_05_28;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/track/?ip="; fast_pattern; depth:11; content:"&data="; distance:0; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D/"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018682; rev:4; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/track/?ip="; fast_pattern; depth:11; content:"&data="; distance:0; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D/"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018682; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; http.uri; content:"viewtopic.php"; nocase; content:"highlight="; nocase; http.uri.raw; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:3; metadata:created_at 2015_07_07, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.request_body; content:"conteudo="; fast_pattern; depth:9; content:"&myFile="; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021404; rev:3; metadata:created_at 2015_07_10, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.request_body; content:"conteudo="; fast_pattern; depth:9; content:"&myFile="; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021404; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Waterspout.APT Backdoor CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"_id="; distance:3; within:4; fast_pattern; pcre:"/\/\d{5}\/(?P<s1>[a-z]{3})[a-z]\.php\?(?P=s1)_id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:targeted-activity; sid:2019115; rev:6; metadata:created_at 2014_09_04, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Waterspout.APT Backdoor CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"_id="; distance:3; within:4; fast_pattern; pcre:"/\/\d{5}\/(?P<s1>[a-z]{3})[a-z]\.php\?(?P=s1)_id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:targeted-activity; sid:2019115; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nymaim Checkin (2)"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; nocase; bsize:33; http.user_agent; content:"|20|MSIE|20|"; http.request_body; content:"filename="; depth:9; fast_pattern; content:"&data="; distance:0; pcre:"/^filename=[a-z]+?\.[a-z]+?&data=/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2016757; rev:11; metadata:created_at 2013_04_15, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nymaim Checkin (2)"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; nocase; bsize:33; http.user_agent; content:"|20|MSIE|20|"; http.request_body; content:"filename="; depth:9; fast_pattern; content:"&data="; distance:0; pcre:"/^filename=[a-z]+?\.[a-z]+?&data=/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2016757; rev:11; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ID_MAQUINA="; depth:11; nocase; fast_pattern; content:"&VERSAO="; distance:0; nocase; content:"&WIN="; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:command-and-control; sid:2021439; rev:3; metadata:created_at 2015_07_20, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ID_MAQUINA="; depth:11; nocase; fast_pattern; content:"&VERSAO="; distance:0; nocase; content:"&WIN="; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:command-and-control; sid:2021439; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, malware_family Bancos, signature_severity Major, tag Banking_Trojan, tag c2, updated_at 2020_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger HTTP Pattern"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/post.php?type="; fast_pattern; content:"&machinename="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3; metadata:created_at 2015_07_20, updated_at 2020_05_29;)
 
@@ -35416,57 +33966,59 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rioselx.A C
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2 (set)"; flow:established,to_server; flowbits:set,ET.BARTALEX; flowbits:noalert; http.uri; content:".txt"; http.header; content:"WinHttp.WinHttpRequest"; classtype:trojan-activity; sid:2021531; rev:3; metadata:created_at 2015_07_24, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Potao CnC POST Response"; flow:to_client,established; http.server; content:"nginx"; startswith; file.data; content:"<?xml version=|27|1.0|27|?>"; depth:21; content:"<methodResponse>"; distance:1; content:"<params>|0a|<param>"; distance:1; content:"<value><base64>"; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:command-and-control; sid:2021555; rev:3; metadata:created_at 2015_07_30, former_category MALWARE, updated_at 2020_05_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Potao CnC POST Response"; flow:to_client,established; http.server; content:"nginx"; startswith; file.data; content:"<?xml version=|27|1.0|27|?>"; depth:21; content:"<methodResponse>"; distance:1; content:"<params>|0a|<param>"; distance:1; content:"<value><base64>"; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:command-and-control; sid:2021555; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; fast_pattern; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:command-and-control; sid:2021556; rev:3; metadata:created_at 2015_07_30, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; fast_pattern; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:command-and-control; sid:2021556; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PhantomSuper.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021557; rev:3; metadata:created_at 2015_07_30, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PhantomSuper.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021557; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ArrayReplace.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021558; rev:3; metadata:created_at 2015_07_30, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ArrayReplace.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021558; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE URI Struct Observed in Pawn Storm CVE-2015-2950"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?p2="; content:"&recr="; distance:0; fast_pattern; content:"&p3="; distance:0; content:"&as="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021560; rev:3; metadata:created_at 2015_07_30, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE URI Struct Observed in Pawn Storm CVE-2015-2950"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?p2="; content:"&recr="; distance:0; fast_pattern; content:"&p3="; distance:0; content:"&as="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021560; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alina.POS-Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; content:"application/octet-stream"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:"|20|InfoPath|2e|"; distance:0; pcre:"/x20InfoPath\x2e\d[^\x29]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019163; rev:4; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_05_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alina.POS-Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|application/octet-stream|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; depth:74; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2021597; rev:5; metadata:created_at 2015_08_05, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; pcre:"/\/\d{4,}\.txt$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"Accept|0d 0a|"; content:"Accept-Language|0d 0a|"; reference:md5,545ee3114faa5abd994f9730713f2261; classtype:trojan-activity; sid:2021304; rev:5; metadata:created_at 2015_06_18, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; pcre:"/\/\d{4,}\.txt$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"Accept|0d 0a|"; content:"Accept-Language|0d 0a|"; reference:md5,545ee3114faa5abd994f9730713f2261; classtype:trojan-activity; sid:2021304; rev:5; metadata:created_at 2015_06_19, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Initial Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=creation"; fast_pattern; content:"result="; distance:1; content:"&info="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021610; rev:3; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Initial Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=creation"; fast_pattern; content:"result="; distance:1; content:"&info="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021610; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/submit_net_debug.cgi"; nocase; http.request_body; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:4; metadata:created_at 2015_08_18, updated_at 2020_05_29;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish 2015-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"onlineid="; depth:9; fast_pattern; content:"&passcode="; distance:0; content:"&fullname="; distance:0; content:"&address="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031761; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2021_06_23;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VBKrypt.vquj Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; http.request_body; content:"|03 00|"; depth:2; content:"|00 01 00|"; within:4; content:"|00 01 00|"; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:command-and-control; sid:2021605; rev:5; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2020_05_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX August 11 2015"; flow:to_server,established; http.uri; content:".jpg"; nocase; pcre:"/\/(?:[a-z]+|\d+)\.jpg/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|FSL 7.0.6.01001)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:5; metadata:created_at 2015_08_14, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SHLAYER CnC"; flow:established,to_server; http.request_line; content:"POST http://"; fast_pattern; http.uri; content:"/l"; endswith; http.request_body; content:"cs="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,4d86ae25913374cfcb80a8d798b9016e; reference:url,securelist.com/shlayer-for-macos/95724/; classtype:command-and-control; sid:2030231; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_29;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise Style IP Check M2"; flow:to_server,established; urilen:16; http.uri; content:"/myip?format=txt"; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Win32)"; http.host; content:"api.ipaddress.com"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2030229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, signature_severity Major, updated_at 2020_05_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Server Lookup (nntime)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"nntime.com"; bsize:10; reference:md5,a09f817656ca4336581140fe81921f71; classtype:misc-activity; sid:2030230; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_05_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/NukeSped Variant CnC Domain (fudcitydelivers .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"fudcitydelivers.com"; bsize:19; reference:md5,7b07ed5338e6288b5cd510c38e2ab8ed; reference:url,twitter.com/ShadowChasing1/status/1267431137023979522; classtype:command-and-control; sid:2030234; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banker.bqba Checkin"; flow:to_server,established; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; fast_pattern; bsize:31; http.request_body; content:"windows="; depth:8; content:"&av="; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:command-and-control; sid:2023693; rev:3; metadata:created_at 2015_08_25, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banker.bqba Checkin"; flow:to_server,established; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; fast_pattern; bsize:31; http.request_body; content:"windows="; depth:8; content:"&av="; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:command-and-control; sid:2023693; rev:3; metadata:created_at 2015_08_26, former_category MALWARE, updated_at 2020_06_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml?"; fast_pattern; pcre:"/\?[a-z0-9]{32}$/"; http.host; content:"www.ecb.europa.eu"; bsize:17; classtype:trojan-activity; sid:2019400; rev:6; metadata:created_at 2014_10_15, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Cheshire Cat CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 4.0)"; fast_pattern; bsize:50; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021719; rev:3; metadata:created_at 2015_08_26, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Cheshire Cat CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 4.0)"; fast_pattern; bsize:50; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021719; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PawnStorm Sednit DL Aug 28 2015"; flow:established,to_server; http.uri; content:"/cormac.mcr"; http.header_names; content:!"Referer|0d 0a|"; classtype:targeted-activity; sid:2021729; rev:3; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2020_06_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/6.0)"; startswith; http.request_body; content:"AQAAA"; fast_pattern; depth:5; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,0f6a9b15bd9fd719bb96491e16eb2f9c; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; classtype:command-and-control; sid:2021739; rev:3; metadata:created_at 2015_08_31, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Requesting Module"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.content_type; content:"text/plain"; startswith; http.header_names; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021741; rev:3; metadata:created_at 2015_08_31, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Requesting Module"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.content_type; content:"text/plain"; startswith; http.header_names; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021741; rev:3; metadata:created_at 2015_09_01, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exx"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021742; rev:3; metadata:created_at 2015_08_31, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exx"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021742; rev:3; metadata:created_at 2015_09_01, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Landing URI Struct March 20 2015"; flow:established,to_server; http.uri; content:"/?"; depth:2; content:"=l3S"; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/"; classtype:exploit-kit; sid:2020722; rev:4; metadata:created_at 2015_03_20, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Landing URI Struct March 20 2015"; flow:established,to_server; http.uri; content:"/?"; depth:2; content:"=l3S"; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/"; classtype:exploit-kit; sid:2020722; rev:4; metadata:created_at 2015_03_21, updated_at 2020_06_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful EDF Account Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; fast_pattern; content:"&nom"; distance:0; content:"&adresse1="; distance:0; content:"&ville="; distance:0; classtype:credential-theft; sid:2031769; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f32f2209a1986c55750ceb6d8066df9f; classtype:trojan-activity; sid:2021754; rev:3; metadata:created_at 2015_09_09, updated_at 2020_06_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; http.uri; content:"/NEI_ModuleDispatch.php"; content:"module=NEI_AdvancedConfig"; distance:0; content:"&function=HapiGetFileContents"; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/i"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_09, updated_at 2020_06_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; http.uri; content:"/NEI_ModuleDispatch.php"; content:"module=NEI_AdvancedConfig"; distance:0; content:"&function=HapiGetFileContents"; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/i"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_10, updated_at 2020_06_01;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - net user"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net"; nocase; content:!"work"; within:4; nocase; content:"user"; nocase; within:11; content:!"-agent"; nocase; within:6; pcre:"/net(?:%(?:25)?20|\s)+user/i"; classtype:bad-unknown; sid:2016680; rev:7; metadata:created_at 2013_03_27, updated_at 2020_06_01;)
 
@@ -35474,15 +34026,19 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spar
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Odlanor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; content:"&v="; distance:0; content:"&os="; distance:0; content:"&c="; distance:0; content:"&u="; distance:0; http.request_body; pcre:"/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ce19c30ffda76cd63a88eeb8af0340f0; reference:url,welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/; classtype:command-and-control; sid:2021800; rev:3; metadata:created_at 2015_09_18, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.request_body; content:"|20 7c 20 22|0x"; fast_pattern; content:"_"; distance:0; content:"|22 20 7c 20|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021814; rev:3; metadata:created_at 2015_09_22, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Battle.net Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?"; http.request_body; content:"accountName="; depth:12; fast_pattern; content:"&password="; distance:0; content:"&persistLogin="; distance:0; content:"&csrftoken="; distance:0; classtype:credential-theft; sid:2031729; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Amazon Phish 2015-09-22"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"<title>|0a 20 20 20 20|! successful"; fast_pattern; content:"successful !"; distance:0; content:"Data has been successfully updated"; distance:0; classtype:credential-theft; sid:2031770; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.request_body; content:"|20 7c 20 22|0x"; fast_pattern; content:"_"; distance:0; content:"|22 20 7c 20|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021814; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.host; content:"init.icloud-analysis.com"; fast_pattern; bsize:24; reference:url,github.com/XcodeGhostSource/XcodeGhost; classtype:command-and-control; sid:2021822; rev:3; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_06_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; urilen:6; http.method; content:"GET"; http.uri; content:"/check"; nocase; http.header; content:"User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|Host|3a 20|"; depth:47; fast_pattern; nocase; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue%3AWin32/FakeSpypro; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010597; classtype:trojan-activity; sid:2010597; rev:7; metadata:created_at 2010_07_30, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; http.method; content:"POST"; http.uri; pcre:"/\.[a-z]{3,4}$/"; http.request_body; content:"name=|22|upload_file|22 3b 20|filename=|22|"; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021830; rev:4; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; http.method; content:"POST"; http.uri; pcre:"/\.[a-z]{3,4}$/"; http.request_body; content:"name=|22|upload_file|22 3b 20|filename=|22|"; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021830; rev:4; metadata:created_at 2015_09_24, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|00 00 01|"; content:"|00 65 00 0a 95 3a 10 8a 09 25 4e d7 94 5e e9 70 59 e2 95 79|"; distance:1; within:20; classtype:command-and-control; sid:2021832; rev:3; metadata:created_at 2015_09_24, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|00 00 01|"; content:"|00 65 00 0a 95 3a 10 8a 09 25 4e d7 94 5e e9 70 59 e2 95 79|"; distance:1; within:20; classtype:command-and-control; sid:2021832; rev:3; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC POST"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021839; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
@@ -35518,35 +34074,35 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Succ
 
 alert icmp $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Zephyr RTOS ICMPv4 Stack Buffer Overflow"; icode:0; dsize:>120; content:"|30 31 32 07 80|"; fast_pattern; content:"|00|"; endswith; reference:url,research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment/; classtype:bad-unknown; sid:2030242; rev:1; metadata:created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector Sep 29 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/snitch?default|5f|keyword="; depth:24; fast_pattern; content:"&referrer="; distance:0; content:"&se_referrer="; distance:0; content:"&source="; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector Sep 29 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/snitch?default|5f|keyword="; depth:24; fast_pattern; content:"&referrer="; distance:0; content:"&se_referrer="; distance:0; content:"&source="; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M FSO object created|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021852; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M FSO object created|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021852; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M STATE|3a 20|INSTALL|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021853; rev:4; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M STATE|3a 20|INSTALL|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021853; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"unit_action="; depth:12; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021854; rev:5; metadata:created_at 2015_09_30, former_category MALWARE, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"unit_action="; depth:12; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021854; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Sep 30 2015"; flow:to_server,established; urilen:5; http.uri; content:"/052F"; classtype:exploit-kit; sid:2021870; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hola VPN Activity - X-Hola-* Headers"; flow:established,to_server; threshold:type limit,track by_src,seconds 300,count 1; http.header; content:"|0d 0a|X-Hola-"; classtype:policy-violation; sid:2021886; rev:3; metadata:created_at 2015_10_01, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hola VPN Activity - X-Hola-* Headers"; flow:established,to_server; threshold:type limit,track by_src,seconds 300,count 1; http.header; content:"|0d 0a|X-Hola-"; classtype:policy-violation; sid:2021886; rev:3; metadata:created_at 2015_10_02, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Retrieving PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.header; content:"Host|3a 20|www.quaverse.com|0d 0a|"; depth:24; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ccdffdc551b36980b7cd04e33d5fb100; classtype:trojan-activity; sid:2021889; rev:3; metadata:created_at 2015_10_01, former_category TROJAN, malware_family QRat, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Retrieving PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.header; content:"Host|3a 20|www.quaverse.com|0d 0a|"; depth:24; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ccdffdc551b36980b7cd04e33d5fb100; classtype:trojan-activity; sid:2021889; rev:3; metadata:created_at 2015_10_02, former_category TROJAN, malware_family QRat, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; http.method; content:"OPTIONS"; classtype:bad-unknown; sid:2013929; rev:6; metadata:created_at 2011_11_17, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; http.method; content:"OPTIONS"; classtype:bad-unknown; sid:2013929; rev:6; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; http.method; content:"TRACE"; classtype:bad-unknown; sid:2013932; rev:5; metadata:created_at 2011_11_17, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; http.method; content:"TRACE"; classtype:bad-unknown; sid:2013932; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; http.method; content:"PUT"; classtype:bad-unknown; sid:2013930; rev:5; metadata:created_at 2011_11_17, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; http.method; content:"PUT"; classtype:bad-unknown; sid:2013930; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; http.method; content:"CONNECT"; classtype:bad-unknown; sid:2013933; rev:5; metadata:created_at 2011_11_17, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; http.method; content:"CONNECT"; classtype:bad-unknown; sid:2013933; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"TRACE"; http.uri; content:".jsf"; nocase; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:4; metadata:created_at 2011_06_08, updated_at 2020_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"TRACE"; http.uri; content:".jsf"; nocase; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:4; metadata:created_at 2011_06_09, updated_at 2020_06_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT User-Agent (I'm a mu mu mu ?)"; flow:established,to_server; http.user_agent; content:"I|27|m a mu mu mu|20 3f|"; fast_pattern; startswith; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021917; rev:3; metadata:created_at 2015_10_06, updated_at 2020_06_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neshta.A Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|file|22 3b 20|filename=|22|Browser"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; nocase; reference:md5,e93e5af213707ef1888784fa1e709004; classtype:trojan-activity; sid:2021923; rev:4; metadata:created_at 2015_10_07, updated_at 2020_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.jsp?e="; fast_pattern; depth:10; content:"&s="; distance:0; content:"&g="; distance:0; content:"&versionCode="; distance:0; content:"&osVersion="; distance:0; content:"&countryCode="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.jsp?e="; fast_pattern; depth:10; content:"&s="; distance:0; content:"&g="; distance:0; content:"&versionCode="; distance:0; content:"&osVersion="; distance:0; content:"&countryCode="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_10_08, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_06_02, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 120, track by_src; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|DynGate)"; fast_pattern; depth:43; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:12; metadata:created_at 2010_07_30, updated_at 2020_06_02;)
 
@@ -35554,7 +34110,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear Multiple
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Potential Spyware Domain (app .hubstaff .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"app.hubstaff.com"; bsize:16; classtype:policy-violation; sid:2030248; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/xDrop Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"slave.php"; endswith; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE ("; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f154d5596ecb8f63de1e7319e31ad369; classtype:command-and-control; sid:2030243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/xDrop Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"slave.php"; endswith; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE ("; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f154d5596ecb8f63de1e7319e31ad369; classtype:command-and-control; sid:2030243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Kinsing Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kinsing"; endswith; fast_pattern; http.user_agent; content:"Wget/"; nocase; startswith; http.header_names; content:!"Referer"; reference:url,blog.redteam.pl/2020/06/kinsing-malware-liferay.html; classtype:trojan-activity; sid:2030244; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_03;)
 
@@ -35566,37 +34122,47 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Email
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity M2"; flow:established,to_server; http.start; content:"POST /qy/g"; depth:10; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"js=|7b 22|appid|22 3a|"; startswith; fast_pattern; content:"|2c 22|avs|22 3a|"; distance:0; reference:md5,efa431afc414c52d0703392a19c9fa2e; classtype:pup-activity; sid:2030250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_04;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Web App Phish 2015-10-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"app=o365&"; nocase; depth:9; fast_pattern; content:"&name="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031731; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Magento Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/magmi-importer/web/"; fast_pattern; content:"download_file.php?file="; distance:0; http.uri.raw; content:"|2e 2e 2f|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:3; metadata:created_at 2015_10_15, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:!"pdf="; nocase; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021952; rev:3; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:"pdf="; nocase; distance:0; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021953; rev:3; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StreamFlaw.A Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:command-and-control; sid:2020947; rev:4; metadata:created_at 2015_04_17, former_category MALWARE, updated_at 2020_06_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StreamFlaw.A Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:command-and-control; sid:2020947; rev:4; metadata:created_at 2015_04_18, former_category MALWARE, updated_at 2020_06_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; http.uri; content:"?"; content:"-"; fast_pattern; distance:0; pcre:"/(?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z]/i"; http.uri.raw; content:!"="; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:8; metadata:created_at 2012_05_04, updated_at 2020_06_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/document.php?rnd="; depth:18; fast_pattern; content:"&id="; distance:0; pcre:"/^\/document\.php\?rnd=[0-9]{4}&id=[A-F0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/malware/js_nemucod.hqk; classtype:trojan-activity; sid:2021956; rev:4; metadata:created_at 2015_10_16, updated_at 2020_06_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"arHandle="; nocase; fast_pattern; content:"method="; nocase; content:"btask="; nocase; pcre:"/btask\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/i"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:5; metadata:created_at 2012_07_07, updated_at 2020_06_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; http.uri; content:"?"; content:"-"; fast_pattern; distance:0; pcre:"/(?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z]/i"; http.uri.raw; content:!"="; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:8; metadata:created_at 2012_05_03, updated_at 2020_06_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; http.uri; content:"/index.php?"; content:"="; distance:1; within:1; content:!"=aHR0"; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2030249; rev:7; metadata:created_at 2013_10_02, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/document.php?rnd="; depth:18; fast_pattern; content:"&id="; distance:0; pcre:"/^\/document\.php\?rnd=[0-9]{4}&id=[A-F0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/malware/js_nemucod.hqk; classtype:trojan-activity; sid:2021956; rev:4; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; reference:cve,2015-7297; reference:cve,2015-7587; reference:cve,2015-7858; classtype:attempted-admin; sid:2021992; rev:3; metadata:created_at 2015_10_22, former_category WEB_SPECIFIC_APPS, updated_at 2020_06_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"arHandle="; nocase; fast_pattern; content:"method="; nocase; content:"btask="; nocase; pcre:"/btask\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/i"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:5; metadata:created_at 2012_07_06, updated_at 2020_06_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"legalfirstname="; depth:15; nocase; content:"&legallastname="; nocase; distance:0; content:"&date_ob="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; classtype:credential-theft; sid:2031782; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:3; metadata:created_at 2015_10_22, updated_at 2020_06_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"cardNumber="; depth:11; nocase; content:"&date_ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&btn_card=Continue"; nocase; distance:0; classtype:credential-theft; sid:2031732; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cushion Redirection"; flow:established,to_server; content:"/index.php?"; http_uri; content:"="; distance:1; within:1; http_uri; content:!"=aHR0"; http_uri; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:6; metadata:created_at 2013_10_01, updated_at 2020_06_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-28 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"bankname="; depth:9; nocase; content:"&accountid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&accounnumber="; nocase; distance:0; classtype:credential-theft; sid:2031733; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=consultane.com"; nocase; endswith; reference:md5,9b0af1d42eb9d1e7033a958d5a0870c8; classtype:domain-c2; sid:2030252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cushion Redirection"; flow:established,to_server; http.uri; content:"/index.php?"; content:"="; distance:1; within:1; content:!"=aHR0"; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:7; metadata:created_at 2013_10_02, updated_at 2020_06_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check"; flow:established,to_server; http.request_line; content:"GET|20|/|20|HTTP/1.1"; bsize:14; http.header; content:"User-Agent|3a 20|WinInet|0d 0a|Host|3a 20|api.myip.com|0d 0a|"; bsize:41; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Avaddon, signature_severity Major, updated_at 2020_06_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=consultane.com"; nocase; endswith; reference:md5,9b0af1d42eb9d1e7033a958d5a0870c8; classtype:domain-c2; sid:2030252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check"; flow:established,to_server; http.request_line; content:"GET|20|/|20|HTTP/1.1"; bsize:14; http.header; content:"User-Agent|3a 20|WinInet|0d 0a|Host|3a 20|api.myip.com|0d 0a|"; bsize:41; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Avaddon, signature_severity Major, tag Ransomware, updated_at 2020_06_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Directory Traversal via HTTP Cookie (CVE-2020-9484)"; flow:established,to_server; http.cookie; content:"JSESSIONID=../"; startswith; fast_pattern; reference:url,github.com/masahiro331/CVE-2020-9484/blob/master/README.md; reference:cve,2020-9484; classtype:attempted-recon; sid:2030256; rev:1; metadata:affected_product Tomcat, attack_target Server, created_at 2020_06_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_05;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data 2"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; classtype:trojan-activity; sid:2022016; rev:3; metadata:created_at 2015_11_02, updated_at 2020_06_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish Oct 30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"1="; depth:2; content:"&2="; nocase; distance:0; content:"Log+In=Log+In"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022017; rev:3; metadata:created_at 2015_11_02, updated_at 2020_06_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish Oct 30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"1="; depth:2; content:"&2="; nocase; distance:0; content:"Log+In=Log+In"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022017; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"name="; depth:5; content:"&adress1="; nocase; distance:0; content:"&phone="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022018; rev:3; metadata:created_at 2015_11_02, former_category PHISHING, updated_at 2020_06_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"name="; depth:5; content:"&adress1="; nocase; distance:0; content:"&phone="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022018; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"chldr="; depth:7; content:"&ccnum="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022019; rev:3; metadata:created_at 2015_11_02, former_category PHISHING, updated_at 2020_06_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"chldr="; depth:7; content:"&ccnum="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022019; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?tag="; depth:16; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"; bsize:112; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030254; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
 
@@ -35604,13 +34170,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"inter.php"; bsize:9; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"&test="; startswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/higaisa/; classtype:command-and-control; sid:2030265; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Attempted SMB RCE Exploitation M1 (CVE-2020-0796)"; flow:established,to_server; content:"|41 8B 47 3C 4C 01 F8 8B 80 88 00 00 00 4C 01 F8 50|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030263; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2020_06_08;)
+#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M1 (CVE-2020-0796)"; flow:established,to_server; content:"|41 8B 47 3C 4C 01 F8 8B 80 88 00 00 00 4C 01 F8 50|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030263; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Attempted SMB RCE Exploitation M2 (CVE-2020-0796)"; flow:established,to_server; content:"|FF C9 8B 34 8B 4C 01 FE|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030264; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2020_06_08;)
+#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M2 (CVE-2020-0796)"; flow:established,to_server; content:"|FF C9 8B 34 8B 4C 01 FE|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030264; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Malvertising Communication"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?rand_key="; fast_pattern; content:"&packagename="; distance:0; content:"&imei="; distance:0; content:"&login="; distance:0; http.user_agent; content:"|20|U|3b 20|Android|20|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/; reference:md5,c73cf82c0043463f8079d0540b2634e0; classtype:trojan-activity; sid:2030266; rev:1; metadata:attack_target Mobile_Client, created_at 2020_06_08, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OZH Rat)"; flow:established,to_client; tls.cert_subject; content:"CN=www.ozhsec.com"; nocase; endswith; classtype:domain-c2; sid:2030257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OZH Rat)"; flow:established,to_client; tls.cert_subject; content:"CN=www.ozhsec.com"; nocase; endswith; classtype:domain-c2; sid:2030257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Archer C5 v4 (CVE-2019-7405)"; flow:established,to_server; http.uri; content:"/cgi/setPwd?pwd="; http.referer; bsize:14; content:"tplinkwifi.net"; fast_pattern; reference:cve,2019-7405; reference:url,securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/; classtype:attempted-admin; sid:2029181; rev:3; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2019_12_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
 
@@ -35626,19 +34192,27 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Technicolor TD513
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Xfinity Gateway - Remote Code Execution"; flow:to_server,established; urilen:48; http.method; content:"POST"; http.uri; content:"/actionHandler/ajax_network_diagnostic_tools.php"; fast_pattern; http.request_body; content:"test_connectivity=true&destination_address=www.comcast.net|20 7c 7c 20|"; depth:62; reference:url,www.exploit-db.com/exploits/40856; classtype:attempted-admin; sid:2030262; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, signature_severity Major, updated_at 2020_06_08;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-11-03 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"FN="; depth:3; nocase; fast_pattern; content:"&LN="; nocase; distance:0; content:"&ST="; nocase; distance:0; content:"&AL="; nocase; distance:0; content:"&CT="; nocase; distance:0; content:"&SA="; nocase; distance:0; content:"&CN="; nocase; distance:0; content:"&Code="; nocase; distance:0; classtype:credential-theft; sid:2031734; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-11-03 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"CC="; depth:3; nocase; fast_pattern; content:"&EM="; nocase; distance:0; content:"&EY="; nocase; distance:0; content:"&CV="; nocase; distance:0; content:"&SC="; nocase; distance:0; content:"&BD="; nocase; distance:0; content:"&SN="; nocase; distance:0; content:"&SO="; nocase; distance:0; classtype:credential-theft; sid:2031735; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d$/i"; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Silent Miner Changelog Checkin"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; startswith; file.data; content:"Changelog v"; depth:11; fast_pattern; content:"-Added startup folder"; distance:0; content:"-Changed AutoUpdate Mode"; distance:0; content:"|7c 7c|----------------"; distance:0; content:"-Fixed startup .exe without name bug"; distance:0; content:"-Changed files hosting"; distance:0; content:"- Added CPU Threads"; reference:md5,2d51e11a38b7fd448cd0b1d319915e44; classtype:command-and-control; sid:2022034; rev:3; metadata:created_at 2015_11_04, former_category MALWARE, updated_at 2020_06_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh connectivity check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Host|3a 20|"; depth:6; content:"Content-Length|3a 20|0|0d 0a|"; distance:0; content:"|3a 20|no-cache"; distance:0; http.header_names; content:!"|0d 0a|User-Agent"; content:!"|0d 0a|Accept"; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:5; metadata:created_at 2012_05_18, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: !"&ncm="; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:3; metadata:created_at 2015_11_04, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: !"&ncm="; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:3; metadata:created_at 2015_11_05, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: "&ncm="; distance:0; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}&ncm=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022038; rev:3; metadata:created_at 2015_11_04, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: "&ncm="; distance:0; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}&ncm=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022038; rev:3; metadata:created_at 2015_11_05, updated_at 2020_06_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; http.uri; content:"/api/hook/decodeArguments"; nocase; content:"arguments="; nocase; content:"|7b|"; distance:0; content:"|3a|"; distance:0; content:"|3b|"; distance:0; content:"free_result"; nocase; distance:0; reference:url,blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html; classtype:attempted-admin; sid:2022039; rev:3; metadata:created_at 2015_11_05, former_category CURRENT_EVENTS, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"000"; fast_pattern; pcre:"/^\/[a-f0-9]+000[a-f0-9]{37}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,0f41c853a2d522e326f2c30b4b951b04; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022074; rev:4; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Data Submitted to Weebly.com - Possible Phishing"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"weebly.net|0d 0a|"; fast_pattern; content:"X-W-DC|3a 20|"; http.content_type; content:"text/html"; startswith; file.data; content:"{|22|success|22 3a|true"; distance:0; content:"|22|action|22 3a 22|finished|22|"; distance:1; content:"Your information has been submitted"; nocase; distance:0; classtype:trojan-activity; sid:2031785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Weebly Phishing Landing Observed 2015-11-10"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"weebly.net|0d 0a|"; fast_pattern; content:"X-W-DC|3a 20|"; http.content_type; content:"text/html"; startswith; file.data; content:"form enctype=|22|multipart/form-data|22|"; nocase; content:"VERIFY YOUR ACCOUNT BELOW FOR NEW UPGRADE"; nocase; distance:0; content:"U$er Name"; nocase; distance:0; content:"PASSW0RD"; nocase; distance:0; content:"CONFIRM PASSW0RD"; nocase; distance:0; classtype:social-engineering; sid:2031786; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"000"; fast_pattern; pcre:"/^\/[a-f0-9]+000[a-f0-9]{37}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,0f41c853a2d522e326f2c30b4b951b04; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022074; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; http.host; content:"download.cloudsota.com"; startswith; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_09;)
 
@@ -35656,17 +34230,21 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Report GET
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC GET"; flow:to_server,established; urilen:13; http.method; content:"GET"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022111; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header; content:".in|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022119; rev:3; metadata:created_at 2015_11_18, former_category MALWARE, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-17"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Keep-Alive|3a 20|timeout="; http.content_type; content:"text/html"; startswith; file.data; content:"To view document"; nocase; fast_pattern; content:"select your email provider"; nocase; distance:0; content:"select other email provider"; nocase; distance:0; content:"Sign In"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031787; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header; content:".in|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022119; rev:3; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:".pw|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022120; rev:3; metadata:created_at 2015_11_18, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:".pw|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022120; rev:3; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_06_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&ip="; content:"&os="; content:"&name="; content:"&ram="; content:"&cpu="; content:"&gpu="; content:"&av="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:command-and-control; sid:2022126; rev:2; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CoinMiner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/\.php\?check=\d$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:coin-mining; sid:2022128; rev:2; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CoinMiner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/\.php\?check=\d$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:coin-mining; sid:2022128; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_06_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spartan/Nuclear EK Payload"; flow:established,from_server; http.server; content:"nginx"; startswith; http.header; content:"Accept-Ranges|3a 20|bytes|0d 0a|Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; fast_pattern; pcre:"/\x20filename=\r\n(?:\r\n)?$/"; http.content_type; content:"application/octet-stream"; startswith; classtype:exploit-kit; sid:2022135; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri 2015-11-25"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?usernms="; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/i"; classtype:social-engineering; sid:2022185; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SFR Phishing 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; distance:0; nocase; content:"&remember-me="; distance:0; nocase; content:"&identifier="; distance:0; nocase; classtype:credential-theft; sid:2031790; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Phishing Landing Uri 2015-11-25"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?usernms="; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/i"; classtype:social-engineering; sid:2022185; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 3"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?/12345"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,24203ba70f584b64a432fb6dad52765d; classtype:command-and-control; sid:2022186; rev:3; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2020_06_09;)
 
@@ -35674,22 +34252,24 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKlip/ClipBanker
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; http.request_body; content:!"&date="; content:"code="; depth:5; content:"&submit="; distance:0; classtype:trojan-activity; sid:2017389; rev:7; metadata:created_at 2013_08_28, updated_at 2020_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Zmap User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; bsize:21; classtype:network-scan; sid:2030345; rev:3; metadata:created_at 2015_11_30, former_category SCAN, updated_at 2020_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Zmap User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; bsize:21; classtype:network-scan; sid:2030345; rev:3; metadata:created_at 2015_12_01, former_category SCAN, updated_at 2020_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:4; metadata:created_at 2011_12_08, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:4; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline"; nocase; content:".exe"; content:"load/"; fast_pattern; file.data; content:"MZ"; depth:2; classtype:exploit-kit; sid:2014314; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_06_09;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; http.user_agent; content:"miner"; nocase; pcre:"/miner[^a-z]/i"; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016067; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, deployment Datacenter, former_category COINMINER, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline"; nocase; content:".exe"; content:"load/"; fast_pattern; file.data; content:"MZ"; depth:2; classtype:exploit-kit; sid:2014314; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_06_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/AZZY Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; http.header; content:"User-Agent|3a 20|MSIE|20|"; depth:17; fast_pattern; pcre:"/^User-Agent\x3a MSIE \d+\.\d+\r\n/i"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7c373c607c8724f8be461d61016ed272; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:url,securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/; classtype:targeted-activity; sid:2019534; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\.jpg(?:\?\d+)?$/"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:102; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022220; rev:3; metadata:created_at 2015_12_04, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\.jpg(?:\?\d+)?$/"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:102; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022220; rev:3; metadata:created_at 2015_12_05, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/"; depth:9; content:"servlet/"; http.request_body; content:"org.jboss.invocation.MarshalledValue"; http.content_type; content:"application/x-java-serialized-object|3b|"; endswith; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:3; metadata:created_at 2015_12_08, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/"; depth:9; content:"servlet/"; http.request_body; content:"org.jboss.invocation.MarshalledValue"; http.content_type; content:"application/x-java-serialized-object|3b|"; endswith; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:3; metadata:created_at 2015_12_09, updated_at 2020_06_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/MayhemBruter Inbound Ping From CnC"; flow:established,to_server; http.uri; content:"/wp-content/plugins/"; content:"/libso"; distance:0; pcre:"/\/libso\d{1,4}\.php\?id=[a-zA-Z0-9]+$/"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:command-and-control; sid:2022224; rev:3; metadata:created_at 2015_12_07, former_category MALWARE, updated_at 2020_06_09;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&is_valid_email="; nocase; distance:0; classtype:credential-theft; sid:2031795; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2015-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"t1="; depth:3; nocase; content:"&login="; fast_pattern; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2031796; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"workrepair.bazar"; nocase; bsize:16; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030267; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"realfish.bazar"; bsize:14; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030268; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
@@ -35708,19 +34288,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2015-12-01"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe?"; fast_pattern; nocase; pcre:"/\/[0-9]{2}\.exe\?[0-9]$/i"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; nocase; http.header; content:!"User-Agent|3a 20|BlueCoat"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,77290f994d05ad0add5768c9c040dc55; classtype:trojan-activity; sid:2022207; rev:6; metadata:created_at 2015_12_02, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon"; flow:to_server,established; http.request_line; content:"GET /0"; startswith; fast_pattern; http.uri; pcre:"/^\/0[a-f0-9]{48}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,8ae2468d3f208d07fb47ebb1e0e297d7; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022073; rev:4; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon"; flow:to_server,established; http.request_line; content:"GET /0"; startswith; fast_pattern; http.uri; pcre:"/^\/0[a-f0-9]{48}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,8ae2468d3f208d07fb47ebb1e0e297d7; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022073; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|log="; fast_pattern; content:"path="; pcre:"/path=[A-Z]\x3a\x5c[A-F0-9]+\r\nlog=/i"; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022244; rev:3; metadata:created_at 2015_12_11, former_category MALWARE, updated_at 2020_06_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|log="; fast_pattern; content:"path="; pcre:"/path=[A-Z]\x3a\x5c[A-F0-9]+\r\nlog=/i"; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022244; rev:3; metadata:created_at 2015_12_12, former_category MALWARE, updated_at 2020_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"Pn="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; content:"&o="; content:"&av="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:command-and-control; sid:2021919; rev:6; metadata:created_at 2015_10_06, former_category MALWARE, updated_at 2020_06_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"Pn="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; content:"&o="; content:"&av="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:command-and-control; sid:2021919; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Range|3a 20|"; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022262; rev:4; metadata:created_at 2015_12_14, updated_at 2020_06_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Range|3a 20|"; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022262; rev:4; metadata:created_at 2015_12_15, updated_at 2020_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKBEN Ransomware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?btc="; nocase; fast_pattern; content:"&wid="; nocase; distance:0; content:"|3a|TWljcm9zb2Z0IFdpbmR"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,c952a88edc0766adf819b30cd2683ac7; classtype:trojan-activity; sid:2022283; rev:2; metadata:created_at 2015_12_18, updated_at 2020_06_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKBEN Ransomware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?btc="; nocase; fast_pattern; content:"&wid="; nocase; distance:0; content:"|3a|TWljcm9zb2Z0IFdpbmR"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,c952a88edc0766adf819b30cd2683ac7; classtype:trojan-activity; sid:2022283; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; depth:1; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE"; startswith; http.request_body; content:"{|22|data|22 3A|"; depth:8; content:"|22|password old|22 3A|"; fast_pattern; distance:0; content:"|22|login|22 3A|"; content:"|22|type|22 3A|"; distance:0; content:"|22|login old|22 3A|"; distance:0; content:"|22|password|22 3A|"; distance:0; content:"|22|name|22 3A|"; distance:0; content:"|22|code|22 3A|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-06-10"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2030275; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-06-10"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2030275; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fastweb Fastgate 0.00.81 - Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/status.cgi?cmd="; content:"&act=nvset&service=usb_remove&mount="; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/47654; classtype:attempted-admin; sid:2030276; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_10;)
 
@@ -35736,6 +34316,8 @@ alert dns any any -> $HOME_NET any (msg:"ET MALWARE Downloader Retrieving Malici
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.3.6 CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=C7K-kJipTS1A15X5"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html; classtype:command-and-control; sid:2030313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_06_11;)
 
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SocGholish Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"public.clickstat360.com"; bsize:23; reference:url,decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions; classtype:trojan-activity; sid:2035896; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_11;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - CenturyLink Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|syn_login_form|22 20|method=|22|post|22 20|action=|22|check.php|22|>"; classtype:social-engineering; sid:2030281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|login-form|22 20|method=|22|post|22 20|autocomplete=|22|off|22 20|action=|22|mask.php|22 20|>"; classtype:social-engineering; sid:2030282; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
@@ -35764,7 +34346,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Whatsapp/Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"whatsapp"; nocase; content:"<form action=|22|check.php|22 20|method=|22|post|22|>"; distance:0; classtype:social-engineering; sid:2030294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - M&T Bank Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"M&amp|3b|T Bank"; nocase; content:"<form action=|22|email1.php|22 20|method=|22|post|22 20|id=|22|aspnetform|22|>"; distance:0; classtype:social-engineering; sid:2030295; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - M&T Bank Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"M&amp|3b|T Bank"; nocase; content:"<form action=|22|email1.php|22 20|method=|22|post|22 20|id=|22|aspnetform|22|>"; distance:0; classtype:social-engineering; sid:2030295; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|data|22 20|action=|22|wapg2gapp.php|22 20|id=|22|login-username-form|22 20|method=|22|post|22 20|class=|22|username-challenge|20 22|>"; classtype:social-engineering; sid:2030296; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
@@ -35778,7 +34360,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - VK Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|authorization|22 20|action=|22|check.php|22 20|method=|22|post|22|>"; content:"href=|22|https://new.vk.com/"; distance:0; classtype:social-engineering; sid:2030301; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Possible Generic Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; classtype:social-engineering; sid:2030302; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Possible Generic Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; classtype:social-engineering; sid:2030302; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|login-form|22 20|method=|22|post|22 20|autocomplete=|22|off|22 20|action=|22|jero.php|22|>"; classtype:social-engineering; sid:2030303; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
@@ -35800,9 +34382,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi TV Integration
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/qsr_server/device/getThumbnail?sourceUri="; fast_pattern; content:"'&targetUri="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2030317; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/Mist Stealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?alias="; fast_pattern; content:"&data="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(Connection\x0d\x0a)?\x0d\x0a$/R"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,5c7638d8247e6da38835daa8a63a0a60; classtype:trojan-activity; sid:2030316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/Mist Stealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?alias="; fast_pattern; content:"&data="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(Connection\x0d\x0a)?\x0d\x0a$/R"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,5c7638d8247e6da38835daa8a63a0a60; classtype:trojan-activity; sid:2030316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=meflying.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030330; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2020_06_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=meflying.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030330; rev:1; metadata:attack_target Client_and_Server, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>anaLTEAM"; nocase; fast_pattern; content:"name=|22|command|22 20|value=|22|Crotz|22|"; nocase; distance:0; content:"value=|22|Upload Bos"; nocase; distance:0; classtype:web-application-attack; sid:2030318; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
@@ -35834,23 +34416,21 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Centreon 20.04 Authenticated RCE (CVE-2020-12688)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/main.get.php?p="; content:"&command_id="; distance:0; content:"&command_name=../"; distance:0; fast_pattern; content:"|3b|&command_line="; distance:0; reference:url,github.com/TheCyberGeek/Centreon-20.04; reference:cve,2020-12688; classtype:attempted-admin; sid:2030338; rev:1; metadata:attack_target Web_Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ActionSpy CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ps/upinfo"; bsize:10; fast_pattern;http.user_agent; content:"android"; bsize:7; http.header; content:"Content-Encoding|3a 20|encrypted|0d 0a|"; reference:md5,43f1891a9c0d8fc69e273095708d9238; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/; classtype:command-and-control; sid:2030342; rev:1; metadata:attack_target Mobile_Client, created_at 2020_06_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
-
 #alert tls any any -> $HTTP_SERVERS any (msg:"ET INFO GnuTLS Cryptographic Flaw Observed (CVE-2020-13777)"; flow:to_server,established; content:"|16|"; startswith; content:"|00 23|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:2; within:16; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; reference:url,corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/; classtype:attempted-recon; sid:2030340; rev:2; metadata:created_at 2020_06_15, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Significant, signature_severity Major, updated_at 2020_06_15;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for Malicious .dat File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,660d1132888b2a2ff83b695e65452f87; classtype:trojan-activity; sid:2030334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_15;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Koadic Header Structure"; flow:established,to_server; http.header; content:"|0d 0a|encoder|3a 20|"; content:"|0d 0a|shellchpc|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1afc93c8092b2c7e49a6d3a451629f; classtype:trojan-activity; sid:2030341; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_15, deployment Perimeter, former_category MALWARE, malware_family Koadic, signature_severity Major, updated_at 2020_06_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OceanLotus APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=summerevent.webhop.net"; nocase; endswith; classtype:domain-c2; sid:2030343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OceanLotus APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=summerevent.webhop.net"; nocase; endswith; classtype:domain-c2; sid:2030343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/safebrowsing/rd/"; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"PREF=ID=U="; depth:10; fast_pattern; pcre:"/^[a-z0-9]{10,}$/Rsi"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/safebrowsing/rd/"; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"PREF=ID=U="; depth:10; fast_pattern; pcre:"/^[a-z0-9]{10,}$/Rsi"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRat WebSockets Request M2"; flow:established,to_server; http.start; content:"GET /socket.io/?__sails_io_sdk_version=1.2.1&__sails_io_sdk_platform=node&__sails_io_sdk_language=javascript&EIO=3&transport=websocket HTTP/1.1|0d 0a|Sec-WebSocket-Version|3a 20|13|0d 0a|Sec-WebSocket-Key|3a 20|"; startswith; fast_pattern; http.header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate|3b 20|client_max_window_bits|0d 0a|"; http.header_names; content:"|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a|Connection|0d 0a|Upgrade|0d 0a|"; startswith; content:"Sec-WebSocket-Extensions|0d 0a|Host|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2030346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_16;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,>,16,11,relative,big; pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R"; reference:url,devel0pment.de/?p=1881; reference:cve,2020-13160; classtype:attempted-user; sid:2030348; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ironhalo CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0(compatible|3b|MSIE 8.0|3b|Windows NT 6.1)"; fast_pattern; bsize:47; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; classtype:command-and-control; sid:2022298; rev:3; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2020_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ironhalo CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0(compatible|3b|MSIE 8.0|3b|Windows NT 6.1)"; fast_pattern; bsize:47; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; classtype:command-and-control; sid:2022298; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"click?sid="; fast_pattern; content:"&cid="; distance:0; pcre:"/\?sid=[a-f0-9]{40}&cid=[0-9]$/"; http.header_names; content:"Referer|0d 0a|"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021251; rev:4; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2020_06_16;)
 
@@ -35858,41 +34438,63 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Tr
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ZoneAlarm Download Flowbit Set"; flow:established,to_server; http.uri; content:"pkg"; http.host; content:"zonealarm.com"; endswith; flowbits:set,ET.ZoneAlarm.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2022285; rev:3; metadata:created_at 2015_12_18, updated_at 2020_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; flowbits:set,et.exploitkitlanding; http.header; content:!"smartsvn.com"; file.data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; classtype:exploit-kit; sid:2017181; rev:7; metadata:created_at 2013_07_23, updated_at 2020_06_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; flowbits:set,et.exploitkitlanding; http.header; content:!"smartsvn.com"; file.data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; classtype:exploit-kit; sid:2017181; rev:7; metadata:created_at 2013_07_24, updated_at 2020_06_16;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT GET request CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022310; rev:3; metadata:created_at 2015_12_24, former_category MALWARE, updated_at 2020_06_16;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT POST request CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022311; rev:3; metadata:created_at 2015_12_24, former_category MALWARE, updated_at 2020_06_16;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-24 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login_cmd="; nocase; depth:10; fast_pattern; content:"&login_params="; nocase; distance:0; content:"&racho"; nocase; distance:0; content:"&submit.x="; nocase; distance:0; classtype:credential-theft; sid:2031799; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot download config - SET"; flow:established,to_server; flowbits:set,ET.zbot.dat; flowbits:noalert; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer"; classtype:trojan-activity; sid:2022317; rev:3; metadata:created_at 2015_12_30, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptojoker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; content:"|3a 3a|"; distance:0; http.uri.raw; content:"|4f 4e 4c 25 35 43 6e|"; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.bleepingcomputer.com/news/security/the-cryptojoker-ransomware-is-nothing-to-laugh-about/; reference:md5,904b0888bfa02d200091fa8ad014d016; reference:md5,bca6c1fa9b9a8bf60eecbd91e08d1323; classtype:command-and-control; sid:2022333; rev:3; metadata:created_at 2016_01_05, former_category MALWARE, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptojoker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; content:"|3a 3a|"; distance:0; http.uri.raw; content:"|4f 4e 4c 25 35 43 6e|"; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.bleepingcomputer.com/news/security/the-cryptojoker-ransomware-is-nothing-to-laugh-about/; reference:md5,904b0888bfa02d200091fa8ad014d016; reference:md5,bca6c1fa9b9a8bf60eecbd91e08d1323; classtype:command-and-control; sid:2022333; rev:3; metadata:created_at 2016_01_06, former_category MALWARE, updated_at 2020_06_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Sign In</title>"; nocase; fast_pattern; content:"value=|22|Account Summary|22|"; nocase; distance:0; content:"value=|22|Transfer|22|"; nocase; distance:0; content:"value=|22|Brokerage|22|"; nocase; distance:0; content:"value=|22|Trade|22|"; nocase; distance:0; content:"value=|22|MessageAlerts|22|"; nocase; distance:0; classtype:social-engineering; sid:2031956; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky Payload Link Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&token1="; distance:0; content:"&token2="; distance:0; content:"&C="; distance:0; pcre:"/\/[A-Za-z]+\.php\?((?:id|token1|token2|C)=[A-Za-z0-9\/=+%]*={0,2}&?){4}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,clearskysec.com/wp-content/uploads/2016/01/Operation DustySky_TLP_WHITE.pdf; classtype:trojan-activity; sid:2022343; rev:3; metadata:created_at 2016_01_07, updated_at 2020_06_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wells Fargo Phish Loading Page 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Please Wait</title>"; nocase; fast_pattern; content:"http-equiv="; distance:0; nocase; content:"Refresh"; nocase; distance:1; within:8; content:"Verifying Your Account"; nocase; distance:0; content:"Please wait"; nocase; distance:0; classtype:credential-theft; sid:2031957; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invalid/Suspicious User-Agent (PHP)"; flow:to_server,established; http.user_agent; content:"PHP/5."; nocase; fast_pattern; startswith; pcre:"/^\{\d(?:\|\d){1,}\}\.\{\d(?:\|\d){1,}\}\{\d(?:\|\d){1,}\}/R"; classtype:web-application-attack; sid:2022350; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_11, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky Payload Link Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&token1="; distance:0; content:"&token2="; distance:0; content:"&C="; distance:0; pcre:"/\/[A-Za-z]+\.php\?((?:id|token1|token2|C)=[A-Za-z0-9\/=+%]*={0,2}&?){4}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf; classtype:trojan-activity; sid:2022343; rev:3; metadata:created_at 2016_01_08, former_category MALWARE, updated_at 2020_06_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invalid/Suspicious User-Agent (PHP)"; flow:to_server,established; http.user_agent; content:"PHP/5."; nocase; fast_pattern; startswith; pcre:"/^\{\d(?:\|\d){1,}\}\.\{\d(?:\|\d){1,}\}\{\d(?:\|\d){1,}\}/R"; classtype:web-application-attack; sid:2022350; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_06_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022362; rev:3; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_06_17;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Generic Phish (set) 2016-01-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031862; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"GOVERNMENT SYSTEM IS FOR AUTHORIZED"; fast_pattern; content:"Use of this system constitutes"; nocase; distance:0; content:"Internal Revenue Service"; nocase; distance:0; content:"Electronic Filing PIN"; nocase; distance:0; content:"foreignPostalLbl"; nocase; distance:0; classtype:social-engineering; sid:2031958; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Update Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"form action=|22|http|3a|//www.formbuddy.com"; nocase; distance:0; content:"Name|3a|"; nocase; distance:0; content:"E-Mail|3a|"; nocase; distance:0; content:"Password|3a|"; fast_pattern; nocase; distance:0; content:"Submit Form"; nocase; distance:0; classtype:social-engineering; sid:2031959; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zbot download config"; flow:established,from_server; flowbits:isset,ET.zbot.dat; http.stat_code; content:"200"; http.stat_msg; content:"OK"; http.content_type; content:"application/x-ns-proxy-autoconfig"; fast_pattern; startswith; file.data; pcre:"/^(?=[a-zA-Z]*?\d)(?=[a-z0-9]*?[A-Z])[a-zA-Z0-9+/]{30}/R"; classtype:trojan-activity; sid:2022318; rev:4; metadata:created_at 2015_12_30, updated_at 2020_06_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chrome Extension Phishing HTTP Request"; flow:to_server,established; http.host; content:"chrome-extension."; startswith; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022373; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?RIGHTS="; fast_pattern; nocase; content:"&WIN="; distance:0; nocase; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022402; rev:3; metadata:created_at 2016_01_22, former_category MALWARE, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-01-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webscr?cmd=_"; nocase; fast_pattern; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"email="; nocase; content:"password="; nocase; distance:0; classtype:credential-theft; sid:2031960; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-01-15 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webscr?cmd=_"; nocase; fast_pattern; content:"&account_card="; distance:0; nocase; content:"&session="; nocase; distance:0; http.header; content:"&account_address="; nocase; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"address_1="; nocase; depth:10; content:"&address_2="; nocase; distance:0; classtype:credential-theft; sid:2031961; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Process Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?SSTART="; nocase; content:"&CRYPTED_DATA="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022403; rev:3; metadata:created_at 2016_01_22, former_category MALWARE, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-01-15 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Submit"; nocase; http.header; content:"/webscr?cmd=_"; nocase; content:"&account_card="; nocase; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"cc_holder="; nocase; depth:10; fast_pattern; content:"&cc_number="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; classtype:credential-theft; sid:2031962; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LeChiffre Ransomware CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sipvoice.php?"; depth:14; fast_pattern; content:"&session="; distance:0; http.header; content:"Keep-Alive|3a 20|300"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4523ccfd191dcceeae8e884f82f5c7ad; reference:url,blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/; classtype:command-and-control; sid:2022406; rev:3; metadata:created_at 2016_01_25, former_category MALWARE, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Webeden.co.uk (set) 2016-01-22"; flow:to_server,established; urilen:1; flowbits:set,ET.webeden.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"webeden.co.uk"; endswith; fast_pattern; classtype:social-engineering; sid:2031963; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kaicone.A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Plug="; depth:5; fast_pattern; content:"Instituto="; distance:0; content:"&AV="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0dfaf7a70859ddb86296276dc20ce1ae; classtype:command-and-control; sid:2022407; rev:3; metadata:created_at 2016_01_25, former_category MALWARE, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?RIGHTS="; fast_pattern; nocase; content:"&WIN="; distance:0; nocase; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022402; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/safebrowsing/rd/"; fast_pattern; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; bsize:264; content:"PREF=ID="; depth:8; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; http.host; content:!"google.com"; endswith; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Moderate, signature_severity Major, updated_at 2020_06_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Process Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?SSTART="; nocase; content:"&CRYPTED_DATA="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022403; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LeChiffre Ransomware CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sipvoice.php?"; depth:14; fast_pattern; content:"&session="; distance:0; http.header; content:"Keep-Alive|3a 20|300"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4523ccfd191dcceeae8e884f82f5c7ad; reference:url,blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/; classtype:command-and-control; sid:2022406; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency Phishing Landing 2016-01-25"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"DEBUT DE L|27|EN-TETE"; nocase; fast_pattern; content:"DU GABARIT NSI"; nocase; distance:0; content:"<title>Get Tax Refund"; nocase; distance:0; content:"Canada Revenue Agency"; nocase; distance:0; classtype:social-engineering; sid:2031965; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kaicone.A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Plug="; depth:5; fast_pattern; content:"Instituto="; distance:0; content:"&AV="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0dfaf7a70859ddb86296276dc20ce1ae; classtype:command-and-control; sid:2022407; rev:3; metadata:created_at 2016_01_26, former_category MALWARE, updated_at 2020_06_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/safebrowsing/rd/"; fast_pattern; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; bsize:264; content:"PREF=ID="; depth:8; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; http.host; content:!"google.com"; endswith; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /softServer/req "; startswith; fast_pattern; http.request_body; content:"requestStr=%7B%22"; startswith; reference:md5,edadf30df18e6a7ea190041cf3bd4a0b; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_17;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (DiplomatLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=dpi64x.easyllcwi.com"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2030351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_17, deployment Perimeter, signature_severity Major, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/start.html"; bsize:11; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8,application/signed-exchange|3b|v=b3"; fast_pattern; bsize:118; http.header_names; content:"Host|0d 0a|Upgrade-Insecure-Requests|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; reference:md5,851a4f13928a5edb3859a21a8041908e; classtype:trojan-activity; sid:2030356; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/start.html"; bsize:11; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8,application/signed-exchange|3b|v=b3"; fast_pattern; bsize:118; http.header_names; content:"Host|0d 0a|Upgrade-Insecure-Requests|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; reference:md5,851a4f13928a5edb3859a21a8041908e; classtype:trojan-activity; sid:2030356; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.VrBrothers.AI Variant CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/SubmitUsageInfor "; startswith; fast_pattern; http.user_agent; bsize:24; content:"Mozilla/4.0 (compatible)"; http.request_body; content:"data="; startswith; reference:md5,b0e8fed85cf0ae29fe921508e9c60fb9; classtype:pup-activity; sid:2030353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
 
@@ -35900,25 +34502,25 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DNS Tunneling Obser
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaDrug CnC Activity"; flow:established,to_server; http.request_line; content:"GET /client.config/?format=json&advert_key="; startswith; fast_pattern; http.uri; content:"&app="; content:"&oslang="; content:"&uid="; reference:md5,d739e41e0ba4f1d72f9283c6fcb2f761; classtype:pup-activity; sid:2030354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=time.updateeset.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature; classtype:domain-c2; sid:2030349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=time.updateeset.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature; classtype:domain-c2; sid:2030349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-06-18)"; flow:established,to_client; tls.cert_subject; content:"CN=armybar.hopto.org"; nocase; endswith; reference:md5,afbe00e755a2cf963f0eedbb4e310198; classtype:domain-c2; sid:2030350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-06-18)"; flow:established,to_client; tls.cert_subject; content:"CN=armybar.hopto.org"; nocase; endswith; reference:md5,afbe00e755a2cf963f0eedbb4e310198; classtype:domain-c2; sid:2030350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SUPERAntiSpyware Install Checkin"; flow:established,to_server; http.uri; content:"&sEventData=tag:SUPERAntiSpyware.exe"; fast_pattern; http.user_agent; bsize:10; content:"SUPERSetup"; reference:md5,7f97a26e10500250b00e1f3c0240882a; classtype:pup-activity; sid:2030355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.accept; content:"text/html, application/xhtml+xml, */*"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; classtype:trojan-activity; sid:2022467; rev:3; metadata:created_at 2016_01_28, updated_at 2020_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Delete Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|delplugs|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022470; rev:3; metadata:created_at 2016_01_28, updated_at 2020_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Delete Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|delplugs|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022470; rev:3; metadata:created_at 2016_01_29, updated_at 2020_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Load Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|loadplug|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022471; rev:3; metadata:created_at 2016_01_28, updated_at 2020_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Load Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|loadplug|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022471; rev:3; metadata:created_at 2016_01_29, updated_at 2020_06_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible POSHC2 Client CnC"; flowbits:set,ET.poshc2.powershellclient; flowbits: noalert; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; reference:url,https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030366; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Navy Federal Credit Union Phishing Landing 2016-01-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Navy Federal Credit Union"; fast_pattern; nocase; content:"Armed Forces Loans"; nocase; distance:0; classtype:social-engineering; sid:2031966; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible POSHC2 Server Response"; flowbits:isset,ET.poshc2.powershellclient; ja3s.hash; content:"ec74a5c51106f0419184d0dd08fb05bc"; reference:url,https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030367; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible POSHC2 Client CnC"; flowbits:set,ET.poshc2.powershellclient; flowbits: noalert; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030366; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, malware_family PoshC2, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Agent.NSU CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/afu.php?zoneid="; startswith; fast_pattern; content:"&var="; isdataat:!2,relative; reference:md5,1924c8edcd59bd9540968305a3ed4988; classtype:command-and-control; sid:2030362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible POSHC2 Server Response"; flowbits:isset,ET.poshc2.powershellclient; ja3s.hash; content:"ec74a5c51106f0419184d0dd08fb05bc"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030367; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, malware_family PoshC2, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
 
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; http.protocol; content:"|28 29 20 7b|"; startswith; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:5; metadata:created_at 2014_09_25, updated_at 2020_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Agent.NSU CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/afu.php?zoneid="; startswith; fast_pattern; content:"&var="; isdataat:!2,relative; reference:md5,1924c8edcd59bd9540968305a3ed4988; classtype:command-and-control; sid:2030362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT CnC Checkin"; flow:established,to_server; dsize:<300; content:"ping|7c|STRRAT|7c|"; depth:12; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; classtype:command-and-control; sid:2030358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
 
@@ -35960,6 +34562,10 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CollectorStealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&cc="; distance:0; content:"&pc="; distance:0; http.header; content:"User-Agent|3a 20|uploader|0d 0a|"; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,e929f02353d22d95523be4f8fbf794c4; classtype:command-and-control; sid:2030368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/CollectorStealer User-Agent M2"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XLCTX|0d 0a|"; classtype:trojan-activity; sid:2034321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_06_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/CollectorStealer User-Agent M1"; flow:established,to_server; http.header; content:"User-Agent|3a 20|CLCTR|0d 0a|"; classtype:trojan-activity; sid:2034322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_06_22;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VikroStealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate?pc_name="; fast_pattern; content:"&ip="; content:"&city="; content:"&countryCode="; content:"&passwords="; content:"&hwid="; content:"&user_id="; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:command-and-control; sid:2030369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_06_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VikroStealer Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getSettings?user_id="; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:command-and-control; sid:2030370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
@@ -35972,41 +34578,61 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SluttyPutty isDeb
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mokes CnC Keep-Alive"; flow:established,to_server; urilen:3; threshold: type both, count 9, seconds 60, track by_src; http.method; content:"GET"; http.uri; content:"/v1"; depth:3; fast_pattern; http.header; content:"Accept"; content:"User-Agent|3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/; classtype:command-and-control; sid:2022477; rev:3; metadata:created_at 2016_02_01, former_category MALWARE, updated_at 2020_06_23;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Webeden.co.uk M1 2016-01-22"; flow:to_client,established; flowbits:isset,ET.webeden.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2031964; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_23;)
+
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Compromised Webserver Retriving Inject"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; pcre:"/^\/blog\/\?[a-z]+&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\x3a\d{1,5})?$/"; classtype:trojan-activity; sid:2022485; rev:3; metadata:created_at 2016_02_03, updated_at 2020_06_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Download Request Containing Suspicious Filename - Crypted"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"crypted.exe"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ff823130efcdf8ab267cad92eb5b90d7; reference:md5,e953e6b3be506c5b8ca80fbcd79c065e; reference:md5,1e2fa2e401cd2295a03ba8d8d3d3698b; classtype:trojan-activity; sid:2022491; rev:3; metadata:created_at 2016_02_04, former_category MALWARE, updated_at 2020_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fluxer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php?id="; fast_pattern; content:"&ver="; distance:0; content:"&m="; distance:0; pcre:"/&m=\d$/i"; http.user_agent; content:"Mozilla"; bsize:7; http.connection; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,648f432b41f3bcebc1a599f529055cf0; classtype:command-and-control; sid:2022492; rev:3; metadata:created_at 2016_02_04, former_category MALWARE, updated_at 2020_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fluxer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php?id="; fast_pattern; content:"&ver="; distance:0; content:"&m="; distance:0; pcre:"/&m=\d$/i"; http.user_agent; content:"Mozilla"; bsize:7; http.connection; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,648f432b41f3bcebc1a599f529055cf0; classtype:command-and-control; sid:2022492; rev:3; metadata:created_at 2016_02_05, former_category MALWARE, updated_at 2020_06_23;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed VikroStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tracksupporte.site"; bsize:18; reference:md5,851c42ec4709bd59d7610591fc38129a; classtype:domain-c2; sid:2030381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_23, deployment Perimeter, former_category MALWARE, malware_family VikroStealer, signature_severity Major, updated_at 2020_06_23;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; http.content_type; content:"image/"; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:4; metadata:created_at 2014_09_11, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; http.method; content:"POST"; nocase; http.uri; content:"/setSystemCommand"; nocase; http.request_body; content:"SystemCommand="; nocase; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:3; metadata:created_at 2016_02_12, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USPS Phishing Landing 2016-02-10"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>USPS.com|c2 ae 20|- Sign In</title>"; nocase; fast_pattern; content:"Create a USPS.com"; nocase; distance:0; classtype:social-engineering; sid:2031967; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; http.method; content:"POST"; nocase; http.uri; content:"/setSystemCommand"; nocase; http.request_body; content:"SystemCommand="; nocase; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:3; metadata:created_at 2016_02_13, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.request_body; content:"redirect|3a|"; content:"{"; distance:0; pcre:"/\bredirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:6; metadata:created_at 2013_07_23, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.request_body; content:"redirect|3a|"; content:"{"; distance:0; pcre:"/\bredirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.request_body; content:"redirectAction|3a|"; content:"{"; pcre:"/\bredirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:6; metadata:created_at 2013_07_23, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.request_body; content:"redirectAction|3a|"; content:"{"; pcre:"/\bredirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.request_body; content:"action|3a|"; content:"{"; distance:0; pcre:"/\baction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:6; metadata:created_at 2013_07_23, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.request_body; content:"action|3a|"; content:"{"; distance:0; pcre:"/\baction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/s2.cgi"; depth:15; http.request_body; pcre:"/^[a-f0-9]{31}\x3B(?:[a-zA-Z0-9+/=]+)?\r?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8a18846e17244db9af90009ddab341ce; reference:url,securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/; classtype:command-and-control; sid:2022529; rev:3; metadata:created_at 2016_02_16, former_category MALWARE, updated_at 2020_06_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/s2.cgi"; depth:15; http.request_body; pcre:"/^[a-f0-9]{31}\x3B(?:[a-zA-Z0-9+/=]+)?\r?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8a18846e17244db9af90009ddab341ce; reference:url,securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/; classtype:command-and-control; sid:2022529; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your e-mail account will be verify"; nocase; fast_pattern; content:"DO NOT RESEND"; nocase; distance:0; content:"MESSAGE IS FROM THE SYSTEM ADMIN"; nocase; distance:0; classtype:credential-theft; sid:2031968; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Maps Phishing Landing 2016-02-17"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Google Maps"; nocase; fast_pattern; content:"ultrozoic_rotating_by_dragontunders"; nocase; distance:0; content:"Please enter your email"; nocase; distance:0; content:"Please enter your email password"; nocase; distance:0; classtype:social-engineering; sid:2031969; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript 2016-02-09"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv"; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; pcre:"/^\x22[0-9]+?[^\x22]/Rsi"; content:"url=data|3a|text/html,http"; fast_pattern; nocase; distance:0; pcre:"/^[^\x22]+<\s*?script\s*?.+data\x3atext/html\x3bbase64,/Rsi"; classtype:social-engineering; sid:2031970; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022533; rev:3; metadata:created_at 2016_02_17, updated_at 2020_06_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus C2 Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".db?k="; fast_pattern; content:"?q="; distance:0; pcre:"/\?q=[a-f0-9]{32}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022541; rev:3; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 1"; nocase; content:!"0"; within:1; pcre:"/^[^0-9]/R"; classtype:trojan-activity; sid:2015898; rev:5; metadata:created_at 2012_11_19, updated_at 2020_06_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 1"; nocase; content:!"0"; within:1; pcre:"/^[^0-9]/R"; classtype:trojan-activity; sid:2015898; rev:5; metadata:created_at 2012_11_20, updated_at 2020_06_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Blockbuster User-Agent (Mozillar)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozillar"; depth:8; nocase; fast_pattern; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,www.operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2022564; rev:4; metadata:created_at 2016_02_24, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely PadCrypt Locker PKG DL"; flow:established,to_server; http.uri; content:".pdcr"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:3; metadata:created_at 2016_02_25, updated_at 2020_06_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely PadCrypt Locker PKG DL"; flow:established,to_server; http.uri; content:".pdcr"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:3; metadata:created_at 2016_02_26, updated_at 2020_06_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2016-02-26"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"google-site-verification|22 20|content=|22|ixTkEWd_UcMhrL39nLaMLEq66o3Ecdwa-btSiATF0Uc"; content:"<title>USAA / Welcome to USAA"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2031971; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-01 M3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Account Verification"; fast_pattern; nocase; content:"Your Apple ID"; nocase; distance:0; content:"Account Verification Complete"; nocase; distance:0; content:"restore your account"; nocase; distance:0; classtype:credential-theft; sid:2031972; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Base64 Executable"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>TVqQAA/Rsi"; classtype:trojan-activity; sid:2022595; rev:3; metadata:created_at 2016_03_04, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2016-03-01 M2"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>iCloud"; fast_pattern; nocase; content:"Sign in"; nocase; distance:0; content:"Apple ID"; nocase; distance:0; content:"Activation"; nocase; distance:0; content:"Privacy Policy"; nocase; distance:0; classtype:social-engineering; sid:2031973; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; http.uri; content:"/plugins/custom-content-type-manager/auto-update.php"; fast_pattern; nocase; reference:url,blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html; classtype:trojan-activity; sid:2022596; rev:4; metadata:created_at 2016_03_06, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2016-03-01 M3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".form input[type=email]"; nocase; content:".form input[type=password]"; nocase; distance:0; content:"Apple ID"; fast_pattern; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Sign In"; nocase; distance:0; classtype:social-engineering; sid:2031974; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cstype="; depth:7; content:"&authname="; distance:0; content:"&hostname="; distance:0; content:"&ostype="; distance:0; content:"&owner="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations; classtype:command-and-control; sid:2019831; rev:5; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_06_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-01 M5"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".form input[type=email]"; nocase; content:".form input[type=password]"; nocase; distance:0; content:"password are invalid"; fast_pattern; nocase; distance:0; content:"Apple ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Sign In"; nocase; distance:0; classtype:credential-theft; sid:2031975; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Base64 Executable"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>TVqQAA/Rsi"; classtype:trojan-activity; sid:2022595; rev:3; metadata:created_at 2016_03_05, updated_at 2020_06_24;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; http.uri; content:"/plugins/custom-content-type-manager/auto-update.php"; fast_pattern; nocase; reference:url,blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html; classtype:trojan-activity; sid:2022596; rev:4; metadata:created_at 2016_03_07, updated_at 2020_06_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cstype="; depth:7; content:"&authname="; distance:0; content:"&hostname="; distance:0; content:"&ostype="; distance:0; content:"&owner="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations; classtype:command-and-control; sid:2019831; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiveRAT CnC Activity"; flow:established,to_server; dsize:<300; content:"|7b 73 77 6f 72 64|"; offset:2; depth:6; fast_pattern; threshold:type both, count 10, seconds 60, track by_src; classtype:command-and-control; sid:2030383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_24, deployment Perimeter, former_category MALWARE, malware_family FirebirdRAT, signature_severity Major, updated_at 2020_06_24;)
 
@@ -36016,8 +34642,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Rovnix CnC Domain in DNS Que
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse Request for .pif"; flow:established,to_server; content:".pif|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".pif"; endswith; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache-"; content:!"Pragma"; content:!"Referer"; classtype:bad-unknown; sid:2030392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /data/receive "; depth:19; fast_pattern; http.request_body; content:"ectid="; depth:6; content:"&taxCode="; distance:0; reference:md5,be1a7bbc42d5d6f3a3270201906a68d9; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030394; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_25;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RHttpCtrl Backdoor CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ver="; startswith; content:"&id="; distance:0; content:"&random="; distance:0; content:"&hname="; distance:0; content:"&lanip="; distance:0; fast_pattern; content:"&os="; distance:0; reference:md5,ed09b0dba74bf68ec381031e2faf4448; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family APT30, performance_impact Low, signature_severity Critical, updated_at 2020_06_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RCtrl Backdoor CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infos/p"; bsize:8; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; reference:md5,373224fd766cb9b85e3d42d56d1702f3; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family APT30, performance_impact Low, signature_severity Critical, updated_at 2020_06_25;)
@@ -36030,9 +34654,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY COCCOC Browser (VN
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IndigoDrop/Cobalt Strike Download"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"XHhmY1x4ZThceDg5XHgwMFx4MDBceDAwXHg2MFx4ODlceGU1X"; depth:49; fast_pattern; isdataat:!5000,relative; reference:url,blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html; classtype:trojan-activity; sid:2030400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, signature_severity Major, updated_at 2020_06_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Lucy Server Phish"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"Server|3a 20|Lucy|0d 0a|"; fast_pattern; content:"/account|0d 0a|"; reference:url,lucysecurity.com/download/; classtype:credential-theft; sid:2030404; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Lucy Server Phish"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"Server|3a 20|Lucy|0d 0a|"; fast_pattern; content:"/account|0d 0a|"; reference:url,lucysecurity.com/download/; classtype:credential-theft; sid:2030404; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wombat Phishing Test"; flow:established,to_client; file.data; content:"been phished!</title>"; fast_pattern; content:"<form action=|22|/training/acceptance"; distance:0; content:"name=|22|training_ack|22 20|type=|22|submit|22|>Acknowledge"; distance:0; content:"href=|22|https://www.wombatsecurity.com/"; distance:0; classtype:misc-activity; sid:2030405; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wombat Phishing Test"; flow:established,to_client; file.data; content:"been phished!</title>"; fast_pattern; content:"<form action=|22|/training/acceptance"; distance:0; content:"name=|22|training_ack|22 20|type=|22|submit|22|>Acknowledge"; distance:0; content:"href=|22|https://www.wombatsecurity.com/"; distance:0; classtype:misc-activity; sid:2030405; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING T-Mobile Phishing Landing"; flow:established,to_client; file.data; content:"src=|22|./T-Mobile QuikView_ Please Login_files/"; fast_pattern; content:"href=|22|./T-Mobile QuikView_ Please Login_files/"; distance:0; content:".php|22 20|method=|22|post|22|"; distance:0; classtype:social-engineering; sid:2030406; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_29;)
 
@@ -36042,39 +34666,53 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LumOffice Uploadin
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RezoStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?ip="; content:"&user="; distance:0; content:"&localation="; distance:0; fast_pattern; content:"&windows="; distance:0; content:"&time="; distance:0; http.header_names; content:!"Referer"; reference:url,github.com/3xp0rt/RezoStealer/blob/master/FHwFvbCd/modules/SendToServer.cs; classtype:trojan-activity; sid:2030403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category MALWARE, malware_family RezoStealer, signature_severity Major, updated_at 2020_06_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Genome User-Agent (Http Down)"; flow:established,to_server; http.user_agent; content:"Http Down"; fast_pattern; startswith; reference:md5,479306863946029e545a4803b303d74c; classtype:trojan-activity; sid:2022654; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Fantasy Name Gen"; flow:established,to_server; http.host; content:"www.fantasynamegen.com"; fast_pattern; startswith; http.header_names; content:!"User-Agent"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022655; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/submit.php"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; http.user_agent; content:"User-Agent|3a|"; startswith; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022665; rev:5; metadata:created_at 2016_03_28, former_category MALWARE, updated_at 2020_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/submit.php"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; http.user_agent; content:"User-Agent|3a|"; startswith; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022665; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; flowbits:set,ET.RIGEKExploit; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header; content:"/?"; content:"=l3S"; classtype:exploit-kit; sid:2020721; rev:4; metadata:created_at 2015_03_21, updated_at 2020_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; flowbits:set,ET.RIGEKExploit; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header; content:"/?"; content:"=l3S"; classtype:exploit-kit; sid:2020721; rev:4; metadata:created_at 2015_03_20, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via MyFreeSites.com (set) 2016-03-31"; flow:to_server,established; urilen:1; flowbits:set,ET.myfreesites.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"myfreesites.net"; fast_pattern; endswith; classtype:social-engineering; sid:2031976; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via MyFreeSites.com M2 2016-03-31"; flow:to_client,established; flowbits:isset,ET.myfreesites.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2031977; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".exe"; http.user_agent; content:"Microsoft BITS/7.5"; fast_pattern; bsize:18; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/(?:xyz|pw)$/"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:5; metadata:created_at 2016_03_30, former_category CURRENT_EVENTS, updated_at 2020_06_30;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com M2 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2031979; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Tripod.com Phish 2016-03-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".ajax?m="; content:"&type=Form"; distance:0; content:"&a=addResponse"; distance:0; http.header; content:".tripod.com/|0d 0a|"; http.request_body; content:"data%5Bresponse%5D"; depth:18; fast_pattern; content:"&data%5Bresponse%5D"; distance:0; content:"&data%5Bresponse%5D"; distance:0; pcre:"/=[A-Za-z0-9._+-]+%40[A-Za-z0-9.-]+\.[A-Za-z]{2,6}&data/"; classtype:credential-theft; sid:2031980; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com M1 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; fast_pattern; nocase; content:"mail"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2031978; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/data.ria?CfgType=get_homeCfg&file="; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:3; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:3; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:4; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OWA Phishing Landing 2016-04-04 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>WebMail"; fast_pattern; nocase; content:"@$_GET[|22|email"; nocase; content:"ldCookie(|27|username"; nocase; content:"Secure my account"; nocase; content:"This is a private computer"; nocase; distance:0; content:"By selecting this option"; nocase; distance:0; classtype:social-engineering; sid:2031981; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email System Manager Phishing Landing 2016-04-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"pixi_grey_blue.gif"; fast_pattern; nocase; content:"E-mail System Manager"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; classtype:social-engineering; sid:2031982; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PhishMe.com Phishing Exercise - Client Plugins"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/plugin_surveys"; fast_pattern; http.cookie; content:"_phishme.com_session_id="; classtype:trojan-activity; sid:2022729; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; http.header; content:"Cookie|3a 20|visited=TRUE"; http.header.raw; content:"Cookie|3a 20|mutex="; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014407; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_06_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; http.header; content:"Cookie|3a 20|visited=TRUE"; http.header.raw; content:"Cookie|3a 20|mutex="; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014407; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_06_30;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ponmocup.A Checkin"; flow:to_server,established; urilen:10; http.method; content:"GET"; http.uri; content:"/space.php"; fast_pattern; http.header.raw; content:"Accept|3a 20|*/*|0d 0a|Cookie|3a|"; depth:25; content:"User-Agent|3a 20|"; distance:0; content:"Host|3a 20|"; distance:0; http.cookie; content:"uid="; depth:4; content:"|3b 20|VISITOR="; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:command-and-control; sid:2014660; rev:5; metadata:created_at 2012_05_01, former_category MALWARE, updated_at 2020_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Virus-Encoder Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submit=submit&id="; fast_pattern; content:"&guid="; content:"&pc="; content:"&mail="; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,57a69d5130d32da0a278c72137ca58ee; classtype:command-and-control; sid:2022737; rev:4; metadata:created_at 2016_04_15, former_category MALWARE, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Virus-Encoder Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submit=submit&id="; fast_pattern; content:"&guid="; content:"&pc="; content:"&mail="; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,57a69d5130d32da0a278c72137ca58ee; classtype:command-and-control; sid:2022737; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Quicktime User-Agent EOL With Known Bugs"; flow:established,to_server; threshold: type limit, count 1, seconds 600, track by_src; http.user_agent; content:"QuickTime"; content:"os=Windows NT"; fast_pattern; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA16-105A; classtype:policy-violation; sid:2022738; rev:4; metadata:created_at 2016_04_18, updated_at 2020_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022342; rev:4; metadata:created_at 2016_01_07, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022342; rev:4; metadata:created_at 2016_01_08, updated_at 2020_06_30;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:command-and-control; sid:2022749; rev:3; metadata:created_at 2016_04_20, former_category MALWARE, updated_at 2020_06_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Lyhr0x"; nocase; endswith; classtype:domain-c2; sid:2030409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, signature_severity Major, updated_at 2020_06_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Lyhr0x"; nocase; endswith; classtype:domain-c2; sid:2030409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Predator Anti Ban CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; bsize:11; content:"TrinitySeal"; fast_pattern; http.request_body; content:"&programtoken="; content:"&session_id="; distance:0; content:"&session_salt="; distance:0; reference:md5,2423133b438fdc9ef479d73ca0364060; classtype:pup-activity; sid:2030410; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_06_30;)
 
@@ -36082,15 +34720,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.DOTHE
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (CODE)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:C5:5A:CC:01:BD:A7:5B:DA"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030412; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:C5:5A:CC:01:BD:A7:5B:DA"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030412; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"app-system2-update.com"; endswith; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030413; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B7:E4:D1:83:71:78:B0:A9"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030414; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B7:E4:D1:83:71:78:B0:A9"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030414; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"awe232-service-app.com"; endswith; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030415; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B9:03:54:FD:F4:FF:6D:68"; fast_pattern; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030416; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B9:03:54:FD:F4:FF:6D:68"; fast_pattern; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030416; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"upd-ncx4-server.com"; endswith; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030417; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
 
@@ -36116,7 +34754,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY go-external-ip lib
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"websitelistbuilder.com"; bsize:22; endswith; classtype:domain-c2; sid:2030448; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=websitelistbuilder.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030449; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=websitelistbuilder.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030449; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Predator the Thief Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Predator The Thief"; fast_pattern; nocase; content:"<form method=|22|POST|22 20|class=|22|sign-box|22|"; nocase; distance:0; content:"<input type=|22|text|22 20|class=|22|form-control|22 20|name=|22|login|22 20|value=|22 22 20|placeholder="; nocase; distance:0; content:"<input type=|22|password|22 20|class=|22|form-control|22 20|name=|22|password|22 20|placeholder="; nocase; distance:0; classtype:web-application-attack; sid:2030446; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, signature_severity Major, updated_at 2020_07_03;)
 
@@ -36124,29 +34762,29 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Predator t
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"traffichi.com"; bsize:13; endswith; classtype:domain-c2; sid:2030450; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=traffichi.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030451; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=traffichi.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030451; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"cofeedback.com"; bsize:14; endswith; classtype:domain-c2; sid:2030452; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cofeedback.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030453; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cofeedback.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030453; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"adsmarketart.com"; bsize:16; endswith; classtype:domain-c2; sid:2030454; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=adsmarketart.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030455; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=adsmarketart.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030455; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"advancedanalysis.be"; bsize:19; endswith; classtype:domain-c2; sid:2030456; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=advancedanalysis.be"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030457; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=advancedanalysis.be"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030457; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=advertstv.com"; nocase; endswith; classtype:domain-c2; sid:2030458; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=advertstv.com"; nocase; endswith; classtype:domain-c2; sid:2030458; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=amazingdonutco.com"; nocase; endswith; classtype:domain-c2; sid:2030460; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=amazingdonutco.com"; nocase; endswith; classtype:domain-c2; sid:2030460; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mwebsoft.com"; nocase; endswith; classtype:domain-c2; sid:2030462; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mwebsoft.com"; nocase; endswith; classtype:domain-c2; sid:2030462; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rostraffic.com"; nocase; endswith; classtype:domain-c2; sid:2030464; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rostraffic.com"; nocase; endswith; classtype:domain-c2; sid:2030464; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=typiconsult.com"; nocase; endswith; classtype:domain-c2; sid:2030466; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=typiconsult.com"; nocase; endswith; classtype:domain-c2; sid:2030466; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CommandCam Download"; flow:established,to_client; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"CommandCam "; fast_pattern; reference:url,github.com/tedburke/CommandCam; classtype:policy-violation; sid:2030474; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_07_06;)
 
@@ -36154,34 +34792,48 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Age
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Masayki"; fast_pattern; classtype:web-application-attack; sid:2030471; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?u="; content:"_"; distance:0; content:"&i="; distance:0; http.user_agent; content:"WinHTTP"; depth:7; endswith; http.request_body; content:"p=<br><mark>"; fast_pattern; depth:12; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/echo.php?req="; fast_pattern; content:"&u="; distance:0; content:"_"; distance:0; http.user_agent; content:"Microsoft WinHttp"; depth:17; endswith; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Response"; flow:established,to_server; content:"|0d 0a 0d 0a|ci="; fast_pattern; http.method; content:"POST"; http.uri; content:"/rite.php"; http.user_agent; content:"WinHTTP"; depth:7; endswith; http.request_body; content:"ci="; depth:3; content:"&r="; distance:0; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<h1>PAYLEETS - TESTER"; fast_pattern; nocase; content:">Check  Mailling ..</font>"; nocase; distance:0; content:"type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030329; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Critical, updated_at 2020_07_06;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, signature_severity Major, updated_at 2020_07_06;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_06, deployment Perimeter, signature_severity Critical, updated_at 2020_07_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zeromax Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=enibenny.space"; nocase; endswith; classtype:domain-c2; sid:2030475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zeromax Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=enibenny.space"; nocase; endswith; classtype:domain-c2; sid:2030475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat Initial CnC Activity"; flow:established,to_server; urilen:>100; http.request_line; content:"=c|20|HTTP/1.1"; endswith; fast_pattern; http.method; content:"GET"; http.uri; content:".php?"; content:"=c"; distance:32; within:2; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"Referer"; reference:md5,4467b54917f60b657e0c92df4296cbc1; classtype:command-and-control; sid:2029881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2020_07_07;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity"; flow:established,to_server; urilen:>100; http.method; content:"GET"; http.uri.raw; content:"=%3D"; fast_pattern; http.uri; content:".php?"; pcre:"/^\/[^\r\n]+\.php\?[a-f0-9]{32}(?:=(?:%3D|\x3d)*[A-Za-z0-9%\/]+&[a-f0-9]{32}){4,}=(?:%3D|\x3d)*[A-Za-z0-9%\/]+$/si"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; content:!"Referer"; content:!"Accept"; content:!"Cache"; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,4467b54917f60b657e0c92df4296cbc1; classtype:command-and-control; sid:2029897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2020_07_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TaurusStealer CnC)"; flow:established,to_client; tls.cert_serial; content:"0E:7F:A1:8D:53:1A"; endswith; classtype:domain-c2; sid:2030476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, updated_at 2020_07_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TaurusStealer CnC)"; flow:established,to_client; tls.cert_serial; content:"0E:7F:A1:8D:53:1A"; endswith; classtype:domain-c2; sid:2030476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gaudox Checkin"; flow:to_server,established; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; fast_pattern; bsize:66; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:command-and-control; sid:2022505; rev:5; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gaudox Checkin"; flow:to_server,established; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; fast_pattern; bsize:66; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:command-and-control; sid:2022505; rev:5; metadata:created_at 2016_02_12, former_category MALWARE, updated_at 2020_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/al?"; depth:4; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022756; rev:3; metadata:created_at 2016_04_25, former_category MALWARE, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/al?"; depth:4; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022756; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?---"; pcre:"/\?---[A-Z]$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022757; rev:3; metadata:created_at 2016_04_25, former_category MALWARE, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?---"; pcre:"/\?---[A-Z]$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022757; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackmoon/Banbra Configuration Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; http.header; content:"Accept|3a 20|*/*|0d 0d 0a|User-Agent"; fast_pattern; http.host; content:".qq.com"; endswith; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,bbcbd3dc203829c9cdbf7d1b057f0e79; classtype:trojan-activity; sid:2022759; rev:3; metadata:created_at 2016_04_25, updated_at 2020_07_07;)
 
 alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/tmUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018132; rev:5; metadata:created_at 2014_02_13, updated_at 2020_07_07;)
 
-alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/hndUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,exploit-db.com/exploits/31683/; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018155; rev:5; metadata:created_at 2014_02_18, updated_at 2020_07_07;)
+alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/hndUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,exploit-db.com/exploits/31683/; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018155; rev:5; metadata:created_at 2014_02_19, updated_at 2020_07_07;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M1 2016-04-25"; flow:established,to_client; flowbits:isset,ET.wpphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your session has timed out"; fast_pattern; nocase; content:"sign in e-mail and continue"; nocase; distance:0; classtype:social-engineering; sid:2031983; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_04_18;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M2 2016-04-25"; flow:established,to_client; flowbits:isset,ET.wpphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; fast_pattern; nocase; content:"Confirm your identity"; distance:0; nocase; content:"account to view document"; distance:0; nocase; classtype:social-engineering; sid:2031984; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Document Phish 2016-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php?login="; nocase; fast_pattern; pcre:"/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}$/"; http.header; content:".php?login="; nocase; http.request_body; content:"email="; depth:6; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2031985; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; http.user_agent; content:"x00_-gawa.sa.pilipinas.2015"; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:3; metadata:created_at 2016_04_26, updated_at 2020_07_07;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist Phish 2016-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"step=confirmation&rt="; depth:21; fast_pattern; content:"&rp="; distance:0; content:"&username="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031986; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS BLEXBot User-Agent"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 300; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|BLEXBot/"; fast_pattern; startswith; reference:url,webmeup.com/about.html; classtype:misc-activity; sid:2022775; rev:3; metadata:created_at 2016_05_02, former_category MALWARE, updated_at 2020_07_07;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Magento Shoplift Exploit Inbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin/Cms_Wysiwyg/directive/index/"; http.request_body; content:"filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0w"; fast_pattern; depth:100; reference:url,blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html; reference:url,packetstormsecurity.com/files/133327/Magento-Add-Administrator-Account.html; classtype:web-application-attack; sid:2022776; rev:3; metadata:created_at 2016_05_03, updated_at 2020_07_07;)
@@ -36198,9 +34850,9 @@ alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-202
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Dragon Raja Activity"; flow:established,to_server; http.uri; bsize:14; content:"/setup/dir.txt"; http.user_agent; bsize:16; content:"DragonRajaOrigin"; fast_pattern; reference:md5,33200121c71932220c67b9f3ccc57d60; classtype:misc-activity; sid:2030484; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Major, updated_at 2020_07_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware BMP Download"; flow:established,to_server; content:".bmp HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^\/help(?:me)?\.bmp$/"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:url,https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/; reference:md5,c78a9c6affbfbfabfc50fae515675c6a; reference:md5,acbf8739dce846472a7715c975dc8b40; classtype:trojan-activity; sid:2030485; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_07_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware BMP Download"; flow:established,to_server; content:".bmp HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^\/help(?:me)?\.bmp$/"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:url,labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/; reference:md5,c78a9c6affbfbfabfc50fae515675c6a; reference:md5,acbf8739dce846472a7715c975dc8b40; classtype:trojan-activity; sid:2030485; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category MALWARE, malware_family hakbit, malware_family thanos, signature_severity Major, tag Ransomware, updated_at 2020_07_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mslfiedjssfdes.com"; nocase; endswith; classtype:domain-c2; sid:2030486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Zloader, signature_severity Major, updated_at 2020_07_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mslfiedjssfdes.com"; nocase; endswith; classtype:domain-c2; sid:2030486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRAT Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myO?gId="; startswith; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept-"; reference:md5,f1638d4cd6286b69cb29d8002478d0c1; classtype:trojan-activity; sid:2030494; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_09;)
 
@@ -36210,15 +34862,11 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET [9530,9527,23] (msg:"ET EXPLOIT Attempt
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Outbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030488; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response"; flow:established,to_client; dsize:3; content:"|33 66 99|"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030489; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2020_07_09;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)"; flow:established,to_server; dsize:5; content:"|33 66 99 01|"; depth:4; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030490; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2020_07_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)"; flow:established,to_server; dsize:<30; content:"|33 66 99|"; pcre:"/^[\x02-\x1e][A-Za-z0-9_-]+$/Rsi"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030491; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2020_07_09;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potentially Malicious .cab Inbound (CVE-2020-1300)"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MSCF"; startswith; content:"../../"; distance:0; fast_pattern; pcre:"/^[a-z0-9\-_\.\/]+\x00/Ri"; reference:url,www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files; classtype:attempted-admin; sid:2030493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_10, deployment Perimeter, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gafgyt vbot Variant CnC"; flow:established,to_server; content:"ver|3a|1.500000|3a|null|3a|"; fast_pattern; reference:md5,65cc35e68e3834b1955115737ff3c55e; classtype:trojan-activity; sid:2030496; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/BASHLITE vbot Variant CnC"; flow:established,to_server; content:"ver|3a|1.500000|3a|null|3a|"; fast_pattern; reference:md5,65cc35e68e3834b1955115737ff3c55e; classtype:trojan-activity; sid:2030496; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (grab)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|grab|0d 0a|"; classtype:bad-unknown; sid:2030492; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_10;)
 
@@ -36240,11 +34888,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshe
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=|22|POST|22|>|0d 0a|"; content:"Password|3a 0d 0a|"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|auth|22 20|value=|22|"; distance:0; content:"<input type=|22|password|22 20|name=|22|password|22|>|0d 0a|"; distance:0; content:"<input type=|22|submit|22 20|value=|22|>>|22|>|0d 0a|"; fast_pattern; distance:0; classtype:web-application-attack; sid:2030501; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Major, updated_at 2020_07_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (ps1)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; content:"orphic.ps1"; endswith; fast_pattern; reference:url,https://github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030516; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (ps1)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; content:"orphic.ps1"; endswith; fast_pattern; reference:url,github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030516; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (exe)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; fast_pattern; pcre:"/(?:BrowsingHistoryView|WebBrowserPassView)\.exe$/Ri"; reference:url,github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030517; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (exe)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; fast_pattern; pcre:"/(?:BrowsingHistoryView|WebBrowserPassView)\.exe$/Ri"; reference:url,https://github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030517; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to DuckDNS Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".duckdns."; fast_pattern; classtype:bad-unknown; sid:2031581; rev:1; metadata:created_at 2020_07_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZoomInfo Contact Contributor Install"; flow:established,to_server; http.request_line; content:"GET /client/installopen?client_id={"; startswith; fast_pattern; content:"} HTTP/"; distance:36; within:7; reference:md5,b2e902c566dda9a77d9dfe1adfc9de59; reference:url,smallbiztrends.com/2010/05/zoominfo-provides-free-sales-prospecting-tool-to-small-businesses-and-entrepreneurs.html; classtype:command-and-control; sid:2030515; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZoomInfo Contact Contributor Install"; flow:established,to_server; http.request_line; content:"GET /client/installopen?client_id={"; startswith; fast_pattern; content:"} HTTP/"; distance:36; within:7; reference:md5,b2e902c566dda9a77d9dfe1adfc9de59; reference:url,smallbiztrends.com/2010/05/zoominfo-provides-free-sales-prospecting-tool-to-small-businesses-and-entrepreneurs.html; classtype:command-and-control; sid:2030515; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST to MEGA Userstorage"; flow:established,to_server; http.method; content:"POST"; http.host; content:".userstorage.mega.co.nz"; endswith; fast_pattern; classtype:policy-violation; sid:2030504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
 
@@ -36268,15 +34918,27 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Maliciou
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to .tk domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; content:".tk"; endswith; fast_pattern; classtype:misc-activity; sid:2030514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citizenbank Phish 2016-05-24 M1"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"CSRF_TOKEN="; depth:11; content:"&initlogin="; distance:0; content:"&UserID="; distance:0; nocase; content:"&passs="; distance:0; fast_pattern; content:"&btnLogin="; distance:0; classtype:credential-theft; sid:2031987; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citizenbank Phish 2016-05-24 M2"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"&UserID=|25|3C|25|3Fphp+echo|25|28|25|24Username"; fast_pattern; content:"&email="; distance:0; content:"&epass="; distance:0; content:"&Q1="; distance:0; classtype:credential-theft; sid:2031988; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious File Download Post-Phishing 2016-05-25"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"howLongToWait"; fast_pattern; nocase; content:"urlOfDownloadContent"; nocase; distance:0; content:"triggerDownload"; nocase; distance:0; content:"urlOfRedirectLocation"; nocase; distance:0; content:"startRedirect"; nocase; distance:0; classtype:social-engineering; sid:2031990; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-05-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"Processing.php?"; fast_pattern; nocase; http.request_body; content:"EM="; nocase; depth:3; content:"&PS="; nocase; distance:0; classtype:credential-theft; sid:2031991; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Joanap CnC Checkin"; flow:to_server,established; http.uri; content:".ico"; http.user_agent; content:"Mozillar"; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,operationblockbuster.com/resources/index.html; classtype:command-and-control; sid:2021730; rev:4; metadata:created_at 2015_08_31, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 4 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/access.cgi"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; content:"User-Agent|3a|"; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,53859b74ab0ed0e98065982462f4e575; classtype:command-and-control; sid:2022844; rev:3; metadata:created_at 2016_05_31, former_category MALWARE, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 4 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/access.cgi"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; content:"User-Agent|3a|"; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,53859b74ab0ed0e98065982462f4e575; classtype:command-and-control; sid:2022844; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M1"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 22 7c|"; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022846; rev:3; metadata:created_at 2016_06_01, updated_at 2020_07_14;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M2"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022847; rev:3; metadata:created_at 2016_06_01, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?profile="; content:"&ddager="; distance:0; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4027e40dc474f595d46a59f2eaaa4e8d; classtype:command-and-control; sid:2028919; rev:3; metadata:created_at 2016_06_02, former_category MALWARE, updated_at 2020_07_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Avast Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"is infected with"; nocase; content:"Your email will be shutdown"; fast_pattern; nocase; distance:0; content:"ForeColor"; distance:0; content:"It is finally here"; nocase; distance:0; content:"advised to run a total scan"; nocase; distance:0; classtype:social-engineering; sid:2031992; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Login Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Email-login"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"Powered By|3a|"; nocase; distance:0; content:"Sign in to your account"; nocase; distance:0; content:"Email address|3a|"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; classtype:social-engineering; sid:2031993; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?profile="; content:"&ddager="; distance:0; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4027e40dc474f595d46a59f2eaaa4e8d; classtype:command-and-control; sid:2028919; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Initial Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=new&username="; distance:0; content:"&computername="; distance:0; content:"&os="; distance:0; content:"&architecture="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:command-and-control; sid:2022862; rev:3; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2020_07_14;)
 
@@ -36294,23 +34956,35 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Sending K
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS RAM Scraper Sending Details"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"add&log="; distance:0; content:"&foundin="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022872; rev:3; metadata:created_at 2016_06_07, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Criptobit/Mobef Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a="; pcre:"/\.php\?a=\d{5,10}.+\x3a\d\x3a\d\x3a\d\.\d\x3a\d$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) Edge/13.10586"; fast_pattern; bsize:55; reference:md5,c90a8039f330ba6660a91113f6c53685; classtype:command-and-control; sid:2022845; rev:5; metadata:created_at 2016_05_31, former_category MALWARE, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Criptobit/Mobef Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a="; pcre:"/\.php\?a=\d{5,10}.+\x3a\d\x3a\d\x3a\d\.\d\x3a\d$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) Edge/13.10586"; fast_pattern; bsize:55; reference:md5,c90a8039f330ba6660a91113f6c53685; classtype:command-and-control; sid:2022845; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor/CryptON Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=8ACEFC"; offset:1; depth:7; fast_pattern; pcre:"/=8ACEFC[0-9A-F]{150,}$/"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,5ee28035c56c048580c64b67ec4f2124; classtype:command-and-control; sid:2022875; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DrSpam Phishing Landing 2016-06-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"drspam_form"; nocase; fast_pattern; content:"drspam_mail"; nocase; distance:0; content:"drspam_pass"; nocase; distance:0; content:"haxor"; nocase; distance:0; classtype:social-engineering; sid:2031994; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor/CryptON Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=8ACEFC"; offset:1; depth:7; fast_pattern; pcre:"/=8ACEFC[0-9A-F]{150,}$/"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,5ee28035c56c048580c64b67ec4f2124; classtype:command-and-control; sid:2022875; rev:2; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2020_07_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DrSpam Phishing Landing CSS 2016-06-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"input.drspam"; nocase; fast_pattern; content:"select.drspam"; nocase; distance:0; content:"input.haxor"; nocase; distance:0; content:".boody"; nocase; distance:0; content:".contens"; nocase; distance:0; classtype:social-engineering; sid:2031995; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DrSpam Phish 2016-06-08 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"drspam_mail="; nocase; depth:12; fast_pattern; content:"&drspam_pass="; nocase; distance:0; classtype:credential-theft; sid:2031996; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DrSpam Phish 2016-06-08 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"drspam_name="; nocase; depth:12; fast_pattern; content:"&drspam_dob"; nocase; distance:0; content:"&drspam_adrs"; nocase; distance:0; content:"&drspam_acc"; nocase; distance:0; classtype:credential-theft; sid:2031997; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qarallax RAT Downloading Modules"; flow:to_server,established; http.method; content:"GET"; http.host; content:"qarallax.com"; endswith; fast_pattern; http.user_agent; content:"Java/"; startswith; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022881; rev:3; metadata:created_at 2016_06_08, updated_at 2020_07_14;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; http.uri; content:".exe"; http.host; content:"a.pomf.cat"; fast_pattern; bsize:10; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:3; metadata:created_at 2016_06_09, former_category CURRENT_EVENTS, updated_at 2020_07_14;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-06-09 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; nocase; fast_pattern; content:"&reason="; nocase; distance:0; content:"&portal="; nocase; distance:0; content:"&dltoken"; nocase; distance:0; http.header; content:".php?LOB="; http.request_body; content:"user="; nocase; depth:5; content:"&pass="; nocase; classtype:credential-theft; sid:2032016; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-06-09 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; nocase; fast_pattern; content:"&reason="; nocase; distance:0; content:"&portal="; nocase; distance:0; content:"&dltoken"; nocase; distance:0; http.header; content:".php?LOB="; http.request_body; content:"acct1="; nocase; depth:6; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032017; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bolek HTTP Checkin"; flow: to_server,established; http.method; content:"GET"; http.uri; pcre:"/\?[a-f0-9]{32}$/i"; http.user_agent; content:"Client 1.2"; fast_pattern; bsize:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:command-and-control; sid:2022889; rev:3; metadata:created_at 2016_06_10, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"ps0="; depth:4; fast_pattern; content:"&ps1="; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:command-and-control; sid:2017371; rev:12; metadata:created_at 2013_05_15, former_category MALWARE, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"ps0="; depth:4; fast_pattern; content:"&ps1="; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:command-and-control; sid:2017371; rev:12; metadata:created_at 2013_05_16, former_category MALWARE, updated_at 2020_07_14;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Validate/valsrv"; bsize:16; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030526; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EvilNum CnC Checkin Response"; flow:established,to_client; http.response_body; content:"youwillnotfindthisanywhare"; bsize:<50; fast_pattern; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030527; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getid"; bsize:15; fast_pattern; http.request_body; content:"action="; startswith; content:"&computer_name="; distance:0; content:"&username="; distance:0; content:"&version="; distance:0; content:"&cli="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030528; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getid"; bsize:15; fast_pattern; http.request_body; content:"action="; startswith; content:"&computer_name="; distance:0; content:"&username="; distance:0; content:"&version="; distance:0; content:"&cli="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030528; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getcommand"; bsize:20; fast_pattern; http.request_body; content:"action="; startswith; content:"&uid="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030529; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
@@ -36320,25 +34994,41 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Error
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ma Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2030518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ma Domain 2020-07-15"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ma"; endswith; fast_pattern; classtype:credential-theft; sid:2030519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ma Domain 2020-07-15"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ma"; endswith; fast_pattern; classtype:credential-theft; sid:2030519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Outbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; distance:0; within:50; fast_pattern; classtype:bad-unknown; sid:2030520; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+alert tcp any any -> any 53 (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M1"; flow:established,to_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030524; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
 
-#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Inbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; distance:0; within:50; fast_pattern; classtype:bad-unknown; sid:2030521; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+alert tcp any 53 -> any any (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M2"; flow:established,from_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030525; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Outbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; distance:0; within:50; classtype:bad-unknown; sid:2030522; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Banker.DH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|ru|3b 20|rv|3a|1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"; fast_pattern; bsize:104; http.request_body; content:"id="; depth:3; nocase; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,39519ff5bddd6d0eee032232349fe0a6; classtype:command-and-control; sid:2022811; rev:4; metadata:created_at 2016_05_17, former_category MALWARE, updated_at 2020_07_15;)
 
-#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Inbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; distance:0; within:50; fast_pattern; classtype:bad-unknown; sid:2030523; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypren/Zcrypt Ransomware Checkin"; flow:established,to_server; http.uri; content:".php?computerid="; pcre:"/\.php\?computerid=[a-fA-F0-9]{32}&(?:public|private)=\d$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7efb738c2b04aacdd3354d590cb3df47; classtype:command-and-control; sid:2022897; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> any 53 (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M1"; flow:established,to_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030524; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/RAA Ransomware check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"|20|- RAA"; fast_pattern; http.header; content:"WinHttp.WinHttpRequest"; reference:md5,535494aa6ce3ccef7346b548da5061a9; classtype:trojan-activity; sid:2022899; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any 53 -> any any (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M2"; flow:established,from_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030525; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"id="; nocase; depth:3; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031568; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Banker.DH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|ru|3b 20|rv|3a|1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"; fast_pattern; bsize:104; http.request_body; content:"id="; depth:3; nocase; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,39519ff5bddd6d0eee032232349fe0a6; classtype:command-and-control; sid:2022811; rev:4; metadata:created_at 2016_05_17, former_category MALWARE, updated_at 2020_07_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031566; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_12_25, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypren/Zcrypt Ransomware Checkin"; flow:established,to_server; http.uri; content:".php?computerid="; pcre:"/\.php\?computerid=[a-fA-F0-9]{32}&(?:public|private)=\d$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7efb738c2b04aacdd3354d590cb3df47; classtype:command-and-control; sid:2022897; rev:3; metadata:created_at 2016_06_14, former_category MALWARE, updated_at 2020_07_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Termination Phishing Landing 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Protect"; nocase; distance:0; fast_pattern; content:"TERMINATION REQUEST"; nocase; distance:0; content:"Enter Your Email"; nocase; distance:0; content:"Disable Your Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2032018; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/RAA Ransomware check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"|20|- RAA"; fast_pattern; http.header; content:"WinHttp.WinHttpRequest"; reference:md5,535494aa6ce3ccef7346b548da5061a9; classtype:trojan-activity; sid:2022899; rev:3; metadata:created_at 2016_06_15, updated_at 2020_07_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Phishing Landing 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title> Webmail|20 3a 3a|"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"account from virus threats"; nocase; distance:0; content:"Secured by Webmail Security Systems"; nocase; distance:0; classtype:social-engineering; sid:2032019; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wildblue/CenturyLink Phish 2015-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&source="; nocase; distance:0; classtype:credential-theft; sid:2031794; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Vmware/Zimbra Phish 2015-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"username="; depth:9; fast_pattern; content:"&username"; distance:0; content:"&password="; distance:0; content:"&client="; distance:0; classtype:credential-theft; sid:2031730; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Microsoft Encrypted Email Phishing Landing 2016-06-23"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/microsoft.secure.encrypted"; fast_pattern; nocase; classtype:social-engineering; sid:2032020; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Data Submitted to yolasite.com"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.header; content:"forms.yola.com"; fast_pattern; http.request_body; content:"user"; nocase; content:"word"; distance:0; nocase; classtype:social-engineering; sid:2032021; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2016-06-27"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Signin Template"; nocase; fast_pattern; content:"Please upgrade your mailbox"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"upgrade account"; nocase; distance:0; classtype:social-engineering; sid:2032022; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M1"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Upgrade"; nocase; fast_pattern; content:"form class=|22|form-signin"; nocase; distance:0; content:"Please wait"; nocase; distance:0; content:"id=|22|success"; nocase; distance:0; content:"Email account upgraded"; nocase; distance:0; classtype:credential-theft; sid:2032023; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; http.header; content:".php?userid="; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&submit=upgrade+account"; nocase; distance:0; classtype:credential-theft; sid:2032024; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to MyFreeSites.com - Possible Phishing"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/form/Submit"; fast_pattern; http.header; content:"myfreesites.net|0d 0a|"; content:"X-Requested-With|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; content:"{|22|siteID|22 3a|"; depth:10; http.accept; content:"application/json, text/javascript"; startswith; http.content_type; content:"application/json"; startswith; classtype:trojan-activity; sid:2032025; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET USER_AGENTS SAP CVE-2020-6287 PoC UA Observed"; flow:established,to_server; http.user_agent; content:"CVE-2020-6287|20|PoC"; endswith; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; classtype:attempted-recon; sid:2030548; rev:1; metadata:created_at 2020_07_16, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
 
@@ -36378,7 +35068,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"Priv8 (Mailer Inbox Sender"; distance:0; content:"SMTP SETUP</font>"; distance:0; classtype:web-application-attack; sid:2030546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NEWPASS CnC Client Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"newpass="; startswith; content:"&server_page="; distance:0; content:"&passdb="; distance:0; content:"&targetlogin="; distance:0; fast_pattern; content:"&table_data="; distance:0; reference:url,www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/; classtype:command-and-control; sid:2030557; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NEWPASS CnC Client Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"newpass="; startswith; content:"&server_page="; distance:0; content:"&passdb="; distance:0; content:"&targetlogin="; distance:0; fast_pattern; content:"&table_data="; distance:0; reference:url,www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/; classtype:command-and-control; sid:2030557; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_17, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Outbound RRSIG DNS Query Observed"; content:"|00 00 2e 00 01|"; fast_pattern; classtype:bad-unknown; sid:2030555; rev:1; metadata:created_at 2020_07_17, updated_at 2020_07_17;)
 
@@ -36392,22 +35082,34 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Susp
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ALFA TEaM Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"ALFA TEaM Shell"; nocase; fast_pattern; pcre:"/^\s*\-\s*/R"; classtype:web-application-attack; sid:2029866; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_07_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Satana Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/add.php"; http.request_body; content:"id="; depth:3; content:"&code="; distance:0; content:"&sdata="; distance:0; content:"&name="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,d236fcc8789f94f085137058311e848b; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware; classtype:command-and-control; sid:2022929; rev:3; metadata:created_at 2016_06_30, former_category MALWARE, updated_at 2020_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Satana Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/add.php"; http.request_body; content:"id="; depth:3; content:"&code="; distance:0; content:"&sdata="; distance:0; content:"&name="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,d236fcc8789f94f085137058311e848b; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware; classtype:command-and-control; sid:2022929; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Landing 2016-07-05"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.uri; content:"/usaa.com"; pcre:"/\/usaa\.com(?:\.|-)(?:sec(?:ure)?|inet|ent)(?:\.|-)/i"; classtype:social-engineering; sid:2032026; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Excel Add-in Download M1"; flow:to_server,established; http.uri; content:".xla"; nocase; endswith; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Excel Add-in Download M2"; flow:to_server,established; http.header; content:".xla"; nocase; pcre:"/Content-Disposition\x3a[^\r\n]*?\.xla[\s\x22\x27]/i"; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022966; rev:3; metadata:created_at 2016_07_13, former_category INFO, updated_at 2020_07_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ranscam Ransomware Contact Form"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Hotmail Phish 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login="; depth:6; content:"&passwd="; fast_pattern; nocase; distance:0; content:"&SI=Sign+in"; nocase; distance:0; classtype:credential-theft; sid:2032027; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ranscam Ransomware Contact Form"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Razy.azv Downloading Content"; flow:established,to_server; http.uri; content:".so"; endswith; pcre:"/\/(?:tr(?:_w)?|ft)\.so$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept"; nocase; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022969; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, malware_family Razy, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Synchronize Email Account Phishing Landing 2016-07-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Login to continue"; nocase; fast_pattern; content:"Global E-mail Server"; nocase; distance:0; content:"Synchronize your e-mail"; nocase; distance:0; content:"avoid deactivation"; nocase; distance:0; content:"registered email"; nocase; distance:0; content:"enter the matching password"; nocase; distance:0; content:"Synchronize My Account"; nocase; distance:0; classtype:social-engineering; sid:2032028; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail account"; nocase; fast_pattern; content:"Webmail Account"; nocase; distance:0; content:"for upgrade in your webmail"; nocase; distance:0; content:"check the required"; nocase; distance:0; content:"Confirm Passw"; nocase; distance:0; classtype:social-engineering; sid:2032029; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Account Phish 2016-07-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?src="; content:"&username="; nocase; distance:0; http.referer; content:".php?src="; nocase; content:"&username="; nocase; http.request_body; content:"username="; depth:9; fast_pattern; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032030; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,886] (msg:"ET MALWARE Win32/PSW.Agent.OIN CnC Activity"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.9|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36|0d 0a|Content-Length|3a 20|"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:!"&"; pcre:"/^(?:[a-zA-Z0-9+/\x20]{4})*(?:[a-zA-Z0-9+/\x20]{2}==|[a-zA-Z0-9+/\x20]{3}=|[a-zA-Z0-9+/\x20]{4})$/"; reference:md5,4589aaf8f84c91c5e290ddebcc368342; classtype:command-and-control; sid:2030560; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)"; flow:established,to_server; content:"|23 23 24 23 23 0d 0a|"; within:20; dsize:<190; reference:md5,f50a94513fd739f5f40a57879e2f3cff; classtype:trojan-activity; sid:2030558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, signature_severity Major, updated_at 2020_07_20;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)"; flow:established,to_client; content:"|23 23 24 23 23 0d 0a|"; within:20; dsize:<190; reference:md5,f50a94513fd739f5f40a57879e2f3cff; classtype:trojan-activity; sid:2030559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_20;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Project Plague CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; content:"&ip="; distance:0; content:"&os=Microsoft"; distance:0; fast_pattern; content:"&ram="; distance:0; content:"&cpu="; distance:0; content:"&av="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,0934bf4d962c598c405f8f085377529d; reference:url,twitter.com/c3rb3ru5d3d53c/status/1371174503129219081; classtype:command-and-control; sid:2032004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_20;)
+
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"funnymemos.shop"; bsize:15; classtype:domain-c2; sid:2030561; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"trythisshop.club"; bsize:16; classtype:domain-c2; sid:2030562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
@@ -36416,16 +35118,20 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Cn
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"shopoholics.best"; bsize:16; classtype:domain-c2; sid:2030564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Tripod/Lycos Form Submission - Possible Successful Phish"; flow:from_client,established; http.method; content:"POST"; http.uri; content:"/_zbl.ajax?m="; depth:13; fast_pattern; content:"&a=addResponse"; distance:0; http.header; content:".tripod.com|0d 0a|"; content:".tripod.com"; http.request_body; content:"data|25|5Bresponse|25|5D|25|5B"; depth:21; classtype:credential-theft; sid:2032015; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com (set) 2016-03-31"; flow:to_server,established; flowbits:set,ET.tripod.phish; flowbits:noalert; http.method; content:"GET"; http.header; content:"tripod.com|0d 0a|"; fast_pattern; classtype:social-engineering; sid:2032012; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
+
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (PHP)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=@eval"; depth:9; content:"base64_decode"; distance:0; content:"&action="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022976; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (aspx)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=Response.Write"; depth:18; fast_pattern; content:"eval"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022977; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-20"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|3a 3a|WEBMAIL"; nocase; fast_pattern; content:"Sign in to Update Your Account"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Webmail Admin"; nocase; distance:0; classtype:social-engineering; sid:2032031; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2016-07-21 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern; nocase; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; classtype:social-engineering; sid:2022980; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil Monero Cryptocurrency Miner Request Pools"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<HTML>|0d 0a|<HEAD>|0d 0a|<BODY>|0d 0a|<DIV"; depth:28; content:"|0d 0a|899@"; distance:0; content:"0.rn,9.re9899@n&9,bgggs"; distance:0; fast_pattern; reference:md5,848720742b957d27f6ee94b9fe4126f0; reference:url,www.fireeye.com/blog/threat-research/2016/06/resurrection-of-the-evil-miner.html; classtype:trojan-activity; sid:2022982; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downer.B Variant Checkin"; flow:established,to_server; http.request_line; content:"GET /client/ad/"; startswith; fast_pattern; content:"winver="; distance:0; content:"&sdsoft="; distance:0; content:"&webid="; distance:0; content:"&channelid="; distance:0; content:"&softid"; distance:0; content:"&usesnum="; distance:0; content:"&mac="; distance:0; content:"&filename="; distance:0; reference:md5,fa304e71504863f32e6f9032b772cea1; classtype:pup-activity; sid:2030565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_07_21;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"circleoccupy.best"; bsize:17; classtype:domain-c2; sid:2030566; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"papuanewguinew.club"; bsize:19; classtype:domain-c2; sid:2030567; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
@@ -36450,7 +35156,7 @@ alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SA
 
 alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Success"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; content:"Add|20|user|20|success"; distance:0; flowbits:isset,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030579; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Saved Website Comment Observed"; flow:established,to_client; flowbits:isset,ET.genericphish; file.data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https?\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:credential-theft; sid:2030574; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Saved Website Comment Observed"; flow:established,to_client; flowbits:isset,ET.genericphish; file.data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https?\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:credential-theft; sid:2030574; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Probe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CTCWebService/CTCWebServiceBean"; fast_pattern; flowbits:set,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030576; rev:2; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
 
@@ -36462,11 +35168,7 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Age
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Scylla/"; fast_pattern; classtype:web-application-attack; sid:2030584; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_23, deployment Perimeter, signature_severity Major, updated_at 2020_07_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Redeye Phish 2020-07-24"; flow:to_server,established; flowbits:isset,ET.genericphish; http.uri; content:"/redeye/"; fast_pattern; nocase; content:".php"; distance:0; isdataat:!1,relative; classtype:credential-theft; sid:2030587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_24;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL LOGIn"; nocase; fast_pattern; classtype:web-application-attack; sid:2030588; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_07_24;)
-
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL LOGIn"; nocase; fast_pattern; classtype:web-application-attack; sid:2030589; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Redeye Phish 2020-07-24"; flow:to_server,established; flowbits:isset,ET.genericphish; http.uri; content:"/redeye/"; fast_pattern; nocase; content:".php"; distance:0; isdataat:!1,relative; classtype:credential-theft; sid:2030587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>[ RC-SHELL v"; nocase; fast_pattern; classtype:web-application-attack; sid:2030590; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
@@ -36476,17 +35178,37 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshe
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|0d 0a 09|<form method=|22|POST|22|>|0d 0a 09 09|Password|3a 20 0d 0a 09 09|"; nocase; content:"name=|22|password|22|>|0d 0a 09 09|<input type=|22|submit|22 20|value=|22|>>|22|>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030593; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Critical, updated_at 2020_07_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (.NET Framework Client)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|.NET Framework Client|0d 0a|"; classtype:bad-unknown; sid:2030586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (.NET Framework Client)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|.NET Framework Client|0d 0a|"; classtype:bad-unknown; sid:2030586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Website Ransomnote Accessed on External Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030595; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Website Ransomnote Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030596; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish 2020-07-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; startswith; content:"&paswd="; distance:0; classtype:credential-theft; sid:2031874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"ja=userAgent"; nocase; depth:12; fast_pattern; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032032; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"mail="; nocase; depth:5; fast_pattern; content:"&name="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&address="; nocase; distance:0; classtype:credential-theft; sid:2032033; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"ssn="; nocase; depth:4; fast_pattern; content:"&cnum="; nocase; distance:0; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032034; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Mobile Phishing Landing 2016-08-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"content=|22|Please verify"; nocase; content:"<meta name=|22|apple-mobile"; nocase; distance:0; content:"<title>Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; classtype:social-engineering; sid:2025670; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Radonskra.B C2 Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&os=Windows"; nocase; content:"&mac="; nocase; content:"&lua="; nocase; content:"&firewall="; nocase; content:"&antivirus="; nocase; content:"&antispyware"; nocase; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,9d6b99e87faa3f7a23adef5031bd598b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fRadonskra.B; classtype:command-and-control; sid:2023033; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v"; depth:2; content:"/lady_"; distance:0; fast_pattern; pcre:"/^\/v\d+\/lady_[ix]/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023035; rev:3; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v"; depth:2; content:"/lady_"; distance:0; fast_pattern; pcre:"/^\/v\d+\/lady_[ix]/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023035; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/EMS Documents Phishing Landing 2016-08-10"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>EMS |7c 20|Tracking"; fast_pattern; nocase; content:"<title>TRADE FILE"; nocase; distance:0; content:"Sign In Your"; nocase; distance:0; content:"example777@domain.com"; nocase; distance:0; content:"PASSWORD"; nocase; distance:0; classtype:social-engineering; sid:2032035; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Credential POST to FormBuddy.com - Possible Phishing Aug 10 2016"; flow:to_server,established; urilen:16; http.method; content:"POST"; http.uri; content:"/cgi-bin/form.pl"; fast_pattern; http.host; content:"formbuddy.com"; endswith; http.request_body; content:"username="; depth:9; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:social-engineering; sid:2032036; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Tectite Web Form Abuse"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=|22|bad_url|22|"; fast_pattern; content:"name=|22|subject|22|"; content:"name=|22|recipients|22|"; content:"name=|22|env_report|22|"; content:"REMOTE_HOST,REMOTE_ADDR"; content:"AUTH_TYPE,REMOTE_USER"; content:"name=|22|good_url|22|"; content:"<input type=|22|password"; classtype:social-engineering; sid:2032037; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Tectite Web Form Submission - Possible Phishing"; flow:from_server,established; http.stat_code; content:"302"; file.data; content:"<title>Form Submission Succeeded"; fast_pattern; content:"Please wait while you are redirected"; distance:0; content:"www.tectite.com"; distance:0; classtype:credential-theft; sid:2032038; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing Common CSS 2016-08-10"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"background-color|3a 20|#EAEAEA"; nocase; content:"#pdf_holder"; nocase; distance:0; content:"background-color|3a 20|#DADADA"; nocase; distance:0; content:"background-color|3a 20|#069"; nocase; distance:0; content:"#errfnn"; fast_pattern; nocase; distance:0; content:"background-color|3a 20|#A51505"; nocase; distance:0; classtype:social-engineering; sid:2032039; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Gmail Phish M1 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Gmail Veri"; fast_pattern; nocase; content:"All of Google"; nocase; distance:0; content:"Verified, secured and updated"; nocase; distance:0; content:"You will will be instructed to login shortly"; nocase; distance:0; classtype:credential-theft; sid:2032040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (err.mp3) 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2023055; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
@@ -36504,103 +35226,239 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Susp
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (cso)"; flow:established,to_server; http.user_agent; content:"cso v"; startswith; fast_pattern; pcre:"/^[0-9][0-9]?\.[0-9][0-9]?$/R"; reference:md5,5640851c35221c3ae7bbde053d1bb38e; reference:url,app.any.run/tasks/d94c1428-253d-432a-be65-53ea3a0505f4/; classtype:trojan-activity; sid:2030600; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=SendFileZIPBoundary|0d 0a|"; depth:65; http.user_agent; content:"uploader"; depth:8; endswith; http.request_body; content:"form-data|3b 20|name=|22|fileToUpload|22 3b 20|filename=|22|zipfile.zip"; fast_pattern; reference:md5,fe15986992ef7dd209047deec2851e2e; classtype:command-and-control; sid:2034324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_07_27;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Symantec Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Symantec.Site.Download; flowbits:noalert; http.host; content:".symantec.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:misc-activity; sid:2023067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2020_07_27;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing M1 2016-08-16"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Confirm your identity"; nocase; distance:0; content:"data|3a|image/jpeg|3b|base64"; nocase; distance:0; classtype:social-engineering; sid:2032042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2016-08-17"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:social-engineering; sid:2023073; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Docusign Phish M1 2016-08-17"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta HTTP-EQUIV="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"<title>Error"; nocase; fast_pattern; distance:0; content:"MM_preloadImages"; nocase; distance:0; content:"Try Again"; nocase; distance:0; content:"This page will redirect"; nocase; distance:0; classtype:credential-theft; sid:2032043; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; content:"&2="; distance:0; content:"&4="; distance:0; content:"&5="; distance:0; content:"&6="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023076; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo C2 Response"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo C2 Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; content:!"&2="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023078; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing 2016-08-19"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe"; nocase; fast_pattern; content:"MM_reloadPage"; nocase; distance:0; content:"someone@example.com"; nocase; distance:0; classtype:social-engineering; sid:2032044; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, performance_impact Low, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Universal Webmail Phishing Landing 2016-08-19"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Universal Webmail"; fast_pattern; content:"de e-mail e senha para verificar"; nocase; distance:0; content:"/CMD_LOST_PASSWORD"; nocase; distance:0; classtype:social-engineering; sid:2032045; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, performance_impact Low, tag Phishing, updated_at 2020_07_27;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker Downloading Modules"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/system/MA-"; depth:11; fast_pattern; content:".dll"; pcre:"/\/(?:IUpdate|fbclient|IETask|Mixeds|Ubuntu10)\.dll$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,260a7aab3d29ed4bce9ac35002361a87; classtype:trojan-activity; sid:2023082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 2"; flow:established,to_server; http.uri; content:".html?a="; fast_pattern; content:"&b="; distance:0; content:"&nocache="; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023132; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Data Submitted to yolasite.com M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; http.request_body; content:"user"; nocase; content:"pass"; distance:0; nocase; classtype:social-engineering; sid:2032046; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Email Account Phishing Landing 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Recover Account"; fast_pattern; nocase; content:"Account Might Become Blocked"; nocase; distance:0; content:"these are all due to end user misuse"; nocase; distance:0; content:"email validation takes after one hour"; nocase; distance:0; classtype:social-engineering; sid:2032047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Blocked Email Account Phish M2 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Recover Account"; fast_pattern; nocase; content:"Account Might Become Blocked"; nocase; distance:0; content:"has been fixed successfully"; nocase; distance:0; content:"making us serve you better"; nocase; distance:0; classtype:credential-theft; sid:2032048; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Targeted Office 365 Phishing Landing 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<html dir=|22|ltr|22|"; content:"microsoftonline-p.com"; nocase; distance:0; content:"|61 63 74 69 6f 6e 3d 22 2f 61 75 74 68 74 72 75 65 2e 61 73 70 78 3f|"; fast_pattern; distance:0; classtype:social-engineering; sid:2032049; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Password Strength Phishing Landing 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Confirm Password Strength"; fast_pattern; nocase; content:"yimg.com"; nocase; distance:0; content:"Yahoo Mail"; nocase; distance:0; content:"Strengthen your account"; nocase; distance:0; content:"confirm your password strength"; nocase; distance:0; classtype:social-engineering; sid:2032050; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Password Strength Phish M1 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&.scrumb="; nocase; distance:0; content:"&.partner="; nocase; distance:0; classtype:credential-theft; sid:2032051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Yahoo Password Strength Phish M2 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Success"; fast_pattern; nocase; content:"mail.yahoo.com"; nocase; distance:0; content:"Account Authenticated"; nocase; distance:0; content:"confirming your password"; nocase; distance:0; content:"secured by Yahoo"; nocase; distance:0; classtype:credential-theft; sid:2032053; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Team IPwned Phish 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"=Team&"; nocase; content:"=IPwned&"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032052; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2016-08-25"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Function disabled by ALIBOBO"; nocase; content:"<title>My Drive"; fast_pattern; nocase; content:"You are not logged in"; nocase; distance:0; classtype:social-engineering; sid:2032054; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 2"; flow:established,to_server; http.uri; content:".html?a="; fast_pattern; content:"&b="; distance:0; content:"&nocache="; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023132; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 5"; flow:established,to_server; http.uri; content:"Tring to download bundle(try|3a|"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023136; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M1 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/chaseonline.chase.com/"; nocase; fast_pattern; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2032055; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M3 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/online.chase.com/"; nocase; fast_pattern; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2032056; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M4 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__LASTFOCUS="; depth:12; fast_pattern; content:"&auth_userId="; nocase; distance:0; content:"&auth_contextId=login"; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032057; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 5"; flow:established,to_server; http.uri; content:"Tring to download bundle(try|3a|"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023136; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Form Data Submitted to yolasite.com - Possible Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; classtype:trojan-activity; sid:2023139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Form Data Submitted to yolasite.com - Possible Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; classtype:trojan-activity; sid:2023139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 1"; flow:established,to_server; http.uri; content:".html&nocache="; content:!"&"; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023131; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 1"; flow:established,to_server; http.uri; content:".html&nocache="; content:!"&"; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023131; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Logging in - PayPal"; nocase; fast_pattern; content:"<meta http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; content:"url=websc-"; nocase; distance:0; classtype:credential-theft; sid:2032059; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Websc Phishing Page 2016-02-05"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/websc-"; nocase; fast_pattern; pcre:"/^(?:l(?:o(?:ading|gin)|imited)|(?:proccess|card)ing|b(?:illing|ank)|success)\.php/R"; classtype:social-engineering; sid:2032014; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/w00tw00t."; nocase; depth:10; reference:url,doc.emergingthreats.net/2010794; classtype:attempted-recon; sid:2010794; rev:9; metadata:created_at 2010_07_30, updated_at 2020_07_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DMA Locker CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action="; fast_pattern; content:!".aspx"; pcre:"/\?action=\d(&botId=[A-F0-9]{32})?$/i"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,050f04ed78e96418179228272998d87d; classtype:command-and-control; sid:2022873; rev:4; metadata:created_at 2016_06_07, former_category MALWARE, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TeamIPwned Phish 2016-08-30"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"hellion.php"; nocase; fast_pattern; classtype:credential-theft; sid:2025003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish OWA Credentials 2016-08-16"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"destination="; depth:12; nocase; fast_pattern; content:"&flags="; distance:0; nocase; content:"&forcedownlevel="; distance:0; nocase; content:"&trusted="; distance:0; nocase; content:"password"; distance:0; nocase; classtype:credential-theft; sid:2032041; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TeamIPwned/Hellion Phishing Landing 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"HELLION PROUDLY PRESENTS"; fast_pattern; content:"brought to you by Hellion"; nocase; distance:0; content:"teamipwned"; nocase; distance:0; content:"Do not touch anything"; nocase; distance:0; classtype:social-engineering; sid:2032060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TeamIPwned Phish 2016-08-30"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"hellion.php"; nocase; fast_pattern; classtype:credential-theft; sid:2025003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful CIBC Phish 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Online Banking"; fast_pattern; nocase; content:"Online Banking Verification"; nocase; distance:0; content:"Verifying your CIBC Online Banking"; nocase; distance:0; content:"Please enter your personal information"; nocase; distance:0; content:"Social Insurance Number"; nocase; distance:0; classtype:credential-theft; sid:2032061; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-loading.php?Go=_Login_Success"; depth:36; fast_pattern; http.header; content:"/websc-"; http.request_body; content:"&Log+In=Log+In"; classtype:credential-theft; sid:2032062; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Dropbox Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"_csp_external_script_nonce"; content:!"when_ready_configure_requirejs"; distance:0; content:!"DETERMINISTIC_MONKEY_CHECK"; distance:0; classtype:social-engineering; sid:2025659; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>DHL|20 7c 20|"; nocase; fast_pattern; content:"<title>TRADE FILE"; nocase; distance:0; content:"Secured To Your Email"; nocase; distance:0; content:"Enter Your Email Password"; nocase; distance:0; classtype:social-engineering; sid:2032063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Google Docs Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Google Docs"; fast_pattern; within:20; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"<title>|0a 20 20 20 20 20 20|Google Docs"; classtype:social-engineering; sid:2025669; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; content:"dropbox.com"; nocase; distance:0; content:"<title>Loading"; fast_pattern; nocase; distance:0; content:"Please Wait"; nocase; distance:0; content:"servers are currently busy"; nocase; distance:0; classtype:credential-theft; sid:2032064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Yahoo Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Yahoo - login"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"origin-when-cross-origin"; content:!"var MBR_config = {"; classtype:social-engineering; sid:2032058; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Google Docs Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Google Docs"; fast_pattern; within:20; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"<title>|0a 20 20 20 20 20 20|Google Docs"; classtype:social-engineering; sid:2025669; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phish Landing 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"kooltuo"; nocase; distance:0; classtype:social-engineering; sid:2025684; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe PDF"; fast_pattern; nocase; content:"formbreeze_email"; nocase; distance:0; content:"formbreeze_filledin"; nocase; distance:0; content:"emailCheck"; nocase; distance:0; classtype:social-engineering; sid:2032065; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing M2 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Authentication Is Required"; nocase; distance:0; content:"For security reasons"; nocase; distance:0; content:"confirm your email to view document"; nocase; distance:0; classtype:social-engineering; sid:2032066; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Alibaba"; nocase; fast_pattern; content:"validateForm"; nocase; distance:0; content:"Password is Empty"; nocase; distance:0; content:"Password is Too Short"; nocase; distance:0; content:"Login to Message Center"; nocase; distance:0; classtype:social-engineering; sid:2032067; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook 365 Encrypted Email Phishing Landing M1 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Sign in - Encrypted mail"; nocase; fast_pattern; content:".password-revealer"; nocase; distance:0; content:"microsoftonline-p.com"; nocase; classtype:social-engineering; sid:2032068; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to Webeden.co.uk - Possible Phishing"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/_form/submit"; fast_pattern; http.request_body; content:"PageID="; depth:7; classtype:trojan-activity; sid:2032069; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to Weebly.com - Possible Phishing"; flow:to_server,established; urilen:27; http.method; content:"POST"; http.uri; content:"/weebly/apps/formSubmit.php"; fast_pattern; http.host; content:"weebly.com"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; classtype:trojan-activity; sid:2032070; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; http.server; file.data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passw"; distance:0; nocase; content:"=Sign+In"; distance:0; nocase; classtype:credential-theft; sid:2032071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M1 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"LOB=Logon"; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&ChangePassword"; distance:0; nocase; content:"NewPassword"; distance:0; nocase; classtype:credential-theft; sid:2032072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M2 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Change password"; nocase; fast_pattern; content:"ChangePasswordForm"; nocase; distance:0; content:"Outlook WebApp"; nocase; distance:0; content:"O365_MainLink"; nocase; distance:0; content:"ChangePasswordControl_PasswordRequirementText"; nocase; distance:0; content:"Incorrect password entered"; classtype:credential-theft; sid:2032073; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M3 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Change password"; nocase; fast_pattern; content:"Outlook WebApp"; nocase; distance:0; content:"O365_MainLink"; nocase; distance:0; content:"Remember your new password"; nocase; distance:0; content:"close this browser"; nocase; distance:0; classtype:credential-theft; sid:2032074; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Facebook - Log In"; fast_pattern; nocase; content:"background-image"; nocase; distance:0; content:"form-group"; nocase; distance:0; content:"class=|22|form-control|22|"; nocase; distance:0; content:"formValidation"; nocase; distance:0; classtype:social-engineering; sid:2032075; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Facebook Phish 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Facebook - Verification"; fast_pattern; nocase; content:"background-image"; nocase; distance:0; content:"<form name="; nocase; distance:0; content:"<input name="; nocase; distance:0; content:"Continue"; nocase; distance:0; classtype:credential-theft; sid:2032076; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; content:"_Product-UserID&userid="; distance:0; fast_pattern; http.request_body; content:"email="; depth:6; nocase; content:"&pass"; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/www.chase.com/"; fast_pattern; http.request_body; content:"&pas"; nocase; classtype:credential-theft; sid:2032102; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Validator Phish M2 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>..|3a 3a|Thank you"; nocase; fast_pattern; content:"email address|3a 3a|..</title>"; nocase; distance:0; classtype:credential-theft; sid:2032103; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Validator Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail Client Validator"; nocase; fast_pattern; content:"validate your account"; nocase; distance:0; content:"render your account"; nocase; distance:0; content:"Username"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2032104; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING iCloud Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2024230; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot?bid="; depth:9; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023155; rev:3; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, performance_impact Low, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot?bid="; depth:9; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023155; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Account Update Phishing Landing 2016-09-06"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Update Your User"; nocase; fast_pattern; content:"update your email"; nocase; distance:0; content:"Username"; nocase; distance:0; content:"Email Address"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm password"; nocase; distance:0; content:"Update My Details"; nocase; distance:0; classtype:social-engineering; sid:2032105; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/\x3b[a-f0-9]{32}/"; http.request_body; content:"eml="; depth:4; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032106; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 4"; flow:established,to_server; http.uri; content:".html?s="; fast_pattern; content:"&d="; distance:0; pcre:"/^[^&]+?\.html\?s=[^&]+?&d=$/"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023134; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 4"; flow:established,to_server; http.uri; content:".html?s="; fast_pattern; content:"&d="; distance:0; pcre:"/^[^&]+?\.html\?s=[^&]+?&d=$/"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023134; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Minimal HTTP Refresh to Googledrive.com - Possible Phishing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; http.header; pcre:"/Content\-Length\x3a\x20\d{3}\x0d\x0a/mi"; file.data; content:"<META HTTP-EQUIV="; nocase; content:"refresh"; distance:1; nocase; content:"googledrive.com"; distance:0; nocase; fast_pattern; within:50; classtype:trojan-activity; sid:2032107; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fedex Javascript Phishing Landing 2016-09-08"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; startswith; file.data; content:"click_to_download"; fast_pattern; nocase; content:"make_the_delay"; nocase; distance:0; content:"redirect_the"; nocase; distance:0; content:"now_download"; nocase; distance:0; content:"ajax"; nocase; distance:0; content:"POST"; nocase; distance:0; classtype:social-engineering; sid:2032108; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Microsoft Live Email Account Phish 2016-09-08"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"live.com"; within:50; content:"<title>Loading"; nocase; distance:0; fast_pattern; content:"verified successfully"; nocase; distance:0; classtype:credential-theft; sid:2032109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat Request (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.OSX.Mokes; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/v1"; http.header; content:"Safari/7046A194A|0d 0a|"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023182; rev:3; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2020_07_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plasmabot CnC Host Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"crypt="; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/plasma-http-botnet-steals-stored-passwords-chrome-filezilla; reference:md5,ffbf380abaa7c56b45edd2784feecf36; classtype:command-and-control; sid:2018393; rev:5; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2020_07_27;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"MAHDI_1="; depth:8; nocase; fast_pattern; content:"&MAHDI_2="; nocase; distance:0; classtype:credential-theft; sid:2032110; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SeniorPeopleMeet Phish M1 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"SkipCSSVerif="; depth:13; nocase; fast_pattern; content:"&FromLocation="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032111; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SeniorPeopleMeet Phish M2 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name="; depth:5; nocase; fast_pattern; content:"&cc1="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&s1="; nocase; distance:0; classtype:credential-theft; sid:2032112; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Quant Loader Download Response"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"dll=http"; depth:8; nocase; fast_pattern; content:"|3b|exe=http"; distance:0; nocase; content:"|3b|dll=http"; distance:0; nocase; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_07_27;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M1 2016-09-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:social-engineering; sid:2023235; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M2 2016-09-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:social-engineering; sid:2023236; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/images/"; fast_pattern; content:".gif"; distance:100; pcre:"/\/images(?:\/[a-zA-Z0-9_]+)+\.gif$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/mi"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021813; rev:7; metadata:created_at 2015_09_22, former_category MALWARE, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful View Samples Phish 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action=submit_form"; depth:19; nocase; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M2 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"lobIndicator="; depth:13; nocase; fast_pattern; content:"&ssn"; nocase; distance:0; content:"&acctnum="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; classtype:credential-theft; sid:2032115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"u_p="; depth:4; nocase; content:"&LOB="; nocase; distance:0; content:"&origination="; nocase; distance:0; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032114; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-09-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; content:"&password="; nocase; distance:0; content:"&requestCmdId="; nocase; distance:0; fast_pattern; content:"&reqcrda="; nocase; distance:0; content:"&NONCE="; nocase; distance:0; content:"&userType="; nocase; distance:0; classtype:credential-theft; sid:2032116; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Square Enix Phishing Domain 2016-08-15"; flow:to_server,established; http.method; content:"GET"; http.host; content:"square-enix.com"; fast_pattern; content:!"square-enix.com"; endswith; http.referer; content:!"square-enix.com"; classtype:social-engineering; sid:2023065; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-09-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?excel="; http.header; content:".php?excel="; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&excel="; nocase; distance:0; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2032117; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"os_version="; depth:11; fast_pattern; content:"os_version_full="; distance:0; content:"processorId="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,190c607ef81fa0c27fb1313df5f05266; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:command-and-control; sid:2023292; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M1"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_07_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M1"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M2"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030604; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_07_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M2"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030604; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M3"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030605; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_07_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M3"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030605; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M4"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030606; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_07_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M4"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030606; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Ostap CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?as="; content:"&kl="; distance:0; content:"&ed="; distance:0; content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:trojan-activity; sid:2030601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, signature_severity Major, updated_at 2020_07_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS/Ostap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=pro100zver.mskhost.pro"; nocase; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:domain-c2; sid:2030602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, signature_severity Major, updated_at 2020_07_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS/Ostap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=pro100zver.mskhost.pro"; nocase; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:domain-c2; sid:2030602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?ID=login&Key="; fast_pattern; content:"&path="; distance:0; http.request_body; content:"xuser="; depth:6; nocase; content:"&xpass="; nocase; distance:0; content:"&xbtn="; nocase; distance:0; classtype:credential-theft; sid:2032118; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030608; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_07_29;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030609; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Captcha Check"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Security Check"; content:"function verifyCaptcha()"; distance:0; content:"var blockerurl"; distance:0; content:"email_par"; distance:0; content:"window.location.replace(blockerurl+"; fast_pattern; distance:0; content:".php|22 20|onsubmit=|22|return verifyCaptcha()"; distance:0; classtype:social-engineering; sid:2030610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Captcha Check"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Security Check"; content:"function verifyCaptcha()"; distance:0; content:"var blockerurl"; distance:0; content:"email_par"; distance:0; content:"window.location.replace(blockerurl+"; fast_pattern; distance:0; content:".php|22 20|onsubmit=|22|return verifyCaptcha()"; distance:0; classtype:social-engineering; sid:2030610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-07-29)"; flow:established,to_client; tls.cert_subject; content:"CN=robotica.cl"; nocase; endswith; reference:md5,f68456251ffe11d49ccdd845bcc55365; classtype:domain-c2; sid:2030607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_07_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-07-29)"; flow:established,to_client; tls.cert_subject; content:"CN=robotica.cl"; nocase; endswith; reference:md5,f68456251ffe11d49ccdd845bcc55365; classtype:domain-c2; sid:2030607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Anuna PHP Backdoor Sucessful Exploit"; flow:established,from_server; flowbits:isset,ET.Anuna.Backdoor; http.stat_code; content:"200"; file.data; content:"cookie=4"; within:8; classtype:trojan-activity; sid:2023306; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"&email="; nocase; distance:0; http.request_body; content:"curl="; depth:5; nocase; content:"&flags="; nocase; distance:0; content:"&forcedownlevel="; nocase; distance:0; content:"&formdir="; nocase; distance:0; content:"&trusted="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&SubmitCreds="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?getinfo"; fast_pattern; http.request_body; content:"comid="; depth:6; nocase; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?action"; nocase; fast_pattern; http.request_body; content:"loginId="; depth:8; nocase; content:"&loginPd="; nocase; distance:0; classtype:credential-theft; sid:2032121; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.cookie; content:"__cfduid"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&pass="; nocase; distance:0; content:"&="; nocase; distance:0; classtype:credential-theft; sid:2032122; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Postbank Online Banking Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_loginForm_hf_0="; depth:21; nocase; content:"&jsDisabled="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&nutzername="; nocase; distance:0; fast_pattern; content:"&kennwort="; nocase; distance:0; content:"&loginButton="; nocase; distance:0; classtype:credential-theft; sid:2032123; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; content:"&id="; nocase; content:"&session="; nocase; http.request_body; content:"provider="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2023964; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Postbank Online Banking Phish M2 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_loginForm_hf_0="; depth:21; nocase; content:"&jsDisabled="; nocase; distance:0; content:"&validation="; nocase; distance:0; content:"&vorname="; nocase; distance:0; content:"&nachname="; nocase; distance:0; fast_pattern; content:"&street="; nocase; distance:0; content:"&plz="; nocase; distance:0; content:"&ort="; nocase; distance:0; content:"&bday="; nocase; distance:0; content:"&mobilenr="; nocase; distance:0; content:"&telepinalt="; nocase; distance:0; content:"&telepinneu="; nocase; distance:0; content:"&loginButton="; nocase; distance:0; classtype:credential-theft; sid:2032124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M1 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M2 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032098; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M3 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"E-mail"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032099; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-01-26"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2032100; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M1 2016-10-03"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"user name"; nocase; content:"email"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032125; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-10-03"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Nazwa uzytkownika"; nocase; content:"Email"; nocase; content:"Haslo"; fast_pattern; nocase; classtype:social-engineering; sid:2032126; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Byethost Phishing Redirect 2016-10-04"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Zhtml>"; depth:6; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"REFRESH"; nocase; distance:1; content:"|3b|url=http"; nocase; distance:0; content:"ZBODY>"; distance:0; classtype:social-engineering; sid:2032127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"&email="; nocase; distance:0; http.request_body; content:"curl="; depth:5; nocase; content:"&flags="; nocase; distance:0; content:"&forcedownlevel="; nocase; distance:0; content:"&formdir="; nocase; distance:0; content:"&trusted="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&SubmitCreds="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic OWA Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp"; nocase; pcre:"/\.asp$/"; http.header; content:".asp?form_id="; http.request_body; content:"form-data|3b 20|name=|22|submit|22|"; nocase; content:"form-data|3b 20|name=|22|form_id|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|depart_id|22|"; nocase; distance:0; content:"gadgetStyleBOO"; nocase; fast_pattern; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; content:"&id="; nocase; content:"&session="; nocase; http.request_body; content:"provider="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2023964; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.header; content:!"X-Trend-ActiveUpdate"; content:!"HTTrack"; http.user_agent; content:"Windows 98"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:22; metadata:created_at 2010_07_30, updated_at 2020_07_29;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing (DE) 2016-10-04"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>Mot de passe - PayPal"; nocase; fast_pattern; content:"PayPal est le moyen"; nocase; distance:0; content:"Bitte geben Sie Ihr Passwort"; nocase; distance:0; classtype:social-engineering; sid:2032129; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Fake Copyright Infringement Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"copyright infringement"; nocase; content:"Instagram account"; nocase; distance:0; content:"powered-by-000webhost"; distance:0; fast_pattern; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Script Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"<!-- SCRIPT BY"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php"; within:100; content:"powered-by-000webhost"; distance:0; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Script Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"<!-- SCRIPT BY"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php"; within:100; content:"powered-by-000webhost"; distance:0; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Let's Encrypt Certificate containing Instagram"; flow:established,to_client; tls.cert_subject; content:"instagram"; nocase; fast_pattern; tls.cert_issuer; content:"Let's Encrypt"; classtype:social-engineering; sid:2030619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Webmail Phishing Landing"; flow:to_client,established; file.data; content:"<title>EmaiI Securlty"; nocase; fast_pattern; classtype:credential-theft; sid:2030620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-07-30)"; flow:established,to_client; tls.cert_subject; content:"CN=ne-ba.org"; nocase; endswith; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2020_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-07-30)"; flow:established,to_client; tls.cert_subject; content:"CN=ne-ba.org"; nocase; endswith; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus APT MalDoc DL Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ne-ba.org"; bsize:9; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2020_07_30;)
 
@@ -36614,7 +35472,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Us
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY XenArmor Password Recovery License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xen-check-portable-license.php?key="; fast_pattern; http.user_agent; content:"Software License Checker"; bsize:24; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2030616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OILRIG CnC POST"; flow:established,to_server; content:"|3a 20|chrome|0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; content:"/?v="; startswith; http.header_names; content:"From|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.user_agent; content:"chrome"; bsize:6; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; reference:md5,acaff6cb817399848887caef0104bd03; classtype:command-and-control; sid:2030634; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OILRIG CnC POST"; flow:established,to_server; content:"|3a 20|chrome|0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; content:"/?v="; startswith; http.header_names; content:"From|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.user_agent; content:"chrome"; bsize:6; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; reference:md5,acaff6cb817399848887caef0104bd03; classtype:command-and-control; sid:2030634; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FormatFactory Install Checkin"; flow:established,to_server; http.request_line; content:"GET /ff/inst_stat?"; startswith; http.host; bsize:21; content:"server.pcfreetime.com"; reference:md5,3efa61c1ad1bc3a700563f54870676c3; classtype:pup-activity; sid:2030632; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_07_31;)
 
@@ -36626,25 +35484,79 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST Form Su
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST Form Submitted to Weebly Free Hosting"; flow:established,to_server; urilen:27; http.method; content:"POST"; http.uri; content:"/weebly/apps/formSubmit.php"; http.host; content:"www.weebly.com"; depth:14; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"|0d 0a|User-Agent|3a 20|app|0d 0a|"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|browser["; content:"]|22 3b 0d 0a|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot.png|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_07_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"|0d 0a|User-Agent|3a 20|app|0d 0a|"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|browser["; content:"]|22 3b 0d 0a|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot.png|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=bobpaceideas.xyz"; nocase; endswith; classtype:domain-c2; sid:2030627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/HadesLocker Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hwid="; depth:5; fast_pattern; content:"&tracking_id="; distance:0; content:"&usercomputername="; distance:0; content:"&ip="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,6970847bedab9ab83e69630d065ba67b; classtype:command-and-control; sid:2023481; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish M1 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; http.request_body; content:"showRmrMe="; depth:10; nocase; fast_pattern; content:"&openid.pape.max_auth_age="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&create="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032130; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; http.request_body; content:"cazanova_qus1="; depth:14; nocase; fast_pattern; content:"_ans1="; nocase; distance:0; content:"_qus2="; nocase; distance:0; content:"_ans2="; nocase; distance:0; content:"_mail="; nocase; distance:0; content:"_pass="; nocase; distance:0; classtype:credential-theft; sid:2032131; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orange (FR) Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"co="; depth:3; nocase; content:"&tt="; nocase; distance:0; content:"&tp="; nocase; distance:0; content:"&rl="; nocase; distance:0; content:"&sv="; nocase; distance:0; content:"&dp="; nocase; distance:0; content:"&rt="; nocase; distance:0; content:"&isconn="; nocase; distance:0; content:"&credential="; nocase; distance:0; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032132; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Supplier Portal Phish 2016-10-07"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>WebMail</title>"; fast_pattern; content:"<h1>Login Error"; nocase; distance:0; content:"go back and login again"; nocase; distance:0; content:"valid information"; nocase; distance:0; content:"datasheet with your company profile"; nocase; distance:0; content:"<!-- 0 -->"; distance:0; classtype:credential-theft; sid:2032133; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"UserID&userid="; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032134; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (FR) M1 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; content:"apple"; nocase; http.request_body; content:"donnee1="; depth:8; nocase; fast_pattern; content:"&donnee2="; nocase; distance:0; classtype:credential-theft; sid:2032135; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (FR) M2 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032136; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=bobpaceideas.xyz"; nocase; endswith; classtype:domain-c2; sid:2030627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2020_07_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-10"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=3d3d3d3d3d3d3d3d3d"; nocase; fast_pattern; distance:0; content:"4f6e6c6e654944"; nocase; distance:0; content:"50617373636f6465"; distance:0; content:"456d61696c"; nocase; distance:0; classtype:credential-theft; sid:2032137; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/HadesLocker Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hwid="; depth:5; fast_pattern; content:"&tracking_id="; distance:0; content:"&usercomputername="; distance:0; content:"&ip="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,6970847bedab9ab83e69630d065ba67b; classtype:command-and-control; sid:2023481; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_07_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&passwd="; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032138; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M2 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?email="; nocase; http.request_body; content:"continue="; depth:9; nocase; content:"&bgresponse="; nocase; distance:0; fast_pattern; content:"&phone="; nocase; distance:0; content:"&altemail="; nocase; distance:0; content:"&go="; nocase; distance:0; classtype:credential-theft; sid:2032139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Webeden.net 2016-10-13"; flow:to_client,established; flowbits:isset,ET.webeden.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"User name"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032140; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Infostealer.Snifula File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cgi"; http.header; content:"User-Agent|3a 20|IE|0d 0a|Host"; http.request_body; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be16b8d1b85843c89301f189b35c4963; classtype:trojan-activity; sid:2023337; rev:3; metadata:created_at 2016_10_14, updated_at 2020_07_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/victim.php?info="; fast_pattern; content:"&ip="; distance:0; pcre:"/\/victim\.php\?info=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&ip=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:command-and-control; sid:2023345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&service="; nocase; distance:0; content:"&ltmpl="; nocase; distance:0; content:"&Taju="; nocase; distance:0; fast_pattern; content:"&Tope="; nocase; distance:0; content:"&signIn="; nocase; distance:0; classtype:credential-theft; sid:2032141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.cookie; content:"PHPSESSID="; http.request_body; content:"login_email="; depth:12; nocase; fast_pattern; content:"&login_password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; content:"&fso="; nocase; distance:0; classtype:credential-theft; sid:2032142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; fast_pattern; content:"&DownTimeMessage="; nocase; distance:0; classtype:credential-theft; sid:2032143; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/victim.php?info="; fast_pattern; content:"&ip="; distance:0; pcre:"/\/victim\.php\?info=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&ip=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:command-and-control; sid:2023345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware Encrypting File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/savekey.php?file="; fast_pattern; content:"&id="; distance:0; pcre:"/\/savekey\.php\?file=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, malware_family Ransomware, malware_family CryPy, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_07_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware Encrypting File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/savekey.php?file="; fast_pattern; content:"&id="; distance:0; pcre:"/\/savekey\.php\?file=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryPy, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS User Agent (SQLi Injection / Scanning)"; flow:established,to_server; http.user_agent; content:"testitest"; fast_pattern; startswith; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2023351; rev:3; metadata:attack_target SQL_Server, created_at 2016_10_19, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|3d 30 78 30 36 2c 30 78 30 32 2c 30 78 30 30 2c 30 78 30 30|"; fast_pattern; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2022683; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Webmail Phish 2016-10-21"; flow:established,from_server; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail</title>"; nocase; distance:0; fast_pattern; content:"<div class=|22|error"; nocase; distance:0; content:"Please enter a valid email"; nocase; distance:0; content:"Supported Email Providers"; nocase; distance:0; classtype:credential-theft; sid:2032144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&securityquestion="; nocase; distance:0; content:"&Answer="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&Password="; nocase; distance:0; content:"&Submit.x="; nocase; distance:0; content:"&Submit.y="; nocase; distance:0; classtype:credential-theft; sid:2032145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|3d 30 78 30 36 2c 30 78 30 32 2c 30 78 30 30 2c 30 78 30 30|"; fast_pattern; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2022683; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"countrycode="; depth:12; nocase; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&.persistent="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; classtype:credential-theft; sid:2032146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".jsp"; nocase; http.request_body; content:"inputCampo1="; depth:12; nocase; content:"&trpm=aHR0cDov"; nocase; distance:0; fast_pattern; content:"&inputCampo"; nocase; distance:0; classtype:credential-theft; sid:2032147; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-25"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Windows Live ID"; nocase; fast_pattern; content:"If page do not re-direct automatically"; nocase; distance:0; content:"login.live.com"; nocase; distance:0; classtype:credential-theft; sid:2032148; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Jackpot Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?HWInfo="; nocase; content:"}&Time="; nocase; distance:0; http.user_agent; content:"My Session"; fast_pattern; startswith; http.request_body; content:"|2e 00 70 00 68 00 70 00 3f 00 48 00 57 00 49 00 6e 00 66 00 6f 00 3d|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5624c920b1fd3da3a451d564bb7488d3; classtype:command-and-control; sid:2023465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Jackpot, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"xUserName="; depth:10; nocase; content:"&xPassWord="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032149; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; nocase; content:"dnsPrimary="; content:"dnsDynamic="; nocase; content:"dnsRefresh="; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"UserID="; depth:7; nocase; content:"&Password="; nocase; distance:0; content:"&fullnaxme="; nocase; distance:0; fast_pattern; content:"&homeadd1="; nocase; distance:0; content:"&citybma="; nocase; distance:0; content:"&staten="; nocase; distance:0; content:"&zip1co="; nocase; distance:0; content:"&home1phone="; nocase; distance:0; content:"&sn1="; nocase; distance:0; content:"&mamanx="; nocase; distance:0; content:"&do1="; nocase; distance:0; content:"&emailxnx="; nocase; distance:0; content:"&emailpassx="; nocase; distance:0; content:"&ccnumber"; nocase; distance:0; content:"&cvv"; nocase; distance:0; content:"&accten="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032150; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful 163.com Email Account Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"account_name="; depth:13; nocase; fast_pattern; content:"&domain="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&all_secure="; nocase; distance:0; content:"&secure="; nocase; distance:0; classtype:credential-theft; sid:2032151; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Jackpot Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?HWInfo="; nocase; content:"}&Time="; nocase; distance:0; http.user_agent; content:"My Session"; fast_pattern; startswith; http.request_body; content:"|2e 00 70 00 68 00 70 00 3f 00 48 00 57 00 49 00 6e 00 66 00 6f 00 3d|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5624c920b1fd3da3a451d564bb7488d3; classtype:command-and-control; sid:2023465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Jackpot, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&ctx="; nocase; distance:0; content:"&flowToken="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful American Express Phish M1 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"Face="; depth:5; nocase; content:"&Logon="; nocase; distance:0; content:"&acctSelected="; nocase; distance:0; fast_pattern; content:"&acctSelectedURL="; nocase; distance:0; content:"&TARGET="; nocase; distance:0; content:"&USERID="; nocase; distance:0; content:"&PWD="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful American Express Phish M2 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"UserID="; depth:7; nocase; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailp="; nocase; distance:0; content:"&title="; nocase; distance:0; content:"&FName="; nocase; distance:0; content:"&MName="; nocase; distance:0; content:"&SName="; nocase; distance:0; content:"&dobyyyy="; nocase; distance:0; fast_pattern; content:"&mobileNo="; nocase; distance:0; content:"&homePhNo="; nocase; distance:0; classtype:credential-theft; sid:2032154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"login="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&Salvc="; nocase; distance:0; content:"&salton="; nocase; distance:0; fast_pattern; content:"&cnum="; nocase; distance:0; content:"&cmonth="; nocase; distance:0; content:"&cyear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&dobmonth="; nocase; distance:0; classtype:credential-theft; sid:2032155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"EM="; depth:3; nocase; content:"&PS="; nocase; distance:0; content:"&CN="; nocase; distance:0; content:"=Login"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032156; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&Passwd="; nocase; distance:0; content:"&signIn=Sign+in&rmShown="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032120; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup - b4secure .com"; flow:established,to_server; urilen:12; http.uri; content:"/index.shtml"; http.host; content:"b4secure.com"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:external-ip-check; sid:2023469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, former_category POLICY, malware_family Emissary, malware_family Lotus_Blossom, signature_severity Informational, updated_at 2020_08_03;)
 
@@ -36658,27 +35570,47 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Dreambot File
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/mi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:5; metadata:created_at 2015_04_13, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CerberTear Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/^[A-F0-9]{8}$/Ri"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.connection; content:"Keep-Alive"; nocase; bsize:10; reference:md5,7d181574893ec9cb2795166623f8e531; classtype:command-and-control; sid:2023505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CerberTear, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CerberTear Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/^[A-F0-9]{8}$/Ri"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.connection; content:"Keep-Alive"; nocase; bsize:10; reference:md5,7d181574893ec9cb2795166623f8e531; classtype:command-and-control; sid:2023505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CerberTear, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Alcatrez Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?user="; fast_pattern; content:"&try="; distance:0; content:"&status="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; nocase; reference:md5,1cb51c130e6f75f11c095b122e008bbc; classtype:command-and-control; sid:2023506; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alcatrez_Locker, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Alcatrez Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?user="; fast_pattern; content:"&try="; distance:0; content:"&status="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; nocase; reference:md5,1cb51c130e6f75f11c095b122e008bbc; classtype:command-and-control; sid:2023506; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alcatrez_Locker, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/RequestActionsToExecute"; fast_pattern; pcre:"/\/RequestActionsToExecute$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|CommandLine|22 3a|"; depth:15; content:",|22|CurrentDirectory|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_08_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/RequestActionsToExecute"; fast_pattern; pcre:"/\/RequestActionsToExecute$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|CommandLine|22 3a|"; depth:15; content:",|22|CurrentDirectory|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/\/[a-f0-9]{32}\/\?\d$/i"; http.cookie; content:"PHPSESSID"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032157; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLuck / YafunnLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&hi"; distance:0; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)"; fast_pattern; bsize:28; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,59109839de42d2acb44fbd7ff151fe0c; classtype:command-and-control; sid:2023533; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family YafunnLocker, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/\/[a-f0-9]{32}\/\?\d$/i"; http.cookie; content:"PHPSESSID"; http.request_body; content:"fullname="; depth:9; nocase; content:"&ccnumber="; nocase; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; classtype:credential-theft; sid:2032158; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLuck / YafunnLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&hi"; distance:0; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)"; fast_pattern; bsize:28; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,59109839de42d2acb44fbd7ff151fe0c; classtype:command-and-control; sid:2023533; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family YafunnLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; classtype:social-engineering; sid:2025672; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CHIP Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a)?/"; http.request_body; content:"-----BEGIN CERTIFICATE-----"; depth:27; fast_pattern; content:"-----END CERTIFICATE-----"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,18189daa96e711777158d7cb599c13b1; reference:url,malware-traffic-analysis.net/2016/11/17/index.html; classtype:command-and-control; sid:2023534; rev:4; metadata:created_at 2016_03_07, former_category MALWARE, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Business Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"emailcheck="; depth:11; nocase; fast_pattern; content:"&Psword="; nocase; distance:0; classtype:credential-theft; sid:2032159; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Email Update Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?user"; nocase; fast_pattern; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&red="; nocase; distance:0; content:"&comment="; nocase; distance:0; classtype:credential-theft; sid:2032160; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Shared Adobe PDF Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&Upgrade="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032190; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CHIP Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a)?/"; http.request_body; content:"-----BEGIN CERTIFICATE-----"; depth:27; fast_pattern; content:"-----END CERTIFICATE-----"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,18189daa96e711777158d7cb599c13b1; reference:url,malware-traffic-analysis.net/2016/11/17/index.html; classtype:command-and-control; sid:2023534; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:to_server,established; http.uri; content:"|24 7b|"; content:"|25 7b|"; distance:0; content:"|7d|"; distance:0; pcre:"/\${\s*?%{/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2023535; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2016_11_18, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS CnC Beacon"; flow:established,to_server; http.uri; content:".php"; endswith; http.header; content:"Windows NT"; http.accept; content:"application/x-www-form-urlencoded"; fast_pattern; bsize:33; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,570ea00465a45bf7b4e7e0b7007b87a1; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030357; rev:4; metadata:created_at 2016_06_03, former_category MALWARE, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS CnC Beacon"; flow:established,to_server; http.uri; content:".php"; endswith; http.header; content:"Windows NT"; http.accept; content:"application/x-www-form-urlencoded"; fast_pattern; bsize:33; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,570ea00465a45bf7b4e7e0b7007b87a1; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030357; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; pcre:"/\.cgi$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023552; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BXC CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cg="; fast_pattern; content:"&b="; distance:0; content:"&gt="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d199b13d4676080073eaeb4e0ff39a75; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue Phish 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?form=Tax"; nocase; content:"&sslchannel="; nocase; distance:0; content:"&sessionid="; nocase; distance:0; content:"&securessl="; nocase; distance:0; http.header; content:".php?form=Tax"; nocase; content:"&sslchannel="; nocase; distance:0; content:"&sessionid="; nocase; distance:0; http.request_body; content:"form-data|3b 20|name=|22|ccname|22|"; nocase; content:"form-data|3b 20|name=|22|ccno|22|"; nocase; content:"form-data|3b 20|name=|22|ccexp|22|"; nocase; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032193; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; nocase; http.request_body; content:"surname="; depth:8; nocase; content:"&membershipNumber="; nocase; distance:0; fast_pattern; content:"&debitCardSet1="; nocase; distance:0; content:"&sortCodeSet1="; nocase; distance:0; content:"&accountNumber="; nocase; distance:0; classtype:credential-theft; sid:2032194; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-"; nocase; content:".php?SessionID-xb="; nocase; fast_pattern; within:40; classtype:credential-theft; sid:2023558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BXC CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cg="; fast_pattern; content:"&b="; distance:0; content:"&gt="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d199b13d4676080073eaeb4e0ff39a75; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"compte"; nocase; http.request_body; content:"comid="; depth:6; nocase; content:"&compw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032189; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"formtex"; nocase; depth:7; fast_pattern; content:"&formtex"; nocase; distance:0; content:"&formtex"; nocase; distance:0; classtype:credential-theft; sid:2031572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-"; nocase; content:".php?SessionID-xb="; nocase; fast_pattern; within:40; classtype:credential-theft; sid:2023558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe Online PDF Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.header; content:"&Email="; nocase; http.request_body; content:"feedback="; depth:9; nocase; content:"&feedbacknow="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032195; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Loader Receiving Payload"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00|"; distance:1; within:1; content:"|00|MZ"; distance:1; within:3; content:"This program must be run under Win32"; distance:0; fast_pattern; reference:md5,65c7426b056482fcda962a7a14e86601; classtype:trojan-activity; sid:2023567; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, malware_family Sharik, malware_family Smoke_Loader, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
@@ -36692,93 +35624,151 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Load
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible COVID-19 Domain in SSL Certificate M2"; flow:established,to_client; tls.cert_subject; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; classtype:bad-unknown; sid:2029706; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:1; pcre:"/\.[a-z]{3}\?[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.user_agent; content:"Mozilla/5.0 (MSIE 7.1|3b 20|Windows NT 6.0)"; fast_pattern; bsize:38; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:1; pcre:"/\.[a-z]{3}\?[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.user_agent; content:"Mozilla/5.0 (MSIE 7.1|3b 20|Windows NT 6.0)"; fast_pattern; bsize:38; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"LOB=RBGLogon"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&pass="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; fast_pattern; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032196; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla GoogleMaps Plugin Open Proxy Access"; flow:established,to_server; http.uri; content:"/plugins/system/plugin_googlemap2_proxy.php?url="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,bnshosting.net/googlemap-proxy-vulnerability; classtype:web-application-attack; sid:2023574; rev:3; metadata:affected_product Joomla, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Qadars Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"AAAA"; offset:10; depth:4; fast_pattern; content:"="; offset:7; depth:1; pcre:"/^[a-zA-Z]{7}=(?:[A-Za-z0-9+/]|%2[FB]){2}AAAA[a-z]A[^\s=]+=?=?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Accept"; reference:md5,d611a633e8ceabdc9c2f5b0b9dd4f19e; reference:md5,a55b312d4e2006b5698e8f5ae8e5d735; reference:md5,3b4c2d3447bc49f057d76a92e7cae96b; reference:md5,08833cd7564f29f7f499a65a7be82d02; reference:url,www.lexsi-leblog.com/cert-en/qadars-new-banking-malware-with-fraudulent-mobile-application-component.html; classtype:command-and-control; sid:2023588; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_09, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Phish M2 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"ci="; depth:3; nocase; content:"&path="; nocase; distance:0; content:"&vbpass="; nocase; distance:0; fast_pattern; content:"&userEmail="; nocase; distance:0; content:"&accNum="; nocase; distance:0; classtype:credential-theft; sid:2032197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Oct 10 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save.asp"; nocase; fast_pattern; http.header; content:"apple"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2023592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Qadars Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"AAAA"; offset:10; depth:4; fast_pattern; content:"="; offset:7; depth:1; pcre:"/^[a-zA-Z]{7}=(?:[A-Za-z0-9+/]|%2[FB]){2}AAAA[a-z]A[^\s=]+=?=?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Accept"; reference:md5,d611a633e8ceabdc9c2f5b0b9dd4f19e; reference:md5,a55b312d4e2006b5698e8f5ae8e5d735; reference:md5,3b4c2d3447bc49f057d76a92e7cae96b; reference:md5,08833cd7564f29f7f499a65a7be82d02; reference:url,www.lexsi-leblog.com/cert-en/qadars-new-banking-malware-with-fraudulent-mobile-application-component.html; classtype:command-and-control; sid:2023588; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_10, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Free Mobile (FR) Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?clientid="; nocase; http.header; content:".php?clientid="; nocase; http.request_body; content:"fuser="; depth:6; nocase; content:"&fpass="; nocase; distance:0; fast_pattern; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032198; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Oct 10 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save.asp"; nocase; fast_pattern; http.header; content:"apple"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2023592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"CN="; depth:3; nocase; content:"&DOB="; nocase; distance:0; content:"&CCN="; nocase; distance:0; fast_pattern; content:"&EXP="; nocase; distance:0; content:"&CVV="; nocase; distance:0; content:"&SSN="; nocase; distance:0; content:"&PAS="; nocase; distance:0; content:"&valider="; nocase; distance:0; classtype:credential-theft; sid:2032199; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Javascript XOR Encoding - Observed in Apple Phishing 2016-12-09"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"strHTML=|22 22 3b|"; nocase; within:100; fast_pattern; content:"strHTML+=|22|"; within:11; content:"function XOR"; nocase; distance:0; content:"strPass"; nocase; distance:0; content:"binl2b64"; nocase; distance:0; content:"core_hmac_md5"; nocase; distance:0; content:"hex_hmac_md5"; nocase; distance:0; classtype:social-engineering; sid:2032200; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Password Protected AMEX Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&pw="; nocase; distance:0; content:"&AC1="; nocase; distance:0; content:"&AC2="; nocase; distance:0; content:"&AC3="; nocase; distance:0; content:"&CV="; nocase; distance:0; content:"&CSC="; nocase; distance:0; content:"&EM="; nocase; distance:0; content:"&EY="; nocase; distance:0; content:"&MN="; nocase; distance:0; content:"&MM="; nocase; distance:0; content:"&DD="; nocase; distance:0; content:"&BP="; nocase; distance:0; content:"&SCH="; nocase; distance:0; fast_pattern; content:"&SPN="; nocase; distance:0; content:"&EA="; nocase; distance:0; content:"&EP="; nocase; distance:0; classtype:credential-theft; sid:2032201; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R7000 Command Injection Exploit"; flow:established,to_server; http.uri; content:"/cgi-bin/"; depth:9; content:"$IFS"; fast_pattern; distance:0; content:"|3b|"; reference:url,www.kb.cert.org/vuls/id/582384; classtype:attempted-user; sid:2023628; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2016_12_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"value="; depth:6; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, updated_at 2020_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Updating Billing Address"; nocase; fast_pattern; content:"Paypal"; nocase; distance:0; content:"Resolution Center"; nocase; distance:0; content:"Confirm my Billing"; nocase; distance:0; classtype:credential-theft; sid:2032203; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>PayPal Service Update"; nocase; fast_pattern; content:"Paypal"; nocase; distance:0; content:"Resolution Center"; nocase; distance:0; classtype:credential-theft; sid:2032204; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_fn="; depth:4; nocase; content:"&_ln="; nocase; distance:0; content:"&_birthd="; nocase; distance:0; content:"&_birthm="; nocase; distance:0; content:"&_birthy="; nocase; distance:0; content:"&_add1="; nocase; distance:0; content:"&_add2="; nocase; distance:0; content:"&_countr="; nocase; distance:0; fast_pattern; content:"&_ct="; nocase; distance:0; content:"&_st="; nocase; distance:0; content:"&_zipc="; nocase; distance:0; content:"&_ph="; nocase; distance:0; classtype:credential-theft; sid:2032205; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M4 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_fulln="; depth:7; nocase; content:"&_ccn="; nocase; distance:0; content:"&_ccv="; nocase; distance:0; content:"&_expm="; nocase; distance:0; content:"&_expy="; nocase; distance:0; content:"&_3d="; nocase; distance:0; content:"&_drv="; nocase; distance:0; content:"&_sortc="; nocase; distance:0; fast_pattern; content:"&_ssn1="; nocase; distance:0; content:"&_ssn2="; nocase; distance:0; content:"&_ssn3="; nocase; distance:0; classtype:credential-theft; sid:2032206; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M5 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_bkid="; depth:6; nocase; content:"&_bkpass="; nocase; distance:0; fast_pattern; content:"&_accn="; nocase; distance:0; content:"&_routn="; nocase; distance:0; classtype:credential-theft; sid:2032207; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?-----BEGIN|20|CERTIFICATE-----"; fast_pattern; content:"-----END|20|CERTIFICATE-----"; distance:0; pcre:"/END\x20CERTIFICATE-----$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Shared PDF Phish 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function delayer"; content:"adobe.com"; nocase; within:50; content:"<title>PDF ONLINE"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032208; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-13"; flow:from_server,established; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Update Billing Information"; nocase; fast_pattern; content:"chase.com"; nocase; distance:0; classtype:credential-theft; sid:2032209; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"value="; depth:6; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Deactivation Phishing Landing 2016-12-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Server Message"; nocase; fast_pattern; content:"logo.png"; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:social-engineering; sid:2032210; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Deactivation Phish 2016-12-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Email Settings"; nocase; fast_pattern; content:"Processing."; nocase; distance:0; content:"Please wait"; nocase; distance:0; content:"update your account"; nocase; distance:0; classtype:credential-theft; sid:2032211; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?-----BEGIN|20|CERTIFICATE-----"; fast_pattern; content:"-----END|20|CERTIFICATE-----"; distance:0; pcre:"/END\x20CERTIFICATE-----$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"isJsEnabled="; depth:12; nocase; content:"&session_key="; nocase; distance:0; content:"&session_password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&session_redirect="; nocase; distance:0; content:"&trk="; nocase; distance:0; content:"&loginCsrfParam="; nocase; distance:0; content:"&fromEmail="; nocase; distance:0; classtype:credential-theft; sid:2032191; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Unconfigured nginx Access"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"|3C|title|3E|Welcome to nginx|213C2F|title|3E|"; classtype:bad-unknown; sid:2023668; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla PWS HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"type="; depth:5; content:"&hwid="; content:"&time="; content:"&pcname="; content:"&logdata="; fast_pattern; content:"&screen="; content:"&ipadd="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,21d3c7d099aceff2a1f16d8ae0f38731; classtype:command-and-control; sid:2023144; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Inline HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"inline"; nocase; file.data; content:"MZ"; depth:2; fast_pattern; classtype:misc-activity; sid:2014519; rev:8; metadata:created_at 2012_04_05, updated_at 2020_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Inline HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"inline"; nocase; file.data; content:"MZ"; depth:2; fast_pattern; classtype:misc-activity; sid:2014519; rev:8; metadata:created_at 2012_04_06, updated_at 2020_08_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; http.server; content:"dbws"; bsize:4; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:10; metadata:created_at 2012_03_06, updated_at 2020_08_03;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=supercombinating.com"; nocase; endswith; classtype:domain-c2; sid:2030635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; http.server; content:"dbws"; bsize:4; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:10; metadata:created_at 2012_03_05, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"donnee"; depth:6; nocase; content:"&donnee"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032192; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=supercombinating.com"; nocase; endswith; classtype:domain-c2; sid:2030635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"data1="; depth:6; nocase; content:"&data"; nocase; distance:0; content:"&data"; nocase; distance:0; content:"&donnee"; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032212; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Towerweb Ransomware Landing Page"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:4; metadata:created_at 2016_06_20, updated_at 2020_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Towerweb Ransomware Landing Page"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Phish 2016-12-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032213; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?php"; fast_pattern; content:"|5c 22 20|"; content:"-X"; content:".php"; content:"@"; http.content_type; content:"multipart/form-data|3b|"; startswith; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; reference:url,github.com/opsxcq/exploit-CVE-2016-10033; classtype:attempted-user; sid:2023686; rev:3; metadata:affected_product PHPMailer, attack_target Web_Server, created_at 2016_12_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Archie EK Payload Checkin GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log?log="; depth:9; http.host; content:!"gigwise.com"; endswith; content:!"cleanerapp.net"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019680; rev:6; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"continue="; nocase; content:"&service="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"&signIn="; nocase; distance:0; content:"&PersistentCookie="; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banamex Bank Phish 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&USERID="; nocase; content:"&PASSWORD="; nocase; distance:0; content:"&AHN="; nocase; distance:0; content:"&BANK+ID="; nocase; distance:0; fast_pattern; content:"&PRODUCT+NAME="; nocase; distance:0; content:"&LANGUAGE+ID="; nocase; distance:0; content:"&EXTRA1="; nocase; distance:0; content:"&GROUP="; nocase; distance:0; content:"&PIN="; nocase; distance:0; classtype:credential-theft; sid:2032214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|uid|22|"; content:"form-data|3b 20|name=|22|uname|22|"; content:"form-data|3b 20|name=|22|cname|22|"; content:"form-data|3b 20|name=|22|ltime|22|"; content:"form-data|3b 20|name=|22|uright|22|"; content:"form-data|3b 20|name=|22|sysinfo|22|"; fast_pattern; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, updated_at 2020_08_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Archie EK Payload Checkin GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log?log="; depth:9; http.host; content:!"gigwise.com"; endswith; content:!"cleanerapp.net"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019680; rev:6; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; content:"|47 65 74 52 41 4d 3a|"; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|uid|22|"; content:"form-data|3b 20|name=|22|uname|22|"; content:"form-data|3b 20|name=|22|cname|22|"; content:"form-data|3b 20|name=|22|ltime|22|"; content:"form-data|3b 20|name=|22|uright|22|"; content:"form-data|3b 20|name=|22|sysinfo|22|"; fast_pattern; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login_email"; depth:11; nocase; fast_pattern; content:"login_pass"; nocase; distance:0; classtype:credential-theft; sid:2024572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; content:"|47 65 74 52 41 4d 3a|"; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login_email"; depth:11; nocase; fast_pattern; content:"login_pass"; nocase; distance:0; classtype:credential-theft; sid:2024572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackmoon/Banbra Configuration Request M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; fast_pattern; http.header; content:"keep-alive|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,56b8f9428b2171f45dc447fb9fa1b03f; classtype:trojan-activity; sid:2023694; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_04, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"p="; depth:2; nocase; content:"&a2="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&conta="; nocase; distance:0; fast_pattern; content:"&aa="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&age="; nocase; distance:0; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2023696; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"p="; depth:2; nocase; content:"&a2="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&conta="; nocase; distance:0; fast_pattern; content:"&aa="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&age="; nocase; distance:0; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2023696; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"form"; nocase; fast_pattern; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; classtype:credential-theft; sid:2024565; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union/Paypal Phish 2016-09-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login_email="; depth:12; nocase; fast_pattern; content:"&login_password="; nocase; distance:0; content:"&image.x="; nocase; distance:0; classtype:credential-theft; sid:2032182; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"form"; nocase; fast_pattern; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; classtype:credential-theft; sid:2024565; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ID="; depth:3; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024573; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ID="; depth:3; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024573; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SLEEP|28|"; nocase; distance:0; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SLEEP|28|"; nocase; distance:0; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024574; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024574; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category CURRENT_EVENTS, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user_id="; depth:8; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024575; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user_id="; depth:8; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024575; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category CURRENT_EVENTS, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"countrycode="; depth:12; nocase; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&signin="; nocase; distance:0; content:"&_uuid="; nocase; distance:0; content:"&_seqid="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032188; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Account Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032187; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop Dropper Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nconfirm.php?"; fast_pattern; content:"rev="; distance:0; content:"code="; content:"param="; content:"num="; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2013808; rev:5; metadata:created_at 2011_04_07, former_category MALWARE, updated_at 2020_08_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"Warning|3a|"; nocase; distance:0; fast_pattern; content:"Call Microsoft"; nocase; classtype:social-engineering; sid:2023751; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websrc"; fast_pattern; endswith; http.request_body; content:"email"; nocase; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2023759; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websrc"; fast_pattern; endswith; http.request_body; content:"email"; nocase; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2023759; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action=export_admin_table"; content:"&filename=../"; fast_pattern; reference:url,cpr-zero.checkpoint.com/vulns/cprid-2148/; reference:cve,2020-6008; classtype:attempted-admin; sid:2030644; rev:1; metadata:created_at 2020_08_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible InnocenceBot CnC"; ja3.hash; content:"9551e38f83daab8bcbc283ec0806cf65"; reference:md5,6a2749a5ab44dda4ed6459c8ca36ca64; classtype:unknown; sid:2030645; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; http.header; content:"Content-Type|3a 20|text/plain|3b|charset=UTF-8|0d 0a|Host|3a 20|"; depth:46; fast_pattern; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,31cf042e91de7492c86e1ad02dc9eaec; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023811; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, updated_at 2020_08_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com Mar 31 M3"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"mail"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032013; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; http.header; content:"Content-Type|3a 20|text/plain|3b|charset=UTF-8|0d 0a|Host|3a 20|"; depth:46; fast_pattern; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,31cf042e91de7492c86e1ad02dc9eaec; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023811; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shafttt MySQL Bruteforce Bot CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"get="; fast_pattern; depth:4; pcre:"/^get=\d+(?:$|&)/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:52; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb4ab17468984f1b292adac9f745cb2b; classtype:command-and-control; sid:2023815; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Shafttt, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shafttt MySQL Bruteforce Bot CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"get="; fast_pattern; depth:4; pcre:"/^get=\d+(?:$|&)/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:52; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb4ab17468984f1b292adac9f745cb2b; classtype:command-and-control; sid:2023815; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Shafttt, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"GALX="; fast_pattern; content:"bgresponse="; nocase; distance:0; content:"Email="; nocase; distance:0; content:"Passwd="; nocase; distance:0; classtype:credential-theft; sid:2032179; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows Update/Microsoft FP Flowbit"; flow:established,to_server; flowbits:set,ET.INFO.WindowsUpdate; flowbits:noalert; http.host; content:".windowsupdate.com"; endswith; classtype:trojan-activity; sid:2023818; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phishing 2016-12-12"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"chaseonline.chase.com"; nocase; content:"<title>Chase Online"; nocase; fast_pattern; classtype:credential-theft; sid:2032202; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netgear WNR2000v5 Possible Serial Number Leak"; flow:to_server,established; http.uri; content:"/BRS_netgear_success.html"; nocase; reference:cve,2016-10175; reference:url,cve.circl.lu/cve/CVE-2016-10175; classtype:attempted-recon; sid:2023830; rev:3; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login"; depth:5; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024560; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login"; depth:5; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024560; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e-mail="; depth:7; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024566; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e-mail="; depth:7; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024566; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"feedback="; depth:9; fast_pattern; nocase; content:"&feedback"; nocase; distance:0; content:"&feedback"; nocase; distance:0; classtype:credential-theft; sid:2024567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"feedback="; depth:9; fast_pattern; nocase; content:"&feedback"; nocase; distance:0; content:"&feedback"; nocase; distance:0; classtype:credential-theft; sid:2024567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Editbox1="; depth:9; nocase; content:"&Editbox2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024568; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Editbox1="; depth:9; nocase; content:"&Editbox2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024568; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"name"; depth:7; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024570; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"name"; depth:7; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024570; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Turla Kopiluwak User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64)|3b 20|"; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:targeted-activity; sid:2023868; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, malware_family Turla_Kopiluwak, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/assets/"; fast_pattern; content:"."; distance:100; pcre:"/\/assets(?:\/[a-zA-Z0-9_]+)+\.(?:jpeg|gif)$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.user_agent; pcre:"/^(?:Mozilla\/|Shockwave)/i"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:command-and-control; sid:2023870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/assets/"; fast_pattern; content:"."; distance:100; pcre:"/\/assets(?:\/[a-zA-Z0-9_]+)+\.(?:jpeg|gif)$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.user_agent; pcre:"/^(?:Mozilla\/|Shockwave)/i"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:command-and-control; sid:2023870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible iKittens OSX MacDownloader CNC Beacon"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/Servermac.php"; depth:14; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:command-and-control; sid:2023876; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category MALWARE, malware_family MacDownloader, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (Redirect to Download PDF) 2016-02-08"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<META HTTP-EQUIV="; nocase; within:100; fast_pattern; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:25; content:"url="; nocase; within:25; content:".php"; nocase; within:25; classtype:credential-theft; sid:2032176; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible iKittens OSX MacDownloader CNC Beacon"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/Servermac.php"; depth:14; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:command-and-control; sid:2023876; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category MALWARE, malware_family MacDownloader, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Action=SecurityCheck"; nocase; fast_pattern; http.header; content:".php?Action="; http.request_body; content:"csc="; depth:4; nocase; classtype:credential-theft; sid:2032183; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Microsoft Official Support"; nocase; fast_pattern; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:social-engineering; sid:2023889; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
@@ -36786,31 +35776,31 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Secure redirect"; nocase; fast_pattern; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; classtype:social-engineering; sid:2025675; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoShield Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id="; depth:3; content:"&numbers=-----"; content:"BEGIN|20|PRIVATE|20|KEY"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,ef815146b802cfd6a5fb67d1f9267745; classtype:command-and-control; sid:2023814; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoShield Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id="; depth:3; content:"&numbers=-----"; content:"BEGIN|20|PRIVATE|20|KEY"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,ef815146b802cfd6a5fb67d1f9267745; classtype:command-and-control; sid:2023814; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.RETRIEVER CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asmx"; http.request_body; content:"<ip>"; content:"</ip><mac>"; distance:0; content:"</mac><host>"; distance:0; fast_pattern; content:"</host>"; distance:0; reference:md5,012f79570f720b997b9ef4ef327dd2da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023950; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.RETRIEVER CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asmx"; http.request_body; content:"<ip>"; content:"</ip><mac>"; distance:0; content:"</mac><host>"; distance:0; fast_pattern; content:"</host>"; distance:0; reference:md5,012f79570f720b997b9ef4ef327dd2da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023950; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type both,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/userRpm/"; depth:9; fast_pattern; content:"&dnsserver="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023995; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar CnC Beacon"; flow:established,to_server; http.uri; content:"=11&"; content:"=2"; distance:1; within:8; content:"&"; distance:6; within:7; content:"=410&"; distance:1; within:11; content:"=650&"; distance:1; within:11; fast_pattern; content:"=51"; distance:1; within:9; pcre:"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51$/"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar CnC Beacon"; flow:established,to_server; http.uri; content:"=11&"; content:"=2"; distance:1; within:8; content:"&"; distance:6; within:7; content:"=410&"; distance:1; within:11; content:"=650&"; distance:1; within:11; fast_pattern; content:"=51"; distance:1; within:9; pcre:"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51$/"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sucessful Generic Phish (set) 2020-08-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&form_item"; fast_pattern; content:"&form_item"; distance:0; classtype:credential-theft; sid:2030646; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sucessful Generic Phish (set) 2020-08-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&form_item"; fast_pattern; content:"&form_item"; distance:0; classtype:credential-theft; sid:2030646; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"locked.php"; nocase; content:"Account-Unlock"; nocase; distance:0; fast_pattern; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"locked.php"; nocase; content:"Account-Unlock"; nocase; distance:0; fast_pattern; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&txtCelular="; nocase; content:"&txtSenhaCartao="; nocase; distance:0; fast_pattern; content:"btnLogIn"; nocase; distance:0; classtype:credential-theft; sid:2024002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&txtCelular="; nocase; content:"&txtSenhaCartao="; nocase; distance:0; fast_pattern; content:"btnLogIn"; nocase; distance:0; classtype:credential-theft; sid:2024002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Opera Adblocker Update Flowbit Set"; flow:established,to_server; flowbits:set,ET.opera.adblock; flowbits:noalert; http.host; content:"get.geo.opera.com.global.prod.fastly.net"; bsize:40; classtype:not-suspicious; sid:2024006; rev:3; metadata:created_at 2017_02_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?apikey="; content:"&compuser="; distance:0; content:"&sid="; distance:0; content:"&phase="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ad8a7a383971ce0f5fc51e909e406996; classtype:command-and-control; sid:2024120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?apikey="; content:"&compuser="; distance:0; content:"&sid="; distance:0; content:"&phase="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ad8a7a383971ce0f5fc51e909e406996; classtype:command-and-control; sid:2024120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"self.location.replace("; within:100; fast_pattern; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:social-engineering; sid:2024007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"self.location.replace("; within:100; fast_pattern; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:social-engineering; sid:2024007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"step=confirmation"; depth:17; nocase; content:"&rt="; nocase; distance:0; content:"&rp="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&whichForm="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Parola="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024009; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"step=confirmation"; depth:17; nocase; content:"&rt="; nocase; distance:0; content:"&rp="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&whichForm="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Parola="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024009; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NumarCard="; depth:10; nocase; fast_pattern; content:"&CVV="; nocase; distance:0; content:"&Luna="; nocase; distance:0; content:"&NumeCard="; nocase; distance:0; content:"&PrenumeCard="; nocase; distance:0; content:"&NumedeContact="; nocase; distance:0; content:"&NumardeTelefon="; nocase; distance:0; content:"&EmaildeContact="; nocase; distance:0; content:"&cryptedStepCheck="; nocase; distance:0; classtype:credential-theft; sid:2024010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NumarCard="; depth:10; nocase; fast_pattern; content:"&CVV="; nocase; distance:0; content:"&Luna="; nocase; distance:0; content:"&NumeCard="; nocase; distance:0; content:"&PrenumeCard="; nocase; distance:0; content:"&NumedeContact="; nocase; distance:0; content:"&NumardeTelefon="; nocase; distance:0; content:"&EmaildeContact="; nocase; distance:0; content:"&cryptedStepCheck="; nocase; distance:0; classtype:credential-theft; sid:2024010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/webapps/"; content:"/websrc"; distance:5; within:7; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/i"; classtype:social-engineering; sid:2024018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_08_04;)
 
@@ -36828,33 +35818,41 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon File St
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?model="; nocase; content:"&brand="; nocase; distance:0; content:"&osversion="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&voluumdata=BASE64"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024033; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_03_06, deployment Internet, former_category CURRENT_EVENTS, malware_family Fake_Alert, signature_severity Minor, updated_at 2020_08_04;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M1 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"liamguname="; depth:11; nocase; fast_pattern; content:"&Button1="; distance:0; nocase; classtype:credential-theft; sid:2032181; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"liamgphn="; depth:9; nocase; content:"&liamgrecoveryem="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032185; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Bank (FR) Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"origine="; nocase; content:"&situationTravail="; nocase; distance:0; content:"&canal="; nocase; distance:0; content:"&typeAuthentification="; nocase; distance:0; content:"&idUnique="; nocase; distance:0; content:"&caisse="; nocase; distance:0; content:"&CCCRYC="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032186; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern; classtype:social-engineering; sid:2025662; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"aqsatv.ps"; startswith; reference:url,nctc.gov/site/groups/hamas.html; classtype:policy-violation; sid:2023874; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 1"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/Hello"; http.request_body; content:"varname="; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023654; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 1"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/Hello"; http.request_body; content:"varname="; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023654; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server User-Agent"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0|3b|"; fast_pattern; bsize:12; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category TROJAN, malware_family TeleBots_payload, signature_severity Major, updated_at 2020_08_04;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shared Document Base64 Phishing Landing 2016-01-20"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|base64"; nocase; fast_pattern; content:"PCFET0NUWVBFIGh0bWw+"; distance:1; within:21; reference:md5,0c9a677efd2762c4d5d759c294bc00d7; classtype:social-engineering; sid:2032175; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; fast_pattern; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/i"; classtype:trojan-activity; sid:2022519; rev:5; metadata:created_at 2016_02_13, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain"; flow:to_server,established; http.host; content:".dns-free.com"; endswith; classtype:bad-unknown; sid:2022380; rev:4; metadata:created_at 2016_01_19, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain"; flow:to_server,established; http.host; content:".dns-free.com"; endswith; classtype:bad-unknown; sid:2022380; rev:4; metadata:created_at 2016_01_20, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain"; flow:to_server,established; http.host; content:".dyn-dns.ru"; endswith; classtype:bad-unknown; sid:2022379; rev:4; metadata:created_at 2016_01_19, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain"; flow:to_server,established; http.host; content:".dyn-dns.ru"; endswith; classtype:bad-unknown; sid:2022379; rev:4; metadata:created_at 2016_01_20, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain"; flow:to_server,established; http.host; content:".dnsip.ru"; endswith; classtype:bad-unknown; sid:2022378; rev:3; metadata:created_at 2016_01_19, former_category INFO, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain"; flow:to_server,established; http.host; content:".dnsip.ru"; endswith; classtype:bad-unknown; sid:2022378; rev:3; metadata:created_at 2016_01_20, former_category INFO, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain"; flow:to_server,established; http.host; content:".dnsalias.ru"; endswith; classtype:bad-unknown; sid:2022377; rev:4; metadata:created_at 2016_01_19, former_category INFO, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain"; flow:to_server,established; http.host; content:".dnsalias.ru"; endswith; classtype:bad-unknown; sid:2022377; rev:4; metadata:created_at 2016_01_20, former_category INFO, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor User-Agent (.net backdor)"; flow:to_server,established; http.user_agent; content:"|2e|net backdor"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022245; rev:3; metadata:created_at 2015_12_11, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor User-Agent (.net backdoor)"; flow:to_server,established; http.user_agent; content:"|2e|net backdor"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022245; rev:3; metadata:created_at 2015_12_12, former_category MALWARE, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Lookup Geoip.co.uk"; flow:established,to_server; urilen:1; http.host; content:"www.geoip.co.uk"; startswith; reference:md5,fa05d4f1558a9581a14936c0ab3723f7; classtype:external-ip-check; sid:2022123; rev:3; metadata:created_at 2015_11_20, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; distance:0; content:"&builddate="; distance:0; content:"&q="; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021226; rev:3; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/8"; flow:established,to_server; http.user_agent; content:"Mozilla/8"; nocase; depth:9; classtype:bad-unknown; sid:2016693; rev:6; metadata:created_at 2013_04_01, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/8"; flow:established,to_server; http.user_agent; content:"Mozilla/8"; nocase; depth:9; classtype:bad-unknown; sid:2016693; rev:6; metadata:created_at 2013_04_02, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Post to C&C footer.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/footer.php"; http.header_names; content:!"Accept-"; classtype:command-and-control; sid:2016328; rev:3; metadata:created_at 2013_01_31, former_category MALWARE, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Post to C&C footer.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/footer.php"; http.header_names; content:!"Accept-"; classtype:command-and-control; sid:2016328; rev:3; metadata:created_at 2013_02_01, former_category MALWARE, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit jar Download"; flow:established,to_server; http.uri; content:"_.jar?"; pcre:"/\w_\.jar\?[a-f0-9]{8}$/"; classtype:exploit-kit; sid:2014802; rev:4; metadata:created_at 2012_05_23, former_category CURRENT_EVENTS, updated_at 2020_08_04;)
 
@@ -36862,51 +35860,49 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/UltimateDefen
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.tv domain"; flow:to_server,established; http.host; content:".co.tv"; endswith; classtype:bad-unknown; sid:2012955; rev:5; metadata:created_at 2011_06_08, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql"; flow:established,to_server; http.uri; content:"/setting.nql"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=a70aad8f27957702febfa162556dc5b5; classtype:trojan-activity; sid:2012201; rev:5; metadata:created_at 2011_01_17, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql"; flow:established,to_server; http.uri; content:"/setting.nql"; nocase; reference:md5,a70aad8f27957702febfa162556dc5b5; classtype:trojan-activity; sid:2012201; rev:5; metadata:created_at 2011_01_17, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Hide IP Installation file download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/proxyshell_hide_ip_setup.exe"; nocase; reference:url,www.browserdefender.com/file/484661/site/putas18.info/; reference:url,doc.emergingthreats.net/2010792; classtype:policy-violation; sid:2010972; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Anonymous Access Connection"; flow:established,to_server; http.uri; content:"/services/get_proxies/"; reference:url,doc.emergingthreats.net/2010969; classtype:policy-violation; sid:2010969; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n/"; pcre:"/\/n\/\d{15}$/"; http.request_body; content:"content=eyJ"; depth:11; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:command-and-control; sid:2018630; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n/"; pcre:"/\/n\/\d{15}$/"; http.request_body; content:"content=eyJ"; depth:11; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:command-and-control; sid:2018630; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>System Virus Alert"; nocase; fast_pattern; content:"|3a|-webkit-full-screen"; nocase; distance:0; classtype:social-engineering; sid:2024042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&entrada_1="; nocase; distance:0; fast_pattern; content:"&entrada_2="; nocase; distance:0; content:"&entrada_3="; nocase; distance:0; content:"&entrada_4="; nocase; distance:0; content:"&looking1="; nocase; distance:0; classtype:credential-theft; sid:2023697; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&entrada_1="; nocase; distance:0; fast_pattern; content:"&entrada_2="; nocase; distance:0; content:"&entrada_3="; nocase; distance:0; content:"&entrada_4="; nocase; distance:0; content:"&looking1="; nocase; distance:0; classtype:credential-theft; sid:2023697; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3"; flow:to_server,established; http.header; content:"Content-Type|3a 20|%{(#"; nocase; fast_pattern; content:"multipart/form-data"; classtype:web-application-attack; sid:2024045; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Mar 13 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"aliasDispatcher="; depth:16; nocase; content:"&indBNCFunds="; nocase; distance:0; content:"&accountNumber1="; nocase; distance:0; content:"&cardExpirDate="; nocase; distance:0; fast_pattern; content:"&registrationMode="; nocase; distance:0; content:"&cardActionTypeSelected="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&clientIpAdress="; nocase; distance:0; content:"&clientUserAgent="; nocase; distance:0; content:"&clientScreenResolution="; nocase; distance:0; classtype:credential-theft; sid:2024047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Mar 13 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"aliasDispatcher="; depth:16; nocase; content:"&indBNCFunds="; nocase; distance:0; content:"&accountNumber1="; nocase; distance:0; content:"&cardExpirDate="; nocase; distance:0; fast_pattern; content:"&registrationMode="; nocase; distance:0; content:"&cardActionTypeSelected="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&clientIpAdress="; nocase; distance:0; content:"&clientUserAgent="; nocase; distance:0; content:"&clientScreenResolution="; nocase; distance:0; classtype:credential-theft; sid:2024047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; classtype:social-engineering; sid:2025679; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; classtype:social-engineering; sid:2025679; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Instagram Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cek=login"; depth:9; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2024051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Instagram Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cek=login"; depth:9; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2024051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_cmd="; depth:10; nocase; content:"&login_params="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_cmd="; depth:10; nocase; content:"&login_params="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appid="; depth:6; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pwd"; nocase; distance:0; classtype:credential-theft; sid:2024060; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appid="; depth:6; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pwd"; nocase; distance:0; classtype:credential-theft; sid:2024060; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; nocase; content:"&dob="; nocase; distance:0; content:"&cchn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expdate="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; classtype:credential-theft; sid:2024061; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; nocase; content:"&dob="; nocase; distance:0; content:"&cchn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expdate="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; classtype:credential-theft; sid:2024061; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"data=domain%253a"; depth:16; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name="; nocase; content:"mswebdialog-title"; nocase; distance:1; within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; classtype:social-engineering; sid:2025664; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; http.uri; content:".exe"; fast_pattern; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/"; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.host; content:!".bloomberg.com"; content:!"leg1.state.va.us"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:45; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022566; rev:6; metadata:created_at 2016_02_25, former_category CURRENT_EVENTS, updated_at 2020_08_04;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&count="; distance:0; fast_pattern; pcre:"/^id=[0-9A-Z]+&count=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,116fbce554b25829b17b6e47990821b4; classtype:command-and-control; sid:2024056; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family CryptFile2, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&count="; distance:0; fast_pattern; pcre:"/^id=[0-9A-Z]+&count=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,116fbce554b25829b17b6e47990821b4; classtype:command-and-control; sid:2024056; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; http.header; content:"JGFyZ3MgPSBh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:7; metadata:created_at 2011_11_21, updated_at 2020_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; http.header; content:"JGFyZ3MgPSBh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:7; metadata:created_at 2011_11_22, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; http.header; content:"QHB5dGhvbl9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:6; metadata:created_at 2011_11_21, former_category WEB_SERVER, updated_at 2020_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; http.header; content:"QHB5dGhvbl9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:6; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2020_08_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ACUT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; bsize:38; http.request_body; content:"plugin="; depth:7; content:"&windows="; content:"&user="; content:"&av="; content:"&bs="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,219cf8b022d3933ba46f482478450f49; classtype:command-and-control; sid:2024099; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Banload, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; http.header; content:"multipart/form-data"; nocase; http.request_body; content:"Content-Disposition|3a|"; nocase; content:"filename"; nocase; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/mi"; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:4; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 22 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"identif="; depth:8; nocase; content:"&elserr="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 22 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"identif="; depth:8; nocase; content:"&elserr="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&K1="; nocase; distance:0; content:"&Q1="; nocase; distance:0; classtype:credential-theft; sid:2024101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&K1="; nocase; distance:0; content:"&Q1="; nocase; distance:0; classtype:credential-theft; sid:2024101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)"; flow:to_server,established; http.header; content:"If|3a 20 3c|"; pcre:"/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/mi"; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:3; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2017_03_28, cve cve_2017_7269, deployment Datacenter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
@@ -36946,17 +35942,17 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic We
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?ganteng"; endswith; fast_pattern; http.referer; content:".php?ganteng"; endswith; http.request_body; content:"key=password&method="; startswith; content:"&submit="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030651; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnumber="; depth:8; nocase; fast_pattern; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&cname="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024185; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnumber="; depth:8; nocase; fast_pattern; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&cname="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024185; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Archer C2 and Archer C20i Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi?"; nocase; http.header; content:"/mainFrame.htm"; http.request_body; content:"IPPING"; nocase; content:"X_TP_ConnName=ewan_ipoe_s"; fast_pattern; reference:url,github.com/reverse-shell/routersploit/blob/master/routersploit/modules/exploits/tplink/archer_c2_c20i_rce.py; classtype:command-and-control; sid:2024191; rev:3; metadata:affected_product TPLINK, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File Download Flowbit Set"; flow:established,to_client; flowbits:set,et.http.hta; flowbits:noalert; http.content_type; content:"application/hta"; fast_pattern; startswith; classtype:not-suspicious; sid:2024195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mole Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"guid="; depth:5; fast_pattern; content:"&ver="; distance:0; pcre:"/^guid=[^&]+?&ver=[^&]+?(?:&fc=[^\r\n]+)?$/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/; reference:md5,31c2e85ef5e4c0009e1f18794527b4ca; classtype:command-and-control; sid:2024203; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Mole, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mole Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"guid="; depth:5; fast_pattern; content:"&ver="; distance:0; pcre:"/^guid=[^&]+?&ver=[^&]+?(?:&fc=[^\r\n]+)?$/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/; reference:md5,31c2e85ef5e4c0009e1f18794527b4ca; classtype:command-and-control; sid:2024203; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Mole, signature_severity Major, tag c2, updated_at 2020_08_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Hidden-Tear Variant Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?rid=ClsgIFVzZXItSUQgIF0gID"; fast_pattern; pcre:"/\.php\?rid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.header; content:"Ransom|3a 20|Client|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b991a99335b01bed8da4401fee1f2d45; classtype:command-and-control; sid:2024204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Hidden-Tear Variant Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?rid=ClsgIFVzZXItSUQgIF0gID"; fast_pattern; pcre:"/\.php\?rid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.header; content:"Ransom|3a 20|Client|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b991a99335b01bed8da4401fee1f2d45; classtype:command-and-control; sid:2024204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, signature_severity Major, tag Ransomware, updated_at 2020_08_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nuke Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Expect|3a 20|100-continue"; http.request_body; content:"machine="; depth:8; fast_pattern; pcre:"/^machine=[^&]+$/Pi"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.spyware-techie.com/nuke-ransomware-removal-guide; reference:md5,ff0e42146794f0d080df0467337b2d01; classtype:command-and-control; sid:2023335; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Nuke, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nuke Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Expect|3a 20|100-continue"; http.request_body; content:"machine="; depth:8; fast_pattern; pcre:"/^machine=[^&]+$/Pi"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.spyware-techie.com/nuke-ransomware-removal-guide; reference:md5,ff0e42146794f0d080df0467337b2d01; classtype:command-and-control; sid:2023335; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Nuke, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE YAHOOYLO Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"|50 4b 03 04|"; startswith; content:"Information.txt"; distance:0; content:"=Hardware Info==========================|0d 0a|Username|3a 20|"; distance:0; fast_pattern; reference:md5,437e3fb3c14f32644df9c6168ca4fa2c; classtype:command-and-control; sid:2030648; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family YAHOOYLO, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_05;)
 
@@ -36974,12 +35970,14 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown AutoIt Bot
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (ldrtoyota .casa in TLS SNI)"; flow:established,to_server; tls.sni; content:"ldrtoyota.casa"; bsize:14; reference:md5,b5e40801df5010e6c18e0ad81806adf7; classtype:trojan-activity; sid:2030658; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=nellscorp.com"; nocase; endswith; classtype:domain-c2; sid:2030647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=nellscorp.com"; nocase; endswith; classtype:domain-c2; sid:2030647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt"; flow:to_server,established; urilen:1; http.method; content:"PROPFIND"; http.header; content:"Content-Length|3a 20|0|0d 0a|Host|3a 20|"; depth:25; content:"|0d 0a|If|3a 20|<http"; fast_pattern; classtype:trojan-activity; sid:2024222; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2017_04_18, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_05;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office UA FB SET"; flow:established,to_server; flowbits:set,Office.UA; flowbits:noalert; http.user_agent; content:"Microsoft Office"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_08_05;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Home/Save"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest"; nocase; http.request_body; content:"u="; depth:2; fast_pattern; nocase; content:"&p="; distance:0; nocase; classtype:credential-theft; sid:2031793; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; http.header; content:"Expires|3A 20|Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; fast_pattern; classtype:trojan-activity; sid:2024229; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
 
 alert http any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/report-email/send"; nocase; http.request_body; content:"/dev-report-overview.html"; nocase; content:"|3B|"; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/i"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:3; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
@@ -36988,11 +35986,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Requested v
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ARM Binary Requested via WGET to Known IoT Malware Domain"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/"; http.user_agent; content:"Wget/"; depth:5; http.host; content:"ntp.gtpnet.ir"; startswith; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024243; rev:3; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful OWA Phish Apr 25 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:credential-theft; sid:2024999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful OWA Phish Apr 25 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:credential-theft; sid:2024999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ Default HTTP Headers"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Referrer|3a 20|"; content:"|0d 0a|TlEo|3a 20|"; fast_pattern; classtype:trojan-activity; sid:2024247; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a|0000"; http.request_body; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; fast_pattern; offset:0; classtype:trojan-activity; sid:2024248; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a|0000"; http.request_body; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; fast_pattern; offset:0; classtype:trojan-activity; sid:2024248; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saker UA"; flow:established,to_server; http.user_agent; content:"Mozilla/"; depth:8; content:"|20|MSIE|20|"; distance:0; content:"|3b 20|Wis NT|20|"; distance:0; fast_pattern; content:"|3b 20|.NET CLR|20|"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:7; metadata:created_at 2014_03_26, former_category TROJAN, updated_at 2020_08_05;)
 
@@ -37000,13 +35998,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2"; flow:to_server,established; http.uri; content:"action=lostpassword"; nocase; fast_pattern; http.header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/mi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024278; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NewHT Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?computerName="; fast_pattern; content:"&userName="; distance:0; content:"&key="; distance:0; content:"&id="; distance:0; content:"&time="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2e0ebb7a21d16ab6fa908f74bee260d6; classtype:command-and-control; sid:2024280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family NewHT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NewHT Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?computerName="; fast_pattern; content:"&userName="; distance:0; content:"&key="; distance:0; content:"&id="; distance:0; content:"&time="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2e0ebb7a21d16ab6fa908f74bee260d6; classtype:command-and-control; sid:2024280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family NewHT, signature_severity Major, tag Ransomware, updated_at 2020_08_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-03-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appleId="; nocase; fast_pattern; content:"accountPassword="; nocase; content:"appIdKey="; nocase; classtype:credential-theft; sid:2032178; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"sort="; nocase; pcre:"/sort\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_05;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"orderby="; nocase; pcre:"/orderby\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Miniproxy Cloned Page - Possible Phishing Landing"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<!-- Proxified page constructed by miniProxy"; fast_pattern; nocase; within:100; reference:url,github.com/joshdick/miniProxy; classtype:social-engineering; sid:2024283; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Miniproxy Cloned Page - Possible Phishing Landing"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<!-- Proxified page constructed by miniProxy"; fast_pattern; nocase; within:100; reference:url,github.com/joshdick/miniProxy; classtype:social-engineering; sid:2024283; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Edge on Windows 10 SET"; flow:established,to_server; flowbits:set,ET_EDGE_UA; flowbits:noalert; http.user_agent; content:"Windows NT 10."; content:"Edge/12."; distance:0; fast_pattern; classtype:misc-activity; sid:2023197; rev:5; metadata:affected_product Microsoft_Edge_Browser, created_at 2016_09_13, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, tag User_Agent, updated_at 2020_08_05;)
 
@@ -37030,7 +36030,9 @@ alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER UA WordPress probabl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bitcoin QR Code Generated via Btcfrog.com"; flow:established,to_server; http.uri; content:"/qr/bitcoinPNG.php?address="; fast_pattern; http.host; content:"www.btcfrog.com"; bsize:15; classtype:coin-mining; sid:2024292; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_05_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/EasyLocker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/(?:countdown|check)\/[a-f0-9]{30,45}\/(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?$/i"; http.host; content:"noobcrypt"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,980342a5a783d7f6ce188c575d9ca97a; classtype:command-and-control; sid:2024320; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family EasyLocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 OCSP Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/oscp/"; fast_pattern; depth:6; pcre:"/^\/oscp\/[a-z]+$/"; http.header; content:"Host|3a 20|ocsp.verisign.com|0d 0a|Accept"; depth:31; content:"Microsoft-CryptoAPI/6.1"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2ba2e7af1246da08e4fd7345c7207b59; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/oscp.profile; classtype:command-and-control; sid:2032750; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_08_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/EasyLocker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/(?:countdown|check)\/[a-f0-9]{30,45}\/(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?$/i"; http.host; content:"noobcrypt"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,980342a5a783d7f6ce188c575d9ca97a; classtype:command-and-control; sid:2024320; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family EasyLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?key="; fast_pattern; content:"&string="; distance:0; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:\x3a\x3a[^\x3a]+?){5,}$/i"; http.user_agent; content:"Mozilla/"; startswith; http.request_body; content:"key="; depth:4; content:"&string="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:command-and-control; sid:2024321; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family ASPC_Bot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
@@ -37044,39 +36046,41 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic We
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password<br><input type=password name=pass"; nocase; content:"background-color|3a|whitesmoke|3b|border"; distance:0; content:"type=submit name='watching' value='Login'"; distance:0; fast_pattern; classtype:web-application-attack; sid:2030662; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; depth:5; nocase; content:"|25|40"; distance:0; content:"senha"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024576; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; depth:5; nocase; content:"|25|40"; distance:0; content:"senha"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024576; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha6="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; classtype:credential-theft; sid:2024328; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha6="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; classtype:credential-theft; sid:2024328; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2024329; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2024329; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"handle="; depth:7; nocase; fast_pattern; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024577; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"handle="; depth:7; nocase; fast_pattern; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024577; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing May 31 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; nocase; content:"Select your email provider"; nocase; fast_pattern; distance:0; content:"Gmail"; nocase; distance:0; content:"Yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; classtype:credential-theft; sid:2024578; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; classtype:credential-theft; sid:2024578; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017 M2"; flow:established,from_server; http.header; content:"Content-Description|3a 20|File Transfer"; content:"Expires|3a 20|0"; pcre:"/Content-Disposition\x3a[^\r\n]+\.exe-rc4\.exe\r\n/i"; http.cookie; content:"ci_session"; file.data; content:!"MZ"; within:2; classtype:exploit-kit; sid:2024345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fireball Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?clients="; content:"&reqs=visit."; distance:0; http.user_agent; content:"RookIE/"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection; reference:md5,69ffdf99149d19be7dc1c52f33aaa651; classtype:trojan-activity; sid:2024348; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category TROJAN, malware_family Fireball, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fireball Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?clients="; content:"&reqs=visit."; distance:0; http.user_agent; content:"RookIE/"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection; reference:md5,69ffdf99149d19be7dc1c52f33aaa651; classtype:trojan-activity; sid:2024348; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_03, deployment Perimeter, former_category TROJAN, malware_family Fireball, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Request for Grey Advertising Often Leading to EK"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?&tid="; fast_pattern; content:"&red="; distance:0; content:"&abt="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024350; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Unk.HT-Based Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hostname=csharp-"; depth:16; fast_pattern; content:"&enckey="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2aa11c090fd0737e52cd532418c1211e; classtype:command-and-control; sid:2024352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Unk.HT-Based Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hostname=csharp-"; depth:16; fast_pattern; content:"&enckey="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2aa11c090fd0737e52cd532418c1211e; classtype:command-and-control; sid:2024352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; content:"&Pass"; nocase; distance:0; content:"formimage"; nocase; fast_pattern; classtype:credential-theft; sid:2024579; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; content:"&Pass"; nocase; distance:0; content:"formimage"; nocase; fast_pattern; classtype:credential-theft; sid:2024579; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?key="; content:"&string="; distance:0; fast_pattern; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:(?:\x3a\x3a|3A3A)[^\x3a]+?){5,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:command-and-control; sid:2024322; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family ASPC_Bot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTRS Installation Dialog (after auth) attempt"; flow:to_server,established; http.uri; content:"/otrs/index.pl?Action=Installer"; nocase; reference:cve,2017-9324; classtype:web-application-attack; sid:2024368; rev:3; metadata:affected_product OTRS, attack_target Web_Server, created_at 2017_06_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; content:"&conta="; nocase; distance:0; content:"&senha_eletronica="; nocase; distance:0; fast_pattern; content:"&senha_cartao="; nocase; distance:0; content:"&celular="; nocase; distance:0; classtype:credential-theft; sid:2024371; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; content:"&conta="; nocase; distance:0; content:"&senha_eletronica="; nocase; distance:0; fast_pattern; content:"&senha_cartao="; nocase; distance:0; content:"&celular="; nocase; distance:0; classtype:credential-theft; sid:2024371; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spectre Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?mode="; content:"&crypted="; distance:0; content:"&id="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8af7ef13b6ced37d08dce0f747d7d8b; classtype:command-and-control; sid:2024373; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Spectre, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spectre Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?mode="; content:"&crypted="; distance:0; content:"&id="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8af7ef13b6ced37d08dce0f747d7d8b; classtype:command-and-control; sid:2024373; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Spectre, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hostinger Generic Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"wb_form_id="; nocase; depth:11; fast_pattern; content:"&message=&wb_input_0="; nocase; distance:8; within:21; content:"&wb_input_0="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; classtype:credential-theft; sid:2024375; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hostinger Generic Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"wb_form_id="; nocase; depth:11; fast_pattern; content:"&message=&wb_input_0="; nocase; distance:8; within:21; content:"&wb_input_0="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; classtype:credential-theft; sid:2024375; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnum="; depth:5; nocase; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024377; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"save"; content:".asp"; within:6; pcre:"/\.asp$/"; http.request_body; content:"u="; depth:2; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2032177; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnum="; depth:5; nocase; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024377; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE X-Malware-Sinkhole Header in HTTP Response"; flow:from_server,established; http.header; content:"X-Malware-Sinkhole|3a 20|"; classtype:trojan-activity; sid:2024378; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
@@ -37084,25 +36088,31 @@ alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Obser
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|YTS"; file.data; content:"<title>Yahoo - login"; fast_pattern; nocase; classtype:social-engineering; sid:2024390; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; content:"passwords.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2035015; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_06, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_08_06;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|YTS"; file.data; content:"<title>Yahoo! Mail"; fast_pattern; nocase; classtype:social-engineering; sid:2024398; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ad-"; pcre:"/\/ad-(?:strat|devi)\/$/"; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"RgQ7"; depth:4; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_06_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android_07012016, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ad-"; pcre:"/\/ad-(?:strat|devi)\/$/"; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"RgQ7"; depth:4; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_06_19, deployment Perimeter, former_category MOBILE_MALWARE, tag Android_07012016, updated_at 2020_08_06, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible SharePoint XSS (CVE-2017-8514) Inbound"; flow:to_server,established; http.uri; content:"FollowSite="; nocase; fast_pattern; content:"SiteName="; nocase; content:"-confirm"; nocase; distance:0; reference:url,respectxss.blogspot.fr/2017/06/a-look-at-cve-2017-8514-sharepoints.html; classtype:attempted-user; sid:2024412; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_06_19, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF HTTP Get Outbound"; flow:to_server,established; threshold: type limit, track by_src, seconds 300, count 1; http.uri; content:".js?BEEFHOOK="; fast_pattern; reference:url,beefproject.com; classtype:attempted-user; sid:2024416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF HTTP Get Outbound"; flow:to_server,established; threshold: type limit, track by_src, seconds 300, count 1; http.uri; content:".js?BEEFHOOK="; fast_pattern; reference:url,beefproject.com; classtype:attempted-user; sid:2024416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Windows Scam ScreenLocker"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lock.php"; endswith; http.user_agent; content:"MyAgent"; fast_pattern; bsize:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,6443d8351f5ed62836003f103d8de20e; classtype:social-engineering; sid:2024417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category MALWARE, malware_family Screenlocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Naoinstalad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?MD="; fast_pattern; content:"Naoinstalado"; nocase; http.user_agent; content:!"Mozilla"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,f136f9ec7f7f8cb1a12a9b835183be59; reference:url,www.malware-traffic-analysis.net/2017/06/08/index.html; classtype:command-and-control; sid:2024427; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lockscreen Ransomware Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:"/?page_id=93"; endswith; fast_pattern; http.request_body; content:"&page_title=Windows Security Warning&"; within:100; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/; classtype:trojan-activity; sid:2030665; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lockscreen Ransomware Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:"/?page_id=93"; endswith; fast_pattern; http.request_body; content:"&page_title=Windows Security Warning&"; within:100; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/; classtype:trojan-activity; sid:2030665; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownLoadAdmin Activity"; flow:established,to_server; http.uri; content:"/install.php?bc="; startswith; fast_pattern; content:"&d="; content:"&cb="; http.header_names; content:"|0d 0a|user-agent|0d 0a|x-webinstallcode|0d 0a|"; reference:md5,cff290dcb07183541783bbc9ce7056b4; classtype:pup-activity; sid:2030663; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_07;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032180; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-08-07"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; content:"&paswd="; fast_pattern; distance:0; classtype:credential-theft; sid:2031871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda CnC Activity"; flow:established,to_server; content:".dat HTTP/1.1|0d 0a|User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|"; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf; reference:md5,2ec79d0605a4756f4732aba16ef41b22; classtype:command-and-control; sid:2030671; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_08_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:!"</title>"; nocase; within:20; content:"|26 23|x"; within:20; content:"|3b 26 23|x"; distance:2; within:4; fast_pattern; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024432; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:!"</title>"; nocase; within:20; content:"|26 23|x"; within:20; content:"|3b 26 23|x"; distance:2; within:4; fast_pattern; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024432; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flexym.myarena.site"; bsize:19; reference:md5,2e2a6ca2a4058c8a141ff23c3433bcc6; classtype:domain-c2; sid:2030669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_10;)
 
@@ -37116,59 +36126,153 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Mobile Phi
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Petya Conn Check"; flow:established,to_server; urilen:1; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"; fast_pattern; http.host; content:"myip.com.ua"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,twitter.com/V_Baczynski/status/881051849700364288; classtype:trojan-activity; sid:2024443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"b2="; depth:3; nocase; content:"&b1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024580; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"b2="; depth:3; nocase; content:"&b1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024580; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Blockchain title over non SSL Jul 10 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"bitcoin wallet - blockchain"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024450; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Blockchain title over non SSL Jul 10 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"bitcoin wallet - blockchain"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024450; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&pd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024581; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&pd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024581; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 11 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"IDToken"; depth:7; nocase; content:"&IDToken"; nocase; distance:0; fast_pattern; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; classtype:credential-theft; sid:2024582; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 11 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"IDToken"; depth:7; nocase; content:"&IDToken"; nocase; distance:0; fast_pattern; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; classtype:credential-theft; sid:2024582; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Agent.QJK Stealer Data Exfil Via HTTP"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; fast_pattern; pcre:"/^(?:(?:Passwords|PCinformation)\.txt|(?:Data|GrabbedTxtFiles)\.zip)\x22\r\n/Ri"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family Unknown, performance_impact Moderate, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Credit Card"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ccnum"; fast_pattern; content:"&exp"; distance:0; content:"&cvv"; distance:0; classtype:credential-theft; sid:2021692; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; content:"password="; nocase; content:"View+PDF+Document"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032235; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Credit Card"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ccnum"; fast_pattern; content:"&exp"; distance:0; content:"&cvv"; distance:0; classtype:credential-theft; sid:2021692; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"q1="; content:"&answer1="; distance:0; fast_pattern; content:"&q2="; distance:0; content:"&answer2="; distance:0; content:"&q3="; distance:0; content:"&answer3="; distance:0; classtype:credential-theft; sid:2021693; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Epass Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?email="; fast_pattern; http.request_body; content:"epass="; depth:6; nocase; classtype:credential-theft; sid:2032237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"q1="; content:"&answer1="; distance:0; fast_pattern; content:"&q2="; distance:0; content:"&answer2="; distance:0; content:"&q3="; distance:0; content:"&answer3="; distance:0; classtype:credential-theft; sid:2021693; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Phish M1 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"acc3="; depth:5; nocase; content:"&acc1="; nocase; distance:0; fast_pattern; content:"&acc2="; nocase; distance:0; content:"&isUtf8="; nocase; distance:0; classtype:credential-theft; sid:2032263; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern; content:"password-revealer"; nocase; distance:0; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:social-engineering; sid:2023047; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish Aug 15 2016"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?cmd=login_submit"; nocase; fast_pattern; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2023061; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish Aug 15 2016"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?cmd=login_submit"; nocase; fast_pattern; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2023061; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"redirect="; depth:9; nocase; content:"&txtState="; nocase; distance:0; content:"&txtCount="; nocase; distance:0; content:"&txtOneTime="; nocase; distance:0; content:"&Account_ID="; nocase; distance:0; content:"&active_Password="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2023698; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"firstName="; depth:10; nocase; content:"&lastName="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&securityCode="; nocase; distance:0; fast_pattern; content:"&SubmitButton="; nocase; distance:0; content:"&msg_agree="; nocase; distance:0; classtype:credential-theft; sid:2024462; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&ROLLOUT="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023770; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2015-12-10"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&checkedDomains="; nocase; fast_pattern; content:"&checkConnection="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"Download+Document"; nocase; distance:0; classtype:credential-theft; sid:2031797; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"sitedomain="; depth:11; content:"&isSiteStateEncoded="; nocase; distance:0; classtype:credential-theft; sid:2021322; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"redirect="; depth:9; nocase; content:"&txtState="; nocase; distance:0; content:"&txtCount="; nocase; distance:0; content:"&txtOneTime="; nocase; distance:0; content:"&Account_ID="; nocase; distance:0; content:"&active_Password="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2023698; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hotmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017753; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"firstName="; depth:10; nocase; content:"&lastName="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&securityCode="; nocase; distance:0; fast_pattern; content:"&SubmitButton="; nocase; distance:0; content:"&msg_agree="; nocase; distance:0; classtype:credential-theft; sid:2024462; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"&_task=login&_action=login"; nocase; classtype:credential-theft; sid:2021324; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&ROLLOUT="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023770; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Complete+Apple+ID+Verification"; nocase; fast_pattern; classtype:credential-theft; sid:2031755; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"sitedomain="; depth:11; content:"&isSiteStateEncoded="; nocase; distance:0; classtype:credential-theft; sid:2021322; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Fedex Phish 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc_lang="; depth:8; content:"&afterwardsURL"; fast_pattern; distance:0; content:"https%3A%2F%2Fwww.fedex.com"; distance:1; content:"&username="; distance:0; content:"&password="; distance:0; content:"&login=Login"; distance:0; classtype:credential-theft; sid:2031753; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hotmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017753; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phish M1 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; content:"&phone="; distance:0; content:"View+Document"; distance:0; fast_pattern; classtype:credential-theft; sid:2031751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"&_task=login&_action=login"; nocase; classtype:credential-theft; sid:2021324; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phish 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"pcode="; depth:6; fast_pattern; content:"&Submit=Validate"; distance:0; classtype:credential-theft; sid:2031752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish Jun 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&vi="; nocase; distance:0; classtype:credential-theft; sid:2021296; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful ABSA Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"AccessAccount="; depth:14; nocase; fast_pattern; content:"&PIN="; nocase; distance:0; content:"&Operator="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032257; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; content:"&pswd="; nocase; distance:0; fast_pattern; content:"&Button1="; nocase; distance:0; classtype:credential-theft; sid:2021297; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Account Update Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&emailpassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031768; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"server="; depth:7; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2021298; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Account Update Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&user"; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"Update+My+Details"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032238; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&locale="; nocase; distance:0; content:"=Sign+in"; distance:0; nocase; classtype:credential-theft; sid:2031764; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.header; content:".php?X1="; fast_pattern; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; classtype:credential-theft; sid:2032243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-04-29"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"client_id="; fast_pattern; content:"callback="; content:"&client_redirect="; distance:0; content:"&denied_callback="; distance:0; content:"&display="; distance:0; classtype:credential-theft; sid:2032227; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2015-08-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"client_id="; depth:10; fast_pattern; content:"&callback="; distance:0; content:"&email="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031767; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish M1 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; nocase; depth:6; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&authSrc=AdobeID"; nocase; distance:0; classtype:credential-theft; sid:2032229; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; content:"&pword="; nocase; distance:0; fast_pattern; content:"&login"; nocase; distance:0; content:"&ip_address="; nocase; distance:0; content:"&action=login"; nocase; distance:0; classtype:credential-theft; sid:2032233; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"adobe"; nocase; content:".php"; distance:0; http.header; content:"adobe"; nocase; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Form Names 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"formselect1="; depth:12; nocase; fast_pattern; content:"&formtext1="; nocase; distance:0; content:"&formtext2="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-10"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit=View+Document"; nocase; distance:0; classtype:credential-theft; sid:2032234; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish Jun 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&vi="; nocase; distance:0; classtype:credential-theft; sid:2021296; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; content:"&pswd="; nocase; distance:0; fast_pattern; content:"&Button1="; nocase; distance:0; classtype:credential-theft; sid:2021297; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"server="; depth:7; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2021298; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OGNL Expression Injection (CVE-2017-9791)"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"multipart"; content:"form-data"; distance:1; within:11; content:"ognl.OgnlContext"; distance:1; fast_pattern; content:"DEFAULT_MEMBER_ACCESS"; distance:1; within:23; content:"java.lang.ProcessBuilder"; distance:1; content:".start"; distance:1; reference:url,securityonline.info/tutorial-cve-2017-9791-apache-struts2-s2-048-remote-code-execution-vulnerability/; reference:cve,2017-9791; classtype:attempted-user; sid:2024468; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_07_14, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; content:"&login.y="; nocase; distance:0; classtype:credential-theft; sid:2025021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-05-04"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&password="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&ip_em="; nocase; distance:0; classtype:credential-theft; sid:2032228; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&message="; nocase; distance:0; content:"View+Document"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032262; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"frm-email="; depth:10; nocase; fast_pattern; content:"&frm-pass="; nocase; distance:0; content:"&frm-submit="; nocase; distance:0; content:"&frm-ac-tok="; nocase; distance:0; classtype:credential-theft; sid:2032246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Credential Phish 2015-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; content:"&Psword1="; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2031777; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_cs"; depth:3; nocase; content:"&action="; nocase; distance:0; content:"&event_submit_do_verify_email="; nocase; distance:0; fast_pattern; content:"&tryTimes="; nocase; distance:0; content:"&em"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032255; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-12-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"noCsrfToken="; depth:12; nocase; content:"&xloginCheckToken="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032264; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"xloginPass"; depth:10; nocase; fast_pattern; content:"&xloginCheckToken="; nocase; distance:0; classtype:credential-theft; sid:2032256; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&xloginPassport="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032245; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"noCsrfToken="; depth:12; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&epass"; nocase; distance:0; classtype:credential-theft; sid:2032247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&password="; nocase; distance:0; content:"&cvv1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sec="; depth:4; nocase; content:"&noCsrfToken="; nocase; distance:0; content:"&loginId="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&Psword1="; nocase; distance:0; fast_pattern; content:"&checkcode="; nocase; distance:0; classtype:credential-theft; sid:2032260; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access1="; depth:8; nocase; fast_pattern; content:"&next.x="; nocase; distance:0; content:"&next.y="; nocase; distance:0; classtype:credential-theft; sid:2025023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; content:"&login.y="; nocase; distance:0; classtype:credential-theft; sid:2025021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access2="; depth:8; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025024; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&password="; nocase; distance:0; content:"&cvv1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&emailpass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025025; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access1="; depth:8; nocase; fast_pattern; content:"&next.x="; nocase; distance:0; content:"&next.y="; nocase; distance:0; classtype:credential-theft; sid:2025023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access2="; depth:8; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025024; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&emailpass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025025; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing Jul 19 2017"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"function getSystemInfo"; nocase; distance:0; content:"OnChatTextKeyDown"; nocase; distance:0; fast_pattern; content:"function scrollcheck"; nocase; distance:0; content:"function callconv"; nocase; distance:0; content:"function istyping"; nocase; distance:0; content:"function dochat"; nocase; distance:0; classtype:social-engineering; sid:2024480; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"2.php?jpg="; fast_pattern; content:!"&"; distance:0; pcre:"/\/[a-z]+2\.php\?jpg=[^&]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024482; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Critical, tag Targeted, tag APT, tag DarkHotel, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PHOEN!X Apple Phish M2 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hold="; nocase; depth:5; fast_pattern; content:"&numb="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&submit.x=Validate"; nocase; distance:0; classtype:credential-theft; sid:2031802; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon (UK) Phish 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appActionToken="; depth:15; nocase; fast_pattern; content:"&appAction="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032254; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"2.php?jpg="; fast_pattern; content:!"&"; distance:0; pcre:"/\/[a-z]+2\.php\?jpg=[^&]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024482; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, signature_severity Major, tag Targeted, tag APT, tag DarkHotel, tag c2, updated_at 2020_08_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|banner|22 0d 0a|"; fast_pattern; content:"name=|22|jpg|22 0d 0a|"; distance:0; content:"name=|22|userfile|22 3b 0d 0a|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, signature_severity Major, tag Targeted, tag APT, tag DarkHotel, tag c2, updated_at 2020_08_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"emaillo="; depth:8; fast_pattern; content:"&create="; distance:0; content:"&passcode="; distance:0; classtype:credential-theft; sid:2031762; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FullName"; nocase; depth:8; content:"&Address"; nocase; distance:0; content:"&StateN="; nocase; distance:0; content:"&enterAddressIsDomestic="; nocase; distance:0; fast_pattern; content:"&isDomestic="; nocase; distance:0; classtype:credential-theft; sid:2031763; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"showRmrMe="; depth:10; nocase; fast_pattern; content:"&openid.pape.max_auth_age="; nocase; distance:0; content:"&fullname="; nocase; distance:0; content:"&add1="; nocase; distance:0; content:"&add2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032251; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish 2015-11-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NameonCards="; nocase; fast_pattern; content:"&Cardanumber="; nocase; distance:0; content:"&CVV2="; nocase; distance:0; content:"&Expiredate"; nocase; distance:0; classtype:credential-theft; sid:2031784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ameli.fr Phish M1 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&dob1="; nocase; distance:0; content:"&mail="; nocase; distance:0; content:"&Pwd="; nocase; distance:0; content:"&adresse="; nocase; distance:0; fast_pattern; content:"&ville="; nocase; distance:0; content:"&tel="; nocase; distance:0; classtype:credential-theft; sid:2032258; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|banner|22 0d 0a|"; fast_pattern; content:"name=|22|jpg|22 0d 0a|"; distance:0; content:"name=|22|userfile|22 3b 0d 0a|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Critical, tag Targeted, tag APT, tag DarkHotel, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ameli.fr Phish M2 Oct 26 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bank="; depth:5; nocase; content:"&ccnum="; nocase; distance:0; content:"&expMonth="; nocase; distance:0; content:"&expYear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&account="; nocase; distance:0; content:"&ghazcisse="; nocase; distance:0; fast_pattern; content:"&Valider="; nocase; distance:0; classtype:credential-theft; sid:2032259; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Dec 8 2015"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; fast_pattern; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; content:"=Login"; nocase; distance:0; classtype:credential-theft; sid:2031565; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Anonisma Paypal Phish 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&ps="; nocase; distance:0; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031801; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M1 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"firstnameoncard="; depth:16; fast_pattern; content:"&address"; nocase; distance:0; content:"&city"; nocase; distance:0; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032230; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M1 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"paymenttype="; depth:12; fast_pattern; content:"&cardtype"; nocase; distance:0; content:"&nameoncard"; nocase; distance:0; content:"&cvv"; nocase; distance:0; classtype:credential-theft; sid:2032231; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M3 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"question="; depth:9; fast_pattern; content:"&answer"; nocase; distance:0; content:"&ScreenName"; nocase; distance:0; content:"&Password"; nocase; distance:0; classtype:credential-theft; sid:2032232; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"openiForgotInNewWindow="; depth:23; nocase; fast_pattern; content:"&fdcBrowserData="; nocase; distance:0; content:"&appIdKey="; nocase; distance:0; classtype:credential-theft; sid:2032250; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish M1 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email-ali1="; depth:11; nocase; content:"&password-ali"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032249; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; fast_pattern; nocase; content:"&pass"; distance:0; nocase; content:"&oemail="; distance:0; nocase; classtype:credential-theft; sid:2031792; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"FirstName="; depth:10; nocase; content:"&LastName="; nocase; distance:0; content:"&DOBM="; nocase; distance:0; content:"&AreaCode="; nocase; distance:0; content:"&Phone="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; fast_pattern; content:"&securityCode="; nocase; distance:0; content:"&VBV="; nocase; distance:0; classtype:credential-theft; sid:2032248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain (nothingtodo .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"nothingtodo.co"; bsize:14; classtype:domain-c2; sid:2030670; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
 
@@ -37182,13 +36286,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISMAgent CnC Chec
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mobile Device Posting Phone Number"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"&Phone"; fast_pattern; nocase; content:"Number="; nocase; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/i"; classtype:policy-violation; sid:2013208; rev:4; metadata:created_at 2011_07_06, former_category MOBILE_MALWARE, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:to_client,established; http.header_names; content:!"Content-Type|0d 0a|text/xml|0d 0a|"; content:!"Content-Type|0d 0a|application/xml|0d 0a|"; file.data; content:"preserve"; nocase; content:"redim|20|"; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:to_client,established; http.header_names; content:!"Content-Type|0d 0a|text/xml|0d 0a|"; content:!"Content-Type|0d 0a|application/xml|0d 0a|"; file.data; content:"preserve"; nocase; content:"redim|20|"; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/201"; depth:4; content:"/?c="; distance:1; within:4; fast_pattern; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&f="; distance:0; content:"&mi="; distance:0; content:"&b="; distance:0; content:"&t="; distance:0; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/; classtype:command-and-control; sid:2031410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d=201"; depth:10; fast_pattern; content:"&t="; distance:0; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; classtype:command-and-control; sid:2031411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"//configure destination URL"; nocase; fast_pattern; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2029660; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"//configure destination URL"; nocase; fast_pattern; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2029660; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_11;)
 
@@ -37198,57 +36302,137 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retr
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.ATS CnC Activity"; flow:established,to_server; http.uri; content:"php?Hwid=S-"; fast_pattern; content:"-"; distance:0; content:"-"; distance:0; content:"-"; distance:0; pcre:"/\.php\?Hwid=[^&]+[0-9](?:&(?:Pc|Etat)=[^&]+)?(?:&user=[^&]+&Ip=[^&]+&Ping=[^&]+&v=[^&]+&Ville=[^&]+&Pays=[^&]+&Region=[^&]+)?$/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,53d3ee595bc5df7e97403906f1415c21; classtype:command-and-control; sid:2024528; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UID_input="; depth:10; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024616; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UID_input="; depth:10; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024616; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1|"; depth:48; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024533; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category TROJAN, malware_family ursnif, malware_family Gozi, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address_1="; depth:10; nocase; fast_pattern; content:"&address_2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&postal="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&number_1="; nocase; distance:0; content:"&number_2="; nocase; distance:0; content:"&number_3="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address_1="; depth:10; nocase; fast_pattern; content:"&address_2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&postal="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&number_1="; nocase; distance:0; content:"&number_2="; nocase; distance:0; content:"&number_3="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Square Phish Nov 16 2015"; flow:to_server,established; http.method; content:"POST"; http.header; content:"cmd=_identifier_Demarrer_ID="; nocase; fast_pattern; http.request_body; content:"&submit.x="; nocase; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2024547; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Square Phish Nov 16 2015"; flow:to_server,established; http.method; content:"POST"; http.header; content:"cmd=_identifier_Demarrer_ID="; nocase; fast_pattern; http.request_body; content:"&submit.x="; nocase; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2024547; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:7; http.method; content:"GET"; nocase; http.uri; content:"/status"; fast_pattern; http.header; content:"Host|3a|"; nocase; content:"|3b|"; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/mi"; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:2024548; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_08_14, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&mobile="; nocase; distance:0; content:"&ccnumber="; nocase; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; classtype:credential-theft; sid:2032252; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"spyuser="; depth:8; nocase; fast_pattern; content:"&spypass="; nocase; distance:0; classtype:credential-theft; sid:2032239; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"apple_login="; depth:12; nocase; fast_pattern; content:"&apple_password="; nocase; distance:0; classtype:credential-theft; sid:2032253; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"GivenName="; depth:10; nocase; fast_pattern; content:"&Surname="; nocase; distance:0; content:"&StreetAddress="; nocase; distance:0; content:"&ZipCode="; nocase; distance:0; content:"&TelephoneNumber="; nocase; distance:0; content:"&SSN="; nocase; distance:0; classtype:credential-theft; sid:2032240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"CCNumber="; nocase; fast_pattern; content:"&CCExpires="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&CVV"; nocase; distance:0; classtype:credential-theft; sid:2032241; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; fast_pattern; content:"&trackdata="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2031780; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Oct 31 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appleId="; depth:8; nocase; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032261; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M1 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login-id="; depth:9; nocase; content:"&id-passwd="; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032265; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M2 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name-re="; depth:8; nocase; content:"&city-add="; nocase; distance:0; content:"&zip-add="; nocase; distance:0; content:"&state-code="; nocase; distance:0; content:"&country-code="; nocase; distance:0; content:"&question-se="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032266; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M3 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&pass="; nocase; distance:0; content:"&pays="; nocase; distance:0; content:"&first_name="; nocase; distance:0; content:"&ville="; nocase; distance:0; content:"&cpostal="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&cvnum="; nocase; distance:0; fast_pattern; content:"&isvbv="; nocase; distance:0; classtype:credential-theft; sid:2032267; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M4 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bank_name="; depth:10; nocase; content:"&d3_code="; nocase; distance:0; fast_pattern; content:"&bin_ext="; nocase; distance:0; classtype:credential-theft; sid:2032268; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Transaction Cancellation Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd=_flow&"; depth:10; content:"&first_name="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&credit_card_type="; nocase; distance:0; fast_pattern; content:"&ccnumber="; nocase; distance:0; content:"&accno="; nocase; distance:0; classtype:credential-theft; sid:2032236; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Credential Phish 2015-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:".tries="; depth:7; fast_pattern; nocase; content:"&.challenge="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2031776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish M1 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag="; depth:3; nocase; content:"&ct="; nocase; distance:0; content:"&infor="; nocase; distance:0; content:"&limpar="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032308; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish M2 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag="; depth:3; nocase; content:"&ct="; nocase; distance:0; content:"&infor="; nocase; distance:0; content:"&telefone="; nocase; distance:0; fast_pattern; content:"&telefone"; nocase; distance:0; content:"&senha"; nocase; distance:0; content:"&bt"; nocase; distance:0; classtype:credential-theft; sid:2032309; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; content:"&ssn="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailpassword="; nocase; distance:0; fast_pattern; content:"&form1="; nocase; distance:0; content:"&form2="; nocase; distance:0; content:"&form3="; nocase; distance:0; content:"&form4="; nocase; distance:0; content:"&form5="; nocase; distance:0; classtype:credential-theft; sid:2032305; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&sitekeyChallengeAnswer1="; nocase; distance:0; fast_pattern; content:"&question2="; nocase; distance:0; content:"&sitekeyChallengeAnswer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&sitekeyChallengeAnswer3="; nocase; distance:0; content:"&sitekeyDeviceBind="; nocase; distance:0; classtype:credential-theft; sid:2032301; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"has been blocked"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2022925; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&cn1="; nocase; distance:0; content:"&cn2="; nocase; distance:0; classtype:credential-theft; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&cn1="; nocase; distance:0; content:"&cn2="; nocase; distance:0; classtype:credential-theft; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&pin="; nocase; distance:0; content:"&ccin="; nocase; distance:0; fast_pattern; content:"&mmn="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&ssn2="; nocase; distance:0; content:"&ssn3="; nocase; distance:0; content:"&dl="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cardnumber="; depth:11; nocase; fast_pattern; content:"&expirymonth="; nocase; distance:0; content:"&expiryyear="; nocase; distance:0; content:"&securitycode="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032306; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"account_state_held="; depth:19; nocase; fast_pattern; content:"&onlineid="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&___signon_js="; nocase; distance:0; classtype:credential-theft; sid:2032300; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&q1="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&q2="; nocase; distance:0; content:"&a2="; nocase; distance:0; content:"&q3="; nocase; distance:0; content:"&a3="; nocase; distance:0; content:"&q4="; nocase; distance:0; content:"&a4="; nocase; distance:0; content:"&q5="; nocase; distance:0; content:"&a5="; nocase; distance:0; content:"&passcode="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032302; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&pin="; nocase; distance:0; content:"&ccin="; nocase; distance:0; fast_pattern; content:"&mmn="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&ssn2="; nocase; distance:0; content:"&ssn3="; nocase; distance:0; content:"&dl="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M3 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&code="; nocase; distance:0; content:"&q1="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&creditcard="; nocase; distance:0; fast_pattern; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; content:"&ccv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&fullname="; nocase; distance:0; content:"&add1="; nocase; distance:0; content:"&accnum="; nocase; distance:0; content:"&routing="; nocase; distance:0; classtype:credential-theft; sid:2032303; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"creditcard="; fast_pattern; content:"expyear="; content:"ccv="; content:"pin="; classtype:credential-theft; sid:2015907; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"creditcard="; fast_pattern; content:"expyear="; content:"ccv="; content:"pin="; classtype:credential-theft; sid:2015907; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic PII Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&phone3="; content:"&ssn3="; fast_pattern; content:"&dob3="; classtype:credential-theft; sid:2015908; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic PII Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&phone3="; content:"&ssn3="; fast_pattern; content:"&dob3="; classtype:credential-theft; sid:2015908; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic SSN Phish"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:!"LabTech Agent"; http.request_body; content:"ssn1="; fast_pattern; content:"ssn2="; content:"ssn3="; classtype:credential-theft; sid:2015952; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic SSN Phish"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:!"LabTech Agent"; http.request_body; content:"ssn1="; fast_pattern; content:"ssn2="; content:"ssn3="; classtype:credential-theft; sid:2015952; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017750; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M4 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"REMOTE_ADDR="; depth:12; nocase; content:"&Sequence="; nocase; distance:0; content:"&fname="; nocase; distance:0; content:"&card="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&emailid="; nocase; distance:0; content:"&idpass="; nocase; distance:0; fast_pattern; content:"&alemail="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&dlisence="; nocase; distance:0; classtype:credential-theft; sid:2032304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aoluser="; content:"aolpassword="; classtype:credential-theft; sid:2015910; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlineid="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; content:"&email"; nocase; classtype:credential-theft; sid:2031789; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2015-10-02"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"accountstate="; nocase; depth:13; fast_pattern; content:"&onlineid="; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"gmailuser="; content:"gmailpassword="; classtype:credential-theft; sid:2015912; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017750; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hotmailuser="; content:"hotmailpassword="; classtype:credential-theft; sid:2015913; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aoluser="; content:"aolpassword="; classtype:credential-theft; sid:2015910; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"otheruser="; content:"otherpassword="; classtype:credential-theft; sid:2015914; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"gmailuser="; content:"gmailpassword="; classtype:credential-theft; sid:2015912; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hotmailuser="; content:"hotmailpassword="; classtype:credential-theft; sid:2015913; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"yahoouser="; content:"yahoopassword="; classtype:credential-theft; sid:2015911; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:".tries="; nocase; depth:7; content:"&.challenge="; nocase; distance:0; classtype:credential-theft; sid:2021323; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"otheruser="; content:"otherpassword="; classtype:credential-theft; sid:2015914; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Interac Phish Aug 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"yahoouser="; content:"yahoopassword="; classtype:credential-theft; sid:2015911; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M1 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Login.php?sslchannel="; depth:22; fast_pattern; content:"&sessionid="; distance:0; http.header; content:"/Login.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032280; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M2 2016-03-29"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Verify.php?sslchannel="; depth:23; fast_pattern; content:"&sessionid="; distance:0; http.header; content:"/Login.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032281; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M3 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Checkcc.php?&sessionid="; depth:24; fast_pattern; content:"&securessl="; distance:0; http.header; content:"/Verify.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032282; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M4 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/vbv.php?&sessionid="; depth:20; fast_pattern; content:"&securessl="; distance:0; http.header; content:"/Checkcc.php?&sessionid="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032283; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:".tries="; nocase; depth:7; content:"&.challenge="; nocase; distance:0; classtype:credential-theft; sid:2021323; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Interac Phish Aug 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"stateo="; depth:7; nocase; fast_pattern; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2031781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032294; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Scotland Phish M1 2015-11-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&frmLogin=frmLogin&submitToken="; nocase; content:"&target="; nocase; distance:0; content:"&hdn_mobile="; nocase; distance:0; content:"&dclinkjourid="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2031783; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banque Populaire (FR) Phish 2016-12-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"departement="; depth:12; nocase; fast_pattern; content:"&CCPTE="; nocase; distance:0; content:"&CCCRYC="; nocase; distance:0; content:"&SAMLResponse="; nocase; distance:0; classtype:credential-theft; sid:2032310; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cclast="; depth:7; nocase; fast_pattern; content:"&pinsentry1="; nocase; distance:0; content:"&pinsentry2="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&memorable="; nocase; distance:0; classtype:credential-theft; sid:2032295; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"screenName="; depth:11; nocase; content:"&surname="; nocase; distance:0; content:"&membershipNumber="; nocase; distance:0; fast_pattern; content:"&accountNumber="; nocase; distance:0; classtype:credential-theft; sid:2032290; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address="; depth:8; nocase; content:"&address2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&postcode="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&Year="; nocase; distance:0; content:"&mmn="; nocase; distance:0; content:"&b3d="; nocase; distance:0; content:"&tbp="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; content:"&ccv="; nocase; distance:0; classtype:credential-theft; sid:2032296; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M2 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"car2="; depth:5; nocase; fast_pattern; content:"&pn1="; nocase; distance:0; content:"&pn2="; nocase; distance:0; content:"&p1n="; nocase; distance:0; classtype:credential-theft; sid:2032291; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M3 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"requestid="; depth:10; nocase; fast_pattern; content:"&tpin="; nocase; distance:0; content:"&exp="; nocase; distance:0; content:"&mmn="; nocase; distance:0; classtype:credential-theft; sid:2032292; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BBVA Compass Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale="; depth:7; nocase; fast_pattern; content:"&question1="; nocase; distance:0; content:"&answer1="; nocase; distance:0; content:"&emailadd="; distance:0; content:"&emailpass="; nocase; classtype:credential-theft; sid:2031765; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blackboard Account Phish 2015-10-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&login=Login"; nocase; distance:0; content:"&action=login"; nocase; distance:0; content:"&new_loc="; nocase; distance:0; classtype:credential-theft; sid:2031778; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blocked Email Account Phish M1 2016-08-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&Login=Submit+Now"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032288; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Pharma Spam Template Active - Outbound Email Spam"; flow:to_server,established; content:"Subject|3a 20|Rx|20|Discount|20|"; fast_pattern; content:"Special|20|for|20|you|20|-----"; distance:0; classtype:command-and-control; sid:2030675; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family Tofsee, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_11;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP"; flow:to_server,established; content:"|0d 0a 0d 0a|jui=0D=0A=0D=0Atre|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a 2e 0d 0a|"; distance:0; isdataat:!1,relative; reference:md5,3bb560cb690a91134508910178928973; classtype:trojan-activity; sid:2030672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family JobCrypter, signature_severity Major, updated_at 2020_08_11;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP"; flow:to_server,established; content:"|0d 0a 0d 0a|jui=0D=0A=0D=0Atre|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a 2e 0d 0a|"; distance:0; isdataat:!1,relative; reference:md5,3bb560cb690a91134508910178928973; classtype:trojan-activity; sid:2030672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family JobCrypter, signature_severity Major, tag Ransomware, updated_at 2020_08_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"xxx="; depth:4; nocase; content:"&yyy="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"xxx="; depth:4; nocase; content:"&yyy="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Datper CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"="; within:9; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:command-and-control; sid:2024601; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Datper CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"="; within:9; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:command-and-control; sid:2024601; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Hancitor/Tordal Document Inbound"; flow:established,from_server; flowbits:isset,ET.Hancitor; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".doc"; distance:0; http.content_type; content:"application/msword|3b|"; startswith; file.data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; classtype:exploit-kit; sid:2024605; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
@@ -37256,27 +36440,27 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK UR
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; flowbits:set,ET.DisDain.EK; http.uri; content:"/test.mp3"; offset:25; depth:9; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/"; classtype:exploit-kit; sid:2024607; rev:3; metadata:created_at 2017_08_23, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; http.stat_code; content:"200"; file.data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0;within:75; classtype:exploit-kit; sid:2024612; rev:3; metadata:created_at 2017_08_23, updated_at 2020_08_11;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; content:"AsyncRAT Server"; reference:md5,f69cadedae72d9d1a1d1578b56c39404; classtype:domain-c2; sid:2030673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, signature_severity Major, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; content:"Passwords.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2035016; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_08_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (More_eggs CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=belum.uk.com"; nocase; endswith; classtype:domain-c2; sid:2030674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family More_eggs, signature_severity Major, updated_at 2020_08_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (More_eggs CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=belum.uk.com"; nocase; endswith; classtype:domain-c2; sid:2030674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gazer HTTP POST Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:(?:a(?:(?:lbu|d)m|ccount|uthor)|c(?:ont(?:ac|en)|lien)t|p(?:artners|hoto)|(?:memb|us)er|session|video|hash|key|id)=[a-z0-9]{6,12}&){4}/Ri"; http.request_body; content:"|ff ff ff ff 00 00 00 00|"; depth:8; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf; classtype:command-and-control; sid:2024637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?"; content:"csrfmiddlewaretoken="; nocase; distance:0; content:"username="; nocase; content:"&password="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024638; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (RansomBlocker CnC)"; flow:established,to_server; tls.sni; content:"4fp2u2ue4pyqdpfu"; fast_pattern; reference:md5,2067d1cb1a25c6d6d371339fad9123ba; classtype:command-and-control; sid:2024485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dragonfly Backdoor.Goodor Go Implant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:2; content:"="; distance:3; within:1; content:"&"; distance:32; within:1; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-f0-9]{32}&[a-z0-9]{3}=[^&]+&[a-z0-9]{3}=[a-f0-9]{32}$/"; http.header; content:"Go-http-client/1.1|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8943e71a8c73b5e343aa9d2e19002373; classtype:command-and-control; sid:2024894; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Critical, tag Targeted, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?"; content:"csrfmiddlewaretoken="; nocase; distance:0; content:"username="; nocase; content:"&password="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024638; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dragonfly Backdoor.Goodor Go Implant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:2; content:"="; distance:3; within:1; content:"&"; distance:32; within:1; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-f0-9]{32}&[a-z0-9]{3}=[^&]+&[a-z0-9]{3}=[a-f0-9]{32}$/"; http.header; content:"Go-http-client/1.1|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8943e71a8c73b5e343aa9d2e19002373; classtype:command-and-control; sid:2024894; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Targeted, tag c2, updated_at 2020_08_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; content:"<command"; nocase; distance:0; pcre:"/^[\s>]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)"; flow:to_server,established; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; content:".exec"; distance:0; content:"<command"; nocase; distance:0; pcre:"/^[\s>]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024664; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&pname="; content:"&uname="; content:"&pkey="; content:"&aekey="; content:"&ppub="; content:"&userx=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&pname="; content:"&uname="; content:"&pkey="; content:"&aekey="; content:"&ppub="; content:"&userx=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&crypto=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&crypto=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"eXNvc2VyaWFsL"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024668; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
@@ -37304,11 +36488,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M2 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"connect.sid"; file.data; content:"mainController as mainCtrl"; nocase; content:"mainCtrl.username"; nocase; distance:0; content:"mainCtrl.password"; nocase; distance:0; content:"mainCtrl.submitCreds"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2024704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_11, former_category TROJAN, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_12, former_category TROJAN, updated_at 2020_08_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?country.x="; nocase; content:"&locale.x="; nocase; distance:0; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031576; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zipCode="; nocase; distance:0; content:"&nameoncard="; nocase; distance:0; content:"&cardnumber="; nocase; distance:0; fast_pattern; content:"&c_type="; nocase; distance:0; content:"&c_valid="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&csc="; nocase; distance:0; classtype:credential-theft; sid:2031577; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"imsi="; nocase; classtype:bad-unknown; sid:2012849; rev:5; metadata:created_at 2011_05_25, former_category POLICY, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sep 19 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"pass="; depth:5; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sep 19 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"pass="; depth:5; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER OptionsBleed (CVE-2017-9798)"; flow:from_server; http.header; content:"Allow|3a 20|"; pcre:"/^[^\n]+(?:[^ -~\x0d\x0a]|,\x20*,)/R"; reference:cve,CVE-2017-9798; classtype:misc-activity; sid:2024760; rev:5; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_09_19, deployment Datacenter, former_category WEB_SERVER, performance_impact Significant, signature_severity Minor, updated_at 2020_08_12;)
 
@@ -37318,9 +36506,33 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.FC CnC Activity"; flow:established,to_server; http.start; content:"POST /loader/gate HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.user_agent; content:!"|20|"; http.referer; content:!"|2e|"; http.request_body; content:"data="; startswith; pcre:"/^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})$/R"; reference:md5,d8dbaecab080b40e7782b10affb630f4; classtype:command-and-control; sid:2030678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Dec 4 2015 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hidCflag="; nocase; depth:9; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; distance:0; nocase; content:"sign"; nocase; distance:0; classtype:credential-theft; sid:2022217; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_03, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish 2015-10-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sitedomain="; depth:11; nocase; fast_pattern; content:"&loginId="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031779; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Dec 4 2015 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hidCflag="; nocase; depth:9; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; distance:0; nocase; content:"sign"; nocase; distance:0; classtype:credential-theft; sid:2022217; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Sep 28 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"number"; depth:6; nocase; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&FormsButton"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025029; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Banking Phish (BR) 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; fast_pattern; content:"conta="; nocase; content:"digito="; nocase; classtype:credential-theft; sid:2032293; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"address="; depth:8; fast_pattern; content:"&driver="; distance:0; content:"&employer="; distance:0; content:"&submitBtn=Continue"; distance:0; classtype:credential-theft; sid:2031760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"sin1="; depth:5; fast_pattern; content:"&amount="; distance:0; content:"&name="; distance:0; content:"&submitBtn=Continue"; distance:0; classtype:credential-theft; sid:2031759; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ccname="; depth:7; fast_pattern; content:"&cc="; nocase; distance:0; content:"&ccmm="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&sin1="; nocase; distance:0; content:"&atm="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"=Submit+Form"; nocase; distance:0; classtype:credential-theft; sid:2032289; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Carribean International Bank Account Phish 2015-08-25"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"secq1="; depth:6; nocase; fast_pattern; content:"&ans1="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&email="; distance:0; nocase; classtype:credential-theft; sid:2031766; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Sep 28 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"number"; depth:6; nocase; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&FormsButton"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025029; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CenturyLink Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.header; content:!"www.nwcable.net"; http.request_body; content:"domain="; depth:7; nocase; content:"&bounceto="; nocase; distance:0; content:"&submitted_data="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&email_domain="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032297; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-16"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hdnPrevSelectedRadio="; depth:21; nocase; content:"&hdnRHSLinkClicked="; nocase; distance:0; content:"&SESSION="; nocase; distance:0; content:"&__EVENTTARGET="; nocase; distance:0; content:"&__EVENTVALIDATION="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&epass="; nocase; distance:0; fast_pattern; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032311; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&auth_userId="; nocase; fast_pattern; content:"&auth_passwd="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&branch_assist="; nocase; distance:0; classtype:credential-theft; sid:2031798; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M1 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__EVENTTARGET="; depth:14; nocase; content:"&auth_userId="; nocase; distance:0; fast_pattern; content:"&auth_passwd="; nocase; distance:0; content:"&auth_passwd_org="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hdnPrevSelectedRadio="; depth:21; nocase; content:"&hdnRHSLinkClicked="; nocase; distance:0; fast_pattern; content:"&inptUserId"; nocase; distance:0; content:"&ip_header="; nocase; distance:0; content:"&BirthMonth="; nocase; distance:0; content:"&exp_mon="; nocase; distance:0; content:"&exp_year="; nocase; distance:0; content:"&ccv"; nocase; distance:0; classtype:credential-theft; sid:2032307; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032299; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] TR/Spy.Banker.agdtw Checkin"; flow:established,to_server; http.uri; content:"page"; http.method; content:"POST"; http.header; content:"Connection|3a 20|"; content:"Content-Type|3a 20|multipart"; nocase; distance:0; content:"Content-Length|3a 20|"; nocase; distance:0; content: "Accept|3a 20|"; distance:0; content: "Accept-Encoding|3a 20|"; nocase; distance:0; content:"User-Agent|3a 20|"; distance:0; http.request_body; content:"name=|22|ing|22|"; fast_pattern; depth:300; content:"name=|22|AT|22|"; within:300; content:"ver"; within:300; content:"name=|22|MD|22|"; within:300; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
 
@@ -37328,95 +36540,173 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support P
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Formgrabber Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"c="; depth:2; content:"&v="; distance:0; content:"&h="; distance:0; content:"&t="; fast_pattern; distance:0; pcre:"/^c=[A-F0-9]{10,}&v=[^&]+&h=[^&]+&t=[0-9]$/si"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb066c5625aa85957d6b8d4caef4e497; reference:url,thisissecurity.stormshield.com/2017/09/28/analyzing-form-grabber-malware-targeting-browsers; classtype:trojan-activity; sid:2024781; rev:3; metadata:created_at 2017_09_28, former_category TROJAN, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M1 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agg="; depth:4; nocase; content:"&acc="; nocase; distance:0; content:"&ss"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M1 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agg="; depth:4; nocase; content:"&acc="; nocase; distance:0; content:"&ss"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M3 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cvv="; depth:4; nocase; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022497; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Phish M3 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Webmail|20 3a 3a 20|Verify"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"has been successfully verified"; nocase; distance:0; content:"Thank you for using our"; nocase; distance:0; content:"We will redirect you shortly"; nocase; distance:0; content:"Webmail Security Systems"; nocase; distance:0; classtype:credential-theft; sid:2032286; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Phish M2 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Webmail|20 3a 3a 20|Verify"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"Please Provide your phone number used in creation"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; content:"Webmail Security Systems"; nocase; distance:0; classtype:credential-theft; sid:2032285; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing M1 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Manage your Apple"; nocase; fast_pattern; content:"si-password"; nocase; distance:0; content:"si-remember-password"; nocase; distance:0; classtype:credential-theft; sid:2032279; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M3 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cvv="; depth:4; nocase; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"em="; nocase; depth:3; fast_pattern; content:"&psw="; nocase; content:"&sub="; nocase; classtype:credential-theft; sid:2032284; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022497; rev:4; metadata:created_at 2016_02_08, former_category CURRENT_EVENTS, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Phish 2015-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"feedback="; nocase; depth:9; fast_pattern; content:"&feedbacknow="; nocase; distance:0; classtype:credential-theft; sid:2031774; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:6; content:"&pass"; nocase; distance:0; content:"&formimage1.x="; fast_pattern; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032287; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UK Tax Phishing M2 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; fast_pattern; content:"&securessl="; distance:0; http.request_body; content:"username="; depth:9; nocase; content:"&password="; distance:0; nocase; reference:md5,8a14eb5764c7c9d01b2b64430933036d; classtype:credential-theft; sid:2032278; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UK Tax Phishing M1 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; fast_pattern; content:"&securessl="; distance:0; http.request_body; content:"form-data|3b 20|name=|22|email|22|"; content:"form-data|3b 20|name=|22|ccexp|22|"; nocase; distance:0; reference:md5,8a14eb5764c7c9d01b2b64430933036d; classtype:credential-theft; sid:2032277; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M1 Mar 25 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your session has timed out"; fast_pattern; nocase; content:"Click OK to sign in and continue"; nocase; distance:0; classtype:social-engineering; sid:2025694; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cpf="; depth:4; nocase; fast_pattern; content:"&s6="; nocase; distance:0; classtype:credential-theft; sid:2024800; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cpf="; depth:4; nocase; fast_pattern; content:"&s6="; nocase; distance:0; classtype:credential-theft; sid:2024800; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag_ct="; depth:6; nocase; content:"&ct_ct="; nocase; distance:0; content:"&us_user="; nocase; distance:0; content:"&us_pant="; nocase; distance:0; fast_pattern; content:"&sender="; nocase; distance:0; content:"&btn_now="; nocase; distance:0; classtype:credential-theft; sid:2024802; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-12-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlineID1="; depth:10; nocase; content:"&passcode1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag_ct="; depth:6; nocase; content:"&ct_ct="; nocase; distance:0; content:"&us_user="; nocase; distance:0; content:"&us_pant="; nocase; distance:0; fast_pattern; content:"&sender="; nocase; distance:0; content:"&btn_now="; nocase; distance:0; classtype:credential-theft; sid:2024802; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish Outlook Credentials Oct 01 2015"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"outlookuser="; depth:12; nocase; fast_pattern; content:"outlookpassword="; nocase; distance:0; classtype:credential-theft; sid:2021890; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish Outlook Credentials Oct 01 2015"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"outlookuser="; depth:12; nocase; fast_pattern; content:"outlookpassword="; nocase; distance:0; classtype:credential-theft; sid:2021890; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passwd"; distance:0; nocase; classtype:credential-theft; sid:2022967; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passwd"; distance:0; nocase; classtype:credential-theft; sid:2022967; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&forgotPassword="; nocase; distance:0; content:"&lat="; nocase; distance:0; content:"&userName="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022978; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&forgotPassword="; nocase; distance:0; content:"&lat="; nocase; distance:0; content:"&userName="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022978; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&bankId="; fast_pattern; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&q1="; nocase; distance:0; classtype:credential-theft; sid:2022979; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&bankId="; fast_pattern; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&q1="; nocase; distance:0; classtype:credential-theft; sid:2022979; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"holdername="; nocase; depth:11; fast_pattern; content:"&numcard"; nocase; distance:0; content:"&ccv"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2023043; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"holdername="; nocase; depth:11; fast_pattern; content:"&numcard"; nocase; distance:0; content:"&ccv"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2023043; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Common /mpp/ Phishing URI Structure 2016-02-08"; flow:to_server,established; http.uri; content:"/mpp/"; fast_pattern; pcre:"/(?:\/mpp\/[0-9a-f]{32}\/|\/[0-9a-f]{32}\/mpp\/)/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:social-engineering; sid:2032370; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish Oct 10 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Password1="; depth:10; nocase; fast_pattern; classtype:credential-theft; sid:2025031; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AirCanada Phish 2015-08-06"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"aircanada"; nocase; fast_pattern; classtype:credential-theft; sid:2031757; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish Oct 10 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Password1="; depth:10; nocase; fast_pattern; classtype:credential-theft; sid:2025031; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"FNAME="; nocase; depth:6; fast_pattern; content:"&LNAME="; nocase; distance:0; content:"&Address="; nocase; distance:0; content:"&SSN="; nocase; distance:0; classtype:credential-theft; sid:2031772; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=3d3d3d3d3d3d3d3d3d"; nocase; fast_pattern; distance:0; content:"5573657220496e666f"; nocase; distance:0; content:"557365724944"; distance:0; content:"50617373776f7264"; nocase; distance:0; classtype:credential-theft; sid:2031773; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS DOC Download from commonly abused file share site"; flow:to_server,established; http.uri; content:".doc"; http.host; content:"a.pomf.cat"; fast_pattern; bsize:10; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024836; rev:3; metadata:created_at 2017_10_11, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&sms"; nocase; distance:0; classtype:credential-theft; sid:2024838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"isJsEnabled="; depth:12; nocase; content:"&source_app="; nocase; distance:0; content:"&tryCount="; nocase; distance:0; content:"pass"; nocase; distance:0; content:"&loginCsrfParam="; nocase; distance:0; fast_pattern; content:"&sourceAlias="; nocase; distance:0; classtype:credential-theft; sid:2032411; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"countrycode="; depth:12; fast_pattern; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2032400; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M1 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"pass1="; depth:6; fast_pattern; nocase; content:"&pass2="; nocase; distance:0; content:"&email="; nocase; distance:0; classtype:credential-theft; sid:2032382; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2024839; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M2 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"Password Reset"; nocase; distance:0; content:"<meta http-equiv="; nocase; content:"REFRESH"; nocase; distance:1; within:7; content:"loader.gif"; distance:0; classtype:credential-theft; sid:2032383; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M3 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"Password Reset"; nocase; distance:0; content:"<meta http-equiv="; nocase; content:"REFRESH"; nocase; distance:1; within:7; content:"Your account is safe"; distance:0; classtype:credential-theft; sid:2032384; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"IDUser="; nocase; depth:7; fast_pattern; content:"&Passcode="; nocase; distance:0; content:"&Token="; nocase; distance:0; classtype:credential-theft; sid:2031771; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing CSS 2015-12-01"; flow:established,to_client; http.content_type; content:"text/css"; startswith; file.data; content:"|2e|Anonisma"; fast_pattern; nocase; classtype:social-engineering; sid:2031791; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing CSS 2015-12-29"; flow:established,from_server; http.content_type; content:"text/css"; startswith; file.data; content:".ANON-000-ISMA"; nocase; fast_pattern; classtype:social-engineering; sid:2031800; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&sms"; nocase; distance:0; classtype:credential-theft; sid:2024838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2024839; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-05-26"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<META HTTP-EQUIV="; nocase; content:"Refresh"; distance:1; nocase; content:"wellsfargo.com"; nocase; content:"Authenticating Account"; fast_pattern; nocase; distance:0; content:"information submitted successfully"; nocase; distance:0; classtype:credential-theft; sid:2032385; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Windows Settings Phishing Landing Jul 22 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:social-engineering; sid:2024098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"reason="; nocase; depth:7; fast_pattern; content:"Access_ID="; nocase; distance:0; content:"Current_Passcode="; nocase; distance:0; classtype:credential-theft; sid:2015909; rev:5; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Am3Refh Obfuscated Phishing Landing 2016-02-23"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Am3Refh.Com -->"; nocase; fast_pattern; content:"document.write"; nocase; distance:0; classtype:social-engineering; sid:2032371; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shipping Document Phishing Landing 2016-06-23"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>SHIPPING DOCUMENT"; nocase; fast_pattern; content:"Login Your Email To View Bill"; nocase; distance:0; content:"Lading and Invoice Document"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"<!-- Payment form -->"; nocase; distance:0; classtype:social-engineering; sid:2032395; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2016-03-10"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Send &amp|3b 20|Receive"; fast_pattern; nocase; content:"Adobe SendNow"; nocase; distance:0; content:"Click to Select Provider"; nocase; distance:0; content:"value=|22|gmail"; nocase; distance:0; classtype:social-engineering; sid:2032373; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing 2016-05-02"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe Online"; fast_pattern; nocase; content:"form method="; nocase; distance:0; content:"post"; nocase; distance:1; content:"someone@example.com"; nocase; distance:0; reference:md5,29e993483411a58d51b9032676a623a2; classtype:social-engineering; sid:2032381; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/myform.php"; classtype:credential-theft; sid:2016327; rev:4; metadata:created_at 2013_01_31, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Cloud Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe File"; fast_pattern; nocase; content:"require sign in with your receiving email"; nocase; distance:0; content:"Adobe Document Cloud"; nocase; distance:0; classtype:social-engineering; sid:2032386; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fname="; content:"lname="; content:"hnum="; content:"snam="; classtype:credential-theft; sid:2018305; rev:5; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phishing 2015-11-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; content:"&password="; nocase; distance:0; content:"&ip_address="; nocase; distance:0; fast_pattern; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:credential-theft; sid:2031788; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012 "; flow:established,to_server; http.uri; content:"/Logon.php?LOB=RBG"; content:"&_pageLabel=page_"; classtype:social-engineering; sid:2015938; rev:4; metadata:created_at 2012_11_26, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"reason="; nocase; depth:7; fast_pattern; content:"Access_ID="; nocase; distance:0; content:"Current_Passcode="; nocase; distance:0; classtype:credential-theft; sid:2015909; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 30 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_email="; content:"login_password="; content:"target_page="; classtype:credential-theft; sid:2015972; rev:5; metadata:created_at 2012_11_30, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/myform.php"; classtype:credential-theft; sid:2016327; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Dec 19 2012"; flow:established,to_server; http.request_body; content:"login_email="; content:"login_password="; content:"browser_version="; content:"operating_system="; fast_pattern; classtype:credential-theft; sid:2016063; rev:5; metadata:created_at 2012_12_19, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fname="; content:"lname="; content:"hnum="; content:"snam="; classtype:credential-theft; sid:2018305; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.request_body; content:"theAccountName="; content:"theAccountPW="; classtype:credential-theft; sid:2018304; rev:6; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012"; flow:established,to_server; http.uri; content:"/Logon.php?LOB=RBG"; content:"&_pageLabel=page_"; classtype:social-engineering; sid:2015938; rev:4; metadata:created_at 2012_11_27, former_category PHISHING, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL/PayPal Phish Nov 24 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"1="; content:"2="; content:"submit.x=Login"; classtype:credential-theft; sid:2019781; rev:5; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 30 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_email="; content:"login_password="; content:"target_page="; classtype:credential-theft; sid:2015972; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish Oct 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"expm="; nocase; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025030; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Dec 19 2012"; flow:established,to_server; http.request_body; content:"login_email="; content:"login_password="; content:"browser_version="; content:"operating_system="; fast_pattern; classtype:credential-theft; sid:2016063; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Jan 23 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale.x="; nocase; content:"&processSignin="; nocase; distance:0; fast_pattern; content:"email="; nocase; distance:0; content:"password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2023760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.request_body; content:"theAccountName="; content:"theAccountPW="; classtype:credential-theft; sid:2018304; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL/PayPal Phish Nov 24 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"1="; content:"2="; content:"submit.x=Login"; classtype:credential-theft; sid:2019781; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish Oct 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"expm="; nocase; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025030; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Jan 23 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale.x="; nocase; content:"&processSignin="; nocase; distance:0; fast_pattern; content:"email="; nocase; distance:0; content:"password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2023760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Revalidation Phish Landing Nov 13 2015"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Revalidation</title>"; fast_pattern; nocase; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; content:"REVALIDATION"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:social-engineering; sid:2022086; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"fName="; depth:6; nocase; content:"&lName="; nocase; distance:0; content:"&ZIPCode="; nocase; distance:0; classtype:credential-theft; sid:2022498; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"fName="; depth:6; nocase; content:"&lName="; nocase; distance:0; content:"&ZIPCode="; nocase; distance:0; classtype:credential-theft; sid:2022498; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"ccNum="; depth:6; nocase; content:"&NameOnCard="; nocase; distance:0; content:"&CVV="; nocase; distance:0; classtype:credential-theft; sid:2022499; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"ccNum="; depth:6; nocase; content:"&NameOnCard="; nocase; distance:0; content:"&CVV="; nocase; distance:0; classtype:credential-theft; sid:2022499; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Suspended Account Phishing Landing Aug 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Log in to my account"; nocase; fast_pattern; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:social-engineering; sid:2023044; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phishing Landing Aug 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:social-engineering; sid:2023045; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; nocase; content:"pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024554; rev:8; metadata:created_at 2016_01_14, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; nocase; content:"pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024554; rev:8; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&address"; nocase; fast_pattern; content:"&cc"; nocase; content:"&cvv"; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2024556; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&email="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024557; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; fast_pattern; nocase; content:"pwd"; nocase; distance:0; classtype:credential-theft; sid:2024558; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; fast_pattern; nocase; content:"pwd="; nocase; distance:0; classtype:credential-theft; sid:2024561; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"jar"; nocase; depth:3; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&login="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024562; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024563; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formtext"; nocase; content:"&formtext"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024564; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&address"; nocase; fast_pattern; content:"&cc"; nocase; content:"&cvv"; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2024556; rev:5; metadata:created_at 2016_02_29, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Docusign Phish 2015-07-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; fast_pattern; content:"&Password="; distance:0; content:"&EmailLinkId="; distance:0; content:"RedirectUrl="; distance:0; classtype:credential-theft; sid:2031749; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&email="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024557; rev:5; metadata:created_at 2016_06_08, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Phish Fake Document Loading Error 2015-07-27"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|2f 2f|configure destination URL"; nocase; content:"VERIFYING LOGIN"; fast_pattern; nocase; content:"LOGIN ACCEPTED"; nocase; distance:0; content:"|2f 2f|Do not edit below this line"; nocase; classtype:credential-theft; sid:2031750; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; fast_pattern; nocase; content:"pwd"; nocase; distance:0; classtype:credential-theft; sid:2024558; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-30"; flow:to_server,established; http.method; content:"POST"; http.header; content:"apple.com"; nocase; http.request_body; content:"user="; depth:5; nocase; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; fast_pattern; nocase; content:"pwd="; nocase; distance:0; classtype:credential-theft; sid:2024561; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2015-07-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"password="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2031756; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"jar"; nocase; depth:3; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&login="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024562; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Credential Phish 2015-08-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?rand="; content:"&email="; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2031758; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024563; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Renew Phish 2015-08-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; nocase; depth:6; content:"&emailpassword="; nocase; distance:0; fast_pattern; content:"&submit=Submit"; nocase; distance:0; classtype:credential-theft; sid:2031813; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formtext"; nocase; content:"&formtext"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024564; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN struts-pwn User-Agent"; flow:established,to_server; http.user_agent; content:"struts-pwn"; depth:10; fast_pattern; reference:url,github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py; reference:cve,2017-9805; reference:url,paladion.net/paladion-cyber-labs-discovers-a-new-ransomware/; classtype:attempted-user; sid:2024843; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_16, deployment Datacenter, former_category SCAN, performance_impact Moderate, signature_severity Minor, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN struts-pwn User-Agent"; flow:established,to_server; http.user_agent; content:"struts-pwn"; depth:10; fast_pattern; reference:url,github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py; reference:cve,2017-9805; reference:url,paladion.net/paladion-cyber-labs-discovers-a-new-ransomware/; classtype:attempted-user; sid:2024843; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_16, deployment Datacenter, former_category SCAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (FR) Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; content:"&mdp="; nocase; distance:0; content:"&toppl="; nocase; distance:0; fast_pattern; content:"Paypal"; nocase; distance:0; classtype:credential-theft; sid:2024847; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (FR) Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; content:"&mdp="; nocase; distance:0; content:"&toppl="; nocase; distance:0; fast_pattern; content:"Paypal"; nocase; distance:0; classtype:credential-theft; sid:2024847; rev:3; metadata:created_at 2017_10_16, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rememberMeStatus="; depth:17; fast_pattern; content:"&userId="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031832; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"usernms="; nocase; depth:8; content:"&pswds="; nocase; distance:0; classtype:credential-theft; sid:2031834; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-11-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; content:"&DownTimeMessage="; nocase; distance:0; classtype:credential-theft; sid:2031856; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; content:"&password="; fast_pattern; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032399; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>DHL"; nocase; fast_pattern; content:"Dowloading"; nocase; content:"Click OK to continue"; nocase; distance:0; content:"Beginning of IP Script"; nocase; distance:0; classtype:social-engineering; sid:2032363; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.JS.Agent.dwz Checkin"; flow:established,to_server; http.request_body; content:!"|00|"; content:"|61 3d|"; depth:2; fast_pattern; byte_extract:2,12,byte0,relative; byte_test:2,=,byte0,30,relative; isdataat:!33,relative; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f886dbf6bd47a0a015ef40fc2bed03a2; classtype:command-and-control; sid:2024848; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"auth255|3a 20|login"; fast_pattern; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{30,60})$/R"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024849; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OX App Suite Phish 2017-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"location="; depth:9; nocase; content:"&loginpage="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2029663; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OX App Suite Phish 2017-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"location="; depth:9; nocase; content:"&loginpage="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2029663; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"sqlmapff.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024855; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
@@ -37434,6 +36724,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-r
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"alienlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024866; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tordal/Hancitor/Chanitor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"GUID="; depth:5; fast_pattern; content:"&BUILD="; distance:0; content:"&INFO="; distance:0; content:"&IP="; distance:0; content:"&TYPE="; distance:0; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2034127; rev:6; metadata:created_at 2016_04_28, former_category MALWARE, updated_at 2020_08_13;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination (google-searching .com)"; flow:established,to_server; http.host; content:"google-searching.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024875; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"awsstatics.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024876; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
@@ -37452,11 +36744,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Go HTTP Clien
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky Intermediate Downloader"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"Windows-Update-Agent"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Locky, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (cscc)"; flow:established,to_server; urilen:16; http.method; content:"PROPFIND"; http.uri; content:"/admin$/cscc.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024905; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category TROJAN, malware_family BadRabbit, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-11-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; offset:4; depth:3; nocase; content:"&codepass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031855; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (infpub)"; flow:established,to_server; urilen:18; http.method; content:"PROPFIND"; http.uri; content:"/admin$/infpub.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category TROJAN, malware_family BadRabbit, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (cscc)"; flow:established,to_server; urilen:16; http.method; content:"PROPFIND"; http.uri; content:"/admin$/cscc.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024905; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, malware_family BadRabbit, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE BadRabbit Ransomware Payment Onion Domain"; dns.query; content:"caforssztxqzf2nm."; reference:md5,fbbdc39af1139aebba4da004475e8839; classtype:trojan-activity; sid:2024910; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (infpub)"; flow:established,to_server; urilen:18; http.method; content:"PROPFIND"; http.uri; content:"/admin$/infpub.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, malware_family BadRabbit, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE BadRabbit Ransomware Payment Onion Domain"; dns.query; content:"caforssztxqzf2nm."; reference:md5,fbbdc39af1139aebba4da004475e8839; classtype:trojan-activity; sid:2024910; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; http.method; content:"POST"; http.uri; content:"/hedwig.cgi"; fast_pattern; http.request_body; content:"DEVICE.ACCOUNT"; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_13;)
 
@@ -37480,14 +36774,26 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reap
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M4 (set)"; flow:established,to_server; urilen:4; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sa5"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024927; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; threshold:type limit, track by_src, seconds 3600, count 1; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:web-application-attack; sid:2024930; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_10_26, deployment Datacenter, former_category WEB_SERVER, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; threshold:type limit, track by_src, seconds 3600, count 1; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:web-application-attack; sid:2024930; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_10_26, deployment Datacenter, former_category WEB_SERVER, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"lg="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025032; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"lg="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025032; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible BACKSWING JS Framework POST Observed"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Access-Control-Allow-Methods|3a 20|POST"; http.content_type; content:"application/json"; startswith; file.data; content:"|7b 22|InjectionType|22 3a|"; depth:17; fast_pattern; content:"|22|InjectionString|22 3a 22|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024932; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header"; flow:to_server,established; threshold: type limit, count 5, seconds 300, track by_src; http.header; content:"X-OSSProxy|3a 20|OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:13; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_08_13;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"action=SIGNIN"; http.request_body; content:"email="; depth:6; fast_pattern; content:"&password="; distance:0; content:"&oemail="; distance:0; classtype:credential-theft; sid:2031814; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Account Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"destination="; depth:12; fast_pattern; content:"&user"; distance:0; content:"&pass"; distance:0; content:"&screenid="; distance:0; content:"&origination="; distance:0; classtype:credential-theft; sid:2031815; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish M3 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NameonCards="; depth:12; fast_pattern; content:"&Cardanumber="; distance:0; content:"&CVV"; distance:0; content:"&Expiredate"; distance:0; classtype:credential-theft; sid:2031817; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Horde Webmail Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Horde="; nocase; fast_pattern; content:"&actionID"; nocase; distance:0; content:"&imapuser"; nocase; distance:0; content:"&pass="; distance:0; content:"&loginButton="; nocase; classtype:credential-theft; sid:2031821; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Woodforest Bank Phish M1 2015-08-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"X-ForwardTo="; depth:12; fast_pattern; content:"&principal="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031823; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"loginNow="; fast_pattern; nocase; depth:9; content:"&loginSalt="; nocase; distance:0; content:"&userStrId="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032401; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; http.user_agent; content:")ver"; fast_pattern; pcre:"/\)ver\d/"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (hhh)"; flow:established,to_server; http.user_agent; content:"hhh"; depth:3; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2004442; classtype:trojan-activity; sid:2004442; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
@@ -37524,7 +36830,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VB.tdq - Fa
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vundo User-Agent Check-in"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0) WinNT 5.1"; fast_pattern; bsize:44; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99; reference:url,doc.emergingthreats.net/2010490; classtype:trojan-activity; sid:2010490; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent kav"; flow: established,to_server; http.user_agent; content:"kav"; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011482; rev:7; metadata:created_at 2010_09_28, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent kav"; flow: established,to_server; http.user_agent; content:"kav"; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011482; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Si25f_302 User-Agent"; flow:established,to_server; http.user_agent; content:"Si25"; depth:4; classtype:trojan-activity; sid:2012310; rev:7; metadata:created_at 2011_02_14, former_category TROJAN, updated_at 2020_08_13;)
 
@@ -37534,7 +36840,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS Use
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Im Luo"; flow:established,to_server; http.user_agent; content:"Im|27|Luo"; startswith; classtype:trojan-activity; sid:2012586; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_28, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MacShield User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"MacShield"; startswith; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:5; metadata:created_at 2011_06_08, former_category TROJAN, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MacShield User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"MacShield"; startswith; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:5; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV User-Agent XML"; flow:established,to_server; http.user_agent; content:"XML"; bsize:3; classtype:trojan-activity; sid:2013374; rev:4; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_08_13;)
 
@@ -37548,7 +36854,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dynamer Tro
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MadeByLc)"; flow:established,to_server; http.user_agent; content:"MadeBy"; startswith; classtype:trojan-activity; sid:2013512; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; http.user_agent; content:"LockXLS"; startswith; classtype:trojan-activity; sid:2013724; rev:4; metadata:created_at 2011_09_30, former_category TROJAN, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; http.user_agent; content:"LockXLS"; startswith; classtype:trojan-activity; sid:2013724; rev:4; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FULLSTUFF)"; flow: established,to_server; http.user_agent; content:"FULLSTUFF"; nocase; startswith; reference:url,threatexpert.com/reports.aspx?find=mrb.mail.ru; classtype:trojan-activity; sid:2013880; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
@@ -37556,11 +36862,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious Use
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HardCore Software For)"; flow:to_server,established; http.user_agent; content:"HardCore Software For"; depth:21; nocase; classtype:trojan-activity; sid:2018608; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Oct 30 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; fast_pattern; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; classtype:credential-theft; sid:2025033; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Oct 30 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; fast_pattern; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; classtype:credential-theft; sid:2025033; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (moreoffer .life)"; dns.query; content:"moreoffer.life"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Second Stage Download Location Request"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.asproxfakeav; http.uri; content:"/api/urls/?ts="; content:"&affid="; pcre:"/\x26affid\x3D[0-9]{4,7}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016530; rev:4; metadata:created_at 2013_03_04, former_category TROJAN, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Second Stage Download Location Request"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.asproxfakeav; http.uri; content:"/api/urls/?ts="; content:"&affid="; pcre:"/\x26affid\x3D[0-9]{4,7}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016530; rev:4; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2020_08_13;)
 
 alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (cloudns .club)"; dns.query; content:"download.data-server.cloudns.club"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024937; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
@@ -37568,6 +36874,8 @@ alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (to
 
 alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (updatesforme .club)"; dns.query; content:"signup.updatesforme.club"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Free.fr Phish 2016-03-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?get="; fast_pattern; http.request_body; content:"comid="; nocase; depth:6; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qudox CnC Actiivty"; flow:established,to_server; http.start; content:"GET /gate.php HTTP/1.1|0d 0a|Host|3a 20|"; http.request_body; content:"0WmkD4"; startswith; fast_pattern; http.header_names; bsize:26; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,4806ceacf1f9ae4faddbace5201d36f0; classtype:command-and-control; sid:2030682; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Microsoft Hosted Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server|3a 20|Windows-Azure-Web/"; file.data; content:"<!-- saved from url=("; within:100; fast_pattern; classtype:social-engineering; sid:2030680; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
@@ -37588,9 +36896,9 @@ alert dns $HOME_NET any -> any any (msg:"ET PHISHING Raiffeisen Phishing Domain
 
 alert dns $HOME_NET any -> any any (msg:"ET PHISHING Sparkasse Phishing Domain Nov 03 2017"; dns.query; content:"netbanking.sparkasse.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024944; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Raiffeisen Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Raiffeisen Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"netbanking.sparkasse.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024948; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"netbanking.sparkasse.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024948; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024950; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
 
@@ -37602,15 +36910,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android Ma
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; http.stat_code; content:"403"; file.data; content:"<script"; nocase; depth:512; content:!"location.replace|28 22|https|3a 2f 2f|block.opendns.com"; distance:0; reference:url,doc.emergingthreats.net/2010515; classtype:web-application-attack; sid:2010515; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SAD Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&osname="; content:"&pcname="; content:"&key="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f4c2f65b5b89d4f4e74099571b40c0d5; classtype:command-and-control; sid:2024954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category MALWARE, malware_family SAD_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SAD Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&osname="; content:"&pcname="; content:"&key="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f4c2f65b5b89d4f4e74099571b40c0d5; classtype:command-and-control; sid:2024954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category MALWARE, malware_family SAD_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Randrew!rfn CnC Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 30; http.request_body; content:"botversion="; depth:11; content:"xfor="; within:22; content:"winver="; within:33; reference:md5,74dd0e38deaf778e621434a2ca9c7c74; reference:url,microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win32/Randrew.A!bit; classtype:command-and-control; sid:2024955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Load (connect.js)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"connect.js?timestamp="; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024966; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; http.stat_code; content:"302"; http.header; content:"|0d 0a|location|3a 20|"; fast_pattern; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/Ri"; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2025006; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; http.stat_code; content:"302"; http.header; content:"|0d 0a|location|3a 20|"; fast_pattern; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/Ri"; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2025006; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; content:!"&"; distance:0; http.request_body; content:"form-data|3b 20|name=|22|unit|22 3b 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,68aab6163c29183ad8da1cf27a5a47c5; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families; classtype:command-and-control; sid:2023545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; content:!"&"; distance:0; http.request_body; content:"form-data|3b 20|name=|22|unit|22 3b 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,68aab6163c29183ad8da1cf27a5a47c5; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families; classtype:command-and-control; sid:2023545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Browser Plugin Detect - Observed in Apple Phishing"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/ping.html"; http.header; content:".html?appIdKey="; http.request_body; content:"data=eyJwbHVnaW4i"; depth:17; fast_pattern; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; classtype:bad-unknown; sid:2024978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_08, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
@@ -37630,52 +36938,74 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/DarkSteal
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected REDCURL CnC Activity M2"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".jpg"; endswith; http.user_agent; content:"curl/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; bsize:30; content:!"Referer"; reference:url,www.group-ib.com/resources/threat-research/red-curl.html; reference:md5,12ec7e6876dc86f158f448ebfba9e0eb; classtype:command-and-control; sid:2030689; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Nov 09 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025034; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish - Observed in Apple/Bank of America/Amazon 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; nocase; content:"&securessl="; nocase; distance:0; http.header; content:".php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032406; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Nov 09 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025034; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Telstra Phish M1 2015-09-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"goto="; depth:5; nocase; fast_pattern; content:"&encoded="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031828; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"tkyjzgbqfwk3gr55."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Commonwealth Bank Phish 2015-08-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; content:"&dob1="; distance:0; content:"&ccnum="; distance:0; content:"&submit1.x="; fast_pattern; distance:0; classtype:credential-theft; sid:2031816; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u2sg7pqxmmrhnzms."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024982; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish M1 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass"; distance:0; content:"&adress"; distance:0; nocase; fast_pattern; content:"&adress"; distance:0; nocase; classtype:credential-theft; sid:2031818; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u7duee44hwu5lf7r."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024983; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish M2 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&postale="; nocase; distance:0; content:"&passtess="; nocase; distance:0; content:"&ccnum="; distance:0; nocase; fast_pattern; classtype:credential-theft; sid:2031819; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/submit"; pcre:"/\/submit$/"; http.request_body; content:"form-data|3b 20|name=|22|todo|22|"; nocase; fast_pattern; content:"|0d 0a|submit|0d 0a|"; nocase; distance:0; content:"form-data|3b 20|name=|22|Email|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|Text field"; distance:0; nocase; http.content_type; content:"multipart/form-data|3b 20|boundary=-------"; startswith; classtype:credential-theft; sid:2031820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2015-08-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"charset_test="; depth:13; fast_pattern; content:"&email="; distance:0; content:"&pass="; nocase; distance:0; content:"&charset_test="; distance:0; nocase; classtype:credential-theft; sid:2031822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RCAP CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/callback.php?k="; fast_pattern; content:"&x="; distance:0; http.connection; content:"close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3410af519f791af5f9554cbff7ece24a; classtype:command-and-control; sid:2024984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
 alert http $EXTERNAL_NET any  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/TinyNuke Payload ACF40 Inbound"; flow:established,to_client; flowbits:isset,ET.TinyNuke; http.stat_code; content:"200"; http.content_type; content:"text|2F|html"; startswith; file.data; byte_extract:8,896,byte0; byte_extract:8,904,byte1; byte_extract:8,912,byte2; byte_extract:8,920,byte3; byte_extract:8,928,byte4; byte_test:8,=,byte0,936; byte_test:8,!=,byte0,944; byte_test:8,=,byte1,944; byte_test:8,!=,byte1,952; byte_test:8,=,byte2,952; byte_test:8,!=,byte2,960; byte_test:8,=,byte3,960; byte_test:8,=,byte4,968; content:!"MZ"; depth:2; pcre:"/[\x80-\xff]{16}/"; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024513; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family TinyNuke, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"username"; nocase; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2025000; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M1 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"usr"; nocase; depth:3; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032377; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M2 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"user"; nocase; depth:4; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032378; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M3 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"email"; nocase; depth:5; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032379; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M5 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"email"; nocase; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032380; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2024835; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"username"; nocase; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2025000; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to ukit domain - Possible Phishing M2 2016-06-29"; flow:to_server,established; urilen:19; http.method; content:"POST"; http.uri; content:"/api/feedBack/check"; fast_pattern; http.host; pcre:"/(?:udo\.photo|ulcraft\.com|biennale\.info|topstyle\.me|urest\.org|ukit\.me)$/"; classtype:trojan-activity; sid:2032398; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to ukit domain - Possible Phishing M1 2016-06-29"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/api/feedBack"; fast_pattern; http.host; pcre:"/(?:udo\.photo|ulcraft\.com|biennale\.info|topstyle\.me|urest\.org|ukit\.me)$/"; classtype:trojan-activity; sid:2032397; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2024835; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2024834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"craigslist.org"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023880; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"craigslist.org"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023880; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023829; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023829; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023828; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023828; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023827; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023827; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023826; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023826; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"drive.google.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023825; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"drive.google.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023825; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023824; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023824; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023823; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023823; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023821; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023821; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.header; content:!"autodiscover"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023819; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish 2016-12-23"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:"postepay"; fast_pattern; classtype:credential-theft; sid:2032416; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Cartasi Phishing Domain Nov 08 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023495; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_09, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
@@ -37684,45 +37014,59 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Google
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023066; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022618; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon.com Phish M1 2016-06-27"; flow:to_server,established; http.method; content:"POST"; http.host; content:"amazon.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032396; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022617; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032393; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022616; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032392; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022615; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (App4)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"App"; depth:3; fast_pattern; pcre:"/^\d/R"; http.host; content:!"liveupdate.symantecliveupdate.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032390; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain 2016-06-14"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"itunes.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032389; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible HMRC Phishing Domain 2016-06-08"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"online.hmrc.gov.uk"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032387; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022618; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022617; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022616; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MyAgent)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"www.google-analytics.com"; http.user_agent; content:"MyAgent"; depth:7; nocase; fast_pattern; http.host; content:!"driverdl.lenovo.com.cn"; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022615; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M2 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:credential-theft; sid:2024998; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Formbuddy Credential Phish Submission 2016-01-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"www.formbuddy.com"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&reqd="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032364; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (App4)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"App"; depth:3; fast_pattern; pcre:"/^\d/R"; http.host; content:!"liveupdate.symantecliveupdate.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M2 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:credential-theft; sid:2024998; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; dns.query; content:".no-ip."; classtype:bad-unknown; sid:2013743; rev:5; metadata:created_at 2011_10_05, former_category HUNTING, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2017930; rev:11; metadata:created_at 2014_01_03, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2017930; rev:11; metadata:created_at 2014_01_04, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader (P2P Zeus dropper UA)"; flow:established,to_server; http.user_agent; content:"Updates downloader"; classtype:trojan-activity; sid:2017726; rev:6; metadata:created_at 2013_11_15, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader (P2P Zeus dropper UA)"; flow:established,to_server; http.user_agent; content:"Updates downloader"; classtype:trojan-activity; sid:2017726; rev:6; metadata:created_at 2013_11_16, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.header_names; content:!"Referer"; content:!"Content-Type"; classtype:trojan-activity; sid:2016858; rev:11; metadata:created_at 2013_05_15, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.header_names; content:!"Referer"; content:!"Content-Type"; classtype:trojan-activity; sid:2016858; rev:11; metadata:created_at 2013_05_16, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2016173; rev:10; metadata:created_at 2013_01_08, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallMonster.Downloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy Library)"; endswith; fast_pattern; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:md5,70a6d9cb37e346b4dfd28bd4ea1f8671; classtype:command-and-control; sid:2017656; rev:6; metadata:created_at 2013_11_01, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Win32.Sality-GR Checkin"; flow:established,to_server; http.uri; content:".gif?"; fast_pattern; pcre:"/^[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$/R"; http.header_names; content:"|0d 0a|User-Agent"; depth:12; content:!"Accept"; content:!"Referer"; reference:md5,3a03a20bfefe3fdd01659d47d2ed76c8; classtype:command-and-control; sid:2018340; rev:11; metadata:created_at 2013_06_06, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Win32.Sality-GR Checkin"; flow:established,to_server; http.uri; content:".gif?"; fast_pattern; pcre:"/^[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$/R"; http.header_names; content:"|0d 0a|User-Agent"; depth:12; content:!"Accept"; content:!"Referer"; reference:md5,3a03a20bfefe3fdd01659d47d2ed76c8; classtype:command-and-control; sid:2018340; rev:11; metadata:created_at 2013_06_07, former_category MALWARE, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; urilen:32; http.uri; content:".php?id="; offset:6; depth:8; pcre:"/^[A-Z0-9]{18}$/R"; http.user_agent; content:"MSIE 6.0|3b|"; reference:md5,f4b8b51b75f67e68d0c1a9639e2488c3; classtype:command-and-control; sid:2015808; rev:7; metadata:created_at 2012_10_17, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.accept; content:"*/*"; http.accept_lang; content:"en-us"; http.content_type; content:"application/octet-stream"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; content:!"Referer"; flowbits:set,ET.Pushdo.S; threshold: type threshold,track by_src,count 1,seconds 60; threshold: type limit,track by_src,count 1,seconds 600; classtype:command-and-control; sid:2016867; rev:6; metadata:created_at 2013_05_20, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.accept; content:"*/*"; http.accept_lang; content:"en-us"; http.content_type; content:"application/octet-stream"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; content:!"Referer"; flowbits:set,ET.Pushdo.S; threshold: type threshold,track by_src,count 1,seconds 60; threshold: type limit,track by_src,count 1,seconds 600; classtype:command-and-control; sid:2016867; rev:6; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw MacTryCnt CnC Style Checkin"; flow:established,to_server; http.uri; content:"&logdata=MacTryCnt|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013202; rev:4; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw MacTryCnt CnC Style Checkin"; flow:established,to_server; http.uri; content:"&logdata=MacTryCnt|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013202; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_08_17;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; dns.query; content:".dyndns."; nocase; classtype:misc-activity; sid:2012758; rev:6; metadata:created_at 2011_05_02, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot POST CnC Beacon"; flow:established,to_server; urilen:<33; http.method; content:"POST"; http.uri; content:"/b/"; fast_pattern; pcre:"/^[a-z]{3,4}\x2F[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018098; rev:5; metadata:created_at 2014_02_10, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot POST CnC Beacon"; flow:established,to_server; urilen:<33; http.method; content:"POST"; http.uri; content:"/b/"; fast_pattern; pcre:"/^[a-z]{3,4}\x2F[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018098; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?email="; fast_pattern; http.accept; http.accept; content:"*/*"; http.connection; http.connection; content:"close"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:command-and-control; sid:2025020; rev:7; metadata:created_at 2015_02_11, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?email="; fast_pattern; http.accept; http.accept; content:"*/*"; http.connection; http.connection; content:"close"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:command-and-control; sid:2025020; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pykspa.C Public IP Check"; flow:established,to_server; urilen:1; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.9.1.3) Gecko/20090824 Firefox/3.5.3"; fast_pattern; http.host; content:"myip"; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,b94e213153a1929db2f414f23d891d76; reference:md5,324ff262da1233ef874ff29213cf8f19; classtype:trojan-activity; sid:2018773; rev:5; metadata:created_at 2014_07_24, updated_at 2020_08_17;)
 
@@ -37730,17 +37074,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (GenericHttp/VER_STR_COMMA)"; flow:established,to_server; http.user_agent; content:"GenericHttp/VER_STR_COMMA"; classtype:trojan-activity; sid:2013737; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Presto)"; flow:established,to_server; http.user_agent; content:"Opera/10.60 Presto/2.2.30"; http.header_names; content:!"Accept"; classtype:trojan-activity; sid:2012491; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_11, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Presto)"; flow:established,to_server; http.user_agent; content:"Opera/10.60 Presto/2.2.30"; http.header_names; content:!"Accept"; classtype:trojan-activity; sid:2012491; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup sina.com.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iplookup.php"; http.host; content:"dpool.sina.com.cn"; fast_pattern; classtype:external-ip-check; sid:2021438; rev:4; metadata:created_at 2015_07_20, former_category POLICY, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WildTangent User-Agent (WT Games App)"; flow:established,to_server; http.header; content:"|0d 0a|WT-User-Agent|3a 20|WT|20|Games|20|App|20|"; classtype:policy-violation; sid:2021384; rev:3; metadata:created_at 2015_07_06, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WildTangent User-Agent (WT Games App)"; flow:established,to_server; http.header; content:"|0d 0a|WT-User-Agent|3a 20|WT|20|Games|20|App|20|"; classtype:policy-violation; sid:2021384; rev:3; metadata:created_at 2015_07_07, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)"; flow:established,to_server; threshold:type limit, count 2, seconds 300, track by_src; http.user_agent; content:"OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:36; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 1"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&logdata="; http.host; content:"winsoft"; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012222; rev:4; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 1"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&logdata="; http.host; content:"winsoft"; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012222; rev:4; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Requesting exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?"; offset:2; depth:11; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:15; metadata:created_at 2012_11_29, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Requesting exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?"; offset:2; depth:11; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:15; metadata:created_at 2012_11_30, updated_at 2020_08_17;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2020_08_17;)
 
@@ -37754,21 +37098,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Us
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:established,to_server; http.user_agent; content:"MSDW"; depth:4; http.host; content:"watson.microsoft.com"; classtype:policy-violation; sid:2018170; rev:6; metadata:created_at 2014_02_24, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs/Harnig Downloader Activity"; flow:established,to_server; http.uri; content:".php?adv=adv"; http.user_agent; content:")ver"; fast_pattern; pcre:"/^\d+$/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs/Harnig Downloader Activity"; flow:established,to_server; http.uri; content:".php?adv=adv"; http.user_agent; content:")ver"; fast_pattern; pcre:"/^\d+$/R"; reference:md5,2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".aspx"; http.user_agent; content:!"SmadavStat"; http.host; content:!"lavasoft.com"; http.request_body; content:!"id1="; content:"1="; content:"2="; distance:0; content:"3="; distance:0; content:"4="; distance:0; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer";content:!"Accept"; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category TROJAN, malware_family Neurevt, performance_impact Low, signature_severity Major, updated_at 2020_08_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Checkin"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/home/"; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer"; reference:md5,6afc848066d274d8632c742340560a67; classtype:command-and-control; sid:2017584; rev:9; metadata:created_at 2013_10_11, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Checkin"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/home/"; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer"; reference:md5,6afc848066d274d8632c742340560a67; classtype:command-and-control; sid:2017584; rev:9; metadata:created_at 2013_10_12, former_category MALWARE, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor EXE Download Common Header Order"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.user_agent; content:"MSIE"; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:76; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2018254; rev:5; metadata:created_at 2014_03_12, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:targeted-activity; sid:2009486; rev:16; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_17;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Retrieving Domains via JS"; flow:established,to_server; http.uri; content:".txt?dummy="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"Mozilla"; depth:7; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; classtype:trojan-activity; sid:2020031; rev:5; metadata:created_at 2014_12_23, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; urilen:16<>402; http.method; content:"GET"; nocase; http.uri; pcre:"/^\/[a-z0-9+\/=]{16,400}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE"; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; depth:19; content:"Host|0d 0a|"; distance:0; content:!"Accept"; classtype:command-and-control; sid:2011894; rev:20; metadata:created_at 2010_11_05, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; urilen:16<>402; http.method; content:"GET"; nocase; http.uri; pcre:"/^\/[a-z0-9+\/=]{16,400}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE"; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; depth:19; content:"Host|0d 0a|"; distance:0; content:!"Accept"; classtype:command-and-control; sid:2011894; rev:20; metadata:created_at 2010_11_06, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Solarbot Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v="; depth:2; content:"&u="; content:"&w="; content:"&c="; pcre:"/&s=\{?[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\}?(?:&|$)/i"; http.header_names; content:!"Referer"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017742; rev:5; metadata:created_at 2013_11_21, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Solarbot Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v="; depth:2; content:"&u="; content:"&w="; content:"&c="; pcre:"/&s=\{?[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\}?(?:&|$)/i"; http.header_names; content:!"Referer"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017742; rev:5; metadata:created_at 2013_11_22, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE)"; flow:to_server,established; http.user_agent; content:"ClickAdsByIE"; depth:12; reference:url,doc.emergingthreats.net/2010220; classtype:pup-activity; sid:2010220; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
@@ -37780,19 +37120,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesa
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-03-31"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?ad="; nocase; content:"="; distance:0; pcre:"/=\d+$/"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,c5ad81d8d986c92f90d0462bc06ac9c6; classtype:trojan-activity; sid:2022692; rev:4; metadata:created_at 2016_03_31, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comisproc Checkin"; flow:to_server,established; http.uri; content:".asp?mac="; content:"&ver="; distance:0; http.user_agent; content:"Google"; nocase; depth:6; reference:url,threatexpert.com/report.aspx?md5=9378ef5f2fb2e71e5eeed20f9f21d8dd; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910; reference:url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html; classtype:command-and-control; sid:2017066; rev:9; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comisproc Checkin"; flow:to_server,established; http.uri; content:".asp?mac="; content:"&ver="; distance:0; http.user_agent; content:"Google"; nocase; depth:6; reference:md5,9378ef5f2fb2e71e5eeed20f9f21d8dd; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910; reference:url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html; classtype:command-and-control; sid:2017066; rev:9; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_08_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ixeshe/Mecklow Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&"; content:"."; content:"sp?"; distance:1; within:3; pcre:"/\/[A-Z0-9]+\.[aj]sp\?[a-zA-Z0-9+/\x20=]+$/"; http.user_agent; content:"MSIE 5.01|3b 20|Windows NT 5.0|29|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:md5,3422e76cf4c99ec1091f8c342a3aedaa; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; classtype:command-and-control; sid:2018379; rev:12; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 1"; flow:established,to_server; http.uri; content:".php?w="; content:"&i="; distance:0; content:"&a="; distance:0; pcre:"/\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$/"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013685; rev:4; metadata:created_at 2011_09_21, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 1"; flow:established,to_server; http.uri; content:".php?w="; content:"&i="; distance:0; content:"&a="; distance:0; pcre:"/\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$/"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013685; rev:4; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2020_08_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (GRIFFON CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fashionableeder.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030700; rev:1; metadata:created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (GRIFFON CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fashionableeder.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030700; rev:1; metadata:attack_target Client_and_Server, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ixeshe/Mecklow Checkin 2"; flow:established,to_server; http.header_names; content:"|0d 0a|x_bigfix_client_string|0d 0a|"; depth:26; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,df9ce5d06498419a3c93ad95a2ed82fd; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf; classtype:command-and-control; sid:2018380; rev:8; metadata:created_at 2012_06_19, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015"; flow:established,to_server; http.user_agent; content:"Mazilla/"; depth:8; fast_pattern; reference:url,malware-traffic-analysis.net/2015/01/15/index.html; classtype:trojan-activity; sid:2020235; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; http.uri; content:"/stat"; content:".php?w="; content:"&i=00000000000"; fast_pattern; content:"&a="; http.user_agent; content:"Opera/6 (Windows NT 5.1|3b 20|"; classtype:command-and-control; sid:2013907; rev:5; metadata:created_at 2011_11_10, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; http.uri; content:"/stat"; content:".php?w="; content:"&i=00000000000"; fast_pattern; content:"&a="; http.user_agent; content:"Opera/6 (Windows NT 5.1|3b 20|"; classtype:command-and-control; sid:2013907; rev:5; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface HTTP Request (2)"; flow:established,to_server; http.uri; content:"?action="; nocase; content:"&v="; nocase; distance:0; pcre:"/\?action=\w+gen&v=\d/"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
@@ -37820,41 +37160,41 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX/Destory HTT
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP Referer C Drive Path"; flow:established,to_server; http.referer; http.referer; content:"res|3a 2f 2f|c|3a 5c|"; depth:9; nocase; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:5; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?resid="; fast_pattern; content:"&photoid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021201; rev:4; metadata:created_at 2015_06_08, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?resid="; fast_pattern; content:"&photoid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021201; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M4"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; http.content_type; content:"image|2f|"; depth:6; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023672; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M4"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; http.content_type; content:"image|2f|"; depth:6; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023672; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_18;)
 
 alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 1"; flow:established; urilen:7; http.method; content:"GET"; http.uri; content:"/HNAP1/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; classtype:trojan-activity; sid:2018131; rev:6; metadata:created_at 2014_02_13, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; depth:7; content:"&id="; distance:0; content:"&pc="; distance:0; content:"&tail="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:command-and-control; sid:2021685; rev:8; metadata:created_at 2015_08_18, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; depth:7; content:"&id="; distance:0; content:"&pc="; distance:0; content:"&tail="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:command-and-control; sid:2021685; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gatak CnC"; flow:established,to_server; http.uri; content:"/report"; depth:7; fast_pattern; pcre:"/^\/report[0-9]?_(?:v[0-9])?[A-Z]?[A-F0-9_-]+_[0-9]{1,3}_(?:st(?:arted|ep)|already|mark|p(?:rocess|a(?:ge|yload))|watch2|http|image|gdiplus|crc|DIRRR|finished|(?:ex(cept|ecuted)))/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,636a911cc059415963da7009277bae17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/; classtype:command-and-control; sid:2021268; rev:11; metadata:created_at 2015_06_15, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 6"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:".php?"; pcre:"/\/[a-z]+\.php\?[A-F0-9]{250,}$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|Trident/7.0|3b 20|Touch|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022300; rev:4; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 6"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:".php?"; pcre:"/\/[a-z]+\.php\?[A-F0-9]{250,}$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|Trident/7.0|3b 20|Touch|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022300; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot/Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; content:"|08 00|"; distance:16; within:2; isdataat:!1,relative; reference:url,github.com/sysopfb/open_mal_analysis_notes/blob/master/546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a.md; classtype:trojan-activity; sid:2030698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family Anchor, signature_severity Major, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 3"; flow:to_server,established; http.method; content:"GET"; http.header; content:!"Taitus"; pcre:"/^Accept\x3a\x20text\/\*,\x20application\/\*\r\nUser-Agent\x3a\x20[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\nConnection\x3a Keep-Alive\r\nHost\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.user_agent; content:!"Mozilla"; depth:7; http.accept; content:"text/*,|20|application/*"; depth:21; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|"; fast_pattern; content:"|0d 0a|Connection|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2020295; rev:7; metadata:created_at 2015_01_23, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 5"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/misc.php?"; fast_pattern; pcre:"/^[A-F0-9]{250,}$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022284; rev:4; metadata:created_at 2015_12_18, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 5"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/misc.php?"; fast_pattern; pcre:"/^[A-F0-9]{250,}$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022284; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/shoe/"; depth:8; fast_pattern; pcre:"/^\d+?$/R"; http.user_agent; content:"Mozilla/4.0|20|"; depth:12; http.header_names; content:!"Referer"; reference:md5,e1cbdba0c57ddb5ab70aa1306dbacaa9; classtype:command-and-control; sid:2018643; rev:5; metadata:created_at 2014_02_27, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/shoe/"; depth:8; fast_pattern; pcre:"/^\d+?$/R"; http.user_agent; content:"Mozilla/4.0|20|"; depth:12; http.header_names; content:!"Referer"; reference:md5,e1cbdba0c57ddb5ab70aa1306dbacaa9; classtype:command-and-control; sid:2018643; rev:5; metadata:created_at 2014_02_28, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUSPICIOUS UA (iexplore)"; flow:established,to_server; http.user_agent; content:"iexplore"; depth:8; fast_pattern; nocase; http.host; content:!"su.pctools.com"; content:!".advent.com"; reference:md5,b0e8ce16c42dee20d2c1dfb1b87b3afc; classtype:bad-unknown; sid:2017365; rev:12; metadata:created_at 2013_08_21, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)"; flow:established,to_server; http.user_agent; content:"Transmission/"; depth:13; reference:url,www.transmissionbt.com; reference:url,doc.emergingthreats.net/2011699; classtype:policy-violation; sid:2011699; rev:7; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webhp"; nocase; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; depth:34; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013076; rev:10; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webhp"; nocase; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; depth:34; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013076; rev:10; metadata:created_at 2011_06_22, former_category MALWARE, updated_at 2020_08_18;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls.cert_subject; content:"CN=processamentos.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host checkin"; flow:established,to_server; http.uri; content:"/search"; depth:7; content:"?fr=altavista&itag="; within:30; content:"&kls="; distance:0; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2011365; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knock.php Shiz or Rohimafo CnC Server Contact URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"knock.php?n="; nocase; content:"=seller-"; nocase; distance:0; http.header_names; content:!"User-Agent"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:command-and-control; sid:2011520; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knock.php Shiz or Rohimafo CnC Server Contact URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"knock.php?n="; nocase; content:"=seller-"; nocase; distance:0; http.header_names; content:!"User-Agent"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011520; rev:6; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup api.ipify.org"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"api.ipify.org"; fast_pattern; reference:md5,79809fd3e05a852581b897cc4b06aa32; classtype:external-ip-check; sid:2021997; rev:4; metadata:created_at 2015_10_23, former_category POLICY, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP POST to WP Theme Directory Without Referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/themes/"; fast_pattern; pcre:"/^[^&=?]*\/wp-content\/themes\//i"; http.host; content:!"citytv.com"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2020822; rev:7; metadata:created_at 2015_03_31, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST to WP Theme Directory Without Referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/themes/"; fast_pattern; pcre:"/^[^&=?]*\/wp-content\/themes\//i"; http.host; content:!"citytv.com"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2020822; rev:7; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/DarkStealer Variant CnC Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?chatid="; content:"&username="; content:"&machineName="; fast_pattern; content:"&Country="; content:"&HWID="; content:"&ip="; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,fed2a8736c84eda9dcc8533b5019f7d8; classtype:trojan-activity; sid:2030699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family DarkStealer, malware_family EchelonStealer, signature_severity Major, updated_at 2020_08_18;)
 
@@ -37870,21 +37210,21 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client User
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; flowbits:set,ET.Chroject; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:1; content:"="; distance:0; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/"; http.user_agent; content:"|20|like Gecko|29 20|Chrome/"; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020747; rev:9; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE webr00t WebShell Access"; flow:established,to_server; http.uri; content:"/?webr00t="; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:5; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE webr00t WebShell Access"; flow:established,to_server; http.uri; content:"/?webr00t="; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:5; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; http.user_agent; content:"Deluge"; depth:6; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 1"; flow:established,to_server; http.uri; content:".asp?imageid="; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2016139; rev:6; metadata:created_at 2013_01_03, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 1"; flow:established,to_server; http.uri; content:".asp?imageid="; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2016139; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; http.uri; content:"/wp-content/uploads/optpress/images_"; fast_pattern; content:".php"; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/i"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:4; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/passwordrecovered.cgi?id="; nocase; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:5; metadata:created_at 2014_01_14, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http any any -> any any (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/passwordrecovered.cgi?id="; nocase; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:5; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client IP Check"; flow:established,to_server; http.user_agent; content:"DynDNS-Client"; depth:13; http.host; content:"checkip.dyndns."; classtype:not-suspicious; sid:2014091; rev:4; metadata:created_at 2012_01_03, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected"; flow:established,to_server; http.user_agent; content:"wget 3.0"; classtype:trojan-activity; sid:2013178; rev:6; metadata:created_at 2011_07_04, former_category TROJAN, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; http.uri; content:"/rom-0"; nocase; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:4; metadata:created_at 2014_03_07, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; http.uri; content:"/rom-0"; nocase; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.BAAB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/trace/"; fast_pattern; pcre:"/^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$/"; http.user_agent; content:"NSISDL/1.2|20|(Mozilla)"; depth:20; http.header_names; content:!"Referer"; content:"Accept"; reference:md5,406fea6262d8ee05e0ab4247c1083443; reference:url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/; classtype:command-and-control; sid:2017946; rev:5; metadata:created_at 2014_01_08, former_category MALWARE, updated_at 2020_08_18;)
 
@@ -37896,13 +37236,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cohhoc RAT CnC Re
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Checkin"; flow:established,to_server; http.uri; content:"update.php?"; content:"&key="; distance:0; content:"&dummy="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2; classtype:command-and-control; sid:2020034; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; http.user_agent; content:"WindowsNT"; http.host; content:!".rview.com"; content:!".mobizen.com"; classtype:trojan-activity; sid:2013721; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; http.user_agent; content:"WindowsNT"; http.host; content:!".rview.com"; content:!".mobizen.com"; classtype:trojan-activity; sid:2013721; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?num="; fast_pattern; content:"&rev="; distance:0; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/"; http.header_names; content:!"Referer"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2014112; rev:6; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?num="; fast_pattern; content:"&rev="; distance:0; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/"; http.header_names; content:!"Referer"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2014112; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; tls.cert_subject; content:"O=MyCompany Ltd."; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2015560; rev:9; metadata:attack_target Client_Endpoint, created_at 2012_08_01, deployment Perimeter, former_category MALWARE, malware_family URLZone, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_08_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; tls.cert_subject; content:"O=MyCompany Ltd."; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2015560; rev:9; metadata:attack_target Client_and_Server, created_at 2012_08_02, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_08_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic gate[.].php GET with minimal headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:4; metadata:created_at 2016_05_18, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic gate .php GET with minimal headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:4; metadata:created_at 2016_05_18, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Web App Scan in Progress"; flow:to_server,established; http.user_agent; content:"DirBuster"; depth:9; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:2008186; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
@@ -37910,19 +37250,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSServ or Tidser
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cu.cc domain"; flow:established,to_server; http.host; content:".cu.cc"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:bad-unknown; sid:2013170; rev:6; metadata:created_at 2011_07_02, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?resid="; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021200; rev:4; metadata:created_at 2015_06_08, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?resid="; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021200; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:command-and-control; sid:2016089; rev:6; metadata:created_at 2012_12_21, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:command-and-control; sid:2016089; rev:6; metadata:created_at 2012_12_22, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Ufasoft bitcoin Related User-Agent"; flow:established,to_server; http.user_agent; content:"Ufasoft"; depth:7; classtype:trojan-activity; sid:2013391; rev:6; metadata:created_at 2011_08_10, former_category TROJAN, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rerdom/Asprox CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/pkg/"; fast_pattern; pcre:"/^[A-Za-z0-9]{14,15}$/R"; reference:url,malware-traffic-analysis.net/2014/08/24/index.html; reference:url,www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf; classtype:command-and-control; sid:2019760; rev:4; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rerdom/Asprox CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/pkg/"; fast_pattern; pcre:"/^[A-Za-z0-9]{14,15}$/R"; reference:url,malware-traffic-analysis.net/2014/08/24/index.html; reference:url,www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf; classtype:command-and-control; sid:2019760; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall .onion Proxy Domain"; dns.query; content:"3wzn5p2yiumh7akj"; depth:16; nocase; reference:url,www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names; classtype:trojan-activity; sid:2022048; rev:3; metadata:created_at 2015_11_09, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious user agent (V32)"; flow:to_server,established; http.user_agent; content:"V"; depth:1; pcre:"/^\d{2}$/R"; classtype:trojan-activity; sid:2014090; rev:8; metadata:created_at 2011_06_07, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emold.C Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?v="; fast_pattern; content:"&rs="; distance:0; content:"&n="; distance:0; pcre:"/\.php\?v\x3d\d+?\x26rs\x3d(?:(?:\d+?\x2d){3})?\d+?\x26n\x3d\d/i"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer"; reference:url,www.threatexpert.com/report.aspx?md5=49205774f0ff7605c226828e080238f3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; classtype:command-and-control; sid:2016251; rev:7; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emold.C Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?v="; fast_pattern; content:"&rs="; distance:0; content:"&n="; distance:0; pcre:"/\.php\?v\x3d\d+?\x26rs\x3d(?:(?:\d+?\x2d){3})?\d+?\x26n\x3d\d/i"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; reference:md5,49205774f0ff7605c226828e080238f3; classtype:command-and-control; sid:2016251; rev:7; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer Checking For Update"; flow:established,to_server; http.uri; content:"/service/updater.php"; http.host; content:".smartiengine.com"; classtype:policy-violation; sid:2014123; rev:4; metadata:created_at 2012_01_12, updated_at 2020_08_18;)
 
@@ -37932,19 +37272,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jorik FakeAV GET"
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gulpix/PlugX Client Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"1|3a 20|"; content:"2|3a 20|"; distance:0; content:"3|3a 20|"; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/m"; http.header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:6; metadata:created_at 2014_02_21, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?id="; nocase; content:"&rnd="; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:7; metadata:created_at 2016_02_02, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?id="; nocase; content:"&rnd="; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:7; metadata:created_at 2016_02_03, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/"; pcre:"/^[0-9a-f]{32}\.php/R"; http.request_body; content:"Data="; fast_pattern; depth:5; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2014370; rev:5; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"bn1="; depth:4; fast_pattern; content:"&sk1="; pcre:"/^[A-F0-9]{30}/R"; classtype:command-and-control; sid:2014218; rev:7; metadata:created_at 2012_02_10, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?cookie="; fast_pattern; content:"&type="; content:"&vid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021569; rev:4; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?cookie="; fast_pattern; content:"&type="; content:"&vid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021569; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MSIE"; depth:4; http.host; content:!"www.msftncsi.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; http.uri; content:"/b/eve/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018096; rev:4; metadata:created_at 2014_02_10, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; http.uri; content:"/b/eve/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018096; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; fast_pattern; depth:4; isdataat:!2,relative; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2015976; rev:4; metadata:created_at 2012_12_03, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; fast_pattern; depth:4; isdataat:!2,relative; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2015976; rev:4; metadata:created_at 2012_12_04, former_category MALWARE, updated_at 2020_08_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Win32.Socks.s HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"proc=[System Process]|0a|"; depth:22; reference:url,doc.emergingthreats.net/2008020; classtype:trojan-activity; sid:2008020; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
@@ -37952,37 +37292,111 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Downlo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Download Activity M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; bsize:10; file_data; content:"|24|X1=|27|GEX|27 2e|replace|28 27|G|27 2c 27|I|27 29 3b|sal|20|g|20 24|X1|3b|"; fast_pattern; reference:url,www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/; reference:md5,1cc6e550e2e414d143e835b0f5f53f41; classtype:trojan-activity; sid:2030706; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; within:4; content:"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:"<CPUI>"; content:"</CPUI><"; within:27; content:"<MEMI>"; content:"</MEMI><"; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2009052; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|quem=dodoi&tit="; content:"&txt="; within:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+
+#alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banito/Agent.pb Pass Stealer Email Report Outbound"; flow:established,to_server; content:"Subject|3a| Vip Passw0rds|0d 0a 0d 0a|Victim Name |3a| "; content:"|0d 0a|######## ICQ PASSWORDS ########"; within:70; reference:url,doc.emergingthreats.net/2008551; classtype:trojan-activity; sid:2008551; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Shark Pass Stealer Email Report"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer "; content:"|0d 0a 0d 0a|Codesoft PW Stealer File "; distance:0; content:"filename=|22|"; distance:0; content:".log|22 0d 0a|"; within:20; reference:url,doc.emergingthreats.net/2007992; classtype:trojan-activity; sid:2007992; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; within:500; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; classtype:web-application-attack; sid:2003328; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:2; metadata:created_at 2010_12_15, updated_at 2020_08_20;)
+
 alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:3; metadata:created_at 2010_12_22, updated_at 2020_08_19;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:2; metadata:created_at 2010_12_23, updated_at 2020_08_19;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:to_server,established; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:3; metadata:created_at 2010_12_23, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_16, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_08_19;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/png/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; classtype:web-application-attack; sid:2008315; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/gif/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; classtype:web-application-attack; sid:2008314; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; within:70; classtype:bad-unknown; sid:2015578; rev:3; metadata:created_at 2012_08_07, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; within:50; classtype:exploit-kit; sid:2015788; rev:3; metadata:created_at 2012_10_09, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_08_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; within:50; classtype:exploit-kit; sid:2015788; rev:3; metadata:created_at 2012_10_10, updated_at 2020_08_19;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:5; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:9; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; within:85; classtype:trojan-activity; sid:2017301; rev:3; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1029; content:"|01 00 00 00|"; depth:4; content:!"|26|"; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:command-and-control; sid:2014601; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_08_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET COINMINER PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; within:4; content:"Protominer"; distance:14; within:10; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:coin-mining; sid:2018014; rev:2; metadata:created_at 2014_01_27, former_category COINMINER, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET COINMINER PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; within:4; content:"Protominer"; distance:14; within:10; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:coin-mining; sid:2018014; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2020_08_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from"; nocase; fast_pattern; content:"application/octet-stream|3b|"; content:".bin"; within:100; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible  MS CMD Shell opened on local system 2"; dsize:<200; content:"Microsoft Windows "; depth:40; content:"[Version"; within:10; content:"Copyright (c) 2009"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2018392; rev:2; metadata:created_at 2014_04_15, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible  MS CMD Shell opened on local system 2"; dsize:<200; content:"Microsoft Windows "; depth:40; content:"[Version"; within:10; content:"Copyright (c) 2009"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2018392; rev:2; metadata:created_at 2014_04_16, updated_at 2020_08_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Karagany C&C Response"; flow:from_server,established; file_data; content:"work|3a|"; depth:5; content:"|7c|downexec|20|"; within:20; content:".jpg|3b 0d 0a|"; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf; classtype:command-and-control; sid:2018629; rev:3; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Karagany C&C Response"; flow:from_server,established; file_data; content:"work|3a|"; depth:5; content:"|7c|downexec|20|"; within:20; content:".jpg|3b 0d 0a|"; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf; classtype:command-and-control; sid:2018629; rev:3; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2020_08_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; content:"|0c 0d|disenart.info"; within:15; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_20;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"|00 00 00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:command-and-control; sid:2014600; rev:7; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:3; metadata:created_at 2014_08_18, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:3; metadata:created_at 2014_08_19, updated_at 2020_08_19;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet to Server"; flow:established,to_server; dsize:20; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; flowbits:set,ET.onlinegames.ajok; reference:url,doc.emergingthreats.net/2008291; classtype:command-and-control; sid:2008291; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames.ajok; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; reference:url,doc.emergingthreats.net/2008292; classtype:command-and-control; sid:2008292; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 f3 e5 76 ad 16 4c 88 ff|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019069; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9a a1 97 0b 99 2b 46 07|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|03|GER"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019070; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:4; metadata:created_at 2010_12_27, updated_at 2020_08_20;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b2 a7 52 d6 65 0d 28 9f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019108; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 c0 04 78 81 0c 5a 2d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019109; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 15 14 ca 74 7c 3d 96|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019120; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 11 bb c5 32 1e 9d 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019121; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bc 2a 7f f9 ef 67 4e ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019122; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a5 72 6e 95 1a 1d 22|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019135; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 2d 8e ea 67 c4 08 ea|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019305; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8b 77 b3 d1 92 8c 7d 48|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019306; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b f5 c0 6b 03 3a 00 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,510b4db9aa400583e7927afa5f956179; classtype:trojan-activity; sid:2019307; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; within:50; content:!"|00|"; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:3; metadata:created_at 2010_12_14, updated_at 2020_08_20;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FireEye.STX RAT Checkin"; flow:established,to_server; content:"GET /WinData.DLL?HELO-STX-1*"; depth:28; content:"$|0D 0A|"; within:40; reference:url,blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html; reference:md5,89217de164ffca0f0fed54a8003eb98f; classtype:command-and-control; sid:2014632; rev:3; metadata:created_at 2012_04_23, former_category MALWARE, updated_at 2020_08_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LinuxNet.perlbot Checkin Via IRC"; flow:to_server,established; content:"NICK|20 7c|GNU|7c 0a|"; depth:12; fast_pattern; content:"USER|20|GNU|20|"; within:9; pcre:"/(?:\d{1,3}\.){3}\d{1,3} (?:\d{1,3}\.){3}\d{1,3} \x3a(?:Linux|FreeBSD|SunOS)/R"; content:"|0a|JOIN|20|"; distance:0; classtype:command-and-control; sid:2019921; rev:3; metadata:created_at 2014_12_11, former_category MALWARE, updated_at 2020_08_19;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:3; metadata:created_at 2015_03_02, updated_at 2020_08_19;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle"; fast_pattern; content:"Driver"; within:12; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020530; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:3; metadata:created_at 2015_03_03, updated_at 2020_08_19;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from Cisco ooh323"; flow:to_server,established; content:"|28 06|cisco|00|"; offset:14; depth:8; content:"|b8 00 00 27 05|ooh323|06|"; within:60; reference:url,videonationsltd.co.uk/2015/04/h-323-cisco-spam-calls/; classtype:misc-attack; sid:2021066; rev:2; metadata:created_at 2015_05_07, updated_at 2020_08_19;)
 
@@ -37990,7 +37404,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Act
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Activity (UNK attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[UNK]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022216; rev:3; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:9; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; within:40; classtype:social-engineering; sid:2023239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; within:50; classtype:social-engineering; sid:2023557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M2"; flow:from_server,established; file_data; content:"|76 7e 72 20 7e 20 3d 20 22 22 3b 20 7e 20 2b 3d|"; within:17; content:"0."; distance:0; pcre:"/^\d+[\x22\x27]/R"; content:"|27 3b 20 7e 20 2b 3d 20 27|"; within:500; content:"|27 3b 20 7e 20 2b 3d 20 27|"; within:500; classtype:trojan-activity; sid:2023598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell Download"; flow:established,to_client; file_data; content:"eval"; content:"mcrypt_decrypt"; within:30; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017640; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2013_10_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
@@ -38000,10 +37418,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Banker CnC
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32/Nitol.B Checkin"; flow:established,to_server; dsize:>1000; content:"|88 88 08 00|"; depth:4; fast_pattern; content:"|2E|"; distance:1; within:1; content:"|2F 73|"; distance:2; within:2; content:"|00 00 00 00 00 00 00 00|"; within:15; reference:md5,f078e099b1f8afc7c43eb05b4badf9e7; classtype:command-and-control; sid:2021111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, malware_family Nitol_DDoS, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (HAMAD versions)"; flow:established,to_server; dsize:<200; content:"|00|"; depth:4; content:"HAMAD"; fast_pattern; within:10; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,cc18ad38eccdf096f0ac5840f380ef4f; classtype:trojan-activity; sid:2025074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Bladabindi, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (HAMAD versions)"; flow:established,to_server; dsize:<200; content:"|00|"; depth:4; content:"HAMAD"; fast_pattern; within:10; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,cc18ad38eccdf096f0ac5840f380ef4f; classtype:trojan-activity; sid:2025074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Bladabindi, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:command-and-control; sid:2025136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish M2 2016-10-27"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<script language=javascript>"; nocase; within:100; content:"window.location"; nocase; fast_pattern; within:200; classtype:credential-theft; sid:2032408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Botnet Nitol.B Checkin"; flow:established,to_server,no_stream; dsize:<400; content:"|00 00 77 00 00 00|"; depth:30; fast_pattern; content:"MHz"; within:350; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:120; classtype:command-and-control; sid:2025135; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category MALWARE, malware_family nitol, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Credit Mutuel de Bretagne (FR) Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Cr|c3 a9|dit Mutuel de Bretagne"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
@@ -38022,15 +37442,13 @@ alert tcp $HOME_NET any -> any 22 (msg:"ET INFO Plaintext SSH Authentication Ide
 
 alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 32bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; within:60; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|41 8A 14 02 8B 45|"; distance:0; content:"|32 14 30 88 16 3B CB 72|"; distance:1; within:8; fast_pattern; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2020_08_19;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atom Logger exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|["; content:"] - KEYLOG|20 7c 20|Atom Logger"; within:50; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026825; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Inbound PowerShell via Invoke-PSImage Stego"; flow:established,to_client; file_data; content:"|89 50 4e 47|"; depth:8; content:"c2FsIGEgTmV3LU9iamVjdDt"; within:75; fast_pattern; reference:url,github.com/peewpw/Invoke-PSImage/blob/master/Invoke-PSImage.ps1; classtype:trojan-activity; sid:2027085; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/DataMilk Stealer Communicating with CnC"; flow:established,to_server; content:"net|2e|tcp"; depth:15; content:"|2f|IModuleGetter"; within:40; fast_pattern; reference:url,app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e; classtype:command-and-control; sid:2027112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, malware_family DataMilk, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_19;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP"; flow:established,from_server; content:"explorer.exe|20|"; nocase; content:"shell|3a 3a 3a 7b|"; within:20; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]\x7d/Ri"; classtype:trojan-activity; sid:2027201; rev:3; metadata:created_at 2019_04_15, former_category POLICY, updated_at 2020_08_19;)
 
-alert tcp any any -> $HOME_NET 135 (msg:"ET RPC DCERPC SVCCTL - Remote Service Control Manager Access"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00|"; content:"|13 00 0d 81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; within:100; classtype:attempted-user; sid:2027237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category RPC, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert tcp any any -> $HOME_NET 135 (msg:"ET RPC DCERPC SVCCTL - Remote Service Control Manager Access"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00|"; content:"|13 00 0d 81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; within:100; classtype:attempted-user; sid:2027237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category RPC, performance_impact Low, signature_severity Informational, updated_at 2020_08_19;)
 
 alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; within:12; fast_pattern; content:"|7d 7d 40|"; distance:0; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:4; metadata:attack_target SMTP_Server, created_at 2019_06_07, cve 2019_10149, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
@@ -38048,13 +37466,11 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/MayhemBruter
 
 alert udp $EXTERNAL_NET any -> any 11211 (msg:"ET DOS Possible Memcached DDoS Amplification Query (set)"; content:"|00 00 00 00 00 01 00|"; depth:7; fast_pattern; content:"|0d 0a|"; within:20; endswith; threshold: type both, count 100, seconds 60, track by_dst; flowbits:set,ET.memcached.ddos; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025401; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedControle Communicating with CnC "; flow:established,to_server; content:"SE_ND_CO_NN_EC|23|"; depth:15; fast_pattern; content:"|23|"; within:20; content:"|23|"; distance:0; endswith; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:command-and-control; sid:2026724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
-
 alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with TLS Security Protocol Requested"; flow:established,to_server; dsize:<30; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 01 00 00 00|"; within:15; fast_pattern; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
 alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested"; flow:established,to_server; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 00 00 00 00|"; within:15; fast_pattern; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern; content:"|16|"; content:"|02|"; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:targeted-activity; sid:2023629; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Powershell Trojan)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 e6 05 e6 06 e6 17 3f|"; fast_pattern; reference:url,pastebin.com/7wYupkJL; reference:md5,4c5c9014f2d18f11ca62848876551323; classtype:domain-c2; sid:2023342; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_17, deployment Perimeter, former_category MALWARE, malware_family PowerShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; http.request_body; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028825; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
@@ -38080,6 +37496,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Browser
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerSploit/PowerView SMTP Data Exfil"; flow:established,to_server; content:"Subject|3a 20|DC|3a|"; content:"|20|PC|3a|"; within:10; content:"|20|SRV|3a|"; within:10; content:"|20|DA|3a|"; within:10; content:"|20|AV|3a|"; within:10; content:"Full report"; distance:0; content:"Domain"; distance:0; content:"Domain Admins"; distance:0; content:"Antivirus Software"; distance:0; fast_pattern; classtype:command-and-control; sid:2029276; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Group 21 Payload CnC Checkin"; flow:established,to_server; dsize:<400; content:"|3a 3a|MAC|3a 3a|"; startswith; content:"|3a 3a|HOSTNAME/USERNAME|3a 3a|"; within:100; fast_pattern; content:"|3a 3a|U-FILE|3a 3a|"; within:100; reference:md5,6a271282fe97322d49e9692891332ad7; classtype:trojan-activity; sid:2035061; rev:3; metadata:created_at 2020_01_16, former_category MALWARE, updated_at 2020_08_19;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nexus Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"Mozilla"; http.request_body; content:"{"; startswith; content:"|7e 3b 5e 3b|Windows|20|"; within:50; fast_pattern; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; http.header_names; content:!"Referer"; reference:md5,8bd8582155ef003b8a24d341d75f1d7f; classtype:command-and-control; sid:2029298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_21, deployment Perimeter, former_category MALWARE, malware_family Nexus, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code"; flow:established,to_client; file.data; content:"src="; nocase; content:"file|3a 2f 2f 2f 5c 5c|"; distance:0; nocase; fast_pattern; within:10; content:"|5f|C$|5f|"; nocase; within:50; content:"visibility|3a|"; nocase; within:50; content:"hidden"; within:8; content:"src="; pcre:"/^\s*[\x22\x27]\s*file\x3a\x2f\x2f\x2f\x5c\x5c[^\x20]+\x5cC\$\x5c\s*[\x22\x27]/Rsi"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:attempted-user; sid:2029329; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_08_19;)
@@ -38088,80 +37506,212 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Powershell Downlo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin CnC Response"; flow:established,from_server; flowbits:isset,ET.sarwent.1; http.stat_code; content:"200"; http.response_body; content:"|20|IP|20|"; pcre:"/^[^\x20-\x7e\r\n]/R"; content:"|20 2e 20 2e 20 2e 20 2e 20 2e 20|"; within:50; content:"DNS-"; distance:0; pcre:"/^[^\x20-\x7e\r\n]/R"; content:"|20 2e 20 2e 20 2e 20 3a 20|"; distance:0; pcre:"/^(?:[a-f0-9]{2}-){5}[a-f0-9]{2}/R"; content:"|0d 0a 20 20 20|DHCP|20|"; within:10; fast_pattern; classtype:command-and-control; sid:2029475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer - Uploading System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&cc="; content:"&pc="; content:"&hash="; http.user_agent; content:"uploader"; bsize:8; http.header; content:"User-Agent|3a 20|uploader|0d 0a|"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"PK"; distance:0; http.header_names; content:!"Referer"; reference:md5,046dcdb20a8358faadc394e786820dd4; classtype:trojan-activity; sid:2034323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_08_19;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound MonetizeUs/LNKR Struct"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|28|function"; depth:50; content:"g=|22|"; distance:0; pcre:"/^[a-f0-9]{18}\x22/R"; content:"=|5b 22|mid=|22 2c 22|wid="; distance:0; fast_pattern; content:"|22|sid=|22 2c 22|tid="; within:30; content:"|22|rid="; distance:0; content:"monetizationsConfig|3a|"; distance:0; threshold:type limit, count 1, seconds 120, track by_src; reference:md5,0866447a440f1e01a391ccb1c0ab150d; classtype:command-and-control; sid:2029591; rev:2; metadata:affected_product Web_Browsers, created_at 2020_03_09, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
 alert dns any any -> $HOME_NET any (msg:"ET MALWARE MalDoc Retrieving msiexec Commands via DNS TXT"; content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"|00 10|"; distance:0; content:"msiexec|20 2f|"; within:40; fast_pattern; nocase; reference:md5,029e926243feed488754cd21a69b5528; classtype:trojan-activity; sid:2029607; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Reporting Network Info"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"x="; depth:2; content:"&info="; within:10; content:"&an=["; distance:0; content:"] WAN "; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (plugin)"; flow:established,from_server; content:"plugin|7c 7c|"; depth:8; fast_pattern; content:"|7c 7c|"; within:100; isdataat:1000,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_08_19;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF_BASHLITE.SMB Dropping Files"; flow:established,to_server; http.uri; content:"/.ni|67 67|ers/bin"; fast_pattern; content:".sh"; within:5; http.user_agent; content:"Wget/"; depth:5; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/; classtype:trojan-activity; sid:2019747; rev:5; metadata:created_at 2014_11_19, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT UCM6202 1.0.18.13 - Remote Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=sendPasswordEmail&user_name="; startswith; fast_pattern; content:"|27|"; within:40; content:"|60 3b 60|"; within:100; reference:url,www.exploit-db.com/exploits/48247; classtype:attempted-admin; sid:2030206; rev:2; metadata:created_at 2020_05_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Konni Encrypted Stage 2 Payload Inbound via HTTP"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MhyTiDJJJJ"; startswith; content:"JJJJJJJLeJJJJJJJJJJeI4"; within:150; fast_pattern; reference:md5,d41b09aa32633d77a8856dae33b3d7b9; classtype:command-and-control; sid:2030220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Konni, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Godzilla Loader Base64 Filename"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>[a-zA-Z0-9+/=]{28}/Rsi"; content:"</div>"; within:6; classtype:trojan-activity; sid:2022594; rev:5; metadata:created_at 2016_03_04, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Godzilla Loader Base64 Filename"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>[a-zA-Z0-9+/=]{28}/Rsi"; content:"</div>"; within:6; classtype:trojan-activity; sid:2022594; rev:5; metadata:created_at 2016_03_05, updated_at 2020_08_19;)
+
+#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Outbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030520; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+
+#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Inbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030521; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+
+#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Outbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; within:50; classtype:bad-unknown; sid:2030522; rev:3; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+
+#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Inbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030523; rev:3; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Compound Refresh - Possible Phishing Redirect 2016-06-09"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta HTTP-Equiv="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; content:"URL="; nocase; within:10; content:"text/javascript"; nocase; distance:0; content:"self.location.replace"; fast_pattern; nocase; distance:0; content:"window.location"; nocase; within:30; classtype:social-engineering; sid:2032388; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT SAP NetWeaver AS Directory Traversal Attempt Inbound (CVE-2020-6286)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<soapenv"; startswith; content:"<sessionID>"; distance:0; content:"../../../"; within:10; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; reference:cve,2020-6286; classtype:attempted-user; sid:2030549; rev:2; metadata:created_at 2020_07_16, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-03-17"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:30; content:"URL=data|3a|text/html|3b|base64,"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2027899; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-03-17"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:30; content:"URL=data|3a|text/html|3b|base64,"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2027899; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Office 365 Phishing Landing 2016-08-24"; flow:established,from_server; threshold:type limit, track by_src, count 1, seconds 30; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; within:50; classtype:social-engineering; sid:2025673; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - JS Redirect to PDF 2016-08-24"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script>"; nocase; content:"window.location.href"; nocase; distance:0; fast_pattern; content:".pdf"; nocase; distance:0; content:"</script>"; nocase; within:30; classtype:credential-theft; sid:2032402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish 2016-10-27"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script type=|22|text/javascript|22|>"; nocase; within:50; content:"window.location"; nocase; fast_pattern; within:30; classtype:credential-theft; sid:2032407; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Email Settings Phish 2016-10-28"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<html><head><base target=|22|_blank|22|>"; depth:34; content:"Your report has been received"; nocase; distance:0; fast_pattern; content:"you will be notified once"; nocase; within:30; content:"problem is resolved"; nocase; within:30; content:"<br>----------------<br>"; nocase; distance:0; classtype:credential-theft; sid:2032409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; within:50; content:"incoming emails"; nocase; within:50; content:"error in your SSL settings"; nocase; distance:0; classtype:social-engineering; sid:2025687; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Wembail Phish M2 2016-11-18"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>validationOK"; nocase; fast_pattern; content:"Process completed"; nocase; within:50; content:"previous Mail"; nocase; within:50; classtype:credential-theft; sid:2032412; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/NR42 Bot Parsing Config From Webpage"; flow:established,from_server; threshold:type both, track by_src, count 60, seconds 60; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<sendusername>"; fast_pattern; content:"</sendusername>"; within:30; content:"<guser>"; distance:0; content:"</guser>"; distance:0; content:"<files>"; distance:0; content:"</files>"; distance:0; content:"<cmdua>"; distance:0; content:"</cmdua>"; distance:0; content:"<cmdkmt>"; distance:0; reference:md5,32730022593ebd2c93126d34bc60b654; classtype:trojan-activity; sid:2024182; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] JS.Trojan-Downloader.Nemucod.yo HTTP POST (:Exec:)"; flow: established, to_server; threshold:type limit, track by_src, count 1, seconds 30; http.request_body; content:"|3a 3a 3a|Exec|3a 3a 3a|http"; depth:40; fast_pattern; content:"|3a|//"; within:4; content:".exe|3a 3a|"; within:100; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Internet, former_category TROJAN, malware_family Nemucod, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] JS.Trojan-Downloader.Nemucod.yo HTTP POST (:Exec:)"; flow: established, to_server; threshold:type limit, track by_src, count 1, seconds 30; http.request_body; content:"|3a 3a 3a|Exec|3a 3a 3a|http"; depth:40; fast_pattern; content:"|3a|//"; within:4; content:".exe|3a 3a|"; within:100; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Internet, former_category TROJAN, malware_family Nemucod, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoalaBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a|"; content:"KAMA NT"; within:50; fast_pattern; content:"BULLET|3b|"; within:20; content:"REGION|3b|"; within:20; http.request_body; pcre:"/^[A-Za-z0-9]{10,}[\-\)\(]{1,2}/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,523de838dd44cdd6f212d36c142d830c; classtype:command-and-control; sid:2024531; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category MALWARE, malware_family CoalaBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022597; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022597; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri; content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50; classtype:trojan-activity; sid:2011541; rev:5; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase; pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1;depth:1; content:"|01 00|";distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:7; metadata:created_at 2010_09_23, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013142; rev:4; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2020_08_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103091; rev:6; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:13; metadata:created_at 2010_09_23, updated_at 2022_03_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:command-and-control; sid:2009297; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body; content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:command-and-control; sid:2008442; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body; content:"&ie="; http_client_body; content:"&input="; http_client_body; content:"&c="; http_client_body; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara="; http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body; depth:11; classtype:command-and-control; sid:2014428; rev:7; metadata:created_at 2012_03_26, former_category MALWARE, updated_at 2020_08_20;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX  Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:command-and-control; sid:2014347; rev:6; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_08_20;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX  Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:5; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:4; metadata:created_at 2011_08_04, updated_at 2020_08_20;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential  Buffer Overflow Attempt 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; content:"|0d 0a 0d 0a CA FE BA BE|"; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:8; metadata:created_at 2012_04_05, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; content:"|0d 0a 0d 0a CA FE BA BE|"; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:8; metadata:created_at 2012_04_06, updated_at 2020_08_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17; classtype:successful-user; sid:2014531; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:20; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>"; http_client_body; nocase; fast_pattern; pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17; classtype:successful-user; sid:2014531; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2014105; rev:5; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:command-and-control; sid:2013440; rev:7; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:16; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DriveBy, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:26; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Asynchronous WinHTTP"; http_user_agent; depth:20; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:command-and-control; sid:2015753; rev:4; metadata:created_at 2012_10_01, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server; content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:20; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:".definition|28|"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:20; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
 
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015922; rev:7; metadata:created_at 2012_11_24, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:command-and-control; sid:2014014; rev:7; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2022_03_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:exploit-kit; sid:2017547; rev:4; metadata:created_at 2013_10_01, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; fast_pattern:only; nocase; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:command-and-control; sid:2010565; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+
 alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:20; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern; distance:0; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017075; rev:6; metadata:created_at 2013_06_28, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|"; distance:0; classtype:trojan-activity; sid:2017962; rev:5; metadata:created_at 2014_01_13, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 3"; flow:from_server,established; file_data; content:"c=rdl&u="; depth:8; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015904; rev:7; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2020_08_20;)
+
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase; content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:5; metadata:created_at 2013_07_24, updated_at 2020_08_19;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; fast_pattern; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018478; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2020_08_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_19;)
+#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:11; metadata:created_at 2010_07_30, updated_at 2021_08_27;)
+
+#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:4; metadata:created_at 2014_07_17, updated_at 2021_08_27;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; classtype:trojan-activity; sid:2011991; rev:4; metadata:created_at 2010_12_01, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|"; classtype:trojan-activity; sid:2012208; rev:6; metadata:created_at 2011_01_21, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; classtype:trojan-activity; sid:2012227; rev:7; metadata:created_at 2011_01_24, updated_at 2020_08_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:3; metadata:created_at 2014_08_25, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; content:"etup.exe"; nocase; classtype:trojan-activity; sid:2012318; rev:7; metadata:created_at 2011_02_18, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:3; metadata:created_at 2010_09_28, former_category FTP, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; http_uri; content:"a=Windows"; nocase; http_uri; content:"&b="; http_uri; content:"&c="; http_uri; content:"&f="; http_uri; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/iU"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:command-and-control; sid:2012631; rev:6; metadata:created_at 2011_04_05, former_category MALWARE, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; content:".exe"; within:32; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:6; metadata:created_at 2011_10_12, updated_at 2020_08_20;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_19;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:3; metadata:created_at 2014_08_26, updated_at 2020_08_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:3; metadata:created_at 2010_09_29, former_category FTP, updated_at 2020_08_19;)
+
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:exploit-kit; sid:2019643; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data; content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:exploit-kit; sid:2019751; rev:7; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:exploit-kit; sid:2019770; rev:6; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:7; metadata:created_at 2015_01_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015501; rev:7; metadata:created_at 2012_07_21, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U"; classtype:exploit-kit; sid:2016279; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:7; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; http_raw_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019216; rev:4; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:exploit-kit; sid:2022869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
@@ -38174,6 +37724,16 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Com
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs"; content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018760; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018807; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018913; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8"; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:domain-c2; sid:2018917; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018940; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
@@ -38182,35 +37742,45 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landin
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:3; metadata:created_at 2014_08_28, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023273; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023275; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023276; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+
 alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2020_08_19;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:exploit-kit; sid:2023307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:exploit-kit; sid:2023473; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+
 alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test:  3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase; content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:3; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:17; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643"; flow:established,from_server; file_data; content:"|4e6f636e636f4d7a49334e6a6370|";pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
-
 alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA DDoS Handshake Success"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:2024382; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA Botnet C2 Host Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:command-and-control; sid:2024383; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA Botnet C2 Host Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:command-and-control; sid:2024383; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:3; metadata:attack_target IoT, created_at 2017_06_16, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern; flowbits:set,FB346039_0; flowbits:noalert; classtype:command-and-control; sid:2024772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Sept 14 2015"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; fast_pattern:9,20; content:"<title>TRADE FILE</title>"; nocase; distance:0; content:"Sign In With Your Correct Email"; nocase; distance:0; classtype:social-engineering; sid:2025690; rev:5; metadata:created_at 2015_09_15, former_category CURRENT_EVENTS, updated_at 2020_08_19;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern; flowbits:set,FB346039_0; flowbits:noalert; classtype:command-and-control; sid:2024772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_19;)
 
@@ -38224,8 +37794,6 @@ alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [eSentire] Win32
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; pcre:"/[^A-Za-z0-9+/]TVqQA/"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:12; metadata:created_at 2014_07_31, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:command-and-control; sid:2018283; rev:7; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2020_08_19;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET ADWARE_PUP [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; classtype:pup-activity; sid:2024793; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
@@ -38234,7 +37802,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DB Software Labor
 
 alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; endswith; classtype:trojan-activity; sid:2024214; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:command-and-control; sid:2020860; rev:6; metadata:created_at 2015_04_07, former_category MALWARE, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017023; rev:7; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:11; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:command-and-control; sid:2020860; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023742; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
 
 alert udp any any -> $HOME_NET 50000 (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:3; metadata:attack_target Client_and_Server, created_at 2017_06_12, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
@@ -38246,14 +37820,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell cal
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious UA (Windows)"; flow:established,to_server; http.user_agent; content:"Windows"; bsize:7; http.header; content:"User-Agent|3a 20|Windows|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028879; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_08_20;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1$/Rsi"; content:"=1"; endswith; http.request_body; content:"ping|7c|"; bsize:5; fast_pattern; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029145; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.QQPass.OZV Variant Checkin"; flow:established,to_server; http.uri; content:"/cpa"; content:".asp?mac="; distance:2; within:9; content:"&os="; distance:0; content:"&ip="; distance:0; content:"&dz="; distance:0; content:"&ver="; distance:0; reference:md5,12ff8df1941f941bab531f60a5a97556; classtype:command-and-control; sid:2029244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) Pico/";startswith; classtype:trojan-activity; sid:2029306; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, updated_at 2020_08_19;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"kulkarni.bounceme.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"byfleur.myftp.org"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
@@ -38286,7 +37858,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Us
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (KtulhuBrowser)"; flow:established,to_server; http.user_agent; bsize:13; content:"KtulhuBrowser"; nocase; classtype:bad-unknown; sid:2029750; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_08_19;)
 
-alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService OSInfo response"; id:1; ttl:<0; content:"100|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030056; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+#alert udp $HOME_NET 1234 -> $EXTERNAL_NET any (msg:"ET MALWARE NAZAR EYService File exfiltrate response"; id:1; content:"---"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030057; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www. netikus .net)"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"www.netikus.net"; fast_pattern; http.uri; bsize:13; content:"/show_ip.html"; classtype:external-ip-check; sid:2030187; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_19;)
 
@@ -38304,9 +37876,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matiex Keylogger Exfil Via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; content:"|20|Matiex|20|Keylogger|20|"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|document|22 3b 20|filename=|22|MatiexPasswords.txt|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1289205457559547910; reference:md5,1275d29213c2580894371739beb16148; classtype:command-and-control; sid:2030633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"signon_form="; depth:12; nocase; content:"trusteeCompatible="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"card-nickname="; nocase; distance:0; fast_pattern; content:"enter_sol="; nocase; distance:0; classtype:credential-theft; sid:2024326; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
-
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE CobaltStrike DNS Beacon Response"; content:"|81 80 00 01 00 01|"; depth:6; offset:2; content:"|c0 0c 00 01 00 01 00 00 00 00 00 04 00 00 00 00|"; threshold: type both, count 10, seconds 90, track by_dst; content:!"|02|l2|06|nessus|03|org"; content:!"trr|03|dns|07|nextdns|02|io"; content:!"|08|cloudapp|03|net"; reference:url,www.youtube.com/watch?v=zAB5G-QOyx8; classtype:targeted-activity; sid:2026040; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"signon_form="; depth:12; nocase; content:"trusteeCompatible="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"card-nickname="; nocase; distance:0; fast_pattern; content:"enter_sol="; nocase; distance:0; classtype:credential-theft; sid:2024326; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [401TRG] DropBox Access via API (SNI)"; flow:established,to_server; tls.sni; content:"content.dropboxapi.com"; nocase; reference:url,github.com/dropbox/dbxcli; classtype:policy-violation; sid:2030702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Informational, updated_at 2020_08_19;)
 
@@ -38318,7 +37888,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support S
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; tls.cert_subject; content:"CN=*.onion."; nocase; pcre:"/^(?:sh|lu|to)/Ri"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/main.php"; fast_pattern; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http.header_names; content:!"Referer"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:command-and-control; sid:2022538; rev:7; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/main.php"; fast_pattern; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http.header_names; content:!"Referer"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:command-and-control; sid:2022538; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO NetSupport Remote Admin Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NetSupport Manager"; depth:18; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035892; rev:4; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2020_08_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; http.user_agent; content:"libwww-perl/"; depth:12; nocase; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:5; metadata:created_at 2011_06_14, updated_at 2020_08_20;)
 
@@ -38340,7 +37912,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; http.content_type; content:"application/java-archive"; depth:24; fast_pattern; http.content_len; byte_test:0,<=,30000,0,string,dec; file.data; content:"PK"; within:2; classtype:bad-unknown; sid:2017639; rev:8; metadata:created_at 2013_10_28, updated_at 2020_08_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing"; flow:established,from_server; tls.cert_subject; content:"xn--"; tls.cert_issuer; content:"O=Let's Encrypt"; reference:url,isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024227; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Ratenjay POST with System Information"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NetSupport Manager/1.3"; depth:22; http.request_body; content:"CMD="; depth:4; content:"CLIENT_ADDR="; distance:0; fast_pattern; content:"PORT="; distance:0; content:"MACADDRESS="; distance:0; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,78c80a33f77d5efd69969b5ddf93e348; classtype:trojan-activity; sid:2035894; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Ratenjay, performance_impact Moderate, signature_severity Major, updated_at 2020_08_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing"; flow:established,from_server; tls.cert_subject; content:"xn--"; tls.cert_issuer; content:"O=Let's Encrypt"; reference:url,isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024227; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; http.header_names; content:"pw"; nocase; classtype:policy-violation; sid:2012870; rev:4; metadata:created_at 2011_05_26, updated_at 2020_08_20;)
 
@@ -38366,7 +37940,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; http.uri; content:".asp|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010592; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; tls.sni; content:"check.torproject.org"; nocase; classtype:external-ip-check; sid:2017928; rev:4; metadata:created_at 2014_01_03, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; tls.sni; content:"check.torproject.org"; nocase; classtype:external-ip-check; sid:2017928; rev:4; metadata:created_at 2014_01_04, updated_at 2020_08_20;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; http.uri; content:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011141; classtype:attempted-recon; sid:2011141; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
@@ -38378,11 +37952,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Sqlmap SQL Injec
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt"; flow:established,to_server; http.uri; content:"/system32/"; nocase; reference:url,doc.emergingthreats.net/2009362; classtype:attempted-recon; sid:2009362; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns.query; content:"epmhyca5ol6plmx3"; nocase; depth:16; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:4; metadata:created_at 2015_04_08, former_category TROJAN, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns.query; content:"epmhyca5ol6plmx3"; nocase; depth:16; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; http.user_agent; content:"MJ12bot/"; classtype:trojan-activity; sid:2013256; rev:5; metadata:created_at 2011_07_12, updated_at 2020_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns.query; content:"7tno4hib47vlep5o"; nocase; depth:16; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_09, former_category TROJAN, signature_severity Major, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns.query; content:"7tno4hib47vlep5o"; nocase; depth:16; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET"; flow:established,to_server; http.uri; content:"UDID"; pcre:"/[0-9a-f]{40}[^0-9a-f]/"; http.user_agent; content:"|20|CFNetwork/"; fast_pattern; content:"|20|Darwin/"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013290; rev:5; metadata:created_at 2011_07_19, updated_at 2020_08_20;)
 
@@ -38390,11 +37964,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu IM Login S
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu Chat Client Checkin via HTTP"; flow:established,to_server; http.uri; content:"/appsvc/appmsg"; nocase; content:"fmnumber="; nocase; content:"&version="; nocase; content:"&fmt="; nocase; content:"&lastmsg="; nocase; reference:url,doc.emergingthreats.net/2007866; classtype:trojan-activity; sid:2007866; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting"; flow:established,to_server; http.method; content:"POST"; http.host; content:"submit-form.com"; endswith; classtype:credential-theft; sid:2030707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_20, deployment Perimeter, former_category HUNTING, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting"; flow:established,to_server; http.method; content:"POST"; http.host; content:"submit-form.com"; endswith; classtype:credential-theft; sid:2030707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_20, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-gov.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030720; rev:1; metadata:created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_08_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-gov.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030720; rev:1; metadata:attack_target Client_and_Server, created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_08_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to .php on Appspot Hosting - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; isdataat:!1,relative; http.host; content:".appspot.com"; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030708; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category HUNTING, signature_severity Major, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to .php on Appspot Hosting - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; isdataat:!1,relative; http.host; content:".appspot.com"; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030708; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GET Request to Appspot Hosting (set)"; flow:established,to_server; flowbits:set,ET.appspothosted; flowbits:noalert; http.method; content:"GET"; http.host; content:".appspot.com"; fast_pattern; endswith; classtype:social-engineering; sid:2030709; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, updated_at 2020_08_21;)
 
@@ -38408,7 +37982,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webapp P
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>LinkedIn Login"; nocase; fast_pattern; classtype:social-engineering; sid:2030714; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Personal cloud storage - Microsoft OneDrive"; nocase; fast_pattern; classtype:social-engineering; sid:2030715; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Personal cloud storage - Microsoft OneDrive"; nocase; fast_pattern; classtype:social-engineering; sid:2030715; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"window.location.href|20|=|20 22|index1.php?EmailAdd=|22 20|+ hash.split('#')[1]|3b|"; nocase; fast_pattern; classtype:social-engineering; sid:2030716; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
@@ -38422,7 +37996,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspected Mek
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mekotio HTTP Method (111SA)"; flow:established,to_server; http.method; content:"111SA"; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030719; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=BitRAT"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=BitRAT"; nocase; endswith; reference:url,krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/; classtype:domain-c2; sid:2030724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_22, deployment Perimeter, former_category MALWARE, malware_family BitRAT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=BitRAT"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=BitRAT"; nocase; endswith; reference:url,krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/; classtype:domain-c2; sid:2030724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_22, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker/Janicab CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=add&cn="; fast_pattern; content:"&un="; distance:0; content:"&v="; distance:0; content:"&av="; distance:0; content:"&an="; distance:0; reference:url,securelist.com/deathstalker-mercenary-triumvirate/98177/; classtype:command-and-control; sid:2030725; rev:1; metadata:created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Janicab, signature_severity Major, tag APT, updated_at 2020_08_24;)
 
@@ -38434,39 +38008,49 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.ACBD
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Downloader Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/buildings.php"; endswith; fast_pattern; http.content_len; content:"11"; bsize:2; http.host; pcre:"/(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a31e3b8d2f5e0369be8f3dbb7e23120b; reference:url,twitter.com/Vishnyak0v/status/1269651391980736513; classtype:trojan-activity; sid:2030728; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; dsize:<350; content:"|00|ll"; depth:8; fast_pattern; content:"Win|20|"; distance:0;  pcre:"/^\d{1,5}\x00ll/i"; reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:command-and-control; sid:2021176; rev:5; metadata:created_at 2015_06_02, former_category MALWARE, updated_at 2020_08_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; dsize:<350; content:"|00|ll"; depth:8; fast_pattern; content:"Win|20|"; distance:0;  pcre:"/^\d{1,5}\x00ll/i"; reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:command-and-control; sid:2021176; rev:5; metadata:created_at 2015_06_02, former_category MALWARE, updated_at 2020_08_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9/+]{171}=/R"; http.header_names; content:!"Referer"; reference:md5,d3f53580f7ce72caf9be799106ad89ca; classtype:targeted-activity; sid:2033713; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BankAustria Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"online.bankaustria.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024949; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BankAustria Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"online.bankaustria.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024949; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> any any (msg:"ET PHISHING BankAustria Phishing Domain Nov 03 2017"; dns.query; content:"online.bankaustria.at."; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024946; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gdn) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gdn"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/"; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023458; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emailphone="; depth:11; nocase; fast_pattern; content:"&emailphone2="; nocase; distance:0; classtype:credential-theft; sid:2025099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emailphone="; depth:11; nocase; fast_pattern; content:"&emailphone2="; nocase; distance:0; classtype:credential-theft; sid:2025099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; flowbits:set,ET.wpphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; fast_pattern; http.header_names; content:!"Referer"; classtype:social-engineering; sid:2025696; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2016_01_07, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, tag Wordpress, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; flowbits:set,ET.wpphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; fast_pattern; http.header_names; content:!"Referer"; classtype:social-engineering; sid:2025696; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY localtunnel Sucessful Connection Setup"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b 22|port|22 3a|"; content:"|22|max_conn_count|22 3a|"; distance:0; content:"|22|id|22 3a|"; distance:0; content:"|22|url|22 3a|"; distance:0; content:"localtunnel.me|22 7d|"; distance:0; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025117; rev:2; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_24;)
 
-alert udp $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns.query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_08_24;)
-
 alert http any any -> $HOME_NET 52869 (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/picdesc.xml"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category EXPLOIT, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; http.uri; content:"/im"; content:"?id="; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:(?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; fast_pattern; pcre:"/ms-?office/"; http.host; content:!".money-media.com"; content:!"ad.payclick.it"; content:!"sellercore.com"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:8; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco de la Nacion Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"transaccion="; depth:12; nocase; content:"&HrTrx="; nocase; distance:0; content:"&validar="; nocase; distance:0; content:"&txtNumeroTarjeta="; nocase; distance:0; classtype:credential-theft; sid:2032405; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; http.uri; content:"/im"; content:"?id="; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:(?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; fast_pattern; pcre:"/ms-?office/"; http.host; content:!".money-media.com"; content:!"ad.payclick.it"; content:!"sellercore.com"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:8; metadata:created_at 2015_08_19, former_category TROJAN, updated_at 2020_08_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032404; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Shutdown Phishing Landing 2017-12-11"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>"; nocase; depth:300; content:"Secure Email Server|20 3a 3a|"; fast_pattern; nocase; within:100; classtype:social-engineering; sid:2025678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2015-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031859; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?machine_id="; fast_pattern; content:"&x64"; distance:0; content:"&version="; distance:0; content:"&video_card="; distance:0; content:"&cpu="; distance:0; content:"&junk="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:command-and-control; sid:2025148; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Bot_Sezin, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic L33bo Phish - URI Contents (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php?"; content:"sslchannel="; distance:0; fast_pattern; content:"sessionid="; content:"securessl="; classtype:credential-theft; sid:2031863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qtloader encrypted check-in Oct 19 M1"; flow:established,to_server; http.request_body; content:"|2c 45 32 4d f1 38 55|"; depth:7; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
 alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify/"; pcre:"/\/notify\/(?:single|mass)$/i"; http.request_body; content:"defacer|3d|"; depth:8; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:15; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2020_08_24;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-20"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ma="; depth:3; nocase; content:"&mp="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031865; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.header; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; fast_pattern; http.header_names; content:"|0d 0a|x-user-agent|0d 0a|"; content:"|0d 0a|x-whoami|0d 0a|"; content:"|0d 0a|x-pwd|0d 0a|"; content:"|0d 0a|x-hostname|0d 0a|"; content:"|0d 0a|x-isadm|0d 0a|"; content:"|0d 0a|x-is64Env|0d 0a|"; content:!"User-Agent"; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:command-and-control; sid:2025157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, malware_family YesMaster, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; content:"&locale.x="; nocase; distance:0; content:"&processSignin="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024846; rev:4; metadata:created_at 2017_10_16, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; content:"&locale.x="; nocase; distance:0; content:"&processSignin="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024846; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phish Landing 2017-12-21"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"jQuery(function($)"; nocase; fast_pattern; content:"#dob"; nocase; distance:0; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#ssn"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#sortcode"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; classtype:social-engineering; sid:2025663; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
@@ -38486,13 +38070,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Ag
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; http.uri; content:".php?mac="; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yobit Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&psw1="; nocase; distance:0; content:"&psw2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025174; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yobit Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&psw1="; nocase; distance:0; content:"&psw2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025174; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HitBTC Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__csrf__="; depth:9; nocase; content:"&utc_offset_hours="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2025175; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Liqui Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_type%5Bemail%5D="; depth:22; nocase; content:"&login_type%5Bpassword%5D="; nocase; distance:0; content:"&login_type%5BtwoFactorKey%5D="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025176; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HitBTC Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__csrf__="; depth:9; nocase; content:"&utc_offset_hours="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2025175; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 9"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025178; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Liqui Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_type%5Bemail%5D="; depth:22; nocase; content:"&login_type%5Bpassword%5D="; nocase; distance:0; content:"&login_type%5BtwoFactorKey%5D="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025176; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Chase Phishing Landing 2016-03-23"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"document.write"; pcre:"/^\s*?\(\s*?unescape\s*?\(/Rsi"; content:"|25 32 45 25 36 33 25 36 38 25 36 31 25 37 33 25 36 35 25 32 45 25 36 33 25 36 46 25 36 44|"; fast_pattern; classtype:social-engineering; sid:2032375; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 9"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025178; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Landing 2016-03-29"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Login.php?sslchannel="; depth:22; fast_pattern; content:"&sessionid="; distance:0; http.cookie; content:"PHPSESSID"; classtype:social-engineering; sid:2032376; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PhishMe.com Phishing Landing Exercise"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"_phishme.com_session_id="; file.data; content:"<!-- ORGANIZATION LOGO"; nocase; fast_pattern; classtype:social-engineering; sid:2022730; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
@@ -38500,19 +38088,25 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:social-engineering; sid:2023712; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-01-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025180; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Phishing Landing 2016-12-19"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3B|base64"; nocase; content:"PCFET0NUWVBFIEhUTUw"; nocase; distance:0; content:"PHRpdGxlPlNpZ24gSW48L3RpdGxlPg"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2032415; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-01-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025180; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-02-26"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"eval(unescape(|27|"; nocase; content:"%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74"; fast_pattern; nocase; distance:0; content:"eval(unescape(|27|%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; distance:0; reference:url,www.proofpoint.com/sites/default/files/proofpoint-obfuscation-techniques-phishing-attacks-threat-insight-en-v1.pdf; classtype:social-engineering; sid:2032372; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oilrig Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?version="; fast_pattern; pcre:"/^[0-9]+lu[0-9]+d[0-9]+$/Ri"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub; classtype:command-and-control; sid:2025182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, malware_family OilRig, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - POST structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&c="; content:"&p1="; content:"&p2="; content:"&p3="; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/"; classtype:attempted-user; sid:2015906; rev:4; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module.php?module=osTicket&file=../"; fast_pattern; reference:url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt; classtype:web-application-attack; sid:2011941; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox/Docusign Phish 2016-10-28"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"pro="; depth:4; nocase; fast_pattern; classtype:credential-theft; sid:2032410; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module.php?module=osTicket&file=../"; fast_pattern; reference:url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt; classtype:web-application-attack; sid:2011941; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_08_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)"; flow:established,to_server; http.user_agent; content:"binary_getter"; depth:13; classtype:bad-unknown; sid:2025203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 30; http.stat_code; content:"200"; file.data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MoneroPay Ransomware Payment Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/paid?id="; fast_pattern; pcre:"/^[a-f0-9]{16}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MoneroPay Ransomware Payment Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/paid?id="; fast_pattern; pcre:"/^[a-f0-9]{16}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Gozi/Ursnif Payload v14"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f 90 d9 d4|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2025205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_17, deployment Perimeter, former_category TROJAN, malware_family ursnif, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
@@ -38524,13 +38118,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Drun Checki
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Formbook 0.3 Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla"; depth:7; http.request_body; content:"dat="; depth:4; nocase; fast_pattern; pcre:"/^[a-z0-9_\/+-]{1000}/Ri"; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:command-and-control; sid:2024436; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category MALWARE, malware_family Password_Stealer, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 20 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"x1="; depth:3; nocase; fast_pattern; content:"&x2="; nocase; distance:0; classtype:credential-theft; sid:2025013; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 20 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"x1="; depth:3; nocase; fast_pattern; content:"&x2="; nocase; distance:0; classtype:credential-theft; sid:2025013; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS.ARS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?os=windows"; nocase; fast_pattern; content:"&user="; distance:0; content:"&av="; distance:0; content:"&fw="; distance:0; content:"&hwid="; distance:0; content:"&x="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/B_H101/status/954984729329184768; classtype:command-and-control; sid:2025230; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/5.0"; fast_pattern; bsize:11; http.request_body; content:"l"; depth:1; content:"=OTl"; within:8; content:"&e"; distance:0; content:"="; within:6; content:"&m"; distance:0; content:"="; within:6; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:command-and-control; sid:2025234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, malware_family travle, malware_family PYLOT, malware_family Rodecap, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; content:"?cmd=login_submit&id="; nocase; distance:0; fast_pattern; content:"&session="; nocase; distance:64; within:9; isdataat:!65,relative; classtype:social-engineering; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; content:"?cmd=login_submit&id="; nocase; distance:0; fast_pattern; content:"&session="; nocase; distance:64; within:9; isdataat:!65,relative; classtype:social-engineering; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?act=hi&uid="; fast_pattern; content:"&ver="; content:"&dotnetver="; content:"&onwork="; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:command-and-control; sid:2025235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
@@ -38546,11 +38140,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded power
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p="; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; content:"|0d 0a|Downloading files|0d 0a|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:command-and-control; sid:2025251; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user"; nocase; pcre:!"/^agent/PRi"; content:"pass"; nocase; fast_pattern; classtype:credential-theft; sid:2024555; rev:8; metadata:created_at 2016_01_14, former_category CURRENT_EVENTS, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user"; nocase; pcre:!"/^agent/PRi"; content:"pass"; nocase; fast_pattern; classtype:credential-theft; sid:2024555; rev:8; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?token="; fast_pattern; pcre:"/^[0-9]{2,6}$/R"; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Rs"; http.content_len; byte_test:0,>,200,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:command-and-control; sid:2025254; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category MALWARE, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?token="; fast_pattern; pcre:"/^[0-9]{2,6}$/R"; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Rs"; http.content_len; byte_test:0,>,200,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:command-and-control; sid:2025254; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php?user="; fast_pattern; content:"&hwid="; distance:0; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,485069677e997ff6ce193be7258c783f; classtype:command-and-control; sid:2025266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php?user="; fast_pattern; content:"&hwid="; distance:0; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,485069677e997ff6ce193be7258c783f; classtype:command-and-control; sid:2025266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kb/"; depth:4; fast_pattern; pcre:"/^\d{4,8}$/R"; http.user_agent; content:!"Microsoft Outlook"; http.header_names; content:!"Referer"; content:"User-Agent"; content:!"Accept"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Smoke_Loader, updated_at 2020_08_24;)
 
@@ -38560,9 +38154,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishin
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Flashpoint] Possible CVE-2018-4878 Check-in"; flow:established,to_server; http.uri; content:"?id="; nocase; content:"&fp_vs="; nocase; distance:0; fast_pattern; content:"&os_vs="; nocase; distance:0; reference:url,www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/; reference:cve,2018-4878; classtype:trojan-activity; sid:2025305; rev:4; metadata:created_at 2018_02_02, cve cve_2018_4878, former_category TROJAN, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"|20|Java/1.5."; nocase; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:11; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2020_08_24;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HMRC Phish Oct 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&email="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&ccn"; nocase; distance:0; content:"&ccexp="; nocase; distance:0; content:"&secode="; nocase; distance:0; content:"&sort"; nocase; distance:0; classtype:credential-theft; sid:2024850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HMRC Phish Oct 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&email="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&ccn"; nocase; distance:0; content:"&ccexp="; nocase; distance:0; content:"&secode="; nocase; distance:0; content:"&sort"; nocase; distance:0; classtype:credential-theft; sid:2024850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=xn--myeth"; depth:12; fast_pattern; classtype:social-engineering; sid:2025317; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
@@ -38570,7 +38162,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyMonero
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Ebay Phishing Landing 2018-02-07"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.host; content:"signin.eby.de."; depth:14; pcre:"/^[a-z0-9]{15}\./R"; classtype:social-engineering; sid:2025321; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup)"; dns.query; content:"kdvm5fd6tn6jsbwh"; nocase; depth:16; classtype:command-and-control; sid:2025332; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_08, deployment Perimeter, former_category MALWARE, malware_family Shurl0ckr, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup)"; dns.query; content:"kdvm5fd6tn6jsbwh"; nocase; depth:16; classtype:command-and-control; sid:2025332; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_08, deployment Perimeter, former_category MALWARE, malware_family Shurl0ckr, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action="; content:"&hwid="; distance:0; content:"&access="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:command-and-control; sid:2025344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_12, deployment Perimeter, former_category MALWARE, malware_family Ars_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
@@ -38578,7 +38170,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer Re
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?response="; content:"&cpu="; distance:0; content:"&gpu="; distance:0; content:"&ram="; distance:0; content:"&name="; distance:0; content:"&os="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:command-and-control; sid:2025359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category MALWARE, malware_family Agent_BIC, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M1 Feb 13 2017"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"jQuery(function($)"; nocase; content:"cc-number"; within:50; nocase; fast_pattern; content:"formatCardNumber"; within:50; content:"cc-exp"; nocase; distance:0; content:"formatCardExpiry"; within:50; content:"cc-cvc"; nocase; distance:0; content:"formatCardCVC"; within:50; classtype:social-engineering; sid:2025658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M1 2017-02-13"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"jQuery(function($)"; nocase; content:"cc-number"; within:50; nocase; fast_pattern; content:"formatCardNumber"; within:50; content:"cc-exp"; nocase; distance:0; content:"formatCardExpiry"; within:50; content:"cc-cvc"; nocase; distance:0; content:"formatCardCVC"; within:50; classtype:social-engineering; sid:2025658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cli"; depth:4; http.header; content:"Side|3a 20|upload"; http.request_body; content:"JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJ"; fast_pattern; reference:url,blogs.securiteam.com/index.php/archives/3171; reference:cve,2017-1000353; reference:url,research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/; classtype:attempted-user; sid:2025376; rev:3; metadata:created_at 2018_02_21, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_24;)
 
@@ -38598,21 +38190,27 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (lig
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (steamdesktop)"; dns.query; content:"steamdesktop.com"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 7 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; http.host; content:!"google-analytics.com"; content:!"mail.ru"; content:!"79xs.com"; content:!"paoshuba.cc"; content:!"dajiadu.net"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012801; rev:8; metadata:created_at 2011_05_10, former_category TROJAN, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 7 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; http.host; content:!"google-analytics.com"; content:!"mail.ru"; content:!"79xs.com"; content:!"paoshuba.cc"; content:!"dajiadu.net"; reference:md5,8494d82ddb37a3780a41da22c07c59dc; reference:url,otx.alienvault.com/indicator/domain/medialogger.ru; reference:url,otx.alienvault.com/pulse/5cc049114824559b525887ec; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012801; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_08_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-02-26 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formID="; depth:7; nocase; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031866; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-08"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&eps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031867; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Secondary Flash Request Seen (no alert)"; flow:established,to_server; flowbits:set,ET.SecondaryFlash.Req; flowbits:noalert; http.referer; content:"/[[DYNAMIC]]/1"; fast_pattern; http.header_names; content:"x-flash-version"; classtype:trojan-activity; sid:2025411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_09, deployment Perimeter, former_category INFO, signature_severity Major, tag Sundown_EK, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psw="; nocase; distance:0; classtype:credential-theft; sid:2025417; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psw="; nocase; distance:0; classtype:credential-theft; sid:2025417; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful O2 Phish 2018-03-12"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"sendTo="; depth:7; nocase; content:"www.o2.co.uk"; nocase; distance:0; content:"&fu="; nocase; distance:0; classtype:credential-theft; sid:2025419; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful O2 Phish 2018-03-12"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"sendTo="; depth:7; nocase; content:"www.o2.co.uk"; nocase; distance:0; content:"&fu="; nocase; distance:0; classtype:credential-theft; sid:2025419; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2018-03-12"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"save-username="; depth:14; nocase; content:"&origin=cob&userPrefs="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; content:"&LOB="; nocase; distance:0; content:"&loginMode="; nocase; distance:0; content:"&serviceType="; nocase; distance:0; content:"&screenid="; nocase; distance:0; content:"&origination="; nocase; distance:0; content:"&TPB="; nocase; distance:0; content:"&msgId="; nocase; distance:0; content:"&platform="; nocase; distance:0; content:"&alternatesignon="; nocase; distance:0; content:"&destination="; nocase; distance:0; content:"&j_username="; nocase; distance:0; content:"&j_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025420; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2018-03-12"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"save-username="; depth:14; nocase; content:"&origin=cob&userPrefs="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; content:"&LOB="; nocase; distance:0; content:"&loginMode="; nocase; distance:0; content:"&serviceType="; nocase; distance:0; content:"&screenid="; nocase; distance:0; content:"&origination="; nocase; distance:0; content:"&TPB="; nocase; distance:0; content:"&msgId="; nocase; distance:0; content:"&platform="; nocase; distance:0; content:"&alternatesignon="; nocase; distance:0; content:"&destination="; nocase; distance:0; content:"&j_username="; nocase; distance:0; content:"&j_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025420; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; depth:3; content:"|25|40"; distance:0; content:"&pas="; nocase; distance:0; classtype:credential-theft; sid:2025354; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; depth:3; content:"|25|40"; distance:0; content:"&pas="; nocase; distance:0; classtype:credential-theft; sid:2025354; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-13"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; content:"&o6="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025425; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-13"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; content:"&o6="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025425; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Page Redirection"; nocase; fast_pattern; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:social-engineering; sid:2023638; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com 2016-06-22"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"Passw"; nocase; content:"sign in"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032394; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Page Redirection"; nocase; fast_pattern; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:social-engineering; sid:2023638; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MikroTik RouterOS Chimay Red Remote Code Execution Probe"; flow:to_server,established; urilen:8; http.method; content:"POST"; http.uri; content:"/jsproxy"; fast_pattern; http.header; content:"Content-Length|3a 20|"; depth:16; reference:url,www.exploit-db.com/exploits/44284/; reference:url,www.exploit-db.com/exploits/44283/; classtype:attempted-admin; sid:2025426; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_24;)
 
@@ -38620,141 +38218,143 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agen
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader installed successfully request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/install.php?affid="; depth:19; http.request_body; content:"|64 61 74 61 3d|"; depth:5; content:"|30 31 30|"; distance:64; within:3; fast_pattern; content:"|31|"; distance:1; within:1; classtype:trojan-activity; sid:2012513; rev:5; metadata:created_at 2011_03_16, former_category TROJAN, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehh.to"; nocase; endswith; classtype:domain-c2; sid:2030733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehh.to"; nocase; endswith; classtype:domain-c2; sid:2030733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaeho.ws"; nocase; endswith; classtype:domain-c2; sid:2030734; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaeho.ws"; nocase; endswith; classtype:domain-c2; sid:2030734; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.top"; nocase; endswith; classtype:domain-c2; sid:2030735; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.top"; nocase; endswith; classtype:domain-c2; sid:2030735; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.ws"; nocase; endswith; classtype:domain-c2; sid:2030736; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.ws"; nocase; endswith; classtype:domain-c2; sid:2030736; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehz.top"; nocase; endswith; classtype:domain-c2; sid:2030737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehz.top"; nocase; endswith; classtype:domain-c2; sid:2030737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugh.to"; nocase; endswith; classtype:domain-c2; sid:2030738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugh.to"; nocase; endswith; classtype:domain-c2; sid:2030738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugo.ws"; nocase; endswith; classtype:domain-c2; sid:2030739; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugo.ws"; nocase; endswith; classtype:domain-c2; sid:2030739; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.top"; nocase; endswith; classtype:domain-c2; sid:2030740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.top"; nocase; endswith; classtype:domain-c2; sid:2030740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.ws"; nocase; endswith; classtype:domain-c2; sid:2030741; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.ws"; nocase; endswith; classtype:domain-c2; sid:2030741; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugz.top"; nocase; endswith; classtype:domain-c2; sid:2030742; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugz.top"; nocase; endswith; classtype:domain-c2; sid:2030742; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuh.to"; nocase; endswith; classtype:domain-c2; sid:2030743; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuh.to"; nocase; endswith; classtype:domain-c2; sid:2030743; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030744; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030744; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnur.top"; nocase; endswith; classtype:domain-c2; sid:2030745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnur.top"; nocase; endswith; classtype:domain-c2; sid:2030745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuz.top"; nocase; endswith; classtype:domain-c2; sid:2030746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuz.top"; nocase; endswith; classtype:domain-c2; sid:2030746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuh.to"; nocase; endswith; classtype:domain-c2; sid:2030747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuh.to"; nocase; endswith; classtype:domain-c2; sid:2030747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030748; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030748; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuur.top"; nocase; endswith; classtype:domain-c2; sid:2030749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuur.top"; nocase; endswith; classtype:domain-c2; sid:2030749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuz.top"; nocase; endswith; classtype:domain-c2; sid:2030750; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuz.top"; nocase; endswith; classtype:domain-c2; sid:2030750; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbh.to"; nocase; endswith; classtype:domain-c2; sid:2030751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbh.to"; nocase; endswith; classtype:domain-c2; sid:2030751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbo.ws"; nocase; endswith; classtype:domain-c2; sid:2030752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbo.ws"; nocase; endswith; classtype:domain-c2; sid:2030752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbr.top"; nocase; endswith; classtype:domain-c2; sid:2030753; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbr.top"; nocase; endswith; classtype:domain-c2; sid:2030753; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbz.top"; nocase; endswith; classtype:domain-c2; sid:2030754; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbz.top"; nocase; endswith; classtype:domain-c2; sid:2030754; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeh.to"; nocase; endswith; classtype:domain-c2; sid:2030755; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeh.to"; nocase; endswith; classtype:domain-c2; sid:2030755; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeo.ws"; nocase; endswith; classtype:domain-c2; sid:2030756; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeo.ws"; nocase; endswith; classtype:domain-c2; sid:2030756; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.top"; nocase; endswith; classtype:domain-c2; sid:2030757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.top"; nocase; endswith; classtype:domain-c2; sid:2030757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.ws"; nocase; endswith; classtype:domain-c2; sid:2030758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.ws"; nocase; endswith; classtype:domain-c2; sid:2030758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaez.top"; nocase; endswith; classtype:domain-c2; sid:2030759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaez.top"; nocase; endswith; classtype:domain-c2; sid:2030759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjh.to"; nocase; endswith; classtype:domain-c2; sid:2030760; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjh.to"; nocase; endswith; classtype:domain-c2; sid:2030760; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjo.ws"; nocase; endswith; classtype:domain-c2; sid:2030761; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjo.ws"; nocase; endswith; classtype:domain-c2; sid:2030761; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.top"; nocase; endswith; classtype:domain-c2; sid:2030762; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.top"; nocase; endswith; classtype:domain-c2; sid:2030762; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.ws"; nocase; endswith; classtype:domain-c2; sid:2030763; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.ws"; nocase; endswith; classtype:domain-c2; sid:2030763; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjz.top"; nocase; endswith; classtype:domain-c2; sid:2030764; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjz.top"; nocase; endswith; classtype:domain-c2; sid:2030764; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieh.to"; nocase; endswith; classtype:domain-c2; sid:2030765; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieh.to"; nocase; endswith; classtype:domain-c2; sid:2030765; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieo.ws"; nocase; endswith; classtype:domain-c2; sid:2030766; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieo.ws"; nocase; endswith; classtype:domain-c2; sid:2030766; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.top"; nocase; endswith; classtype:domain-c2; sid:2030767; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.top"; nocase; endswith; classtype:domain-c2; sid:2030767; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.ws"; nocase; endswith; classtype:domain-c2; sid:2030768; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.ws"; nocase; endswith; classtype:domain-c2; sid:2030768; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgiez.top"; nocase; endswith; classtype:domain-c2; sid:2030769; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgiez.top"; nocase; endswith; classtype:domain-c2; sid:2030769; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiih.to"; nocase; endswith; classtype:domain-c2; sid:2030770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiih.to"; nocase; endswith; classtype:domain-c2; sid:2030770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiio.ws"; nocase; endswith; classtype:domain-c2; sid:2030771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiio.ws"; nocase; endswith; classtype:domain-c2; sid:2030771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.top"; nocase; endswith; classtype:domain-c2; sid:2030772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.top"; nocase; endswith; classtype:domain-c2; sid:2030772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.ws"; nocase; endswith; classtype:domain-c2; sid:2030773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.ws"; nocase; endswith; classtype:domain-c2; sid:2030773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiiz.top"; nocase; endswith; classtype:domain-c2; sid:2030774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiiz.top"; nocase; endswith; classtype:domain-c2; sid:2030774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzth.to"; nocase; endswith; classtype:domain-c2; sid:2030775; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzth.to"; nocase; endswith; classtype:domain-c2; sid:2030775; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzto.ws"; nocase; endswith; classtype:domain-c2; sid:2030776; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzto.ws"; nocase; endswith; classtype:domain-c2; sid:2030776; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztr.top"; nocase; endswith; classtype:domain-c2; sid:2030777; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztr.top"; nocase; endswith; classtype:domain-c2; sid:2030777; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztz.top"; nocase; endswith; classtype:domain-c2; sid:2030778; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztz.top"; nocase; endswith; classtype:domain-c2; sid:2030778; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooh.to"; nocase; endswith; classtype:domain-c2; sid:2030779; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooh.to"; nocase; endswith; classtype:domain-c2; sid:2030779; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooo.ws"; nocase; endswith; classtype:domain-c2; sid:2030780; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooo.ws"; nocase; endswith; classtype:domain-c2; sid:2030780; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokoor.top"; nocase; endswith; classtype:domain-c2; sid:2030781; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokoor.top"; nocase; endswith; classtype:domain-c2; sid:2030781; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooz.top"; nocase; endswith; classtype:domain-c2; sid:2030782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooz.top"; nocase; endswith; classtype:domain-c2; sid:2030782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoh.to"; nocase; endswith; classtype:domain-c2; sid:2030783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoh.to"; nocase; endswith; classtype:domain-c2; sid:2030783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoo.ws"; nocase; endswith; classtype:domain-c2; sid:2030784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoo.ws"; nocase; endswith; classtype:domain-c2; sid:2030784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.top"; nocase; endswith; classtype:domain-c2; sid:2030785; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.top"; nocase; endswith; classtype:domain-c2; sid:2030785; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.ws"; nocase; endswith; classtype:domain-c2; sid:2030786; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.ws"; nocase; endswith; classtype:domain-c2; sid:2030786; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoz.top"; nocase; endswith; classtype:domain-c2; sid:2030787; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoz.top"; nocase; endswith; classtype:domain-c2; sid:2030787; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrbox.ws"; nocase; endswith; classtype:domain-c2; sid:2030788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrbox.ws"; nocase; endswith; classtype:domain-c2; sid:2030788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrnet.top"; nocase; endswith; classtype:domain-c2; sid:2030789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrnet.top"; nocase; endswith; classtype:domain-c2; sid:2030789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdh.to"; nocase; endswith; classtype:domain-c2; sid:2030790; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdh.to"; nocase; endswith; classtype:domain-c2; sid:2030790; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdo.ws"; nocase; endswith; classtype:domain-c2; sid:2030791; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdo.ws"; nocase; endswith; classtype:domain-c2; sid:2030791; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.top"; nocase; endswith; classtype:domain-c2; sid:2030792; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.top"; nocase; endswith; classtype:domain-c2; sid:2030792; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.ws"; nocase; endswith; classtype:domain-c2; sid:2030793; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.ws"; nocase; endswith; classtype:domain-c2; sid:2030793; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdz.top"; nocase; endswith; classtype:domain-c2; sid:2030794; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdz.top"; nocase; endswith; classtype:domain-c2; sid:2030794; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (=Mozilla)"; flow:established,to_server; http.header; content:"User-Agent|3a|=Mozilla/5"; fast_pattern; classtype:trojan-activity; sid:2025456; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_03_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:social-engineering; sid:2025657; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:social-engineering; sid:2025657; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/vstudio"; fast_pattern; http.host; content:"msdn.microsoft.com"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category TROJAN, malware_family Smoke_Loader, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/visualstudio/"; fast_pattern; http.host; content:"www.microsoft.com"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category TROJAN, malware_family Smoke_Loader, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/\d+\/$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:command-and-control; sid:2025441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category MALWARE, malware_family Smoke_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/\d+\/$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:command-and-control; sid:2025441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category MALWARE, malware_family Smoke_Loader, signature_severity Major, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Certificate Observed M2"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=SneHose, O=Googls, OU=IT, CN=fff"; reference:md5,8430d8cf1b1edd6c49092a7dd6412a8a; classtype:trojan-activity; sid:2035063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|47 49 46 38 39 61 10 00 10 00 91 00 00 f7 f7 f7 ff ff ff c0 c0 c0 00 00 00 21 f9 04 00 00 00 00 5f 05 95 95 96 96 96 96 92 92 92 92 6d 92 92 92 2a 2a 2a 2a 2a 2a 2a 2a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a|"; depth:92; classtype:command-and-control; sid:2025457; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|47 49 46 38 39 61 10 00 10 00 91 00 00 f7 f7 f7 ff ff ff c0 c0 c0 00 00 00 21 f9 04 00 00 00 00 5f 05 95 95 96 96 96 96 92 92 92 92 6d 92 92 92 2a 2a 2a 2a 2a 2a 2a 2a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a|"; depth:92; classtype:command-and-control; sid:2025457; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NYU Internet HTTP/SSL Census Scan"; flow:to_server,established; http.user_agent; content:"NYU Internet Census (https://scan.lol|3b 20|research@scan.lol)"; reference:url,scan.lol; classtype:network-scan; sid:2025460; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_03, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_25;)
 
@@ -38762,11 +38362,15 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phish Lan
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NYU Internet Census UA Inbound"; http.user_agent; content:"NYU Internet Census"; depth:19; reference:url,scan.lol; classtype:network-scan; sid:2025461; rev:3; metadata:created_at 2018_04_03, deployment Perimeter, deployment Datacenter, former_category SCAN, signature_severity Informational, updated_at 2020_08_25;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trickbot C2 (networkDll module)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=Arasfjasu7|0d 0a|"; http.request_body; content:"name=|22|proclist|22|"; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2032217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-08 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"bassimo"; depth:7; nocase; fast_pattern; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; classtype:credential-theft; sid:2031860; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pontoeb CnC"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; fast_pattern; http.request_body; content:"mode="; depth:5; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:command-and-control; sid:2025484; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_04_11, deployment Perimeter, former_category MALWARE, malware_family Pontoeb, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"{|22|encry|22 3a 22|"; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; distance:0; content:"|22|guid|22 3a 22|"; distance:0; content:"|22|start|22 3a 22|"; distance:0; content:"|22|market|22 3a 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:command-and-control; sid:2025486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_12, deployment Perimeter, former_category MALWARE, malware_family Iron_Locker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"{|22|encry|22 3a 22|"; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; distance:0; content:"|22|guid|22 3a 22|"; distance:0; content:"|22|start|22 3a 22|"; distance:0; content:"|22|market|22 3a 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:command-and-control; sid:2025486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_12, deployment Perimeter, former_category MALWARE, malware_family Iron_Locker, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls.cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:command-and-control; sid:2025485; rev:4; metadata:created_at 2018_04_11, former_category MALWARE, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls.cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:domain-c2; sid:2025485; rev:4; metadata:attack_target Client_and_Server, created_at 2018_04_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/user/register"; http.request_body; content:"drupal"; pcre:"/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/i"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
@@ -38788,29 +38392,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Request f
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Keylogger Data Exfiltration Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/i"; http.request_body; content:"|00 2b 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024319; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"gender="; depth:7; nocase; fast_pattern; content:"&name1="; nocase; distance:0; content:"&name2="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com"; flow:established,to_server; http.host; content:"myip.dnsomatic.com"; bsize:18; classtype:external-ip-check; sid:2016754; rev:4; metadata:created_at 2013_04_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_25;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M1 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"tc="; depth:3; nocase; content:"&sms="; nocase; distance:0; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025503; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IcedID/Emotet Certificate Observed M1"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Texas, L=Phenix, O=Yahos, OU=IT, CN=foror2"; reference:md5,8430d8cf1b1edd6c49092a7dd6412a8a; classtype:trojan-activity; sid:2035051; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, malware_family IcedID, signature_severity Major, tag Emotet, tag IcedID, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M2 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"FakeCustomerName="; depth:17; nocase; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025504; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"gender="; depth:7; nocase; fast_pattern; content:"&name1="; nocase; distance:0; content:"&name2="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DenizBank Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&tc="; nocase; content:"&sms="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; fast_pattern; content:"&login_parola_card="; nocase; distance:0; classtype:credential-theft; sid:2025506; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com"; flow:established,to_server; http.host; content:"myip.dnsomatic.com"; bsize:18; classtype:external-ip-check; sid:2016754; rev:4; metadata:created_at 2013_04_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; dns.query; content:"dyoravdkiavfkbkx";depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025507; rev:3; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M1 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"tc="; depth:3; nocase; content:"&sms="; nocase; distance:0; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025503; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; dns.query; content:"dypmoywmjrevboat";depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025508; rev:3; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M2 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"FakeCustomerName="; depth:17; nocase; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025504; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; dns.query; content:"jjjooyeohgghgtwn";depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025509; rev:3; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DenizBank Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&tc="; nocase; content:"&sms="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; fast_pattern; content:"&login_parola_card="; nocase; distance:0; classtype:credential-theft; sid:2025506; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; dns.query; content:"lvanwwbyabcfevyi";depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025510; rev:3; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2020_08_25;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; dns.query; content:"uxwavkmttywsuynt";depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025511; rev:3; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2020_08_25;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; dns.query; content:"yaynawvtuqcarjwc";depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025512; rev:3; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2020_08_25;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-04-17"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ui="; depth:3; nocase; content:"&pw="; nocase; distance:0; fast_pattern; pcre:"/^ui=[^&]+&pw=/i"; classtype:credential-theft; sid:2025513; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-04-17"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ui="; depth:3; nocase; content:"&pw="; nocase; distance:0; fast_pattern; pcre:"/^ui=[^&]+&pw=/i"; classtype:credential-theft; sid:2025513; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; http.user_agent; content:"Morfeus"; nocase; depth:7; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2003466; rev:16; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_08_25;)
 
@@ -38832,23 +38426,21 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GX Stealer/G
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Value=11&FileName="; fast_pattern; content:"&FileSize="; distance:0; content:"&Macid="; distance:0; content:"&UserCode="; distance:0; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Aug 21 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&UserName="; nocase; content:"&Password="; nocase; distance:0; fast_pattern; http.host; content:!"absolutdata.com"; content:!"absolutresearch.com"; classtype:credential-theft; sid:2025026; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Aug 21 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&UserName="; nocase; content:"&Password="; nocase; distance:0; fast_pattern; http.host; content:!"absolutdata.com"; content:!"absolutresearch.com"; classtype:credential-theft; sid:2025026; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; urilen:1; threshold: type limit, count 2, seconds 300, track by_src; http.method; content:"POST"; http.header; content:"TagId|3a 20|"; fast_pattern; content:!".namequery.com|0d 0a|"; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; nocase; depth:4; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns.query; content:"3whyfziey2vr41yq";depth:16; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; nocase; depth:4; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pww="; nocase; distance:0; fast_pattern; content:"&image.x="; nocase; distance:0; content:"&image.y="; nocase; distance:0; classtype:credential-theft; sid:2025562; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pww="; nocase; distance:0; fast_pattern; content:"&image.x="; nocase; distance:0; content:"&image.y="; nocase; distance:0; classtype:credential-theft; sid:2025562; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; http.method; content:"GET"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:social-engineering; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; http.method; content:"GET"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:social-engineering; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TSB Bank Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:credential-theft; sid:2025564; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TSB Bank Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:credential-theft; sid:2025564; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us1="; depth:4; nocase; content:"&ps1="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025566; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us1="; depth:4; nocase; content:"&ps1="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025566; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HTTP_SERVERS 8161 (msg:"ET WEB_SPECIFIC_APPS Apache ActiveMQ File Upload RCE (CVE-2016-3088)"; flow:established,to_server; http.method; content:"MOVE"; http.header; content:"Destination|3a 20|"; reference:cve,2016-3088; reference:url,www.exploit-db.com/exploits/42283/; classtype:attempted-admin; sid:2025574; rev:3; metadata:attack_target Web_Server, created_at 2018_05_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
 
@@ -38856,25 +38448,29 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Attem
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InfoBot)"; flow:to_server,established; http.user_agent; content:"InfoBot"; nocase; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-16 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025579; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-16 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025579; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"data.php?id="; fast_pattern; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/i"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:command-and-control; sid:2024239; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category MALWARE, malware_family Karmen_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"data.php?id="; fast_pattern; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/i"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:command-and-control; sid:2024239; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family Karmen_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin via HTTP"; flow:established,to_server; http.user_agent; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; fast_pattern; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:command-and-control; sid:2021336; rev:6; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2015_06_23, deployment Perimeter, former_category MALWARE, malware_family DDoS_XOR, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pterodo.CL CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"versiya="; depth:8; content:"&comp="; distance:0; content:"&sysinfo="; distance:0; fast_pattern; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Referer"; content:!"Cache"; reference:md5,46C4A755E80EE4DF590C87C98115A5C7; classtype:command-and-control; sid:2034343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family Pterodo, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin via HTTP"; flow:established,to_server; http.user_agent; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; fast_pattern; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:command-and-control; sid:2021336; rev:6; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2015_06_24, deployment Perimeter, former_category MALWARE, malware_family DDoS_XOR, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTPie User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"HTTPie/"; depth:7; reference:url,httpie.org; classtype:attempted-recon; sid:2025584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/-"; distance:0; content:"&hwid="; distance:0; http.header_names; content:!"Referer"; reference:md5,31d65e315115c823f619a381576984f8; classtype:command-and-control; sid:2025586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_30, deployment Perimeter, former_category MALWARE, malware_family Aurora, malware_family OneKeyLocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/-"; distance:0; content:"&hwid="; distance:0; http.header_names; content:!"Referer"; reference:md5,31d65e315115c823f619a381576984f8; classtype:command-and-control; sid:2025586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_30, deployment Perimeter, former_category MALWARE, malware_family Aurora, malware_family OneKeyLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-31"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-31"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-11"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"gate="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&push="; nocase; distance:0; classtype:credential-theft; sid:2025588; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-11"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"gate="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&push="; nocase; distance:0; classtype:credential-theft; sid:2025588; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet CnC Checkin (POST)"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"POST"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; depth:65; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2035053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025591; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025591; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Paypal Phish Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2e 2e 2e 2e 21 5b 31 5d 20 53 2f 4d 2f 41 2f 49 2f 4c 2f 4d 2f 41 2f 58 21 2e 2e 2e 2e|"; classtype:social-engineering; sid:2025592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackshadesRAT Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/alive.php?"; nocase; content:"key="; nocase; content:"pcuser="; nocase; content:"pcname="; nocase; content:"hwid="; nocase; content:"country="; nocase; reference:url,threatexpert.com/report.aspx?md5=85a9f25c9b6614a8ad16dd7f3363a247; classtype:trojan-activity; sid:2012587; rev:6; metadata:created_at 2011_03_28, former_category TROJAN, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackshadesRAT Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/alive.php?"; nocase; content:"key="; nocase; content:"pcuser="; nocase; content:"pcname="; nocase; content:"hwid="; nocase; content:"country="; nocase; reference:md5,85a9f25c9b6614a8ad16dd7f3363a247; classtype:trojan-activity; sid:2012587; rev:6; metadata:created_at 2011_03_28, former_category TROJAN, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M2"; flow:to_server,established; http.header; content:"BwYXNzdGhydSgn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025593; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, former_category WEB_SERVER, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)
 
@@ -38904,13 +38500,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"background|3a|url(Logon_Files/"; nocase; fast_pattern; content:"href=|22|Logon_Files/"; nocase; distance:0; content:"<title>Capitalone"; nocase; distance:0; content:"href=|22|Logon_Files/"; nocase; distance:0; classtype:social-engineering; sid:2025618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING US Bank Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"href=|22|index|25|5D_files/"; nocase; content:"src=|22|index|25|5D_files/"; nocase; distance:0; fast_pattern; content:"<title>PersonalID Step"; nocase; distance:0; classtype:social-engineering; sid:2025619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING US Bank Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"href=|22|index|25|5D_files/"; nocase; content:"src=|22|index|25|5D_files/"; nocase; distance:0; fast_pattern; content:"<title>PersonalID Step"; nocase; distance:0; classtype:social-engineering; sid:2025619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING American Express Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>American Express"; nocase; content:"href=|22|./index_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./index_files/"; nocase; distance:0; classtype:social-engineering; sid:2025620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING HM Revenue Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>HM Revenue"; nocase; content:"href=|22|file/"; nocase; distance:0; fast_pattern; content:"<h1>Tax Refund"; nocase; distance:0; content:"<!-- DEVELOPMENT ONLY -->"; nocase; distance:0; classtype:social-engineering; sid:2025621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|7c 20 7c 5c 2f 7c 20 7c 20 2f 20 5f 5f 7c 20 5f 5f 2f 20 5f 20 5c 20 27 5f 5f 7c 20 20 5c 5f 5f 5f 20 5c 7c 20 27 5f 20 5c 7c 20 7c 20 7c 20 7c|"; content:"|68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 30 30 37 4d 72 53 70 79|"; distance:0; fast_pattern; content:"|73 72 63 3d 22 4a 73 5f 53 70 79 2f|"; distance:0; classtype:social-engineering; sid:2025622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|7c 20 7c 5c 2f 7c 20 7c 20 2f 20 5f 5f 7c 20 5f 5f 2f 20 5f 20 5c 20 27 5f 5f 7c 20 20 5c 5f 5f 5f 20 5c 7c 20 27 5f 20 5c 7c 20 7c 20 7c 20 7c|"; content:"|68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 30 30 37 4d 72 53 70 79|"; distance:0; fast_pattern; content:"|73 72 63 3d 22 4a 73 5f 53 70 79 2f|"; distance:0; classtype:social-engineering; sid:2025622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<meta name=|22|generator|22 20|content=|22|WYSIWYG|22|"; nocase; content:"<link href=|22|Untitled1.css|22|"; nocase; distance:0; fast_pattern; content:"<div id=|22|wb_Image1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:"<div id=|22|wb_Form1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|password|22 20|id=|22|Editbox2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025623; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
@@ -38922,9 +38518,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpMyAdmin 4.
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin iThemes Security SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; content:"&orderby="; fast_pattern; pcre:"/&orderby=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/i"; classtype:web-application-attack; sid:2025738; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_25, cve cve_2018_12636, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Generic Phish 2018-06-15"; flow:to_server,established; flowbits:isset,ET.genericphish; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Generic Phish 2018-06-15"; flow:to_server,established; flowbits:isset,ET.genericphish; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Personalized Phish 2018-06-15"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?email="; nocase; content:"&password="; nocase; distance:0; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Personalized Phish 2018-06-15"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?email="; nocase; content:"&password="; nocase; distance:0; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 2"; flow:established,to_server; http.uri; content:"/_config/query_servers/cmd"; reference:cve,2017-12636; classtype:attempted-user; sid:2025741; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
@@ -38952,7 +38548,7 @@ alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Cryptolocker Payment Domain (
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B - OS Command Injection"; flow:established,to_server; http.uri; content:"/login.cgi?cli="; pcre:"/^[ a-zA-Z0-9+_]*[\x27\x3b]/Ri"; reference:url,exploit-db.com/exploits/44760/; classtype:attempted-user; sid:2025756; rev:3; metadata:attack_target IoT, created_at 2018_06_27, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; http.method; content:"head"; nocase; content:!"HEAD"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:4; metadata:created_at 2012_03_14, former_category POLICY, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; http.method; content:"head"; nocase; content:!"HEAD"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:4; metadata:created_at 2012_03_15, former_category POLICY, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 1"; flow:established,to_server; http.uri; content:"/wp-admin/post.php?post="; http.request_body; content:"action=editattachment&_wpnonce="; fast_pattern; content:"&thumb=../../"; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025757; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2018_06_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
@@ -38964,9 +38560,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco Adaptive Security Appliance - Path Traversal"; flow:established,to_server; http.uri; content:"+CSCOE+/files/file_list.json?path=+CSCOE+"; fast_pattern; http.uri.raw; content:"../"; reference:url,exploit-db.com/exploits/44956/; reference:cve,2018-0296; classtype:attempted-user; sid:2025764; rev:2; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Paradise Ransomware Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v1="; depth:3; content:"v2="; distance:0; content:"start_e="; distance:0; content:"end_e="; distance:0; content:"files_count="; distance:0; fast_pattern; content:"key="; distance:0; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2025631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category TROJAN, malware_family Paradise, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Paradise Ransomware Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v1="; depth:3; content:"v2="; distance:0; content:"start_e="; distance:0; content:"end_e="; distance:0; content:"files_count="; distance:0; fast_pattern; content:"key="; distance:0; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2025631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category MALWARE, malware_family Paradise, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-06-29"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; content:"&ps="; nocase; distance:0; classtype:credential-theft; sid:2025632; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-06-29"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; content:"&ps="; nocase; distance:0; classtype:credential-theft; sid:2025632; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
@@ -38994,7 +38590,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Adding
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ntop-ng Authentication Bypass via Session ID Guessing"; flow:established,to_server; threshold: type threshold, track by_dst, count 255, seconds 10; http.uri; content:"/lua/network_load.lua"; fast_pattern; http.cookie; content:"session="; content:"user="; reference:cve,2018-12520; reference:url,exploit-db.com/exploits/44973/; classtype:attempted-recon; sid:2025780; rev:3; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 2"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:command-and-control; sid:2014411; rev:13; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 2"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:md5,99FAB94FD824737393F5184685E8EDF2; classtype:command-and-control; sid:2014411; rev:13; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ADB Broadband Authorization Bypass"; flow:established,to_server; http.uri; content:"/ui/dboard/settings/management/"; fast_pattern; http.uri.raw; content:"/management//"; reference:cve,2018-13109; reference:url,exploit-db.com/exploits/44982/; classtype:web-application-attack; sid:2025785; rev:2; metadata:attack_target IoT, created_at 2018_07_05, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
@@ -39004,6 +38600,14 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Man
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Airties AIR5444TT - Cross-Site Scripting"; flow:established,to_server; http.uri; content:"/top.html?page=main&productboardtype="; fast_pattern; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,exploit-db.com/exploits/44986/; reference:cve,2018-8738; classtype:attempted-user; sid:2025789; rev:3; metadata:attack_target Web_Server, created_at 2018_07_06, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M1 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name"; nocase; content:"mail"; nocase; content:"Password"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032366; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M2 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; nocase; content:"mail"; nocase; content:"Password"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032367; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M3 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032368; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M4 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name"; nocase; content:"mail"; nocase; content:"Passw0rd"; fast_pattern; nocase; content:"<div class=|22|wsite-form-field|22|"; classtype:social-engineering; sid:2032369; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/update"; fast_pattern; http.host; pcre:"/^[a-z0-9]+\.(?:biz|com|net|org)/"; http.header_names; content:!"User-Agent"; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:5; metadata:created_at 2014_07_11, former_category TROJAN, updated_at 2020_08_25;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR601 2.02 Credential Disclosure"; flow:established,to_server; http.uri; content:"/my_cgi.cgi"; http.request_body; content:"request=no_auth"; content:"request=load_settings"; content:"table_name=admin_user"; fast_pattern; content:"table_name=user_user"; content:"table_name=wireless_settings"; content:"table_name=wireless_security"; content:"table_name=wireless_wpa_settings"; reference:url,exploit-db.com/exploits/45002/; classtype:attempted-recon; sid:2025823; rev:3; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
@@ -39028,9 +38632,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfus
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>/bin/sh"; content:"<string>-c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>cmd</string>"; content:"<string>/c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>cmd</string>"; content:"<string>/c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Berbew Check-in"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:".NET CLR 00000000"; classtype:trojan-activity; sid:2017128; rev:8; metadata:created_at 2013_07_10, former_category TROJAN, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Berbew Check-in"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:".NET CLR 00000000"; classtype:trojan-activity; sid:2017128; rev:8; metadata:created_at 2013_07_11, former_category TROJAN, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Job Manager Stored Cross-Site Scripting"; flow:established,to_server; http.uri; content:"/?step=|00|"; content:"submit-job-form"; fast_pattern; content:"enctype=|22|multipart/form-data|22|"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,exploit-db.com/exploits/45031/; classtype:attempted-user; sid:2025839; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
@@ -39076,13 +38680,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Ve
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic YWRtaW46YWRtaW4="; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025855; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anubiscode.fun"; nocase; endswith; classtype:domain-c2; sid:2030729; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anubiscode.fun"; nocase; endswith; classtype:domain-c2; sid:2030729; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; content:".exe"; fast_pattern; pcre:"/^(?:\?[0-9])?/R"; pcre:"/\/wp-(?:content|admin|includes)\//"; http.header_names; content:!"Referer"; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Wordpress, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-07-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pswd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-07-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pswd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-07-19"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025864; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-07-19"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025864; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XML External Entity Information Disclosure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22 20|encoding="; content:"<!DOCTYPE"; content:"<!ENTITY"; content:"SYSTEM |22|file|3a|///etc/"; fast_pattern; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-recon; sid:2025877; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
@@ -39108,7 +38712,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Unde
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-07-30"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/customer-IDPP00"; fast_pattern; content:"/myaccount/signin/"; nocase; distance:0; classtype:social-engineering; sid:2025919; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Volexity - JS Sniffer Data Theft Beacon Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"=WyJ1cmw"; distance:0; fast_pattern; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:trojan-activity; sid:2025880; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Volexity - JS Sniffer Data Theft Beacon Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"=WyJ1cmw"; distance:0; fast_pattern; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:trojan-activity; sid:2025880; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Stealer, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check whatismyip.com Automation Page"; flow:established,to_server; http.uri; content:"/automation/n09230945.asp"; reference:url,doc.emergingthreats.net/2008985; classtype:attempted-recon; sid:2008985; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
 
@@ -39122,19 +38726,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (w
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (icanhazip. com in HTTP Host)"; flow:established,to_server; http.host; content:"icanhazip.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:attempted-recon; sid:2017398; rev:6; metadata:created_at 2013_08_30, former_category POLICY, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-01"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&t2="; nocase; distance:0; content:"&t3="; nocase; distance:0; content:"&t4="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025932; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-01"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&t2="; nocase; distance:0; content:"&t3="; nocase; distance:0; content:"&t4="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025932; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload|22 3b 20|filename=|22|temp.gif|22 0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; classtype:command-and-control; sid:2025991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload|22 3b 20|filename=|22|temp.gif|22 0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048a; classtype:command-and-control; sid:2025991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP_CONNECT_)"; flow:established,to_server; http.user_agent; content:"HTTP_Connect_"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; classtype:bad-unknown; sid:2007821; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 11"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:command-and-control; sid:2025993; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 11"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:command-and-control; sid:2025993; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, signature_severity Major, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Spy.Agent.PMJ (MICROPSIA)"; flow:established, to_server; http.method; content:"POST"; http.request_body; content:"daenerys="; depth:9; fast_pattern; content:"betriebssystem="; distance:0; content:"anwendung="; distance:0; content:"AV="; distance:0; content:"frankie="; distance:0; classtype:trojan-activity; sid:2025994; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) HTTP Header"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_len; byte_test:0,>,1000,0,string,dec; byte_test:0,<,2000,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; classtype:trojan-activity; sid:2026001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish Phish 2018-08-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2026006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish Phish 2018-08-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2026006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HOME_NET any (msg:"ET SCAN Geutebrueck re_porter 7.8.974.20 Information Disclosure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/statistics/gscsetup.xml"; reference:cve,2018-15534; reference:url,exploit-db.com/exploits/45240/; classtype:attempted-recon; sid:2026008; rev:2; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
@@ -39162,8 +38766,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Linux)"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; content:".deb"; content:"/var/lib/sdn/uploads"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026029; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:"ognl|2E|"; distance:0;fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts inbound .getWriter OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:".getWriter"; fast_pattern; distance:0; reference:cve,2018-11776; classtype:attempted-admin; sid:2026032; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts java.lang inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:"java|2E|lang"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026033; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
@@ -39196,7 +38798,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Monero Miner CnC C
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Monero Miner CnC Channel Secondary Domain Lookup"; threshold:type limit, track by_src, count 1, seconds 300; dns.query; content:"mylog.icu"; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:command-and-control; sid:2026098; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aura Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"{KIARA}"; fast_pattern; http.request_body; content:"id="; depth:3; content:"&guid="; http.header_names; content:!"Referer"; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:command-and-control; sid:2026099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aura Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"{KIARA}"; fast_pattern; http.request_body; content:"id="; depth:3; content:"&guid="; http.header_names; content:!"Referer"; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:command-and-control; sid:2026099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Eredel Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; content:"&os="; content:"&cookie="; content:"&pswd="; fast_pattern; content:"&telegram="; content:"&version=v"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,4b5e27e843e1b26aedec66f9e87c9960; classtype:command-and-control; sid:2025982; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category MALWARE, malware_family Eredel, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
@@ -39212,7 +38814,7 @@ alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NetGain Enterprise Manager
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection M2"; flow:to_server,established; http.uri; content:"/cgi_system?cmd=saveconfig"; http.request_body; content:"bfolder="; pcre:"/(?:\x60|\x24)/"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026108; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.logsbanks.xyz"; nocase; endswith; classtype:domain-c2; sid:2030730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.logsbanks.xyz"; nocase; endswith; classtype:domain-c2; sid:2030730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
 
@@ -39220,11 +38822,11 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex En
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2026360; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2026360; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-24"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"account="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2026362; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-24"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"account="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2026362; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; pcre:"/\.(?:bmp|png|gif|jpg)$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.request_body; content:"wfKD6iudumBkmp"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_type; content:"multipart/form-data"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2025638; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_04, deployment Perimeter, former_category MALWARE, malware_family GandCrab, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; pcre:"/\.(?:bmp|png|gif|jpg)$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.request_body; content:"wfKD6iudumBkmp"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_type; content:"multipart/form-data"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2025638; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_04, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS_D0wnl0ad3r Screenshot Upload"; flow:to_server,established; http.method; content:"POST"; http.header; content:"boundary=MS_D0wnl0ad3r"; reference:md5,f40248a592ed711d95eb8b48b31a1ed8; classtype:trojan-activity; sid:2026361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category TROJAN, malware_family Downloader, signature_severity Major, updated_at 2020_08_25;)
 
@@ -39256,27 +38858,27 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Password
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hello Peppa! Scan Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"=die(|27|Hello, Peppa!|27|"; fast_pattern; reference:url,isc.sans.edu/diary/rss/23860; classtype:attempted-recon; sid:2026464; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category SCAN, malware_family Hello_Peppa, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026466; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026466; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware End Activity"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|End"; distance:0; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category TROJAN, malware_family Kraken_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware End Activity"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|End"; distance:0; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php?clickid="; fast_pattern; pcre:"/^[a-z0-9]{6,15}$/Ri"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SocEng, tag CoinMinerCampaign, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php?clickid="; fast_pattern; pcre:"/^[a-z0-9]{6,15}$/Ri"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Coinminer, tag SocEng, tag CoinMinerCampaign, updated_at 2020_08_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.6.0_"; content:!"211"; within:3; reference:url,www.oracle.com/technetwork/articles/javase/overview-156328.html; classtype:bad-unknown; sid:2011582; rev:55; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.6.0_"; content:!"211"; within:3; reference:url,www.oracle.com/technetwork/articles/javase/overview-156328.html; classtype:bad-unknown; sid:2011582; rev:55; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^id=[^&%]+%40[^&]+&pass=/i"; classtype:credential-theft; sid:2026492; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^id=[^&%]+%40[^&]+&pass=/i"; classtype:credential-theft; sid:2026492; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (302) 2016-12-16"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a|"; nocase; pcre:"/^\s*(?:\./|\.\./)*(?:s(?:e(?:curity(?:-check|cvv)|rver|condpage)|uccess)|l(?:o(?:ad(?:ing|er)|g(?:off))|iamg)|d(?:e(?:livery|tails)|one|hl)|i(?:d(?:entity)?|ndex2|i)|p(?:ro(?:cess(?:ing)?|file)|hone|ass|in|ayment)|w(?:e(?:iter|bsc)|ait)|t(?:hanky[o0]u|racking)|v(?:alidate|erify?|bv)|L(?:oginVerification|L1|2|ogin2)|f(?:orward|irst|in(?:al|ish))|b(?:illing2?|ank)|e(?:rror|xcel|nd)|questions|1loader|account|recova|confirm|outlook|update(?:bill|card)?|good|SS|verification|qes|upgrade2?|activation|check(?:ing)?|ex|indexx|warning|re(?:name|try))\./Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2029657; rev:28; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, performance_impact Significant, signature_severity Major, tag Phishing, updated_at 2020_08_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (302) 2016-12-16"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a|"; nocase; pcre:"/^\s*(?:\./|\.\./)*(?:s(?:e(?:curity(?:-check|cvv)|rver|condpage)|uccess)|l(?:o(?:ad(?:ing|er)|g(?:off))|iamg)|d(?:e(?:livery|tails)|one|hl)|i(?:d(?:entity)?|ndex2|i)|p(?:ro(?:cess(?:ing)?|file)|hone|ass|in|ayment)|w(?:e(?:iter|bsc)|ait)|t(?:hanky[o0]u|racking)|v(?:alidate|erify?|bv)|L(?:oginVerification|L1|2|ogin2)|f(?:orward|irst|in(?:al|ish))|b(?:illing2?|ank)|e(?:rror|xcel|nd)|questions|1loader|account|recova|confirm|outlook|update(?:bill|card)?|good|SS|verification|qes|upgrade2?|activation|check(?:ing)?|ex|indexx|warning|re(?:name|try))\./Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2029657; rev:28; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Credential POST to Ngrok.io"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ngrok.io"; fast_pattern; classtype:credential-theft; sid:2026516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Credential POST to Ngrok.io"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ngrok.io"; fast_pattern; classtype:credential-theft; sid:2026516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Payment Domain (gandcrab in DNS Lookup)"; dns.query; content:"gandcrab"; depth:8; nocase; pcre:"/^[a-z0-9]{8}/R"; classtype:trojan-activity; sid:2025496; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Chacha.DDoS/Xor.DDoS Stage 2 CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"LuaSocket|20|"; depth:10; fast_pattern; http.request_body; content:"macaddress="; depth:11; content:"&device="; distance:0; content:"&type="; distance:0; content:"&version="; distance:0; http.connection; content:"close,|20|TE"; depth:9; http.header_names; content:"TE|0d 0a 0d 0a|"; content:!"Referer"; reference:url,www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/; classtype:command-and-control; sid:2026523; rev:2; metadata:affected_product Linux, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family ChaChaDDoS, malware_family XorDDoS, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-18"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2026518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-18"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2026518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows XP)"; flow:to_server,established; http.user_agent; content:"Windows XP"; depth:10; classtype:bad-unknown; sid:2026519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
 
@@ -39300,7 +38902,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Packity Pr
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Packity Proxy Connection"; flow:established,to_server; http.start; content:"CONNECT /PROVIDER/PROXY2 HTTP/1.1|0d 0a|Host|3a 20|"; startswith; fast_pattern; content:"|0d 0a|Proxy-Authorization|3a 20|Basic "; distance:0; content:"=|0d 0a|"; distance:119; within:3; reference:md5,9d245ac24d0dad591d01d2ef52da3ead; classtype:bad-unknown; sid:2030800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; pcre:"/^id=[^&]+&ps=/i"; classtype:credential-theft; sid:2026530; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; pcre:"/^id=[^&]+&ps=/i"; classtype:credential-theft; sid:2026530; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT28 DOC Uploader SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=mvtband.net"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; tls.cert_serial; content:"03:04:FF:5D:C9:BB:AC:50:C1:7B:3E:4C:1C:68:26:15:F0:3E"; reference:md5,9b10685b774a783eabfecdb6119a8aa3; classtype:targeted-activity; sid:2026539; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT28, updated_at 2020_08_27;)
 
@@ -39310,7 +38912,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware C
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag Fake_404, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Cryptocurrency Exchange Phish (set) 2018-10-25"; flow:established,to_server; flowbits:set,ET.Cryptocurrency_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"private_key="; depth:12; nocase; fast_pattern; classtype:credential-theft; sid:2026554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Cryptocurrency Exchange Phish (set) 2018-10-25"; flow:established,to_server; flowbits:set,ET.Cryptocurrency_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"private_key="; depth:12; nocase; fast_pattern; classtype:credential-theft; sid:2026554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M1"; flow:established,to_server; threshold: type both, count 1, seconds 30, track by_dst; http.method; content:"GET"; http.uri; content:".aspx"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Win32|29|"; fast_pattern; http.cookie; pcre:"/^[A-F0-9]{50,}$/"; http.header_names; content:"Date"; content:"Connection"; content:"Pragma"; content:"Cache-Control"; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:command-and-control; sid:2026565; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
@@ -39324,13 +38926,13 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT29 Coz
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Kraken.v2 HTTP Pattern"; flow:established,to_server; http.user_agent; content:"Kraken web request agent/"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,e1aee9ef64d71e0c9bb8eee9742efdef; reference:url,securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/; classtype:trojan-activity; sid:2026588; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_09, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd"; tls.cert_serial; content:"00:BD:98:61:EE:0E:3E:D9:1D"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:command-and-control; sid:2026589; rev:2; metadata:created_at 2018_11_13, former_category MALWARE, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd"; tls.cert_serial; content:"00:BD:98:61:EE:0E:3E:D9:1D"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026589; rev:2; metadata:attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=gooqleasadservices.com"; tls.cert_serial; content:"3E:B7:66:78:6D:FB:52:ED:59:7A:DD:25:52:47:04:A8"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=gooqleasadservices.com"; tls.cert_serial; content:"3E:B7:66:78:6D:FB:52:ED:59:7A:DD:25:52:47:04:A8"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"C=RU, OU=Domain Control Validated, CN=www.magento.name"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026602; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"C=RU, OU=Domain Control Validated, CN=www.magento.name"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026602; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 5 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=localhost.localdomain"; tls.cert_serial; content:"00:FF:A1:F0:8C:C1:45:51:3E"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 5 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=localhost.localdomain"; tls.cert_serial; content:"00:FF:A1:F0:8C:C1:45:51:3E"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M1 (Enable Registration)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin-ajax.php"; http.request_body; content:"action=wpgdprc_"; fast_pattern; content:"users_can_register|22|,|22|value|22 3a 22|1"; distance:0; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026605; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag PrivilegeEsc, updated_at 2020_08_27;)
 
@@ -39342,13 +38944,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Scann
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Baby Coin syschk CnC Communication"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = --------------------------- 7dab371b0124"; fast_pattern; bsize:74; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.alyac.co.kr/1640; classtype:command-and-control; sid:2026609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT29)"; flow:from_server,established; tls.cert_subject; content:"CN=pandorasong.com"; classtype:targeted-activity; sid:2026618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT29, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT29)"; flow:from_server,established; tls.cert_subject; content:"CN=pandorasong.com"; classtype:domain-c2; sid:2026618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT29, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hades APT Downloader Attempting to Retrieve Stage 2 Payload"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/check/index"; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:url,research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/; classtype:targeted-activity; sid:2026619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag Hades, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Renos/Artro Trojan Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; content:"=v"; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/"; http.user_agent; content:"wget"; nocase; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:command-and-control; sid:2013186; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)"; dns.query; content:"kraken656kn6wyyx";depth:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1030.pdf; classtype:command-and-control; sid:2026640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Renos/Artro Trojan Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; content:"=v"; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/"; http.user_agent; content:"wget"; nocase; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:md5,01ca25570659c2e1b8b887a3229ef421; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:command-and-control; sid:2013186; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HackTool.Linux.SSHBRUTE.A Haiduc Initial Compromise C2 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php"; http.user_agent; content:"curl/"; fast_pattern; http.request_body; content:"info="; depth:5; content:"&data="; distance:0; classtype:command-and-control; sid:2026642; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
@@ -39366,7 +38966,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL APT28 Zebroc
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cookie Based BackDoor Used in Drupal Attacks"; flow:established,to_server; http.cookie; content:"preg_replace"; nocase; reference:url,www.kahusecurity.com/posts/drupal_7_sql_injection_info.html; classtype:attempted-user; sid:2019627; rev:4; metadata:created_at 2014_11_03, former_category WEB_SERVER, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) HttpHeader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAA"; endswith; http.header; content:"Accept|3a 20|*/*"; depth:11; content:"Accept-Encoding|3a 20|gzip, deflate"; within:32; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; within:192; content:"Host|3a 20|r.photo.store.qq.com"; fast_pattern; within:28; content:"Connection|3a 20|Keep-Alive"; within:24; isdataat:!3,relative; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2026688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Stealer, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) HttpHeader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAA"; endswith; http.header; content:"Accept|3a 20|*/*"; depth:11; content:"Accept-Encoding|3a 20|gzip, deflate"; within:32; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; within:192; content:"Host|3a 20|r.photo.store.qq.com"; fast_pattern; within:28; content:"Connection|3a 20|Keep-Alive"; within:24; isdataat:!3,relative; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2026688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_08_27;)
 
@@ -39374,16 +38974,18 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Har
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Harvesting Email Addresses 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e.php?s=itfullemail&n="; fast_pattern; content:"&b="; distance:0; content:"&_="; distance:0; reference:url,www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/; classtype:trojan-activity; sid:2026721; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_11, deployment Perimeter, former_category TROJAN, malware_family Danabot, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?sys="; content:"&c_type="; distance:0; content:"&dis_type="; distance:0; fast_pattern; content:"&num="; distance:0; content:"&user="; distance:0; content:"&ver="; distance:0; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:command-and-control; sid:2026725; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_12_13, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Satan, performance_impact Low, signature_severity Major, tag Multi_Platform, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?sys="; content:"&c_type="; distance:0; content:"&dis_type="; distance:0; fast_pattern; content:"&num="; distance:0; content:"&user="; distance:0; content:"&ver="; distance:0; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:command-and-control; sid:2026725; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Fake Login - Possible Phishing - 2018-12-31"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fakeLogin="; depth:10; nocase; content:"&fakePassword="; nocase; distance:0; fast_pattern; classtype:suspicious-login; sid:2026746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_12_31, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Fake Login - Possible Phishing - 2018-12-31"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fakeLogin="; depth:10; nocase; content:"&fakePassword="; nocase; distance:0; fast_pattern; classtype:suspicious-login; sid:2026746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_12_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Generic Login - Possible Successful Phish 2019-01-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"myusername="; depth:11; nocase; content:"&mypassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Generic Login - Possible Successful Phish 2019-01-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"myusername="; depth:11; nocase; content:"&mypassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO maas.io Image Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Maas.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"maas/2.3."; http.host; content:"images.maas.io"; classtype:trojan-activity; sid:2026747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, former_category INFO, signature_severity Informational, updated_at 2020_08_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?res="; http.request_body; content:"data="; depth:5; content:"Host+Name%3A"; distance:0; content:"OS+Name%3A"; distance:0; content:"OS+Configuration%3A"; distance:0; content:"Original+Install+Date%3A"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bynamail="; depth:9; nocase; content:"&bynapass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032414; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id_name="; fast_pattern; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"attach="; depth:7; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Sofacy, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Downloader Error POST"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; depth:15; http.host; content:"google.com"; depth:10; http.request_body; content:"project=%"; depth:9; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
@@ -39396,16 +38998,18 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Zebrocy/Zek
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 2 - CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmp/Cobra_"; fast_pattern; content:!"&"; content:!"."; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_08_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; tls.cert_serial; content:"0E:06:ED:F2:C3:91"; classtype:command-and-control; sid:2026616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; tls.cert_serial; content:"0E:06:ED:F2:C3:91"; classtype:domain-c2; sid:2026616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper RAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checksolutions.pw"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:command-and-control; sid:2026767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_09, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper RAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checksolutions.pw"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:domain-c2; sid:2026767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_09, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader 7zip Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/support.html"; fast_pattern; http.host; content:"www.7-zip.org"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,9bea24aadc1061d39ec15707a1f9b87b; classtype:trojan-activity; sid:2026805; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; threshold: type both, count 5, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?TIe="; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d\x7b\x7d]+$/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer"; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; reference:md5,8d42c01180be7588a2a68ad96dd0cf85; classtype:command-and-control; sid:2025198; rev:4; metadata:created_at 2018_01_11, former_category MALWARE, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; threshold: type both, count 5, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?TIe="; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d\x7b\x7d]+$/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer"; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; reference:md5,8d42c01180be7588a2a68ad96dd0cf85; classtype:command-and-control; sid:2025198; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kibana Attempted LFI Exploitation (CVE-2018-17246)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/console/api_server?sense_version="; depth:38; fast_pattern; content:"SENSE_VERSION&apis="; pcre:"/^(?:\.\.\/){2,}/R"; reference:url,www.bleepingcomputer.com/news/security/file-inclusion-bug-in-kibana-console-for-elasticsearch-gets-exploit-code/; classtype:attempted-user; sid:2026739; rev:4; metadata:attack_target Web_Server, created_at 2018_12_19, cve 2018_17246, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE W32/Emotet CnC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.cookie; pcre:"/^[0-9]{3,5}\s*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Cookie|3a 20|"; http.header_names; content:"|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; depth:40; fast_pattern; content:!"Referer"; content:!"Accept"; reference:md5,d51ce75c66d1ac9f071b45b67fb8066c; classtype:command-and-control; sid:2035052; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER jQuery File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; http.request_body; content:"name=|22|files|22 3b|"; content:"<?php"; nocase; reference:url,github.com/lcashdol/Exploits/tree/master/CVE-2018-9206; reference:cve,2018-9206; classtype:web-application-attack; sid:2026552; rev:4; metadata:affected_product PHP, attack_target Server, created_at 2018_10_25, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_08_27;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Python Eval Compile seen in HTTP Request Headers"; flow:established,to_server; http.header; content:"eval(compile("; reference:url,sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html; classtype:bad-unknown; sid:2026848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_08_27;)
@@ -39416,7 +39020,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Poss
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/certificate_handle2.htm?type="; http.request_body; content:"page=self_generator.htm&totalRules="; depth:35; fast_pattern; content:"|25 32 37 25 32 34 25 32 38|"; distance:0; reference:url,seclists.org/fulldisclosure/2019/Jan/54; classtype:trojan-activity; sid:2026860; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_01_29, cve 2019_1652, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-01-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"off8900="; depth:8; nocase; content:"&offpa738="; nocase; distance:0; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029668; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-01-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"off8900="; depth:8; nocase; content:"&offpa738="; nocase; distance:0; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029668; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-01-30"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"passwd="; depth:7; nocase; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2031868; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Pando Client User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Pando/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008625; classtype:policy-violation; sid:2008625; rev:8; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_08_27;)
 
@@ -39436,7 +39042,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Down
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Grandoreiro CnC Activity (vbs)"; flow:established,to_server; urilen:15<>21; http.method; content:"GET"; http.uri; content:"/spain/index.php"; endswith; fast_pattern; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; reference:md5,2cb39126dd8f22ffdf2ad2b679405653; classtype:command-and-control; sid:2030807; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:created_at 2020_08_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_27;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Babax Stealer Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument?chat_id="; distance:0; content:"&caption=%E2%98%A0%EF%B8%8F%20Brought%20you%20by%20Babax"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"|2e|logs|22 0d 0a|Content-Type|3a 20|application/x-ms-dos-executable|0d 0a 0d 0a|PK"; reference:md5,7413dfd6fc0eed1927e1d44c23b80571; reference:url,twitter.com/Pyhoma07/status/1279758745560584195; classtype:command-and-control; sid:2030805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Babax, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
@@ -39448,15 +39054,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Xn
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE GoldenSpy Domain Observed"; dns.query; content:"ningzhidata.com"; nocase; endswith; reference:url,trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf; classtype:trojan-activity; sid:2030803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^mail=[^\x25]+\x2540[^&]+&pass=[^&]+$/i"; classtype:credential-theft; sid:2026902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^mail=[^\x25]+\x2540[^&]+&pass=[^&]+$/i"; classtype:credential-theft; sid:2026902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; fast_pattern; distance:0; pcre:"/^a=[^\x25]+\x2540[^&]+&b=[^&]+/i"; classtype:credential-theft; sid:2026903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; fast_pattern; distance:0; pcre:"/^a=[^\x25]+\x2540[^&]+&b=[^&]+/i"; classtype:credential-theft; sid:2026903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&epass="; nocase; fast_pattern; distance:0; pcre:"/^email=[^\x25]+\x2540[^&]+&epass=[^&]+/i"; classtype:credential-theft; sid:2026905; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&epass="; nocase; fast_pattern; distance:0; pcre:"/^email=[^\x25]+\x2540[^&]+&epass=[^&]+/i"; classtype:credential-theft; sid:2026905; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious SSN Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&ssn="; nocase; classtype:trojan-activity; sid:2026908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious SSN Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&ssn="; nocase; classtype:trojan-activity; sid:2026908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious CVV Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&cvv="; nocase; classtype:trojan-activity; sid:2026909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious CVV Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&cvv="; nocase; classtype:trojan-activity; sid:2026909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?b9zd1="; fast_pattern; content:"&cid="; distance:0; content:"&sid="; distance:0; content:"&v_id="; distance:0; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026910; rev:2; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
@@ -39464,11 +39070,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC A
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sd/?c="; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&u="; distance:0; content:"&s="; distance:0; content:"&o="; distance:0; content:"&b="; distance:0; pcre:"/^\d{3,15}$/R"; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026913; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SFML User-Agent (libsfml-network) "; flow:established,to_server; http.user_agent; content:"libsfml-network/"; depth:16; fast_pattern; reference:url,github.com/SFML; classtype:trojan-activity; sid:2026914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SFML User-Agent (libsfml-network)"; flow:established,to_server; http.user_agent; content:"libsfml-network/"; depth:16; fast_pattern; reference:url,github.com/SFML; classtype:trojan-activity; sid:2026914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_08_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirectsX CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAAAAAAAAAA"; pcre:"/^\/(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.header; content:"X-MU-Session-ID|3a 20|"; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2026916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family DirectsX, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (LazarusGroup CnC)"; flow:from_server,established; tls.cert_serial; content:"01:90:17:98:AF:94:1C:5E"; classtype:command-and-control; sid:2026944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (LazarusGroup CnC)"; flow:from_server,established; tls.cert_serial; content:"01:90:17:98:AF:94:1C:5E"; classtype:domain-c2; sid:2026944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Lazarus, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hp.php?"; depth:8; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
 
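Review bot: The new side of sid:2026944 switches `classtype:command-and-control` to `classtype:domain-c2` (sid:2027101 in the hunk at L31446–L31461 makes the same switch), so the fixture now depends on `domain-c2` being defined in the classification.config the test loads. As far as I recall, Suricata 6 does not reject a rule with an unknown classtype but warns and assigns the default priority, so a parse-only test would pass while the signature silently loses its intended priority; worth confirming that the test's classification config (or the Suricata default one) lists `domain-c2`, and, if the test asserts on a warning count, that it still matches. Note also that upstream left `rev:2` unchanged despite the classtype change, so rev cannot be used to detect this edit when diffing rulesets.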
@@ -39494,8 +39100,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC L
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer Malicious Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/d1833/"; depth:7; fast_pattern; content:"/?software="; distance:0; content:"&title="; content:"&clickid="; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:trojan-activity; sid:2026986; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category TROJAN, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Agent.NZH CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"File not found.|0a 3c 21 2d 2d|"; within:30; fast_pattern; content:"-->";distance:0; classtype:command-and-control; sid:2026987; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Spy.RTM/Redaman IP Check"; flow: established, to_server; http.method; content:"GET"; http.uri; content:"/index_small.php"; fast_pattern; endswith; http.header; content:"Cache-Control|3a 20|no-cache"; depth:24; content:"Connection|3a 20|Close"; within:19; content:"Pragma|3a 20|no-cache"; within:18; content:"Accept|3a 20|text/html, application/xhtml+xml, */*"; within:47; content:"Accept-Language|3a 20|en-US"; within:24; content:"Host|3a 20|"; within:8; isdataat:!35,relative; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2027025; rev:3; metadata:created_at 2019_03_04, former_category TROJAN, updated_at 2020_08_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)"; flow:established,to_server; http.user_agent; content:"Clever Internet Suite"; classtype:trojan-activity; sid:2027045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_05, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
@@ -39506,13 +39110,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat User
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?images/"; pcre:"/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/i"; http.request_body; content:"XWebPageName=diag&diag"; depth:22; fast_pattern; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:2; metadata:attack_target IoT, created_at 2019_03_06, cve 2018_10561, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-03-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Eml="; depth:4; fast_pattern; content:"&Password="; distance:0; classtype:credential-theft; sid:2027046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-03-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Eml="; depth:4; fast_pattern; content:"&Password="; distance:0; classtype:credential-theft; sid:2027046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Mailbox Phish 2019-03-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"akoko="; depth:6; nocase; content:"|25|40"; distance:0; content:"&ekeji="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029670; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Mailbox Phish 2019-03-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"akoko="; depth:6; nocase; content:"|25|40"; distance:0; content:"&ekeji="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029670; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO [eSentire] Possible Kali Linux Updates"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"APT-HTTP|2f|"; http.host; content:"kali.org"; fast_pattern; pcre:"/^[a-z0-9.]+\.kali\.org/"; classtype:policy-violation; sid:2025627; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-03-11"; flow:established,to_server; http.method; content:"POST"; http.header; content:".php?userid="; fast_pattern; content:"@"; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2029671; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-03-11"; flow:established,to_server; http.method; content:"POST"; http.header; content:".php?userid="; fast_pattern; content:"@"; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2029671; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PirateBay Phish - Possibly PirateMatryoshka Related"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c|p|3e|In order to continue the install"; content:"enter your Piratebay user and pass below"; distance:0; content:"If u don't have an PirateBay"; distance:0; fast_pattern; reference:url,securelist.com/piratebay-malware/89740/; classtype:social-engineering; sid:2027081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category PHISHING, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_28;)
 
@@ -39520,11 +39124,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Aut
 
 alert http $HOME_NET any -> any any (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; threshold: type both, count 1, seconds 300, track by_src; http.header; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:14; metadata:created_at 2010_07_30, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt"; flow:established,to_server; http.accept; content:"../"; reference:url,github.com/mpgn/CVE-2019-5418; classtype:web-application-attack; sid:2027096; rev:3; metadata:attack_target Web_Server, created_at 2019_03_18, cve 2019_5418, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_08_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt"; flow:established,to_server; http.accept; content:"../"; reference:url,github.com/mpgn/CVE-2019-5418; classtype:web-application-attack; sid:2027096; rev:3; metadata:attack_target Web_Server, created_at 2019_03_19, cve 2019_5418, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_08_28;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZTE ZXV10 H108L Router Root RCE Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getpage.gch?pid="; depth:17; content:"&Host=|3b|"; distance:0; fast_pattern; content:"&DataBlockSize="; distance:0; reference:url,github.com/stasinopoulos/ZTExploit/blob/master/ZTExploit_Source/ztexploit.py; classtype:attempted-user; sid:2027098; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gootkit CnC)"; flow:from_server,established; content:"|82 1c|ws.diminishedvalueoregon.com"; tls.cert_serial; content:"0E:1F:E3:45:FC:89"; classtype:command-and-control; sid:2027101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family Gootkit, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gootkit CnC)"; flow:from_server,established; content:"|82 1c|ws.diminishedvalueoregon.com"; tls.cert_serial; content:"0E:1F:E3:45:FC:89"; classtype:domain-c2; sid:2027101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family Gootkit, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] -> $HOME_NET any (msg:"ET MALWARE Win32/Emotet CnC Checkin Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; depth:24; http.content_len; content:"132"; file.data; content:"|78 63 e0 c7 31 a5 dd f1 f4 55 30 e4 67 f7 ab f2 c6 68 a2 26|"; fast_pattern; reference:md5,129ed9c08c8ba6dc62d48ff2c3fc6a50; reference:md5,4ca520895d86beb6f8cab93639f26f50; classtype:command-and-control; sid:2035054; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Emotet, updated_at 2020_08_28;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027103; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
@@ -39538,9 +39144,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027107; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoinMiner Performing System Checkin"; flow:established,to_server; http.uri; content:"/ReportSpeed"; endswith; fast_pattern; http.request_body; content:"|2c 22|GpuDriver|22 3a 22|"; content:"|2c 22|OSName|22 3a 22|"; content:"|2c 22|DiskSpace|22 3a 22|"; reference:md5,0bdfccd5aab30f98e212abde79d923ef; classtype:coin-mining; sid:2030812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoinMiner Performing System Checkin"; flow:established,to_server; http.uri; content:"/ReportSpeed"; endswith; fast_pattern; http.request_body; content:"|2c 22|GpuDriver|22 3a 22|"; content:"|2c 22|OSName|22 3a 22|"; content:"|2c 22|DiskSpace|22 3a 22|"; reference:md5,0bdfccd5aab30f98e212abde79d923ef; classtype:coin-mining; sid:2030812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE C3Pool CoinMiner Setup Script Download"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"echo C3Pool mining setup script v%VERSION%."; depth:200; fast_pattern; reference:md5,57d01da1ecf73b6ac9564c180e1363c6; classtype:coin-mining; sid:2030813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_08_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE C3Pool CoinMiner Setup Script Download"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"echo C3Pool mining setup script v%VERSION%."; depth:200; fast_pattern; reference:md5,57d01da1ecf73b6ac9564c180e1363c6; classtype:coin-mining; sid:2030813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fedex Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>FedEx|20 7c 20|"; fast_pattern; classtype:social-engineering; sid:2030810; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_28;)
 
@@ -39578,6 +39184,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027127; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil PDF Retrieving Emotet Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?InvoiceType=Regular&date="; fast_pattern; pcre:"/\/[A-Za-z0-9]{2,8}[-_][a-zA-Z0-9-_]+\/\?InvoiceType=Regular&date=[0-9-_]+$/"; reference:md5,136dca58d0a0802c7abfce8dce4b7526; classtype:trojan-activity; sid:2035060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_28;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"csrss.exe"; content:"explorer.exe"; fast_pattern; content:"svchost.exe"; content:"lsass.exe"; classtype:trojan-activity; sid:2027117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Suspicious_POST_body, updated_at 2020_08_28;)
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Data Exfil SMTP"; flow:established,to_server; content:"Subject|3a 20|MassLogger|20 7c 20|"; fast_pattern; reference:md5,862b6b45307a816ac1e3321ec66b212d; classtype:command-and-control; sid:2030809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
@@ -39586,11 +39194,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper CnC In
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Flash Exploit Attempt"; flow:established,to_server; urilen:38; http.uri; content:"/?s="; depth:4; fast_pattern; pcre:"/^\/\?s=[a-f0-9]{32}[a-z]{2}$/"; http.header; content:"/?s="; content:"|0d 0a|"; distance:34; within:2; content:"x-flash-version|3a|"; http.referer; pcre:"/^http\:\/\/[^\r\n\x2f]+\/\?s=[a-f0-9]{32}[a-z]{2}$/i"; classtype:exploit-kit; sid:2027145; rev:3; metadata:affected_product Adobe_Flash, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Spelevo_EK, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\.[A-F0-9]{32}\//"; http.header; content:"Accept|3a 20|*/*"; depth:12; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b 20|Windows NT 6.1|3b|"; distance:0; content:"Host|3a 20|"; distance:0; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])/R"; content:"Connection|3a 20|close"; distance:0; content:"Content-Type|3a 20|multipart/form-data|3b| boundary="; distance:0; content:"Content-Length|3a 20|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; pcre:"/Content-Disposition\x3a\x20form-data\x3b\s*name=\x22(?:source|formdata|billinfo|cardinfo)\x22/m"; content:"=|22|billinfo|22|"; fast_pattern; classtype:trojan-activity; sid:2026738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_19, deployment Perimeter, former_category TROJAN, malware_family TrickBot, signature_severity Major, updated_at 2020_08_28;)
-
 alert http any any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2027153; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/BasBanke CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=NewClient"; depth:14; fast_pattern; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,79cf391a3ae2477cd804c68850dba80d; reference:url,securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/; classtype:command-and-control; sid:2027154; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_04_04, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BasBanke, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/BasBanke CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=NewClient"; depth:14; fast_pattern; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,79cf391a3ae2477cd804c68850dba80d; reference:url,securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/; classtype:command-and-control; sid:2027154; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_04_04, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BasBanke, tag Banker, updated_at 2020_08_28, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A Fake HTTP 500 Containing Encoded Commands Inbound"; flow:established,from_server; http.header; content:"charset=UTF-8"; http.response_line; content:"HTTP|2f|1.0|20|500|20|Internal|20|Server|20|Error"; file.data; content:"500|20|Internal|20|Server|20|Error|3c 21 2d 2d|"; fast_pattern; pcre:"/^[A-F0-9]+\x2d\x2d\x3e(?:\r\n)?$/R"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:trojan-activity; sid:2027156; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category TROJAN, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
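Review bot: In the new sid:2027154 line the added ATT&CK metadata pairs `mitre_tactic_name Command_And_Control` with `mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel`; in the ATT&CK matrices T1041 is catalogued under the Exfiltration tactic, so tactic and technique fields appear to disagree, and the `signature_severity` field present on the old side has been dropped. This is upstream Emerging Threats content mirrored into a parser fixture, so it should not be hand-corrected here, but any test or downstream tooling that validates `metadata` key consistency should not assume tactic/technique pairs agree or that every rule carries `signature_severity`.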
@@ -39602,17 +39208,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Req
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request with Double Cache-Control"; flow:established,to_server; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Cache-Control|3a 20|no-cache"; classtype:trojan-activity; sid:2027207; rev:2; metadata:created_at 2019_04_16, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING JS Obfuscation - Possible Phishing 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022578; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING JS Obfuscation - Possible Phishing 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022578; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"domainoutlet.site"; distance:0; nocase; fast_pattern; pcre:"/^CN=(?:help|g(?:ui(?:de|ld)|round))\.domainoutlet\.site$/"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"domainoutlet.site"; distance:0; nocase; fast_pattern; pcre:"/^CN=(?:help|g(?:ui(?:de|ld)|round))\.domainoutlet\.site$/"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drivethrough.top"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:jasper|qwe|alter|car|param|bike|genwar)\.)?drivethrough\.top$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drivethrough.top"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:jasper|qwe|alter|car|param|bike|genwar)\.)?drivethrough\.top$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drinkeatgood.space"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:justin|digest)\.)?drinkeatgood\.space$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drinkeatgood.space"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:justin|digest)\.)?drinkeatgood\.space$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Cobalt Strike payload"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:5; within:4; file.data; content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern; classtype:targeted-activity; sid:2024771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish Jan 14 2016"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; content:!"domain=.facebook.com|3b|"; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.nl)|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2025005; rev:15; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish Jan 14 2016"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; content:!"domain=.facebook.com|3b|"; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.nl)|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2025005; rev:15; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|IKEEXT"; content:"copy|20|wlbsctrl.dll"; content:"|5c|Windows|5c|System32|5c|wlbsctrl.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027232; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
 
@@ -39624,7 +39230,7 @@ alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hij
 
 alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|"; content:"copy|20|TSVIPSrv.dll"; content:"|5c|Windows|5c|System32|5c|TSVIPSrv.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027236; rev:3; metadata:created_at 2019_04_22, former_category ATTACK_RESPONSE, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ud="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pd="; nocase; fast_pattern; distance:0; pcre:"/^ud=[^&]*&pd=[^&]*/i"; classtype:credential-theft; sid:2026904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ud="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pd="; nocase; fast_pattern; distance:0; pcre:"/^ud=[^&]*&pd=[^&]*/i"; classtype:credential-theft; sid:2026904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|T|00|S|00|V|00|I|00|P|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027238; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
@@ -39636,8 +39242,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027278; rev:2; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ID="; content:"&GUID="; distance:0; content:"&MAC="; distance:0; content:"&OS=Win"; distance:0; content:"&BIT="; distance:0; content:"&CARD="; distance:0; fast_pattern; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Referer"; reference:md5,21e49843502325b063b4d52e8c297f79; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027147; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mac="; content:"&av="; distance:0; content:"&os="; distance:0; content:"&ver="; distance:0; content:"&bit="; distance:0; content:"bit&flag2="; distance:0; fast_pattern; content:"&domain="; distance:0; content:"&user="; distance:0; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027148; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2020_08_28;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?id="; content:"&mac="; distance:0; content:"&OS="; distance:0; content:"&BIT="; distance:0; content:"bit&IT="; distance:0; fast_pattern; content:"&VER="; distance:0; content:"&mpass="; distance:0; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Python, updated_at 2020_08_28;)
@@ -39646,7 +39250,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aria2 User-Ag
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megumin v2 Stealer User-Agent"; flow:established,to_server; http.user_agent; content:"Megumin/2."; depth:10; reference:md5,7310e691d1d32b18114b5f0a8105e082; classtype:trojan-activity; sid:2027293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Megumin, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2019-04-30 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"|25|40"; distance:0; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=1BEF0A57BE110FD467A"; fast_pattern; reference:md5,dd5e5142ba2ab5f31e5518396c45ba1f; classtype:trojan-activity; sid:2034813; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2020_08_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2019-04-30 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"|25|40"; distance:0; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"**ACE**"; offset:7; depth:7; fast_pattern; content:"|00|"; distance:0; pcre:"/^(?:(\S\:\\){2,}|\S\:\\\S\:\S\:|S\:\\\\\\([0-9]{1,3}\.){3}[0-9]{1,3}|\S\:\\\\\\([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/R"; classtype:attempted-admin; sid:2027310; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_05_01, cve 2018_20250, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, tag WinRAR, tag ACE, updated_at 2020_08_28;)
 
@@ -39666,13 +39272,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible JS Cr
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScript"; distance:0; content:"|40|ASTTest"; distance:0; content:"Runtime|2e|getRuntime|28 29 2e|exec|28 22|"; distance:0; content:"|22 29 7d 29 0a|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027350; rev:3; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"aptgetgxqs3secda";depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027351; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2020_08_28;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"rapid7cpfqnwxodo";depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027352; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2020_08_28;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq Executing New Processes"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; http.request_body; content:"<?xml"; depth:5; content:"<Message>X1|20|is|20|running|20|in|20|PC"; distance:0; fast_pattern; content:"<|2f|Message>"; distance:0; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:trojan-activity; sid:2027354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_13, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Interac Phish 2019-05-15"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029674; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Interac Phish 2019-05-15"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029674; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/JNAP/"; depth:6; http.header; content:"X-JNAP-Action|3a 20|http|3a 2f 2f|"; fast_pattern; pcre:"/^(?:www\.)?(cisco|linksys)\.com\/jnap\//Ri"; http.request_body; content:"|7b 7d|"; depth:2; reference:url,raw.githubusercontent.com/zeropwn/Linksys-Smart-WiFi-Information-Disclosure/master/nss.py; classtype:attempted-recon; sid:2027357; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
@@ -39680,21 +39282,21 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.co
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTA.BabyShark Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/expres.php?op="; fast_pattern; pcre:"/^\d/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.referer; content:".hta"; reference:md5,94b60cf91e550e1d981aaf9962d52e18; classtype:command-and-control; sid:2027365; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family BabyShark, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; flowbits:set,min.gethttp; flowbits:noalert; http.method; content:"GET"; http.header_names; content:!"Accept"; content:!"If-"; content:!"Referer"; content:!"User-Agent"; content:!"Content"; classtype:bad-unknown; sid:2016537; rev:4; metadata:created_at 2013_03_05, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; flowbits:set,min.gethttp; flowbits:noalert; http.method; content:"GET"; http.header_names; content:!"Accept"; content:!"If-"; content:!"Referer"; content:!"User-Agent"; content:!"Content"; classtype:bad-unknown; sid:2016537; rev:4; metadata:created_at 2013_03_06, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; depth:4; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_21, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; depth:4; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; flowbits:set,FakeIEMinimal; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019344; rev:7; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2020_08_28;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Vobfus Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f|"; offset:2; depth:20; pcre:"/^\/[a-zA-Z0-9]{1,19}\/?\?[abdefijhgv\x22](?:\x7C\x2d?\d+?[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14})?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.host; content:!"www.pinterest.com"; http.header_names; content:!"Accept-Language"; content:!"Referer"; reference:md5,3ed744b12a77359576af10a265154081; reference:md5,a2049adc2834d797b37f45382608f2b4; classtype:command-and-control; sid:2018958; rev:20; metadata:created_at 2013_03_25, former_category MALWARE, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:2<>5; flowbits:set,ET.Onelouder.bin; flowbits:noalert; http.method; content:"GET"; http.uri; pcre:"/^\/(?P<n>\d)(?P=n){1,2}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-Language"; classtype:trojan-activity; sid:2018981; rev:6; metadata:created_at 2014_08_21, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:2<>5; flowbits:set,ET.Onelouder.bin; flowbits:noalert; http.method; content:"GET"; http.uri; pcre:"/^\/(?P<n>\d)(?P=n){1,2}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-Language"; classtype:trojan-activity; sid:2018981; rev:6; metadata:created_at 2014_08_22, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:1<>7; flowbits:set,ET.OneLouderHeader; flowbits:noalert; http.uri; pcre:"/\/\d+$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-Language"; content:!"Referer"; classtype:trojan-activity; sid:2018983; rev:9; metadata:created_at 2014_08_21, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:1<>7; flowbits:set,ET.OneLouderHeader; flowbits:noalert; http.uri; pcre:"/\/\d+$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-Language"; content:!"Referer"; classtype:trojan-activity; sid:2018983; rev:9; metadata:created_at 2014_08_22, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Geodo Checkin"; flow:established,to_server; urilen:16<>20; http.method; content:"POST"; http.uri; content:"/"; offset:8; depth:2; content:"/"; offset:16; depth:3; pcre:"/^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,fa50062b7763487b3dd6f9ed0a2f3549; reference:url,pastebin.com/qnLmpKuQ; classtype:command-and-control; sid:2018496; rev:11; metadata:created_at 2014_05_21, former_category MALWARE, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Geodo Checkin"; flow:established,to_server; urilen:16<>20; http.method; content:"POST"; http.uri; content:"/"; offset:8; depth:2; content:"/"; offset:16; depth:3; pcre:"/^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,fa50062b7763487b3dd6f9ed0a2f3549; reference:url,pastebin.com/qnLmpKuQ; classtype:command-and-control; sid:2018496; rev:11; metadata:created_at 2014_05_22, former_category MALWARE, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; http.method; content:"post"; nocase; fast_pattern; content:!"POST"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:6; metadata:created_at 2012_03_14, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; http.method; content:"post"; nocase; fast_pattern; content:!"POST"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:6; metadata:created_at 2012_03_15, updated_at 2020_08_31;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:"<u|3a|GetSecurityKeys|20|"; fast_pattern; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027375; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2019_05_23, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
@@ -39706,21 +39308,19 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificat
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS ShellWindows/AddInProcess Win10 DeviceGuardBypass Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|9BA05972-F6A8-11CF-A442-00A0C90A8F39|7d|"; nocase; fast_pattern; content:"AddInProcess"; content:"|2f|guid|3a|"; distance:0; content:"|2f|pid|3a|"; distance:0; content:"Windows|5c 5c|Microsoft.Net|5c 5c|"; distance:0; classtype:trojan-activity; sid:2027378; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag DeviceGuard, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Cache-Control"; content:!"Pragma"; content:!"Referer"; content:!"User-Agent"; http.start; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:command-and-control; sid:2023083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Cache-Control"; content:!"Pragma"; content:!"Referer"; content:!"User-Agent"; http.start; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:command-and-control; sid:2023083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ProtonBot User-Agent"; flow:established,to_server; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027384; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category TROJAN, malware_family ProtonBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.Fedex_DHL_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2026529; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/i"; reference:md5,41c33fdb9a95353a3b109393543f90dd; classtype:command-and-control; sid:2016223; rev:12; metadata:created_at 2012_03_29, former_category MALWARE, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.Fedex_DHL_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2026529; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 25 40 20|Page|20|Language=|22|Jscript|22 25 3e 3c 25|eval|28|"; fast_pattern; content:"FromBase64String"; distance:0; nocase; content:"|25 3e|"; distance:0; classtype:trojan-activity; sid:2027393; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_05_29, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Internet Connectivity Check via Network GUID Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|GetTypeFromCLSID"; nocase; content:"|5b|Guid|5d 27 7b|DCB00C01-570F-4A9B-8D69-199FDBA5723B|7d 27 29 29|.IsConnectedToInternet"; distance:0; nocase; fast_pattern; reference:md5,036180b14dce975a055e62902e5f3567; classtype:trojan-activity; sid:2027394; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin Post"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; classtype:command-and-control; sid:2017948; rev:4; metadata:created_at 2014_01_09, former_category MALWARE, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin"; flow:established,to_server; http.header; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a[03478]+/mi"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.start; content:"POST / HTTP/1.1|0d 0a|User-Agent|3a 20|"; depth:29; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035047; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_24, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WIN32/KOVTER.B Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.host; content:!".foxitservice.com"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:50; fast_pattern; content:!"Referer"; content:!"Accept"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:command-and-control; sid:2020181; rev:10; metadata:created_at 2015_01_14, former_category MALWARE, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin Post"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; classtype:command-and-control; sid:2017948; rev:4; metadata:created_at 2014_01_10, former_category MALWARE, updated_at 2020_08_31;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ECSHOP user.php SQL INJECTION via Referer"; flow:established,to_server; http.uri; content:"/user.php"; http.referer; content:"SELECT"; nocase; content:"UNION"; nocase; content:",4,5,6,7,8,0x"; fast_pattern; reference:url,github.com/theLSA/ecshop-getshell; reference:url,github.com/Hzllaga/EcShop_RCE_Scanner/; reference:url,xz.aliyun.com/t/2689?from=groupmessage; classtype:web-application-attack; sid:2027416; rev:2; metadata:attack_target Web_Server, created_at 2019_05_31, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
@@ -39730,7 +39330,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG-P Variant
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG-P Variant CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jpg"; pcre:"/_[A-F0-9]{12}&filename=\w{1,20}\.jpg$/i"; http.request_body; content:"|00 3a 00 7c 00|d|00|i|00|s|00|k|00|"; depth:15; fast_pattern; reference:url,speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt; classtype:command-and-control; sid:2027432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_04, deployment Perimeter, former_category MALWARE, malware_family ICEFOG_P, performance_impact Low, signature_severity Major, tag APT, tag IceFog, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-06-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&CcNumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv"; nocase; classtype:credential-theft; sid:2029675; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-06-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&CcNumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv"; nocase; classtype:credential-theft; sid:2029675; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PLATINUM Steganographic HTTP Response Page Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21|--1234567890--"; fast_pattern; content:"|3c|td|20|bgcolor=|22|"; distance:0; content:"|3c|td|20|align=|22|"; distance:0; content:"|20 20 20 20 09|"; distance:0; content:"|20 20 20 20|"; distance:0; content:"--1234567890--|3e|"; distance:0; reference:url,securelist.com/platinum-is-back/91135/; classtype:trojan-activity; sid:2027434; rev:3; metadata:created_at 2019_06_05, former_category TROJAN, malware_family PLATINUM, tag T1001, tag data_obfuscation, tag T1140, tag deobfuscate_decode_payload, updated_at 2020_08_31;)
 
@@ -39740,15 +39340,17 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WSHRAT Keylogger
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WSHRAT Credential Dump Module Download Command Inbound"; flow:established,from_server; flowbits:isset,ET.WSHRAT.1; http.stat_code; content:"200"; file.data; content:"get-pass-offline|7c|"; depth:17; fast_pattern; classtype:trojan-activity; sid:2027449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"BURAN"; fast_pattern; bsize:5; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027446; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family Buran, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"BURAN"; fast_pattern; bsize:5; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027446; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Encoded Wide PowerShell (IEX) in Certificate Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"-----BEGIN|20|CERTIFICATE-----|0d 0a|YVFCb"; depth:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/; classtype:trojan-activity; sid:2027462; rev:2; metadata:created_at 2019_06_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-14"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; pcre:"/^uname=[^&]+&psw=/i"; classtype:credential-theft; sid:2031869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad"; flow:established,to_server; http.uri; content:"/gate.php"; nocase; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category TROJAN, malware_family Zeus, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Encoded Wide PowerShell (IEX) in Certificate Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"-----BEGIN|20|CERTIFICATE-----|0d 0a|YVFCb"; depth:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/; classtype:trojan-activity; sid:2027462; rev:2; metadata:created_at 2019_06_12, cve CVE_2019_2725, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"BF:98:15:9B:69:48:D8:F8"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Request to gate.php Dotted-Quad"; flow:established,to_server; http.uri; content:"/gate.php"; nocase; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"9F:E8:45:03:13:A0:52:D7"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"BF:98:15:9B:69:48:D8:F8"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:domain-c2; sid:2027463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"9F:E8:45:03:13:A0:52:D7"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:domain-c2; sid:2027464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vools Variant CnC Checkin"; flow:established,to_server; http.uri; content:".html?mac="; fast_pattern; content:"&ip="; distance:0; content:"&host="; distance:0; content:"&tick="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/; classtype:command-and-control; sid:2027470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family Vools, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
@@ -39770,91 +39372,91 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PowerShe
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Observed FxCodeShell Web Shell Password"; flow:established,to_server; http.request_body; content:"FxxkMyLie1836710Aa"; classtype:trojan-activity; sid:2027514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category WEB_SERVER, malware_family FxCodeShell, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned EWE Telecom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login-tk.ewe.de/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned EWE Telecom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login-tk.ewe.de/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned La Banque Postale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://voscomptesenligne.labanquepostale.fr/"; distance:4; within:46; fast_pattern; classtype:social-engineering; sid:2027520; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned La Banque Postale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://voscomptesenligne.labanquepostale.fr/"; distance:4; within:46; fast_pattern; classtype:social-engineering; sid:2027520; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ATB Bank Online Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.atbonline.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027521; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ATB Bank Online Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.atbonline.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027521; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned RBC Royal Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www1.royalbank.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027522; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned RBC Royal Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www1.royalbank.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027522; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibc.mobi/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027523; rev:2; metadata:created_at 2019_06_26, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibc.mobi/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027523; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://ib.absa.co.za/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://ib.absa.co.za/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027525; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027525; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://instagram.com/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://instagram.com/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Spotify Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.spotify.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Spotify Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.spotify.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ADP Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://runpayroll.adp.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ADP Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://runpayroll.adp.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Westpac Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://bank.westpac.co.nz/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Westpac Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://bank.westpac.co.nz/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Simplii Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://mobile.simplii.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027530; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Simplii Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://mobile.simplii.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027530; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibconline.cibc.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027531; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibconline.cibc.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027531; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Chase Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure05c.chase.com/"; distance:4; within:29; fast_pattern; classtype:social-engineering; sid:2027532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Chase Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure05c.chase.com/"; distance:4; within:29; fast_pattern; classtype:social-engineering; sid:2027532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Scotiabank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.scotiaonline.scotiabank.com/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027533; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Scotiabank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.scotiaonline.scotiabank.com/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027533; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cox.com/"; distance:4; within:21; fast_pattern; classtype:social-engineering; sid:2027534; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cox.com/"; distance:4; within:21; fast_pattern; classtype:social-engineering; sid:2027534; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://idm.xfinity.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027536; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://idm.xfinity.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027536; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telstra Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.my.telstra.com.au/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027537; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telstra Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.my.telstra.com.au/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027537; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.xfinity.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027538; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.xfinity.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027538; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Itscom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://webmail.itscom.net/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027539; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Itscom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://webmail.itscom.net/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027539; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://staticweb.bankofamerica.com/"; distance:4; within:37; fast_pattern; classtype:social-engineering; sid:2027540; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://staticweb.bankofamerica.com/"; distance:4; within:37; fast_pattern; classtype:social-engineering; sid:2027540; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.bankofamerica.com/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.bankofamerica.com/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure.bankofamerica.com/"; distance:4; within:34; fast_pattern; classtype:social-engineering; sid:2027542; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure.bankofamerica.com/"; distance:4; within:34; fast_pattern; classtype:social-engineering; sid:2027542; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Microsoft Office Apps Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://odc.officeapps.live.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027543; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Microsoft Office Apps Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://odc.officeapps.live.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027543; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://accounts.login.idm.telekom.com/"; distance:4; within:40; fast_pattern; classtype:social-engineering; sid:2027544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://accounts.login.idm.telekom.com/"; distance:4; within:40; fast_pattern; classtype:social-engineering; sid:2027544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Fidelity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.fidelity.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Fidelity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.fidelity.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Societe Generale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://particuliers.societegenerale.fr/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027546; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Societe Generale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://particuliers.societegenerale.fr/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027546; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Impots Gouv FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from cfspart.impots.gouv.fr"; within:500; classtype:social-engineering; sid:2027547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Impots Gouv FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from cfspart.impots.gouv.fr"; within:500; classtype:social-engineering; sid:2027547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Godaddy Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from sso.godaddy.com"; within:500; classtype:social-engineering; sid:2027548; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Godaddy Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from sso.godaddy.com"; within:500; classtype:social-engineering; sid:2027548; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Dropbox Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.dropbox.com"; within:500; classtype:social-engineering; sid:2027549; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Dropbox Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.dropbox.com"; within:500; classtype:social-engineering; sid:2027549; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned American Express Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from online.americanexpress.com"; within:500; classtype:social-engineering; sid:2027550; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned American Express Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from online.americanexpress.com"; within:500; classtype:social-engineering; sid:2027550; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.absa.co.za"; within:500; classtype:social-engineering; sid:2027551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.absa.co.za"; within:500; classtype:social-engineering; sid:2027551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Match Dating Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from secure.match.com"; within:500; classtype:social-engineering; sid:2027552; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Match Dating Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from secure.match.com"; within:500; classtype:social-engineering; sid:2027552; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from accounts.login.idm.telekom.com"; within:500; classtype:social-engineering; sid:2027553; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from accounts.login.idm.telekom.com"; within:500; classtype:social-engineering; sid:2027553; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned South State Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.southstatebank.com"; within:500; classtype:social-engineering; sid:2027554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned South State Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.southstatebank.com"; within:500; classtype:social-engineering; sid:2027554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Google Tools Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from tools.google.com"; within:500; classtype:social-engineering; sid:2027555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Google Tools Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from tools.google.com"; within:500; classtype:social-engineering; sid:2027555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Yahoo Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from login.yahoo.com"; within:500; classtype:social-engineering; sid:2027556; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Yahoo Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from login.yahoo.com"; within:500; classtype:social-engineering; sid:2027556; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Discover Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from card.discover.com"; within:500; classtype:social-engineering; sid:2027557; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Discover Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from card.discover.com"; within:500; classtype:social-engineering; sid:2027557; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Linkedin Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.linkedin.com"; within:500; classtype:social-engineering; sid:2027558; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Linkedin Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.linkedin.com"; within:500; classtype:social-engineering; sid:2027558; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned NAB Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.nab.com.au"; within:500; classtype:social-engineering; sid:2027559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned NAB Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.nab.com.au"; within:500; classtype:social-engineering; sid:2027559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Ziggo NL Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.ziggo.nl"; within:500; classtype:social-engineering; sid:2027560; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Ziggo NL Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.ziggo.nl"; within:500; classtype:social-engineering; sid:2027560; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Goth Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 47 4f 54 48 20 42 4f 59 20 43 4c 49 51 55 45 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 2d 2d 3e|"; classtype:social-engineering; sid:2027563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Zeus365 Encoding"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 68 74 6d 6c 20 65 6e 63 72 79 70 74 69 6f 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 7a 65 75 73 33 36 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2027562; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Zeus365 Encoding"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 68 74 6d 6c 20 65 6e 63 72 79 70 74 69 6f 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 7a 65 75 73 33 36 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2027562; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/struts2"; http.content_type; content:"|25 7b 28 23|"; isdataat:500,relative; content:"cmd.exe"; fast_pattern; content:"@java.lang.System@getProperty(|27|os.name|27|)"; reference:cve,2017-9805; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027516; rev:2; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
@@ -39864,20 +39466,24 @@ alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ThinkPHP Attempted Bypass a
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING SSL/TLS Certificate Observed (Lucy Phishing Awareness Default Certificate)"; flow:established,to_client; tls.cert_issuer; content:"C=CH, ST=Thalwil, L=Thalwil, O=LUCY Phishing GmbH, OU=LUCY Phishing GmbH"; reference:url,cdn.riskiq.com/wp-content/uploads/2019/06/Gift-Cardsharks-Intelligence-Report-2019-RiskIQ.pdf; reference:url,lucysecurity.com; classtype:misc-activity; sid:2027621; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful France Ministry of Action and Public Accounts Phish 2019-07-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"rfr="; nocase; content:"&teledec="; nocase; fast_pattern; content:"&spi="; nocase; content:"&AK09="; nocase; classtype:credential-theft; sid:2027679; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful France Ministry of Action and Public Accounts Phish 2019-07-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"rfr="; nocase; content:"&teledec="; nocase; fast_pattern; content:"&spi="; nocase; content:"&AK09="; nocase; classtype:credential-theft; sid:2027679; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING France Ministry of Action and Public Accounts Phish Landing"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"cardcc|27 29|.mask|28 20 22|9999"; fast_pattern; content:"<title>Remboursement<|2f|title>"; distance:0; content:"id=|22|impotsgouv|22|"; distance:0; classtype:social-engineering; sid:2027680; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING France Ministry of Action and Public Accounts Phish Landing"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"cardcc|27 29|.mask|28 20 22|9999"; fast_pattern; content:"<title>Remboursement<|2f|title>"; distance:0; content:"id=|22|impotsgouv|22|"; distance:0; classtype:social-engineering; sid:2027680; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Command Output to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=res&R="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Command Output to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=res&R="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Registering with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=reg&UU="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Tok="; content:"&newsUID="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-07-09"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&epass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA/TrojanDownloader.Agent.PAC Retreiving Malicious VBScript"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/open?id="; fast_pattern; depth:9; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,7489fb981cd054c665e442dfea8ef203; reference:url,blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html; classtype:trojan-activity; sid:2027697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.VBScript Requesting Instruction from CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/open?topics=s9"; fast_pattern; depth:15; pcre:"/^[0-9]{3}$/R"; http.header_names; content:!"Referer"; reference:md5,7489fb981cd054c665e442dfea8ef203; reference:url,blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html; classtype:command-and-control; sid:2027698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"%DESKTOP%|5c 3b|*.txt|3a|*.dat|3a|*wallet*.*|3a|*2fa*.*|3a|*backup*.*|3a|*code*.*|3a|*password*.*|3a|*auth*.*|3a|*google*.*|3a|*utc*.*|3a|*UTC*.*|3a|*crypt*.*|3a|*key*.*|3b|"; fast_pattern; classtype:trojan-activity; sid:2035911; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Megumin, updated_at 2020_08_31;)
+
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|cp_appbooking_pform_process|22|"; fast_pattern; content:"form-data|3b 20|name=|22|email_1|22 0d 0a 0d 0a 3c|script|3e|"; distance:0; reference:cve,CVE-2019-13505; reference:url,github.com/ivoschyk-cs/CVE-s/blob/master/Appointment%20Hour%20Booking%20%E2%80%93%20WordPress%20Booking%20Plugin%20--%20stored%20XSS; classtype:web-application-attack; sid:2027706; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2019_07_12, deployment Internet, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=srv75"; tls.cert_issuer; content:"CN=srv75"; tls.cert_serial; content:"00:D2:68:75:C1:88:0D:92:50"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
@@ -39900,7 +39506,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Proyecto RAT Vari
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proyecto RAT Variant - Yopmail Login attempt (set)"; flow:established,to_server; flowbits:set,ET.Proyecto.YopmailLogin; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/es/inbox.php?login="; content:"&p="; content:"&d=&ctrl=&scrl=&spam=true&yf="; distance:1; within:29; fast_pattern; http.host; content:"www.yopmail.com"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,295d31fd532ed0257149b191146b5236; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:trojan-activity; sid:2027734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA"; flow:to_server,established; http.user_agent; content:"|3c 7c 3e|"; fast_pattern; content:"|3c 7c 3e|"; distance:0; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017994; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2014_01_21, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA"; flow:to_server,established; http.user_agent; content:"|3c 7c 3e|"; fast_pattern; content:"|3c 7c 3e|"; distance:0; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017994; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ketrican CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx?a1="; fast_pattern; pcre:"/^[a-f0-9]{8}$/R"; http.request_body; content:"AA"; depth:2; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.content_len; content:"88"; reference:url,www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf; reference:md5,e46d8f510c09f09e2e6b958b84190d8b; reference:md5,03a2f5ea0cea83e77770a4018c4469ab; classtype:command-and-control; sid:2027728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ketrican, updated_at 2020_08_31;)
 
@@ -39908,7 +39514,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebS
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell JPEG Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027737; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LooCipher Ransomware Onion Domain"; dns.query; content:"hcwyo5rfapkytajg"; nocase; depth:16; reference:md5,0c7e59536a7be4a446bbe8b4f22e5880; classtype:trojan-activity; sid:2027754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag LooCipher, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LooCipher Ransomware Onion Domain"; dns.query; content:"hcwyo5rfapkytajg"; nocase; depth:16; reference:md5,0c7e59536a7be4a446bbe8b4f22e5880; classtype:trojan-activity; sid:2027754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, tag LooCipher, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeamBot CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?gate&hwid="; content:"&id="; content:"&pwd="; content:"&info="; content:"|7b 22|os|22 3a 22|"; distance:0; content:"Windows"; within:50; content:"comment|22 3a 22|hTV_bot_[v"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,99d4feab94f7cda70110a1dc98f470d3; classtype:command-and-control; sid:2026851; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, malware_family TeamBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
@@ -39926,9 +39532,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated Lo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<head>|0d 0a|<|2f|head>|0d 0a|<body>|0d 0a 20 20 20 20|<script>|0d 0a|var|20|"; depth:60; fast_pattern; pcre:"/^(?P<vars>[a-z0-9]{1,20})\s*=\s*new\s*Array\x3b\r\n(?:(?P=vars)\[\d{1,3}\]\s*=\s*\d{4,12}\x3b\r\n){5,40}/Ri"; content:"String.fromCharCode|28|"; nocase; content:"document.write|28|"; nocase; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:exploit-kit; sid:2027787; rev:3; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework Default HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; content:"|0d 0a 0d 0a|i="; fast_pattern; http.method; content:"POST"; http.uri; content:"/en-us/"; depth:7; http.request_body; content:"i="; depth:2; content:"&data="; distance:0; content:"&session="; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027792; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework Default HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; content:"|0d 0a 0d 0a|i="; fast_pattern; http.method; content:"POST"; http.uri; content:"/en-us/"; depth:7; http.request_body; content:"i="; depth:2; content:"&data="; distance:0; content:"&session="; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027792; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.request_body; content:"=eyJHVUlEIjoi"; fast_pattern; pcre:"/^.+(IlR5cGUiO|JUeXBlIj|iVHlwZSI6)/R"; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.request_body; content:"=eyJHVUlEIjoi"; fast_pattern; pcre:"/^.+(IlR5cGUiO|JUeXBlIj|iVHlwZSI6)/R"; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:!"SlimBrowser"; http.host; content:!".taobao.com"; content:!".dict.cn"; content:!".avg.com"; content:!".weather.hao.360.cn"; content:!"es.f.360.cn"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; fast_pattern; classtype:trojan-activity; sid:2012612; rev:18; metadata:created_at 2011_03_31, former_category TROJAN, updated_at 2020_08_31;)
 
@@ -39940,9 +39546,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OceanLotus System
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT XHR POST Request - Possible Form Grabber Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"info="; depth:5; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&hostname="; distance:0; fast_pattern; content:"&key="; distance:0; http.content_type; content:"application|2f|x-www-form-urlencoded"; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027818; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_31, deployment Perimeter, signature_severity Major, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_31, deployment Perimeter, signature_severity Critical, updated_at 2020_08_31;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Caixa Phishing Landing"; flow:established,to_client; file.data; content:"<title>int_e_r-n___et___B_aNking---- :::____CAIXA"; nocase; fast_pattern; classtype:social-engineering; sid:2030817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
 
@@ -39954,6 +39560,8 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT Related - BLA
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"SBM1cr0Soft"; fast_pattern; reference:url,content.fireeye.com/apt-41/rpt-apt41; classtype:targeted-activity; sid:2027859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category MALWARE, malware_family BLACKCOFFEE, updated_at 2020_08_31;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Uri Structure 2015-12-29"; flow:to_server,established; http.uri; content:".php?cmd=_"; nocase; fast_pattern; content:"account_limited="; distance:0; nocase; content:"&session="; nocase; distance:0; pcre:"/=[a-f0-9]{32}&session=[a-f0-9]{40}$/i"; classtype:social-engineering; sid:2031861; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_31;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; threshold:type limit, track by_src, count 2, seconds 360; http.user_agent; content:"Microsoft Internet Explorer"; depth:28; http.host; content:!"bbc.co.uk"; content:!"vmware.com"; content:!"rc.itsupport247.net"; content:!"msn.com"; content:!"msn.es"; content:!"live.com"; content:!"gocyberlink.com"; content:!"ultraedit.com"; content:!"windowsupdate.com"; content:!"cyberlink.com"; content:!"lenovo.com"; content:!"itsupport247.net"; content:!"msn.co.uk"; content:!"support.weixin.qq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:37; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_08_31;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Pre-Auth Messages Payload Buffer Overflow (CVE-2018-13381)"; flow:established,to_server; http.request_body; content:"&msg=%26%23%3c"; fast_pattern; nocase; pcre:"/(?:\%3C){1000}/Ri"; http.start; content:"POST /message HTTP/1.1"; reference:cve,CVE-2018-13381; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027884; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
@@ -40018,7 +39626,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus S
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity"; flow: established,to_server; http.uri; content:"/Bundling/SskUpdater"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:pup-activity; sid:2001731; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (UCmore) "; flow: to_server,established; http.user_agent; content:"|20|UCmore"; reference:url,doc.emergingthreats.net/2001736; classtype:pup-activity; sid:2001736; rev:273; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (UCmore)"; flow: to_server,established; http.user_agent; content:"|20|UCmore"; reference:url,doc.emergingthreats.net/2001736; classtype:pup-activity; sid:2001736; rev:273; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; http.user_agent; content:"HelperH"; reference:url,doc.emergingthreats.net/2001746; classtype:pup-activity; sid:2001746; rev:37; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
@@ -40038,7 +39646,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; http.user_agent; content:"IEP"; depth:3; reference:url,doc.emergingthreats.net/2002021; classtype:pup-activity; sid:2002021; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopathomeselect.com Spyware User-Agent (WebDownloader)"; flow: to_server,established; http.user_agent; content:"WebDownloader"; reference:url,doc.emergingthreats.net/2002038; classtype:pup-activity; sid:2002038; rev:251; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopathomeselect .com Spyware User-Agent (WebDownloader)"; flow: to_server,established; http.user_agent; content:"WebDownloader"; reference:url,doc.emergingthreats.net/2002038; classtype:pup-activity; sid:2002038; rev:251; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; http.uri; content:"/protector.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:pup-activity; sid:2002092; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40126,7 +39734,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZCOM Adware/Sp
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; http.user_agent; content:"iWin|20|"; depth:5; reference:url,doc.emergingthreats.net/2008558; classtype:pup-activity; sid:2008558; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ezday.co.kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; http.user_agent; content:"Ezshop"; reference:url,doc.emergingthreats.net/2008594; classtype:pup-activity; sid:2008594; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ezday.co .kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; http.user_agent; content:"Ezshop"; reference:url,doc.emergingthreats.net/2008594; classtype:pup-activity; sid:2008594; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; nocase; content:"action=stat&wmid="; nocase; content:"&event="; nocase; content:"&uid="; nocase; content:"&i1"; nocase; content:"&i2"; nocase; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:pup-activity; sid:2008732; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40138,7 +39746,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Simbar Spyware
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AgavaDwnl) - Possibly Xema"; flow:established,to_server; http.user_agent; content:"AgavaDwnl"; reference:url,doc.emergingthreats.net/2009445; classtype:pup-activity; sid:2009445; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader Checkin - Downloads Rogue Adware "; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"AreaID="; nocase; content:"MediaID="; nocase; content:"AdNo="; nocase; content:"OriginalityID="; nocase; content:"Url"; nocase; content:"Mac="; nocase; content:"Version="; nocase; content:"ValidateCode="; nocase; content:"ParentName="; nocase; reference:url,doc.emergingthreats.net/2009526; classtype:pup-activity; sid:2009526; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader Checkin - Downloads Rogue Adware"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"AreaID="; nocase; content:"MediaID="; nocase; content:"AdNo="; nocase; content:"OriginalityID="; nocase; content:"Url"; nocase; content:"Mac="; nocase; content:"Version="; nocase; content:"ValidateCode="; nocase; content:"ParentName="; nocase; reference:url,doc.emergingthreats.net/2009526; classtype:pup-activity; sid:2009526; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (_TEST_)"; flow: to_server,established; http.user_agent; content:"_TEST_"; nocase; reference:url,doc.emergingthreats.net/2009545; classtype:unknown; sid:2009545; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40164,13 +39772,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (br
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; fast_pattern; bsize:46; classtype:pup-activity; sid:2011283; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ASKTOOLBAR.DLL Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/toolbarv/askBarCfg?"; nocase; content:"v="; nocase; content:"e="; nocase; reference:url,threatexpert.com/report.aspx?md5=3f6413475b1466964498c8450de4062f; classtype:pup-activity; sid:2012000; rev:5; metadata:created_at 2010_12_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ASKTOOLBAR.DLL Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/toolbarv/askBarCfg?"; nocase; content:"v="; nocase; content:"e="; nocase; reference:md5,3f6413475b1466964498c8450de4062f; classtype:pup-activity; sid:2012000; rev:5; metadata:created_at 2010_12_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AdVantage)"; flow:established,to_server; http.user_agent; content:"AdVantage"; startswith; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:pup-activity; sid:2012104; rev:6; metadata:created_at 2010_12_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdVantage Malware URL Infection Report"; flow:established,to_server; http.uri; content:"cfg_ver="; nocase; content:"hwd="; nocase; content:"campaign="; nocase; content:"ver="; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:pup-activity; sid:2012105; rev:5; metadata:created_at 2010_12_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; classtype:pup-activity; sid:2012298; rev:5; metadata:created_at 2011_02_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; classtype:pup-activity; sid:2012298; rev:5; metadata:created_at 2011_02_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"mozilla/2.0"; depth:11; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:pup-activity; sid:2012642; rev:9; metadata:created_at 2011_04_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40180,7 +39788,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP overtls.com ad
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible FakeAV Binary Download"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"antiv"; fast_pattern; nocase; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/i"; classtype:pup-activity; sid:2012753; rev:8; metadata:created_at 2011_04_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; http.uri; content:"php?type=stats&affid="; content:"&subid="; content:"&version="; content:"&adwareok"; reference:url,www.threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; classtype:pup-activity; sid:2013149; rev:4; metadata:created_at 2011_06_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; http.uri; content:"php?type=stats&affid="; content:"&subid="; content:"&version="; content:"&adwareok"; reference:md5,8d1b47452307259f1e191e16ed23cd35; classtype:pup-activity; sid:2013149; rev:4; metadata:created_at 2011_06_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidetab or Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/install.asp?"; content:"version="; content:"&id="; content:"&mac="; http.header; content:".co.kr|0d 0a|"; classtype:pup-activity; sid:2013182; rev:3; metadata:created_at 2011_07_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40190,9 +39798,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SweetIM Instal
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; http.user_agent; content:"MM|20|"; startswith; pcre:"/^MM \d\.\d+$/"; classtype:pup-activity; sid:2013388; rev:6; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (go-diva)"; flow:to_server,established; http.user_agent; content:"go-diva"; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:pup-activity; sid:2013452; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (go-diva)"; flow:to_server,established; http.user_agent; content:"go-diva"; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:pup-activity; sid:2013452; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 1"; flow:established,to_server; http.uri; content:"?gname="; content:"&pid="; content:"&m="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; reference:url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9; classtype:pup-activity; sid:2013556; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 1"; flow:established,to_server; http.uri; content:"?gname="; content:"&pid="; content:"&m="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; reference:md5,81a119f7f47663c03053e76146f54fe9; classtype:pup-activity; sid:2013556; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 2"; flow:established,to_server; http.uri; content:"inst.php?"; content:"pcode="; content:"&ucode="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; classtype:pup-activity; sid:2013557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
@@ -40200,7 +39808,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Ad
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tool.InstallToolbar.24 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; content:"TbId="; nocase; content:"TUID="; nocase; content:"Action_Type="; nocase; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:pup-activity; sid:2014060; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gen5 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cmd/report.php?"; nocase; content:"PartnerId="; nocase; content:"OfferId="; nocase; content:"action="; nocase; content:"program="; nocase; reference:url,threatexpert.com/report.aspx?md5=90410d783f6321c8684ccb9ff0613a51; classtype:pup-activity; sid:2014071; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gen5 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cmd/report.php?"; nocase; content:"PartnerId="; nocase; content:"OfferId="; nocase; content:"action="; nocase; content:"program="; nocase; reference:md5,90410d783f6321c8684ccb9ff0613a51; classtype:pup-activity; sid:2014071; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OpenCandy Adware Checkin"; flow:established,to_server; http.uri; content:"clientv="; content:"&cltzone="; content:"&mstime="; content:"&os="; content:"&product_key="; http.host; content:"opencandy.com"; fast_pattern; classtype:pup-activity; sid:2014122; rev:6; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40210,19 +39818,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OpenTrio U
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/MediaGet Checkin"; flow:established,to_server; http.request_body; content:"<mediagetInstaller statVersion="; content:"mediagetIsAlreadyInstalled="; classtype:pup-activity; sid:2014192; rev:5; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; http.uri; content:"/install.xml?pid="; http.header; content:"gameplaylabs.com|0d 0a|"; classtype:pup-activity; sid:2014249; rev:6; metadata:created_at 2012_02_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; http.uri; content:"/install.xml?pid="; http.header; content:"gameplaylabs.com|0d 0a|"; classtype:pup-activity; sid:2014249; rev:6; metadata:created_at 2012_02_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PlaySushi User-Agent"; flow:established,to_server; http.user_agent; content:"psi|20|"; startswith; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:pup-activity; sid:2014261; rev:4; metadata:created_at 2012_02_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Checkin"; flow:established,to_server; http.uri; content:"/inst.asp?d="; content:"&cl="; content:"&l="; content:"&e="; content:"&v="; content:"&uid="; content:"&time="; content:"&win="; content:"&ac="; content:"&ti="; content:"&xv="; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014339; rev:4; metadata:created_at 2012_03_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Checkin"; flow:established,to_server; http.uri; content:"/inst.asp?d="; content:"&cl="; content:"&l="; content:"&e="; content:"&v="; content:"&uid="; content:"&time="; content:"&win="; content:"&ac="; content:"&ti="; content:"&xv="; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014339; rev:4; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware User Agent"; flow:established,to_server; http.user_agent; content:"zz_"; depth:3; pcre:"/^[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Ri"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014340; rev:8; metadata:created_at 2012_03_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware User Agent"; flow:established,to_server; http.user_agent; content:"zz_"; depth:3; pcre:"/^[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Ri"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014340; rev:8; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/MediaGet.Adware Installer Download"; flow:established,to_client; flowbits:isnotset,ET.Adobe.Site.Download; http.header.raw; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:pup-activity; sid:2014353; rev:8; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; http.user_agent; content:"Softonic Downloader/"; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:pup-activity; sid:2014355; rev:5; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/LoudMo.Adware Checkin"; flow:established,to_server; http.uri; content:"/?aff="; http.host; content:"www.gamebound.com"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:pup-activity; sid:2014400; rev:5; metadata:created_at 2012_03_19, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/LoudMo.Adware Checkin"; flow:established,to_server; http.uri; content:"/?aff="; http.host; content:"www.gamebound.com"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:pup-activity; sid:2014400; rev:5; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; http.user_agent; content:"pcsetup_"; pcre:"/^\w+pcsetup_\w+/"; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:pup-activity; sid:2014583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
@@ -40230,35 +39838,35 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Dialer.Adu
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/rdc/rnd.php"; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:pup-activity; sid:2014767; rev:7; metadata:created_at 2012_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames Checkin"; flow:established,to_server; http.uri; content:"/game"; content:"/diary/item/"; http.user_agent; content:"getURLDown"; bsize:10; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015017; rev:6; metadata:created_at 2012_07_03, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames Checkin"; flow:established,to_server; http.uri; content:"/game"; content:"/diary/item/"; http.user_agent; content:"getURLDown"; bsize:10; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015017; rev:6; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP suspicious User-Agent (vb   wininet)"; flow:established,to_server; http.user_agent; content:"vb|20 20 20|wininet"; depth:12; classtype:pup-activity; sid:2016069; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP suspicious User-Agent (vb   wininet)"; flow:established,to_server; http.user_agent; content:"vb|20 20 20|wininet"; depth:12; classtype:pup-activity; sid:2016069; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; http.uri; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern; content:"&x_format="; content:"&x_pub_id="; content:"&tag="; http.user_agent; content:"Mozilla/4.0  (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest.5)"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:pup-activity; sid:2016546; rev:5; metadata:created_at 2013_03_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; http.uri; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern; content:"&x_format="; content:"&x_pub_id="; content:"&tag="; http.user_agent; content:"Mozilla/4.0  (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest.5)"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:pup-activity; sid:2016546; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; http.uri; content:"?data="; content:"&version="; distance:0; http.user_agent; content:"win32"; depth:5; fast_pattern; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:pup-activity; sid:2016780; rev:6; metadata:created_at 2013_04_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; http.uri; content:"?data="; content:"&version="; distance:0; http.user_agent; content:"win32"; depth:5; fast_pattern; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:pup-activity; sid:2016780; rev:6; metadata:created_at 2013_04_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.MSIL.Solimba.b GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/dmr/access/"; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:pup-activity; sid:2016905; rev:6; metadata:created_at 2013_05_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.MSIL.Solimba.b POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/dmr/exception"; http.user_agent; content:"DownloadMR"; depth:10; nocase; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:pup-activity; sid:2016906; rev:6; metadata:created_at 2013_05_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Smart-RTP"; flow: established,to_server; http.user_agent; content:"Smart-RTP"; depth:9; nocase; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; classtype:pup-activity; sid:2016915; rev:7; metadata:created_at 2013_05_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Smart-RTP"; flow: established,to_server; http.user_agent; content:"Smart-RTP"; depth:9; nocase; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:md5,a80f33c94c44556caa2ef46cd5eb863c; classtype:pup-activity; sid:2016915; rev:7; metadata:created_at 2013_05_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; http.user_agent; content:"Custom_56562_HttpClient/VER_STR_COMMA"; depth:37; nocase; classtype:pup-activity; sid:2016916; rev:5; metadata:created_at 2013_05_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; http.user_agent; content:"Custom_56562_HttpClient/VER_STR_COMMA"; depth:37; nocase; classtype:pup-activity; sid:2016916; rev:5; metadata:created_at 2013_05_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware pricepeep Adware.Shopper.297"; flow: established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/logger/software/hit/"; nocase; content:"/?v."; nocase; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:pup-activity; sid:2016917; rev:4; metadata:created_at 2013_05_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware pricepeep Adware.Shopper.297"; flow: established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/logger/software/hit/"; nocase; content:"/?v."; nocase; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:pup-activity; sid:2016917; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_05_23, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gamevance.AV Checkin"; flow:established,to_server; http.uri; content:"/aj/"; fast_pattern; content:".php?p="; http.header_names; content:!"Referer"; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:pup-activity; sid:2017136; rev:7; metadata:created_at 2013_07_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gamevance.AV Checkin"; flow:established,to_server; http.uri; content:"/aj/"; fast_pattern; content:".php?p="; http.header_names; content:!"Referer"; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:pup-activity; sid:2017136; rev:7; metadata:created_at 2013_07_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Crossrider Spyware Checkin"; flow:established,to_server; http.uri; content:"/updater/"; depth:9; content:"/update.json?rnd="; distance:32; within:18; http.header_names; content:!"User-Agent"; classtype:pup-activity; sid:2017196; rev:6; metadata:created_at 2013_07_25, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Crossrider Spyware Checkin"; flow:established,to_server; http.uri; content:"/updater/"; depth:9; content:"/update.json?rnd="; distance:32; within:18; http.header_names; content:!"User-Agent"; classtype:pup-activity; sid:2017196; rev:6; metadata:created_at 2013_07_26, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Wajam.Adware Successful Install"; flow:established,to_server; http.uri; content:"/wajam_install.exe?aid="; http.user_agent; content:"NSIS_Inetc"; startswith; classtype:pup-activity; sid:2017561; rev:6; metadata:created_at 2013_10_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Wajam.Adware Successful Install"; flow:established,to_server; http.uri; content:"/wajam_install.exe?aid="; http.user_agent; content:"NSIS_Inetc"; startswith; classtype:pup-activity; sid:2017561; rev:6; metadata:created_at 2013_10_05, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/?step_id="; content:"&publisher_id="; content:"&page_id="; content:"&country_code="; content:"&browser_id="; content:"&download_id="; content:"&hardware_id="; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017911; rev:4; metadata:created_at 2013_12_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/?step_id="; content:"&publisher_id="; content:"&page_id="; content:"&country_code="; content:"&browser_id="; content:"&download_id="; content:"&hardware_id="; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017911; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?report_version="; http.request_body; content:"data="; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017912; rev:4; metadata:created_at 2013_12_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?report_version="; http.request_body; content:"data="; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017912; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; http.uri; content:"/updater/"; http.user_agent; content:"UpdaterResponse"; depth:15; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018024; rev:5; metadata:created_at 2014_01_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; http.uri; content:"/updater/"; http.user_agent; content:"UpdaterResponse"; depth:15; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018024; rev:5; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/AdLoad.Downloader Download"; flow:established,to_server; http.uri; content:"/v"; content:"&product_name="; content:"&installer_file_name="; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:pup-activity; sid:2018048; rev:5; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40272,23 +39880,23 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious Use
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BetterInstaller"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?v="; content:"&uid="; content:"&muid="; pcre:"/[a-f0-9]{32}\?v=/i"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:pup-activity; sid:2018195; rev:5; metadata:created_at 2014_01_15, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"&OSversion="; content:"&Slv="; content:"&Sysid="; content:"&Sysid1="; content:"&admin="; content:"&browser="; content:"&exe="; content:"&ffver="; content:"&lang_DfltUser="; content:"&ver="; content:"&ts="; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:pup-activity; sid:2018324; rev:4; metadata:created_at 2014_03_26, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"&OSversion="; content:"&Slv="; content:"&Sysid="; content:"&Sysid1="; content:"&admin="; content:"&browser="; content:"&exe="; content:"&ffver="; content:"&lang_DfltUser="; content:"&ver="; content:"&ts="; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:pup-activity; sid:2018324; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bundle/"; content:"/?p="; http.user_agent; content:"zz_afi"; depth:6; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:pup-activity; sid:2018333; rev:6; metadata:created_at 2014_03_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"?v="; fast_pattern; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:pup-activity; sid:2018368; rev:7; metadata:created_at 2014_04_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"?v="; fast_pattern; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:pup-activity; sid:2018368; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_04_07, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.MultiInstaller"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"?s1="; fast_pattern; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/"; http.header_names; content:!"Referer"; reference:md5,26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:pup-activity; sid:2018512; rev:8; metadata:created_at 2014_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadGuide.A"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/1/dg/3"; fast_pattern; http.request_body; content:"{|22|BuildId|22 3a|"; content:"|22|Campaign|22|"; content:"|22|TrackBackUrl|22|"; http.content_type; content:"application/json"; startswith; http.header_names; content:!"Referer"; reference:md5,37b91123a58a48975770241445392aeb; classtype:pup-activity; sid:2018513; rev:6; metadata:created_at 2014_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Checkin"; flow: established, to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla|29|"; depth:20; http.request_body; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; content:"|22|machine_ID|22 3a 22|"; distance:0; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:pup-activity; sid:2018557; rev:8; metadata:created_at 2014_06_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Checkin"; flow: established, to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla|29|"; depth:20; http.request_body; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; content:"|22|machine_ID|22 3a 22|"; distance:0; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:pup-activity; sid:2018557; rev:8; metadata:created_at 2014_06_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.MultiInstaller checkin 2"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"/entrance?s1="; depth:13; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:pup-activity; sid:2018590; rev:4; metadata:created_at 2014_06_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OptimizerPro Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/op?sid="; content:"&dt="; distance:0; content:"&gid="; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:pup-activity; sid:2018742; rev:5; metadata:created_at 2013_12_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SearchSuite Install CnC Beacon"; flow:established,to_server; urilen:23; http.method; content:"POST"; http.uri; content:"/install_statistics.php"; fast_pattern; depth:23; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE|3B 20|Win32)"; startswith; http.request_body; content:"XML="; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:pup-activity; sid:2018753; rev:4; metadata:created_at 2014_07_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SearchSuite Install CnC Beacon"; flow:established,to_server; urilen:23; http.method; content:"POST"; http.uri; content:"/install_statistics.php"; fast_pattern; depth:23; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE|3B 20|Win32)"; startswith; http.request_body; content:"XML="; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:pup-activity; sid:2018753; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.A checkin"; flow:to_server,established; http.uri; content:"get/?ver="; content:"&aid="; distance:0; content:"&hid="; distance:0; content:"&rid="; distance:0; content:"&data="; distance:0; content:"&report="; distance:0; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:pup-activity; sid:2018867; rev:4; metadata:created_at 2014_08_01, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40296,7 +39904,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/BrowseFo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maxpower-static/templates/"; depth:27; http.header_names; content:!"Referer"; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:pup-activity; sid:2019143; rev:7; metadata:created_at 2014_07_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MAC/Conduit Component Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/installer?dp="; content:"&sdp="; content:"&f="; content:"&id="; content:"&v="; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019144; rev:4; metadata:created_at 2014_09_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MAC/Conduit Component Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/installer?dp="; content:"&sdp="; content:"&f="; content:"&id="; content:"&v="; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019144; rev:4; metadata:created_at 2014_09_10, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SoftPulse.H Checkin"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/__dmp__/"; fast_pattern; http.request_body; content:"data={"; depth:6; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Referer"; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:pup-activity; sid:2019228; rev:6; metadata:created_at 2014_09_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40318,23 +39926,23 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBr
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/MultiPlug.Adware Adfraud Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?rmbs="; within:8; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"; bsize:108; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:pup-activity; sid:2020457; rev:4; metadata:created_at 2015_02_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&ts="; content:"&dlip="; content:"&dlid="; content:"&proto="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020627; rev:7; metadata:created_at 2015_03_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&ts="; content:"&dlip="; content:"&dlid="; content:"&proto="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020627; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&proto="; http.user_agent; content:"WinWrapper"; depth:10; http.request_body; content:"{|22|appId|22 3a 22|"; content:"|22|uuId|22 3a 22|"; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020628; rev:6; metadata:created_at 2015_03_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&proto="; http.user_agent; content:"WinWrapper"; depth:10; http.request_body; content:"{|22|appId|22 3a 22|"; content:"|22|uuId|22 3a 22|"; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020628; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware User-Agent"; flow:established,to_server; http.user_agent; content:"WinWrapper"; depth:10; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020629; rev:6; metadata:created_at 2015_03_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/log/?"; fast_pattern; content:"="; distance:1; within:1; content:"&d="; distance:0; content:"&o="; content:"&r="; content:"&s="; content:"&t="; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:pup-activity; sid:2020701; rev:4; metadata:created_at 2015_03_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/log/?"; fast_pattern; content:"="; distance:1; within:1; content:"&d="; distance:0; content:"&o="; content:"&r="; content:"&s="; content:"&t="; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:pup-activity; sid:2020701; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; http.user_agent; content:"Sendori-Client"; depth:14; reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:pup-activity; sid:2020881; rev:5; metadata:created_at 2015_04_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sentry_version="; content:"&sentry_client="; distance:0; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:pup-activity; sid:2021027; rev:4; metadata:created_at 2015_04_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sentry_version="; content:"&sentry_client="; distance:0; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:pup-activity; sid:2021027; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.request_body; content:"postInstallReport"; fast_pattern; content:"machineId|22 3a 22|"; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:pup-activity; sid:2021094; rev:5; metadata:created_at 2015_05_13, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.request_body; content:"postInstallReport"; fast_pattern; content:"machineId|22 3a 22|"; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:pup-activity; sid:2021094; rev:5; metadata:created_at 2015_05_14, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.GigaClicks Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ver/"; content:"/sid/"; http.request_body; content:"instlog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:pup-activity; sid:2021099; rev:4; metadata:created_at 2015_05_15, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?uid="; content:"&affid="; distance:0; content:"&inst_date="; distance:0; fast_pattern; content:"&prod="; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:pup-activity; sid:2021173; rev:4; metadata:created_at 2015_05_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?uid="; content:"&affid="; distance:0; content:"&inst_date="; distance:0; fast_pattern; content:"&prod="; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:pup-activity; sid:2021173; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v2/"; depth:4; fast_pattern; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/"; http.header_names; content:"X-Crypto-Version"; content:!"User-Agent"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:pup-activity; sid:2021282; rev:5; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40342,19 +39950,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/Mac
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; http.user_agent; content:"Installer(ref=["; fast_pattern; content:"|3b|windows="; distance:0; content:"|3b|uac="; distance:0; content:"|3b|elevated="; distance:0; content:"|3b|dotnet="; distance:0; content:"|3b|startTime="; distance:0; content:"|3b|pid="; distance:0; classtype:pup-activity; sid:2021564; rev:5; metadata:created_at 2015_07_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?pcrc="; depth:7; fast_pattern; content:"&v="; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:pup-activity; sid:2021618; rev:6; metadata:created_at 2015_08_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?pcrc="; depth:7; fast_pattern; content:"&v="; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:pup-activity; sid:2021618; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 2"; flow:established,to_server; http.uri; content:"/?v="; depth:4; content:"&pcrc="; distance:0; content:"&LSVRDT="; distance:0; fast_pattern; content:"&ty="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; classtype:pup-activity; sid:2021619; rev:5; metadata:created_at 2015_08_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 2"; flow:established,to_server; http.uri; content:"/?v="; depth:4; content:"&pcrc="; distance:0; content:"&LSVRDT="; distance:0; fast_pattern; content:"&ty="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; classtype:pup-activity; sid:2021619; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; content:"&pcrc="; content:"&LUDT="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:pup-activity; sid:2021643; rev:4; metadata:created_at 2015_08_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; content:"&pcrc="; content:"&LUDT="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:pup-activity; sid:2021643; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Boxore User-Agent"; flow:to_server,established; http.user_agent; content:"BoxoreClent"; depth:11; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:pup-activity; sid:2021700; rev:5; metadata:created_at 2015_08_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; content:"/FMP.dmg?download_browser="; distance:0; fast_pattern; content:"&app_id="; distance:0; content:"&campaign="; distance:0; content:"&cargoType="; distance:0; content:"&oname=FMP.dmg"; distance:0; classtype:pup-activity; sid:2021984; rev:4; metadata:created_at 2015_10_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; content:"/FMP.dmg?download_browser="; distance:0; fast_pattern; content:"&app_id="; distance:0; content:"&campaign="; distance:0; content:"&cargoType="; distance:0; content:"&oname=FMP.dmg"; distance:0; classtype:pup-activity; sid:2021984; rev:4; metadata:created_at 2015_10_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; http.user_agent; content:"InstallCapital"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022246; rev:5; metadata:created_at 2015_12_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; http.user_agent; content:"InstallCapital"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022246; rev:5; metadata:created_at 2015_12_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; fast_pattern; content:"&pcrc="; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:pup-activity; sid:2022354; rev:4; metadata:created_at 2016_01_13, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; fast_pattern; content:"&pcrc="; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:pup-activity; sid:2022354; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/v"; depth:2; content:".asp"; pcre:"/\/v\d\/[^.]+\.asp$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; bsize:38; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:pup-activity; sid:2022694; rev:4; metadata:created_at 2016_04_01, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40394,7 +40002,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopTools PUP I
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?alpha="; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/"; http.user_agent; content:"NSIS_Inetc"; depth:10; fast_pattern; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:pup-activity; sid:2022850; rev:5; metadata:created_at 2016_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL/Adload.AT Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do"; fast_pattern; content:"source="; content:"&event="; content:"&implementation_id="; content:"user_id="; content:"&useragent="; content:"&sgn="; content:"&subid2="; content:"&ts="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:pup-activity; sid:2022893; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, former_category ADWARE_PUP, malware_family MSIL_Adload, signature_severity Major, tag Adware, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL/Adload.AT Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do"; fast_pattern; content:"source="; content:"&event="; content:"&implementation_id="; content:"user_id="; content:"&useragent="; content:"&sgn="; content:"&subid2="; content:"&ts="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:pup-activity; sid:2022893; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, former_category ADWARE_PUP, malware_family MSIL_Adload, signature_severity Major, tag Adware, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LoadMoney Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; pcre:"/^Downloader\s\d+\.\d+$/"; content:"Downloader|20|"; startswith; http.request_body; content:"|0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2022987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
@@ -40402,22 +40010,20 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Chro
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; http.method; content:"GET"; http.uri; content:"/?q="; fast_pattern; depth:4; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/"; http.uri.raw; content:"+"; http.host; content:!"map24.com"; content:!"aptrk.com"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:pup-activity; sid:2023707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PUA, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 1"; flow:established,to_server; http.uri; content:"/get_xml?"; fast_pattern; pcre:"/\/get_xml\?(?:file_id|stb)=/i"; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024250; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 1"; flow:established,to_server; http.uri; content:"/get_xml?"; fast_pattern; pcre:"/\/get_xml\?(?:file_id|stb)=/i"; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024250; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 2"; flow:established,to_server; http.uri; content:"/download.php?id="; fast_pattern; content:"&f="; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024251; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 2"; flow:established,to_server; http.uri; content:"/download.php?id="; fast_pattern; content:"&f="; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024251; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 4"; flow:to_server,established; http.uri; content:"/get_file_info.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_22, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 4"; flow:to_server,established; http.uri; content:"/get_file_info.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_23, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 8"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&chromeLog="; fast_pattern; content:"&ffLog="; distance:0; content:"&operaLog="; distance:0; content:"&notAdmin="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 2"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/launch_info"; http.user_agent; content:"Downloader|20|"; depth:11; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024259; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 2"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/launch_info"; http.user_agent; content:"Downloader|20|"; depth:11; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024259; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 4"; flow:established,to_server; http.uri; content:"/data_files="; depth:12; fast_pattern; content:"&rnd="; distance:0; http.user_agent; content:"Downloader 1"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024262; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ProxyGearPro Proxy Tool PUA"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Proxy|20|Gear|20|Pro/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:pup-activity; sid:2024484; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; flowbits:isset,ETPTadmoney; http.stat_code; content:"200"; file.data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12;depth:4; classtype:pup-activity; sid:2024699; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Internet, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Adware Chrome Extension Detected (1)"; flow:to_server,established; http.uri; content:"/hostedsearch?"; fast_pattern; content:"subid"; distance:0; content:"&keyword="; distance:0; http.header; content:"User-Agent|3a 20|"; content:"Upgrade-Insecure-Requests|3a 20|"; content:"Accept"; content:"Connection|3a 20|"; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Adware Chrome Extension Detected (2)"; flow:to_server,established; http.uri; content:"/?keyword="; fast_pattern; content:"&id="; distance:0; content:"&sysid="; distance:0; http.header; content:"User-Agent|3a 20|"; content:"Upgrade-Insecure-Requests|3a 20|"; content:"Accept"; content:"Connection|3a 20|"; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024727; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
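Review bot: Dropping sid:2024699 in this hunk removes the only visible consumer of `flowbits:isset,ETPTadmoney`; if the rule that sets ETPTadmoney survives elsewhere in the file (not in view), Suricata will report that flowbit as set but never checked when it loads this fixture. Since this test exercises rule parsing, it is worth confirming that the test's expectations still hold against the refreshed file, in particular any assertion on warning output or on the count of rules loaded, given the hunk headers show the new file is roughly 390 lines shorter than the old one. The rule text itself is an upstream refresh and needs no change here.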
@@ -40434,7 +40040,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMone
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lavasoft PUA/Adware Client Install"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/event-stat?ProductID="; fast_pattern; content:"&Type=StubStart"; distance:0; http.host; content:"lavasoft.com"; classtype:pup-activity; sid:2025537; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Adware, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WiseCleaner Installed (PUA)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p=install_statistics"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http.host; content:"wisecleaner.net"; fast_pattern; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:pup-activity; sid:2025589; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WiseCleaner Installed (PUA)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p=install_statistics"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http.host; content:"wisecleaner.net"; fast_pattern; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:pup-activity; sid:2025589; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antibody Software Installed (PUA)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"version.php?ver="; nocase; content:"&newinstall="; nocase; distance:0; http.user_agent; content:"Embarcadero URI Client/1.0"; http.host; content:"antibody-software.com"; fast_pattern; reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:pup-activity; sid:2025590; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
@@ -40458,37 +40064,37 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre User-Agent"; flow:established,to_server; http.user_agent; content:"onlymacros"; depth:10; endswith; reference:md5,b4ddb47165bf5362f0b33ed907b1ee08; classtype:command-and-control; sid:2030818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Upatre, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Zonebac Traffic Redirect"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; http.request_body; content:"ic="; startswith; fast_pattern; content:"&fb="; distance:0; reference:md5,23ad5529074fa0fba3258b155440659f; classtype:pup-activity; sid:2030821; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Zonebac Traffic Redirect"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; http.request_body; content:"ic="; startswith; fast_pattern; content:"&fb="; distance:0; reference:md5,23ad5529074fa0fba3258b155440659f; classtype:pup-activity; sid:2030821; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Jan 7 2015"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pops"; offset:1; fast_pattern; content:".php"; within:5; pcre:"/^\/[^\x2f]+\/pops[a-z]?\.php$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2020148; rev:6; metadata:created_at 2015_01_07, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dana/home.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:5; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_21, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_21, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2012-4792 EIP in URI M1"; flow:established,to_server; http.uri.raw; content:"/%E0%B4%8C%E1%88%92"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:4; metadata:created_at 2012_12_31, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2012-4792 EIP in URI M2"; flow:established,to_server; http.uri.raw; content:"/%E0%B4%8C%E1%82%AB"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:5; metadata:created_at 2013_01_08, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/"; distance:0; content:"&hwid="; distance:0; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:command-and-control; sid:2025931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category MALWARE, malware_family Aurora_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/"; distance:0; content:"&hwid="; distance:0; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:command-and-control; sid:2025931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category MALWARE, malware_family Aurora_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Coinminer Download"; flow:established,to_server; urilen:39; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/WPSystem/dl.php?a="; depth:38; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c5d5608df7519c44358fa87bd046b553; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:coin-mining; sid:2027894; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Coinminer Download"; flow:established,to_server; urilen:39; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/WPSystem/dl.php?a="; depth:38; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c5d5608df7519c44358fa87bd046b553; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:coin-mining; sid:2027894; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, tag Stealer, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with ps PowerShell Command Output"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|48 61 6e 64 6c 65 73 20 20 4e 50 4d 28 4b 29 20 20 20 20 50 4d 28 4b 29 20 20 20 20 20 20 57 53 28 4b 29|"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; classtype:trojan-activity; sid:2027210; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, performance_impact Low, tag T1086, tag T1057, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete HTTP CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"namepc="; content:"nadir="; content:"menrut0="; content:"menfile0="; fast_pattern; content:"mens0="; http.header_names; content:!"Referer"; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:command-and-control; sid:2027887; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; content:"select password"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_17, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; content:"select password"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/i"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_17, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/i"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player malware binary requested"; flow:established,to_server; http.uri; content:"&filename=Flash Player|20|"; content:".exe"; classtype:trojan-activity; sid:2017123; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; http.uri; content:"/styles/javaupdate.css"; classtype:trojan-activity; sid:2017845; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; http.uri; content:"windows-firewall.png"; classtype:trojan-activity; sid:2019598; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; http.uri; content:"windows-firewall.png"; classtype:trojan-activity; sid:2019598; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - png"; flow:established,to_server; http.uri; content:"gp-warning-img.png"; classtype:trojan-activity; sid:2020711; rev:4; metadata:created_at 2015_03_19, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
@@ -40532,7 +40138,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BalkanDoor CnC Ch
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BalkanDoor CnC Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"[CFG]|0d 0a|di="; fast_pattern; depth:10; content:"|0d 0a|cn="; content:"|0d 0a|du="; content:"|0d 0a|int="; content:"|0d 0a|rip="; content:"|0d 0a|rpo="; content:"|0d 0a|scr_dur="; content:"|0d 0a|scr_int="; reference:url,www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/; reference:md5,f70ef75fb0a51b05c43aaec973ac0bc1; classtype:command-and-control; sid:2027898; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/../dana/html5acc/guacamole/../"; depth:39; fast_pattern; isdataat:10,relative; reference:url,packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html; reference:cve,CVE-2019-11510; classtype:trojan-activity; sid:2027904; rev:3; metadata:created_at 2019_08_22, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/../dana/html5acc/guacamole/../"; depth:39; fast_pattern; isdataat:10,relative; reference:url,packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html; reference:cve,CVE-2019-11510; classtype:trojan-activity; sid:2027904; rev:3; metadata:affected_product Pulse_Secure, created_at 2019_08_22, former_category EXPLOIT, updated_at 2020_09_01;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE TwoFace WebShell Detected"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.cookie; content:"data=pro#=#"; fast_pattern; reference:url,www.emanueledelucia.net/a-dive-into-apt34-aka-oilrig-aka-cobalt-gypsy-twoface-webshell/; classtype:targeted-activity; sid:2027903; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
 
@@ -40548,21 +40154,21 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE dire
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; http.uri; content:"/servlet/JavascriptProbe"; nocase; content:"documentElement=true"; nocase; content:"regexp=true"; nocase; content:"frames=true"; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; classtype:web-application-attack; sid:2010622; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/update/utu.dat"; reference:url,www.threatexpert.com/report.aspx?md5=6fd8cdee653c0fde769e6c48d65e28bd; classtype:command-and-control; sid:2013913; rev:5; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/update/utu.dat"; reference:md5,6fd8cdee653c0fde769e6c48d65e28bd; classtype:command-and-control; sid:2013913; rev:5; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_09_01;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"SNI="; content:"&UME="; fast_pattern; content:"&IVR="; content:"&st="; reference:md5,eec2828cb4a9032ab1177bb472f1977b; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2027771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ArtraDownloader, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-08-23"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usuario="; fast_pattern; content:"&clave="; distance:0; classtype:credential-theft; sid:2027911; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-08-23"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usuario="; fast_pattern; content:"&clave="; distance:0; classtype:credential-theft; sid:2027911; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Secutech Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1="; fast_pattern; content:"&ds2="; distance:0; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027909; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AOX Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ReadAllTracks.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"{|22|contacts|22 3a|"; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/; classtype:trojan-activity; sid:2027920; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AOX Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ReadAllTracks.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"{|22|contacts|22 3a|"; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/; classtype:trojan-activity; sid:2027920; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_27, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LYCEUM MSIL/DanBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?id="; http.header; content:"Accept-Enconding|3a 20|gzip,deflate"; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|&|29|"; reference:md5,9df776b9933fbf95e3d462e04729d074; classtype:command-and-control; sid:2027921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, malware_family DanBot, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&get=Zaloguj"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029677; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&get=Zaloguj"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029677; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:".tar.gz"; nocase; classtype:bad-unknown; sid:2016992; rev:4; metadata:created_at 2013_06_08, updated_at 2020_09_01;)
 
@@ -40574,13 +40180,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPho
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Domen SocEng Redirect - Landing Page Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"=|20 5b 27|Mobile|27 5d 3b|"; content:"|2f 2f 20|All|20 7c 20|Mobile|20 7c 20|Desktop"; content:"|2f 2f 20|1|20|-|20|Browser|20|Update|20 7c 20|2|20|-|20|Font"; fast_pattern; content:"var|20|_0x"; distance:0; classtype:social-engineering; sid:2027935; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, malware_family SocEng, malware_family Domen, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (bridges.torproject .org in DNS lookup)"; dns.query; content:"bridges.torproject.org"; depth:22; nocase; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:external-ip-check; sid:2017925; rev:6; metadata:created_at 2014_01_03, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (bridges.torproject .org in DNS lookup)"; dns.query; content:"bridges.torproject.org"; depth:22; nocase; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:external-ip-check; sid:2017925; rev:6; metadata:created_at 2014_01_04, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.noc.su domain"; dns.query; content:".noc.su"; fast_pattern; classtype:bad-unknown; sid:2012901; rev:5; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; classtype:policy-violation; sid:2013016; rev:5; metadata:created_at 2011_06_13, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TR/Spy.Gen checkin via dns ANY query"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,www.threatexpert.com/report.aspx?md5=2519bdb5459bc9f59f59cd7ccb147d23; classtype:command-and-control; sid:2013516; rev:4; metadata:created_at 2011_09_01, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TR/Spy.Gen checkin via dns ANY query"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:md5,2519bdb5459bc9f59f59cd7ccb147d23; classtype:command-and-control; sid:2013516; rev:4; metadata:created_at 2011_09_02, former_category MALWARE, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY Query to a *.opengw.net Open VPN Relay Domain"; dns.query; content:".opengw.net"; nocase; fast_pattern; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:8; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
@@ -40588,7 +40194,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain rus
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insdet.com"; dns.query; content:"insdet.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016607; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall .onion Proxy DNS lookup"; dns.query; content:"kpai7ycr7jxqkilp"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018609; rev:4; metadata:created_at 2014_06_26, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall .onion Proxy DNS lookup"; dns.query; content:"kpai7ycr7jxqkilp"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018609; rev:4; metadata:created_at 2014_06_27, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY tor4u tor2web .onion Proxy DNS  lookup"; dns.query; content:"tor4u.net"; depth:9; nocase; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018875; rev:4; metadata:created_at 2014_08_01, updated_at 2020_09_01;)
 
@@ -40608,13 +40214,13 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup"; d
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall 2.0 .onion Proxy domain lookup"; dns.query; content:"paytordmbdekmizq"; depth:16; fast_pattern; nocase; reference:url,malware-traffic-analysis.net/2014/11/14/index.html; classtype:trojan-activity; sid:2019736; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Known OphionLocker Domain"; dns.query; content:"smu743glzfrxsqcl"; depth:16; fast_pattern; nocase; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:4; metadata:created_at 2014_12_12, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Known OphionLocker Domain"; dns.query; content:"smu743glzfrxsqcl"; depth:16; fast_pattern; nocase; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:4; metadata:created_at 2014_12_13, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns.query; content:"ymleyd4xs3it55m7"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019984; rev:5; metadata:created_at 2014_12_19, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns.query; content:"ymleyd4xs3it55m7"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019984; rev:5; metadata:created_at 2014_12_20, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spy.Obator .onion Proxy Domain"; dns.query; content:"t2upiokua37wq2cx"; depth:16; nocase; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3671; classtype:trojan-activity; sid:2020168; rev:4; metadata:created_at 2015_01_12, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spy.Obator .onion Proxy Domain"; dns.query; content:"t2upiokua37wq2cx"; depth:16; nocase; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3671; classtype:trojan-activity; sid:2020168; rev:4; metadata:created_at 2015_01_13, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall 3.0 .onion Proxy Domain"; dns.query; content:"paytoc4gtpn5czl2"; depth:16; nocase; fast_pattern; reference:url,malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html; classtype:trojan-activity; sid:2020182; rev:4; metadata:created_at 2015_01_14, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall 3.0 .onion Proxy Domain"; dns.query; content:"paytoc4gtpn5czl2"; depth:16; nocase; fast_pattern; reference:url,malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html; classtype:trojan-activity; sid:2020182; rev:4; metadata:created_at 2015_01_15, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"3fdzgtam4qk625n6"; depth:16; nocase; fast_pattern; reference:md5,adb0de790bd3fb88490a60f0dddd90fa; classtype:trojan-activity; sid:2020358; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
 
@@ -40632,13 +40238,13 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain"; dns.query; content:"mmc65z4xsgbcbazl"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020684; rev:5; metadata:created_at 2015_03_12, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; dns.query; content:"iezqmd4s2fflmh7n"; depth:16; fast_pattern; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:4; metadata:created_at 2015_03_24, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; dns.query; content:"iezqmd4s2fflmh7n"; depth:16; fast_pattern; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:4; metadata:created_at 2015_03_25, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (llgerw4plyyff446)"; dns.query; content:"llgerw4plyyff446"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020762; rev:4; metadata:created_at 2015_03_26, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (llgerw4plyyff446)"; dns.query; content:"llgerw4plyyff446"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020762; rev:4; metadata:created_at 2015_03_27, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Filecoder Ransomware Variant .onion Proxy Domain (tkj3higtqlvohs7z)"; dns.query; content:"tkj3higtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020942; rev:5; metadata:created_at 2015_04_16, former_category TROJAN, malware_family Filecoder, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Filecoder Ransomware Variant .onion Proxy Domain (tkj3higtqlvohs7z)"; dns.query; content:"tkj3higtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020942; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, malware_family Filecoder, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; dns.query; content:"l7gbml27czk3kvr5"; depth:16; fast_pattern; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:5; metadata:created_at 2015_03_24, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; dns.query; content:"l7gbml27czk3kvr5"; depth:16; fast_pattern; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:5; metadata:created_at 2015_03_25, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (zoqowm4kzz4cvvvl)"; dns.query; content:"zoqowm4kzz4cvvvl"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020958; rev:4; metadata:created_at 2015_04_21, updated_at 2020_09_01;)
 
@@ -40646,17 +40252,17 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall .onion Proxy Doma
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy/NionSpy .onion Proxy Domain (z3mm6cupmtw5b2xx)"; dns.query; content:"z3mm6cupmtw5b2xx"; depth:16; nocase; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:2021019; rev:4; metadata:created_at 2015_04_28, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; dns.query; content:"iq3ahijcfeont3xx"; depth:16; fast_pattern; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; dns.query; content:"iq3ahijcfeont3xx"; depth:16; fast_pattern; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:4; metadata:created_at 2015_05_09, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (toxicola7qwv37qj)"; dns.query; content:"toxicola7qwv37qj"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; classtype:trojan-activity; sid:2021204; rev:4; metadata:created_at 2015_06_08, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (toxicola7qwv37qj)"; dns.query; content:"toxicola7qwv37qj"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; classtype:trojan-activity; sid:2021204; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ascrirac .onion proxy Domain (5sse6j4kdaeh3yus)"; dns.query; content:"5sse6j4kdaeh3yus"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021317; rev:4; metadata:created_at 2015_06_22, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"decryptoraveidf7"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:4; metadata:created_at 2015_07_28, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"encryptor3awk6px"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:4; metadata:created_at 2015_07_28, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"encryptor3awk6px"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:4; metadata:created_at 2015_07_29, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup messagewild"; dns.query; content:"messagewild.com"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2021642; rev:4; metadata:created_at 2015_08_17, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup messagewild"; dns.query; content:"messagewild.com"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2021642; rev:4; metadata:created_at 2015_08_18, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (kb63vhjuk3wh4ex7)"; dns.query; content:"kb63vhjuk3wh4ex7"; depth:16; nocase; fast_pattern; reference:md5,a9f29924410a14dea1eef8d75fed3b39; reference:url,www.malware-traffic-analysis.net/2015/08/24/index2.html; classtype:trojan-activity; sid:2021711; rev:4; metadata:created_at 2015_08_25, updated_at 2020_09_01;)
 
@@ -40664,169 +40270,169 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion Proxy Doma
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns.query; content:"7vhbukzxypxh3xfy"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021850; rev:4; metadata:created_at 2015_09_30, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (4nauizsaaopuj3qj)"; dns.query; content:"4nauizsaaopuj3qj"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022398; rev:4; metadata:created_at 2016_01_21, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (4nauizsaaopuj3qj)"; dns.query; content:"4nauizsaaopuj3qj"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022398; rev:4; metadata:created_at 2016_01_22, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(yez2o5lwqkmlv5lc)"; dns.query; content:"yez2o5lwqkmlv5lc"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022490; rev:4; metadata:created_at 2016_02_04, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(fwgrhsao3aoml7ej)"; dns.query; content:"fwgrhsao3aoml7ej"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022501; rev:4; metadata:created_at 2016_02_10, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Payment DNS Lookup"; dns.query; content:"javajvlsworf3574"; depth:16; nocase; fast_pattern; reference:md5,ff50a331feec575b505976cb0506ebfd; classtype:trojan-activity; sid:2022507; rev:4; metadata:created_at 2016_02_11, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Payment DNS Lookup"; dns.query; content:"javajvlsworf3574"; depth:16; nocase; fast_pattern; reference:md5,ff50a331feec575b505976cb0506ebfd; classtype:trojan-activity; sid:2022507; rev:4; metadata:created_at 2016_02_12, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"twbers4hmi6dx65f"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/02b21d4a90a2a50506711a9c120b1e51f77084eba25688f7db2b9571037465dc?environmentId=1; classtype:trojan-activity; sid:2022560; rev:4; metadata:created_at 2016_02_22, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"twbers4hmi6dx65f"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/02b21d4a90a2a50506711a9c120b1e51f77084eba25688f7db2b9571037465dc?environmentId=1; classtype:trojan-activity; sid:2022560; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"i3ezlvkoi7fwyood"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022589; rev:4; metadata:created_at 2016_03_02, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"i3ezlvkoi7fwyood"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022589; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"lpholfnvwbukqwye"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022590; rev:4; metadata:created_at 2016_03_02, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"lpholfnvwbukqwye"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022590; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 1"; dns.query; content:"lclebb6kvohlkcml"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022598; rev:4; metadata:created_at 2016_03_07, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 1"; dns.query; content:"lclebb6kvohlkcml"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022598; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 2"; dns.query; content:"bmacyzmea723xyaz"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022599; rev:4; metadata:created_at 2016_03_07, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 2"; dns.query; content:"bmacyzmea723xyaz"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022599; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 3"; dns.query; content:"nejdtkok7oz5kjoc"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022600; rev:4; metadata:created_at 2016_03_07, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 3"; dns.query; content:"nejdtkok7oz5kjoc"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 4"; dns.query; content:"fiwf4kwysm4dpw5l"; depth:16; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/; classtype:command-and-control; sid:2022601; rev:4; metadata:created_at 2016_03_07, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 4"; dns.query; content:"fiwf4kwysm4dpw5l"; depth:16; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/; classtype:command-and-control; sid:2022601; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(k7tlx3ghr3m4n2tu)"; dns.query; content:"k7tlx3ghr3m4n2tu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022614; rev:4; metadata:created_at 2016_03_14, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(k7tlx3ghr3m4n2tu)"; dns.query; content:"k7tlx3ghr3m4n2tu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022614; rev:4; metadata:created_at 2016_03_15, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns.query; content:"32kl2rwsjvqjeui7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022660; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_25, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns.query; content:"32kl2rwsjvqjeui7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022660; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TeslaCrypt Payment)"; dns.query; content:"kkd47eh4hdjshb5t"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_25, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TeslaCrypt Payment)"; dns.query; content:"kkd47eh4hdjshb5t"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"rzss2zfue73dfvmj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_25, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"rzss2zfue73dfvmj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"vrvis6ndra5jeggj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022664; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_25, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"vrvis6ndra5jeggj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022664; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky Possible Payment Page"; dns.query; content:"25z5g623wpqpdwis"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022680; rev:4; metadata:created_at 2016_03_28, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky Possible Payment Page"; dns.query; content:"25z5g623wpqpdwis"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022680; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"stgg5jv6mqiibmax"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022728; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"stgg5jv6mqiibmax"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022728; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"ahsqbeospcdrngfv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022761; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"ahsqbeospcdrngfv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022761; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"rrcspgfghsjnklts"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022777; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"rrcspgfghsjnklts"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022777; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky Domain"; dns.query; content:"ycvcjbhgkmsiyhdd"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022778; rev:4; metadata:created_at 2016_05_03, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"bddadevlpkwrrmud"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022870; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"bddadevlpkwrrmud"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022870; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (mphtadhci5mrdlju)"; dns.query; content:"mphtadhci5mrdlju"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022917; rev:4; metadata:created_at 2016_06_27, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (mphtadhci5mrdlju)"; dns.query; content:"mphtadhci5mrdlju"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022917; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"kvyatmujksksbcgx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"kvyatmujksksbcgx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"mz7oyb3v32vshcvk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"mz7oyb3v32vshcvk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"xhrnfffaixawpuob"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023002; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"xhrnfffaixawpuob"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023002; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"zjfq4lnfbs7pncr5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"zjfq4lnfbs7pncr5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (5n7y4yihirccftc5)"; dns.query; content:"5n7y4yihirccftc5"; depth:16; fast_pattern; nocase; reference:md5,d7cb55e90dee7777fe7b77b079d51513; classtype:trojan-activity; sid:2023084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, malware_family Ransomware, malware_family Locky, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (5n7y4yihirccftc5)"; dns.query; content:"5n7y4yihirccftc5"; depth:16; fast_pattern; nocase; reference:md5,d7cb55e90dee7777fe7b77b079d51513; classtype:trojan-activity; sid:2023084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fpashgkepwtoqdjg"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023178; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fpashgkepwtoqdjg"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023178; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"vrympoqs5ra34nfo"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"vrympoqs5ra34nfo"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fqoapcjolfwwenqx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023261; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fqoapcjolfwwenqx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023261; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns.query; content:"4w5wihkwyhsav2ha"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023327; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky Payment Domain Detected"; dns.query; content:"jhomitevd2abj3fk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023329; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ffoqr3ug7m726zou"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ffoqr3ug7m726zou"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"lfdachijzuwx4bc4"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"lfdachijzuwx4bc4"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ojmekzw4mujvqeju"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ojmekzw4mujvqeju"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xrhwryizf5mui7a5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xrhwryizf5mui7a5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"avsxrcoq2q5fgrw2"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023579; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"avsxrcoq2q5fgrw2"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023579; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"fnmi62725zfti2vy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"fnmi62725zfti2vy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ftoxmpdipwobp4qy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023581; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ftoxmpdipwobp4qy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023581; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"pe2cku7pebkpgeko"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023582; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"pe2cku7pebkpgeko"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023582; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"p27dokhpz2n7nvgr"; depth:16; nocase; fast_pattern; reference:md5,c2f7595a1c394f1dac2e418815c54fd2; classtype:trojan-activity; sid:2023690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, malware_family Ransomware_Cerber, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"p27dokhpz2n7nvgr"; depth:16; nocase; fast_pattern; reference:md5,c2f7595a1c394f1dac2e418815c54fd2; classtype:trojan-activity; sid:2023690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"qcwbrevxrotoepsp"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"qcwbrevxrotoepsp"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"ztuw5bvuuapzdfya"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"ztuw5bvuuapzdfya"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"xqraoaoaph4d545r"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024118; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"xqraoaoaph4d545r"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024118; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"underdj5ziov3ic7"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024119; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"underdj5ziov3ic7"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024119; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"x5sbb5gesp6kzwsh"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; reference:md5,f09e72e3c1c36192b22e15b59a13ee1c; reference:url,blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html; classtype:command-and-control; sid:2023998; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family Torrentlocker, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"x5sbb5gesp6kzwsh"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; reference:md5,f09e72e3c1c36192b22e15b59a13ee1c; reference:url,blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html; classtype:command-and-control; sid:2023998; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family Torrentlocker, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"jpre3ta3x2csggd4"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024189; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"jpre3ta3x2csggd4"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024189; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"cmzr4dz3begkpwa2"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024190; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"cmzr4dz3begkpwa2"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024190; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"hjhqmbxyinislkkt"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024104; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Cerber, performance_impact Low, signature_severity Major, tag Ransomware_Cerber, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"hjhqmbxyinislkkt"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024104; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"z2luqg4xu5r6zm6o"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024263; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"z2luqg4xu5r6zm6o"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024263; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"zyuc6ucewfwgnhvg"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024264; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"zyuc6ucewfwgnhvg"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024264; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy DNS lookup July 31 2014"; dns.query; content:"zxjfcvfvhqfqsrpz"; depth:16; fast_pattern; nocase; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:5; metadata:created_at 2014_08_04, former_category TROJAN, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy DNS lookup July 31 2014"; dns.query; content:"zxjfcvfvhqfqsrpz"; depth:16; fast_pattern; nocase; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:5; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE UIWIX Ransomware .onion Payment Domain (4ujngbdqqm6t2c53)"; dns.query; content:"4ujngbdqqm6t2c53"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024323; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family UIWIX, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE UIWIX Ransomware .onion Payment Domain (4ujngbdqqm6t2c53)"; dns.query; content:"4ujngbdqqm6t2c53"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024323; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family UIWIX, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"iuieylpvfurcvmpk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024437; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"iuieylpvfurcvmpk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024437; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"cpawdrtxfjkwrkkl"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024438; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"cpawdrtxfjkwrkkl"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024438; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"qfjhpgbefuhenjp7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024439; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Cerber, performance_impact Low, signature_severity Major, tag Ransomware_Cerber, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"qfjhpgbefuhenjp7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024439; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xpcx6erilkjced3j"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024440; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Cerber, performance_impact Low, signature_severity Major, tag Ransomware_Cerber, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xpcx6erilkjced3j"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024440; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Reyptson Ransomware CnC)"; dns.query; content:"37z2akkbd3vqphw5"; depth:16; nocase; fast_pattern; reference:md5,2f60c2dc9b89a78a450839ded2a1737a; classtype:command-and-control; sid:2024469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Reyptson, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Reyptson Ransomware CnC)"; dns.query; content:"37z2akkbd3vqphw5"; depth:16; nocase; fast_pattern; reference:md5,2f60c2dc9b89a78a450839ded2a1737a; classtype:command-and-control; sid:2024469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Reyptson, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wgxpsgshk3hbmyzb"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_14, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wgxpsgshk3hbmyzb"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_14, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"tptbibuegry2nvuh"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024517; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"tptbibuegry2nvuh"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024517; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"fgb45ft3pqamyji7"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024518; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"fgb45ft3pqamyji7"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024518; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"gebdp3k7bolalnd4"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024519; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"gebdp3k7bolalnd4"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024519; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"2irbar3mjvbap6gt"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024520; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"2irbar3mjvbap6gt"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024520; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"qg6m5wo7h3id55ym"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024521; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"qg6m5wo7h3id55ym"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024521; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xvnk7q32kmvcvx5x"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024522; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xvnk7q32kmvcvx5x"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024522; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xzfsqbdlb3cssp4t"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xzfsqbdlb3cssp4t"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wqfhdgpdelcgww4g"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wqfhdgpdelcgww4g"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"yvvu3fqglfceuzfu"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category TROJAN, malware_family Crypton, malware_family Nemesis, performance_impact Low, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"yvvu3fqglfceuzfu"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain"; dns.query; content:"cr7icbfqm64hixta"; depth:16; nocase; fast_pattern; reference:md5,c714c3fe13e515a85774b03787ee9d85; classtype:command-and-control; sid:2024543; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category MALWARE, malware_family GlobeImposter, malware_family Gryphon, performance_impact Moderate, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"5pr6hirtlfan3j76"; depth:16; nocase; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2024603; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category TROJAN, malware_family Spora, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"5pr6hirtlfan3j76"; depth:16; nocase; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2024603; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"ilcmjtvnrw2hostl"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Internet, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"ilcmjtvnrw2hostl"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, deployment Internet, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"uvgnugc3nvdgboc2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"uvgnugc3nvdgboc2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vg6xusopmzu7m2ce"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vg6xusopmzu7m2ce"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vgyruvtmjabu7llq"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vgyruvtmjabu7llq"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vozupq6ewgxyn4ct"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vozupq6ewgxyn4ct"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vqrqlt4t2kcmyrkb"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024631; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vqrqlt4t2kcmyrkb"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024631; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vs74c53whr5kisk2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024632; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vs74c53whr5kisk2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024632; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vsy7udjnodbqwp7l"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024633; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vsy7udjnodbqwp7l"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024633; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vvuymthse6kj4vl4"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024634; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vvuymthse6kj4vl4"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024634; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"oqwygprskqv65j72"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024635; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"oqwygprskqv65j72"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024635; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"toytyaclucomunit"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"toytyaclucomunit"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.guide)"; dns.query; content:".onion.guide"; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024662; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_01;)
 
@@ -40838,25 +40444,25 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cryptolocker Paymen
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.cab)"; dns.query; content:".onion.cab"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018876; rev:6; metadata:created_at 2014_08_01, former_category POLICY, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Initial Check In"; dns.query; content:".grp"; nocase; offset:8; depth:4; content:".ping.adm"; fast_pattern; within:15; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022559; rev:4; metadata:created_at 2016_02_22, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Initial Check In"; dns.query; content:".grp"; nocase; offset:8; depth:4; content:".ping.adm"; fast_pattern; within:15; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022559; rev:4; metadata:created_at 2016_02_23, former_category MALWARE, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".freemooon.org"; fast_pattern; pcre:"/^[a-z]{4,10}\.freemooon\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".freemooon.org"; fast_pattern; pcre:"/^[a-z]{4,10}\.freemooon\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".olimpian.org"; fast_pattern; pcre:"/[a-z]{4,10}\.olimpian\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".olimpian.org"; fast_pattern; pcre:"/[a-z]{4,10}\.olimpian\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".sunsay.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.sunsay\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022720; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".sunsay.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.sunsay\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022720; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".feellgood.org"; fast_pattern; pcre:"/[a-z]{4,11}\.feellgood\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022721; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".feellgood.org"; fast_pattern; pcre:"/[a-z]{4,11}\.feellgood\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022721; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".kinomix.org"; fast_pattern; pcre:"/[a-z]{4,11}\.kinomix\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".kinomix.org"; fast_pattern; pcre:"/[a-z]{4,11}\.kinomix\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".beneton.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.beneton\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022755; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".beneton.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.beneton\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022755; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bigdoggi.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.bigdoggi\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bigdoggi.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.bigdoggi\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bjksfohseaguu.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bjksfohseaguu\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022801; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bjksfohseaguu.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bjksfohseaguu\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022801; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".closedoors.net"; fast_pattern; pcre:"/[a-z]{4,10}\.closedoors\.net$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".closedoors.net"; fast_pattern; pcre:"/[a-z]{4,10}\.closedoors\.net$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 4"; dns.query; content:"iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024295; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
 
@@ -40870,9 +40476,7 @@ alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Query to Generic 107 Ph
 
 alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M2"; dns.query; content:"avirus"; fast_pattern; nocase; isdataat:100,relative; content:!"spotify.com"; classtype:social-engineering; sid:2022691; rev:6; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; dns.query; content:"crpt"; fast_pattern; depth:4; pcre:"/^[a-zA-Z0-9]{12}/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:4; metadata:created_at 2015_01_22, updated_at 2020_09_01;)
-
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M1 Feb 29"; dns.query; content:"helpdesk"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022575; rev:5; metadata:created_at 2016_02_29, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M1 Feb 29"; dns.query; content:"helpdesk"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022575; rev:5; metadata:created_at 2016_03_01, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
 alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M1 Mar 3"; dns.query; content:"errorfound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022591; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
@@ -40882,27 +40486,29 @@ alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain
 
 alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 4"; dns.query; content:"callasap"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022696; rev:5; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=counter&app_key="; depth:23; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=counter&app_key="; depth:23; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_18, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nitlove POS CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"nit_love"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html; classtype:command-and-control; sid:2021144; rev:4; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; http.user_agent; content:"Launcher"; nocase; content:!"EpicGamesLauncher"; depth:17; reference:url,doc.emergingthreats.net/2010645; classtype:policy-violation; sid:2010645; rev:10; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FR Carte Bleue / BCP Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ques="; depth:5; nocase; content:"&login="; nocase; distance:0; fast_pattern; content:"&motdepass"; nocase; distance:0; classtype:credential-theft; sid:2032403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pterodo CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"versiya="; depth:8; fast_pattern; content:"&comp="; distance:0; content:"&id="; distance:0; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Referer"; content:!"Cache"; reference:md5,9d8daf70dff4d5bcf791d5f68ba01d7c; classtype:command-and-control; sid:2034345; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download - Set"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McHttpH"; fast_pattern; http.host; content:"download.mcafee.com"; classtype:not-suspicious; sid:2027945; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; flowbits:isnotset,ET.Mcafee.Site.Download; http.content_type; content:"text/plain"; nocase; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:24; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (set) 2016-03-01"; flow:to_server,established; flowbits:set,ET.applephish; flowbits:noalert; http.method; content:"POST"; http.header; content:"Referer|3a|"; http.request_body; content:"u="; depth:2; nocase; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2027955; rev:4; metadata:created_at 2016_03_01, former_category PHISHING, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (set) 2016-03-01"; flow:to_server,established; flowbits:set,ET.applephish; flowbits:noalert; http.method; content:"POST"; http.header; content:"Referer|3a|"; http.request_body; content:"u="; depth:2; nocase; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2027955; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert tls any any -> any any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2"; flow:established,to_server; tls.sni; content:"|5c 00|"; fast_pattern; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_01;)
 
 alert http any any -> any any (msg:"ET MALWARE ELF/LiLocked Ransom Note in HTTP Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"ENCRYPTED|20|ALL|20|YOUR|20|SENSITIVE"; depth:200; content:"STRONG|20|ENCRYPTION"; distance:0; content:"BUY|20|A|20|DECRYPTION|20|KEY"; distance:0; fast_pattern; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027968; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category TROJAN, malware_family LiLocked, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Joker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/api/report"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"eyJ"; depth:3; http.header_names; content:!"Referer|0d 0a|"; reference:md5,058865332bfae541e82b55e4a7e63aaf; reference:url,medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451; classtype:trojan-activity; sid:2027965; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_09, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Joker, signature_severity Critical, tag Android, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Joker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/api/report"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"eyJ"; depth:3; http.header_names; content:!"Referer|0d 0a|"; reference:md5,058865332bfae541e82b55e4a7e63aaf; reference:url,medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451; classtype:trojan-activity; sid:2027965; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_09, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Joker, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious HTTP POST to 404.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/404.php"; endswith; fast_pattern; classtype:misc-activity; sid:2030819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=mail.paolemahta.icu/emailAddress=root@mail.paolemahta.icu"; bsize:139; fast_pattern; reference:md5,4fd5867c45716f0a25c74f3510984cf2; reference:url,twitter.com/bryceabdo/status/1300787997755891712; classtype:command-and-control; sid:2030820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, former_category MALWARE, malware_family Bazar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=mail.paolemahta.icu/emailAddress=root@mail.paolemahta.icu"; bsize:139; fast_pattern; reference:md5,4fd5867c45716f0a25c74f3510984cf2; reference:url,twitter.com/bryceabdo/status/1300787997755891712; classtype:domain-c2; sid:2030820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_01, deployment Perimeter, former_category MALWARE, malware_family Bazar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck CnC Activity"; flow:established,to_server; http.uri; content:"/ln/core.png?"; startswith; http.host; content:"t.amynx.com"; bsize:11; fast_pattern; reference:url,github.com/sophoslabs/IoCs/blob/master/Trojan-LDMiner.csv; classtype:command-and-control; sid:2030827; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
@@ -40920,7 +40526,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Xetapp I
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Java/1."; http.host; pcre:"/\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?$/"; classtype:bad-unknown; sid:2016583; rev:6; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_09_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:34:1C:D9:8B:86"; classtype:command-and-control; sid:2028566; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Sidewinder, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:34:1C:D9:8B:86"; classtype:domain-c2; sid:2028566; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TransparentTribe APT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_isolated_codes/C0n_eections/"; fast_pattern; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_02;)
 
@@ -40948,7 +40554,7 @@ alert http any any -> $HOME_NET any (msg:"ET MALWARE Possible Tunna Proxy Activi
 
 alert http any any -> $HOME_NET any (msg:"ET MALWARE Possible Tunna Proxy Closing Connection"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|Closing|20|the|20|connection|20|"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028583; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)"; flow:established,to_server; http.uri; content:"/owa/?wa="; startswith; content:"&path=/calendar"; endswith; http.cookie; content:"MicrosoftApplicationsTelemetryDeviceId="; startswith; content:"|3b|ClientId="; distance:0; content:"|3b|MSPAuth="; distance:0; content:"|3b|xid="; distance:0; content:"|3b|wla42="; distance:0; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)"; flow:established,to_server; http.uri; content:"/owa/?wa="; startswith; content:"&path=/calendar"; endswith; http.cookie; content:"MicrosoftApplicationsTelemetryDeviceId="; startswith; content:"|3b|ClientId="; distance:0; content:"|3b|MSPAuth="; distance:0; content:"|3b|xid="; distance:0; content:"|3b|wla42="; distance:0; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DLink DNS 320 Remote Code Execution (CVE-2019-16057)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/login_mgr.cgi"; fast_pattern; content:"cmd|3d|login"; distance:0; content:"&port="; distance:0; pcre:"/^\d{2,5}+(?!\&|\d)/R"; reference:cve,2019-16057; reference:url,blog.cystack.net/d-link-dns-320-rce/; classtype:attempted-admin; sid:2028603; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_09_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
@@ -40964,11 +40570,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious BITS EXE DL From Dotted Quad"; flow:established,to_server; http.uri; content:".exe"; nocase; content:!".gvt1.com/"; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"download.windowsupdate.com"; content:!"download.adobe.com"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2022858; rev:6; metadata:created_at 2016_06_03, former_category INFO, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.live)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.header; content:".live|0d 0a|Conne"; fast_pattern; http.host; content:!"parrot.live"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XLS DDE rar Drop Attempt (.live)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.header; content:".live|0d 0a|Conne"; fast_pattern; http.host; content:!"parrot.live"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_02;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Picker.aspx?PickerDialogType=Microsoft.SharePoint"; nocase; http.request_body; content:"ctl00|25|24PlaceHolderDialogBodySection|25|24ctl05|25|24hiddenSpanData|3d5f5f|"; nocase; fast_pattern; reference:url,www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability; classtype:attempted-admin; sid:2027345; rev:4; metadata:attack_target Web_Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/HMH CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"&"; content:!"."; http.request_body; content:"ip="; depth:3; content:"#"; distance:0; content:"&os="; distance:0; content:"#"; distance:0; content:"&os_name="; distance:0; fast_pattern; content:"#"; distance:0; content:"&mac="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; classtype:command-and-control; sid:2028618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/SysKit CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"&"; content:!"."; http.request_body; content:"ip="; depth:3; content:"#"; distance:0; content:"&os="; distance:0; content:"#"; distance:0; content:"&os_name="; distance:0; fast_pattern; content:"#"; distance:0; content:"&mac="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain; classtype:command-and-control; sid:2028618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/GMERA.B CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/link.php?"; depth:10; fast_pattern; content:"&"; distance:0; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/R"; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:command-and-control; sid:2028620; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
 
@@ -40976,7 +40582,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observ
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Suspicious SSL Cert (Minerpool - CoinMining)"; flow:from_server,established; tls.cert_subject; content:"CN=eu.minerpool.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:coin-mining; sid:2028623; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DeadlyKiss APT)"; flow:established,from_server; tls.cert_subject; content:"CN=iluvshopping.com"; fast_pattern; tls.cert_serial; content:"27:93"; classtype:targeted-activity; sid:2028626; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DeadlyKiss, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DeadlyKiss APT)"; flow:established,from_server; tls.cert_subject; content:"CN=iluvshopping.com"; fast_pattern; tls.cert_serial; content:"27:93"; classtype:domain-c2; sid:2028626; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DeadlyKiss, updated_at 2020_09_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query"; dns.query; content:"lowyat.biz"; nocase; endswith; classtype:targeted-activity; sid:2028627; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
 
@@ -41018,7 +40624,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Cloaker Rel
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.AB or related Post-infection checkin"; flow:established,to_server; http.uri; content:"/work.php?"; nocase; content:"method="; nocase; content:"&port="; nocase; content:"&type="; nocase; content:"&winver="; nocase; reference:url,doc.emergingthreats.net/2008321; classtype:command-and-control; sid:2008321; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/reports/get_product_domains.php?abbr="; content:"&pid="; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010242; classtype:trojan-activity; sid:2010242; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/reports/get_product_domains.php?abbr="; content:"&pid="; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010242; classtype:trojan-activity; sid:2010242; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zhelatin npopup Update Detected"; flow:established,to_server; http.method; content:"POST"; depth:4; http.uri; content:"/server/npopup/"; nocase; http.request_body; content:"data="; nocase; content:"&key="; nocase; reference:url,doc.emergingthreats.net/2007787; classtype:trojan-activity; sid:2007787; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
@@ -41038,57 +40644,57 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CBS Streaming Vide
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".smil"; endswith; nocase; http.host; content:"video.nbcuni.com"; startswith; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; http.uri; content:".php?exp=PDF"; classtype:exploit-kit; sid:2011815; rev:4; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; http.uri; content:".php?exp=PDF"; classtype:exploit-kit; sid:2011815; rev:4; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; http.uri; content:".php?exp=SMB"; classtype:exploit-kit; sid:2011814; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; http.uri; content:".php?exp=SMB"; classtype:exploit-kit; sid:2011814; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli HTTP Checkin Activity"; flow: to_server,established; http.uri; content:"/getmac.asp?x="; content:"&y="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:command-and-control; sid:2009215; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac Beacon Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.user_agent; content:"Mozilla"; bsize:7; http.request_body; content:"a="; nocase; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac Beacon Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.user_agent; content:"Mozilla"; bsize:7; http.request_body; content:"a="; nocase; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/l.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/l.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011907; rev:4; metadata:created_at 2010_11_08, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/l.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/l.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011907; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/index.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/index.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011905; rev:4; metadata:created_at 2010_11_08, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/index.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/index.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011905; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".avi"; classtype:exploit-kit; sid:2011513; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".avi"; classtype:exploit-kit; sid:2011513; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; http.uri; content:"tmp/flash.swf"; classtype:exploit-kit; sid:2011514; rev:5; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; http.uri; content:"tmp/flash.swf"; classtype:exploit-kit; sid:2011514; rev:5; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; http.uri; content:"collab.pdf"; classtype:exploit-kit; sid:2011515; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2020_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; http.uri; content:"collab.pdf"; classtype:exploit-kit; sid:2011515; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon"; flow:established,to_server; threshold: type both, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?cId="; fast_pattern; content:"&hos"; distance:0; content:"Name="; distance:0; content:"Info="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:command-and-control; sid:2023400; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon"; flow:established,to_server; threshold: type both, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?cId="; fast_pattern; content:"&hos"; distance:0; content:"Name="; distance:0; content:"Info="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:command-and-control; sid:2023400; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PLATINUM Dipsind CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ud7LDjtsTHe2tWeC8DYo8A**"; fast_pattern; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:command-and-control; sid:2024369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Dipsind, malware_family PLATINUM, performance_impact Low, signature_severity Major, tag APT, tag PLATINUM, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PLATINUM Dipsind CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ud7LDjtsTHe2tWeC8DYo8A**"; fast_pattern; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:command-and-control; sid:2024369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Dipsind, malware_family PLATINUM, signature_severity Major, tag APT, tag PLATINUM, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"site40.net"; endswith; fast_pattern; classtype:credential-theft; sid:2024470; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"site40.net"; endswith; fast_pattern; classtype:credential-theft; sid:2024470; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent (Opera/8.89)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Opera/8.89 (Windows NT 6.0|3b 20|U|3b 20|en)|0d0a|"; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009530; classtype:trojan-activity; sid:2009530; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"showmyip."; reference:url,doc.emergingthreats.net/2008989; classtype:attempted-recon; sid:2008989; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TRR DNS over HTTPS detected"; flow:established,to_server; http.header; content:"application/dns-udpwireformat"; reference:url,tools.ietf.org/html/draft-ietf-doh-dns-over-https-02; classtype:policy-violation; sid:2025980; rev:3; metadata:created_at 2018_08_07, deployment Perimeter, former_category POLICY, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO TRR DNS over HTTPS detected"; flow:established,to_server; http.header; content:"application/dns-udpwireformat"; reference:url,tools.ietf.org/html/draft-ietf-doh-dns-over-https-02; classtype:misc-activity; sid:2025980; rev:3; metadata:created_at 2018_08_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2020_09_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent Generic CnC Pattern"; flow:established,to_server; http.uri; content:"/rest/v"; content:"/clients/client?"; distance:0; content:"&agent_id="; distance:0; fast_pattern; http.user_agent; content:!"Mozilla"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_09_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; http.uri; content:"/trackedevent.aspx?"; nocase; content:"ver="; nocase; content:"&ver="; nocase; content:"&rnd="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:pup-activity; sid:2003306; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Check-in Response"; flow:established,to_client; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity; sid:2015896; rev:5; metadata:created_at 2012_11_19, former_category TROJAN, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Check-in Response"; flow:established,to_client; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity; sid:2015896; rev:5; metadata:created_at 2012_11_20, former_category TROJAN, updated_at 2020_09_02;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; http.uri; content:"/aanval/flex/AanvalFlex"; nocase; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; classtype:misc-activity; sid:2008561; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011378; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011378; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011380; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011380; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/csstidy/css_optimiser.php?"; nocase; content:"url="; nocase; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; classtype:web-application-attack; sid:2011383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/csstidy/css_optimiser.php?"; nocase; content:"url="; nocase; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; classtype:web-application-attack; sid:2011383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(?:ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/5609; reference:url,vupen.com/english/advisories/2009/2136; classtype:web-application-attack; sid:2011384; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(?:ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/5609; reference:url,vupen.com/english/advisories/2009/2136; classtype:web-application-attack; sid:2011384; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_noticeboard"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/12427; classtype:web-application-attack; sid:2011385; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_noticeboard"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/12427; classtype:web-application-attack; sid:2011385; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_02;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004132; classtype:web-application-attack; sid:2004132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
@@ -41100,7 +40706,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-A
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/device.rsp?opt=user&cmd=list"; depth:29; fast_pattern; http.cookie; content:"uid=admin"; nocase; reference:url,github.com/ezelf/CVE-2018-9995_dvr_credentials; reference:cve,2018-9995; classtype:attempted-admin; sid:2027971; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Imposter USPS Domain"; flow:established,to_server; http.host; content:".usps.com."; fast_pattern; classtype:bad-unknown; sid:2015848; rev:5; metadata:created_at 2012_10_26, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Imposter USPS Domain"; flow:established,to_server; http.host; content:".usps.com."; fast_pattern; classtype:bad-unknown; sid:2015848; rev:5; metadata:created_at 2012_10_27, updated_at 2020_09_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Buffer Overflow in Builtin Web Server"; flow:established,to_server; urilen:>200; http.start; content:"GET|20 01 10 8f e2 11 ff|"; depth:10; fast_pattern; content:"aaaaaaaa"; distance:0; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:attempted-admin; sid:2027972; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
 
@@ -41236,7 +40842,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY python.urllib User
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; http.uri; content:"/debug.cgi"; http.header; content:"Authorization|3a 20|Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011794; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011794; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2005177; classtype:web-application-attack; sid:2005177; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
@@ -41444,27 +41050,27 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Int
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php?"; nocase; content:"gid="; nocase; pcre:"/gid\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42195; classtype:web-application-attack; sid:2011942; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php?"; nocase; content:"gid="; nocase; pcre:"/gid\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42195; classtype:web-application-attack; sid:2011942; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011943; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011943; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011944; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011944; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011946; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011946; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011947; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011947; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/includes/window_top.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011948; rev:4; metadata:created_at 2010_11_19, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/includes/window_top.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011948; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/control/common.php?"; nocase; content:"lang_file="; nocase; pcre:"/lang_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011949; rev:4; metadata:created_at 2010_11_19, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/control/common.php?"; nocase; content:"lang_file="; nocase; pcre:"/lang_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011949; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/header.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011950; rev:4; metadata:created_at 2010_11_19, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/header.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011950; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011932; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011945; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011945; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softbiz Article Directory Script sbiz_id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/server/article_details.php?"; nocase; content:"sbiz_id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/14910/; classtype:web-application-attack; sid:2011987; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
@@ -41478,93 +41084,95 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jel
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids SELECT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004666; classtype:web-application-attack; sid:2004666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012001; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012001; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012002; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012002; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012003; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012003; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012004; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012004; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012005; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012005; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Base/example_1.php?"; nocase; content:"GLOBALS[MM_ROOT_DIRECTORY]="; nocase; pcre:"/GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15441/; classtype:web-application-attack; sid:2012006; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Base/example_1.php?"; nocase; content:"GLOBALS[MM_ROOT_DIRECTORY]="; nocase; pcre:"/GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15441/; classtype:web-application-attack; sid:2012006; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; pcre:"/skin_file=\s*(ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012007; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; pcre:"/skin_file=\s*(ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012007; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Apache2 Memory Corruption Inbound (CVE-2020-9490)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Cache-Digest|3a 20|EA"; fast_pattern; pcre:"/^(?:8=|9BQQ==)\r?\n?/R"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2030&q=apache&can=1; reference:cve,2020-9490; classtype:attempted-admin; sid:2030830; rev:1; metadata:created_at 2020_09_03, cve CVE_2020_9490, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-09-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; content:"&submit=Next"; fast_pattern; nocase; isdataat:!1,relative; pcre:"/^password=[^&]*&submit=Next$/i"; classtype:trojan-activity; sid:2031872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/feedlist/handler_image.php?"; nocase; content:"i="; nocase; pcre:"/i\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42197/; reference:url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56; classtype:web-application-attack; sid:2012009; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/feedlist/handler_image.php?"; nocase; content:"i="; nocase; pcre:"/i\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42197/; reference:url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56; classtype:web-application-attack; sid:2012009; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/initsystem.php?"; nocase; content:"loader_file="; nocase; reference:url,secunia.com/advisories/42101/; classtype:web-application-attack; sid:2012010; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/initsystem.php?"; nocase; content:"loader_file="; nocase; reference:url,secunia.com/advisories/42101/; classtype:web-application-attack; sid:2012010; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/fetchmailprefs.php?"; nocase; content:"actionID=fetchmail_prefs_save"; nocase; content:"fm_driver=imap"; nocase; content:"fm_id="; nocase; pcre:"/fm_id\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt; classtype:web-application-attack; sid:2012011; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/fetchmailprefs.php?"; nocase; content:"actionID=fetchmail_prefs_save"; nocase; content:"fm_driver=imap"; nocase; content:"fm_id="; nocase; pcre:"/fm_id\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt; classtype:web-application-attack; sid:2012011; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/api/download_launch.php?"; nocase; content:"filename="; nocase; reference:url,exploit-db.com/exploits/13966/; classtype:web-application-attack; sid:2012012; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/api/download_launch.php?"; nocase; content:"filename="; nocase; reference:url,exploit-db.com/exploits/13966/; classtype:web-application-attack; sid:2012012; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_smf/smf.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt; classtype:web-application-attack; sid:2012013; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_smf/smf.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt; classtype:web-application-attack; sid:2012013; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jimtawl"; nocase; content:"Itemid="; nocase; content:"task="; nocase; reference:url,expbase.com/WebApps/13388.html; reference:url,secunia.com/advisories/42324/; classtype:web-application-attack; sid:2012014; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jimtawl"; nocase; content:"Itemid="; nocase; content:"task="; nocase; reference:url,expbase.com/WebApps/13388.html; reference:url,secunia.com/advisories/42324/; classtype:web-application-attack; sid:2012014; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/viewver.php?"; nocase; content:"doc_root="; nocase; pcre:"/doc_root=\s*(?:ftps?|https?|php)\:\//i"; reference:url,expbase.com/WebApps/13387.html; reference:url,xforce.iss.net/xforce/xfdb/63343; classtype:web-application-attack; sid:2012015; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/viewver.php?"; nocase; content:"doc_root="; nocase; pcre:"/doc_root=\s*(?:ftps?|https?|php)\:\//i"; reference:url,expbase.com/WebApps/13387.html; reference:url,xforce.iss.net/xforce/xfdb/63343; classtype:web-application-attack; sid:2012015; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012016; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012016; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012017; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012017; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012018; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012018; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012019; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012019; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Malware Protection User-Agent Observed"; flow:to_server,established; http.user_agent; content:"MpCommunication"; depth:15; classtype:misc-activity; sid:2030835; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_03, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012020; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012020; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"action=gallery.list"; nocase; content:"id_gallery="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15595/; reference:url,secunia.com/advisories/42334/; classtype:web-application-attack; sid:2012021; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"action=gallery.list"; nocase; content:"id_gallery="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15595/; reference:url,secunia.com/advisories/42334/; classtype:web-application-attack; sid:2012021; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_cbe"; nocase; content:"task=userProfile"; nocase; content:"user="; nocase; content:"ajaxdirekt="; nocase; content:"tabname="; nocase; reference:url,exploit-db.com/exploits/15222/; classtype:web-application-attack; sid:2012022; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_cbe"; nocase; content:"task=userProfile"; nocase; content:"user="; nocase; content:"ajaxdirekt="; nocase; content:"tabname="; nocase; reference:url,exploit-db.com/exploits/15222/; classtype:web-application-attack; sid:2012022; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/home_1?"; nocase; content:"HomeCurrent_Date="; nocase; pcre:"/HomeCurrent_Date\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42344/; reference:url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html; classtype:web-application-attack; sid:2012023; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/home_1?"; nocase; content:"HomeCurrent_Date="; nocase; pcre:"/HomeCurrent_Date\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42344/; reference:url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html; classtype:web-application-attack; sid:2012023; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gbookmx/gbook.php?"; nocase; content:"newlangsel="; nocase; pcre:"/newlangsel=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/10986/; classtype:web-application-attack; sid:2012024; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gbookmx/gbook.php?"; nocase; content:"newlangsel="; nocase; pcre:"/newlangsel=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/10986/; classtype:web-application-attack; sid:2012024; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..//"; depth:200; http.method; content:"GET"; http.uri; content:"/download.php?"; nocase; content:"filesec=sitemap"; nocase; content:"filetype=text"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt; classtype:web-application-attack; sid:2012025; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..//"; depth:200; http.method; content:"GET"; http.uri; content:"/download.php?"; nocase; content:"filesec=sitemap"; nocase; content:"filetype=text"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt; classtype:web-application-attack; sid:2012025; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012026; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012026; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012027; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012027; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012028; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012028; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012029; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012029; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012030; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012030; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012032; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012032; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/login.php?"; nocase; content:"default_login_language="; nocase; reference:url,secunia.com/advisories/39144/; reference:url,1337db.com/exploits/11446; classtype:web-application-attack; sid:2012033; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/login.php?"; nocase; content:"default_login_language="; nocase; reference:url,secunia.com/advisories/39144/; reference:url,1337db.com/exploits/11446; classtype:web-application-attack; sid:2012033; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012034; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012034; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012035; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012035; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012037; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012037; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012038; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012038; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=en_Home"; nocase; content:"car="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15135/; classtype:web-application-attack; sid:2012039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=en_Home"; nocase; content:"car="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15135/; classtype:web-application-attack; sid:2012039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/en/front_content.php?"; nocase; content:"idart="; nocase; pcre:"/idart\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42440/; classtype:web-application-attack; sid:2012040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_10, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/en/front_content.php?"; nocase; content:"idart="; nocase; pcre:"/idart\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42440/; classtype:web-application-attack; sid:2012040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010018; classtype:web-application-attack; sid:2010018; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012073; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012073; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012074; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012074; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Goatzapszu Header from unknown Scanning Tool"; flow:established,to_server; http.header; content:"Goatzapszu|3a|"; nocase; classtype:attempted-recon; sid:2012077; rev:4; metadata:created_at 2010_12_18, updated_at 2020_09_04;)
 
@@ -41576,7 +41184,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus or Rela
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:8; metadata:created_at 2010_09_23, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"lang="; nocase; content:"&socksport="; nocase; content:"&httpport="; nocase; content:"&ver="; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:url,doc.emergingthreats.net/2002790; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; classtype:trojan-activity; sid:2002790; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"lang="; nocase; content:"&socksport="; nocase; content:"&httpport="; nocase; content:"&ver="; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:md5,e787c4437ff67061983cd08458f71c94; reference:md5,d86b9eaf9682d60cb8b928dc6ac40954; reference:md5,1777f0ffa890ebfcc7587957f2d08dca; reference:url,doc.emergingthreats.net/2002790; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; classtype:trojan-activity; sid:2002790; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon URL Infection Checkin Detected"; flow:established,to_server; http.uri; content:"?mac="; nocase; content:"&ver="; nocase; content:"&user="; nocase; content:"&md5="; nocase; content:"&pc="; nocase; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,doc.emergingthreats.net/2007592; classtype:command-and-control; sid:2007592; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
 
@@ -41616,15 +41224,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dev
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M2"; flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"getRunTime"; nocase; distance:0; fast_pattern; content:"exec"; nocase; pcre:"/=\s*\x25\s*\{\s*(?=.+?\bgetRunTime\b).+?\bexec\b/i"; classtype:attempted-admin; sid:2024815; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent STORMDDOS"; flow: established,to_server; http.user_agent; content:"STORMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011480; rev:7; metadata:created_at 2010_09_28, former_category USER_AGENTS, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent STORMDDOS"; flow: established,to_server; http.user_agent; content:"STORMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011480; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent IAMDDOS"; flow: established,to_server; http.user_agent; content:"IAMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011481; rev:7; metadata:created_at 2010_09_28, former_category USER_AGENTS, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent IAMDDOS"; flow: established,to_server; http.user_agent; content:"IAMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011481; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent YTDDOS"; flow: established,to_server; http.user_agent; content:"YTDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011483; rev:7; metadata:created_at 2010_09_28, former_category USER_AGENTS, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent YTDDOS"; flow: established,to_server; http.user_agent; content:"YTDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011483; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"useRawIMoutput"; content:"IMresizedData"; content:"config_prefer_imagemagick"; fast_pattern; reference:cve,2018-1000207; reference:url,www.exploit-db.com/exploits/45055; classtype:attempted-admin; sid:2025930; rev:3; metadata:attack_target Web_Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Kraddare Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"strID="; content:"strPC="; classtype:pup-activity; sid:2011492; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Kraddare Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"strID="; content:"strPC="; classtype:pup-activity; sid:2011492; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_04;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/dm-albums/template/album.php?"; nocase; content:"SECURITY_FILE="; nocase; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010025; classtype:web-application-attack; sid:2010025; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
@@ -41878,19 +41486,19 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP
 
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Cisco Jabber RCE Inbound (CVE-2020-3495)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CLIENT_REQUEST/"; http.request_body; content:".CallCppFunction|28|"; fast_pattern; reference:url,watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/; reference:cve,2020-3495; classtype:attempted-admin; sid:2030837; rev:1; metadata:created_at 2020_09_05, cve CVE_2020_3495, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pridecdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030838; rev:1; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pridecdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030838; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ordercheck.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030839; rev:1; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ordercheck.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030839; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apisquere.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030840; rev:2; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apisquere.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030840; rev:2; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=quicdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030841; rev:1; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=quicdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030841; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apienclave.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030842; rev:1; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apienclave.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030842; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquery-cycle.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030843; rev:1; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquery-cycle.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030843; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=b-metric.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030844; rev:1; metadata:created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=b-metric.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030844; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/NixScare Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"zipx=UEs"; startswith; fast_pattern; reference:md5,b04981c338165b27fc2e1e19c9713379; classtype:command-and-control; sid:2030845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_07, deployment Perimeter, former_category MALWARE, malware_family NixScare, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_09;)
 
@@ -42082,8 +41690,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fra
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005477; classtype:web-application-attack; sid:2005477; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"ASCII("; nocase;content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005479; classtype:web-application-attack; sid:2005479; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005480; classtype:web-application-attack; sid:2005480; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
@@ -42230,7 +41836,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/chat/dac.php?"; nocase; content:"sendChatData="; nocase; reference:url,milw0rm.com/exploits/8268; reference:bugtraq,34213; reference:url,doc.emergingthreats.net/2009390; classtype:web-application-attack; sid:2009390; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt "; flow:established,to_server; http.uri; content:"/home.php?page=http\:"; nocase; reference:url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt; reference:url,doc.emergingthreats.net/2009892; classtype:web-application-attack; sid:2009892; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt"; flow:established,to_server; http.uri; content:"/home.php?page=http\:"; nocase; reference:url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt; reference:url,doc.emergingthreats.net/2009892; classtype:web-application-attack; sid:2009892; rev:6; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_09;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_words.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009073; classtype:web-application-attack; sid:2009073; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
@@ -44590,7 +44196,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS php
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004223; classtype:web-application-attack; sid:2004223; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProjectButler RFI attempt "; flow:established,to_server; http.uri; content:"/pda_projects.php?offset=http\:"; nocase; reference:url,www.sans.org/top20/; reference:url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt; reference:url,doc.emergingthreats.net/2009887; classtype:web-application-attack; sid:2009887; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProjectButler RFI attempt"; flow:established,to_server; http.uri; content:"/pda_projects.php?offset=http\:"; nocase; reference:url,www.sans.org/top20/; reference:url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt; reference:url,doc.emergingthreats.net/2009887; classtype:web-application-attack; sid:2009887; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/_footer.php?"; nocase; content:"skin_path="; nocase; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009320; classtype:web-application-attack; sid:2009320; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
@@ -44732,33 +44338,33 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FCM
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AlstraSoft AskMe que_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/forum_answer.php?"; nocase; content:"que_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,exploit-db.com/exploits/14979/; classtype:web-application-attack; sid:2011547; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/gnupg/json.php?"; nocase; content:"task=send_key"; nocase; content:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/i"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/gnupg/json.php?"; nocase; content:"task=send_key"; nocase; content:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/i"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_del.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/13665; classtype:web-application-attack; sid:2011377; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_del.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/13665; classtype:web-application-attack; sid:2011377; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cacti/utilities.php"; nocase; content:"tail_lines="; nocase; content:"message_type="; nocase; content:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41204; classtype:web-application-attack; sid:2011428; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41204; classtype:web-application-attack; sid:2011428; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011429; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011429; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011450; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011450; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jgrid"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/40987/; reference:url,exploit-db.com/exploits/14656/; classtype:web-application-attack; sid:2011451; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jgrid"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/40987/; reference:url,exploit-db.com/exploits/14656/; classtype:web-application-attack; sid:2011451; rev:4; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/dailyview.php?"; nocase; content:"date="; nocase; pcre:"/date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13770; classtype:web-application-attack; sid:2011452; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/dailyview.php?"; nocase; content:"date="; nocase; pcre:"/date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13770; classtype:web-application-attack; sid:2011452; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/maincore.php?"; nocase; content:"folder_level="; nocase; reference:url,inj3ct0r.com/exploits/13709; classtype:web-application-attack; sid:2011453; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/maincore.php?"; nocase; content:"folder_level="; nocase; reference:url,inj3ct0r.com/exploits/13709; classtype:web-application-attack; sid:2011453; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/global.php?"; nocase; content:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/global.php?"; nocase; content:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:4; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011493; classtype:web-application-attack; sid:2011493; rev:6; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011493; classtype:web-application-attack; sid:2011493; rev:6; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files "; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/tmp-upload-images"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011494; classtype:web-application-attack; sid:2011494; rev:6; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/tmp-upload-images"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011494; classtype:web-application-attack; sid:2011494; rev:6; metadata:created_at 2010_09_29, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007277; classtype:web-application-attack; sid:2007277; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -44790,7 +44396,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006650; classtype:web-application-attack; sid:2006650; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; pcre:"/ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012031; rev:4; metadata:created_at 2010_12_10, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; pcre:"/ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012031; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_10;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005834; classtype:web-application-attack; sid:2005834; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -44832,9 +44438,9 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Flooder.Agent.NAS CnC
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9]{20}/R"; reference:url,doc.emergingthreats.net/2007650; classtype:command-and-control; sid:2007650; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/"; http.user_agent; content:"chrome/9.0"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:command-and-control; sid:2014163; rev:11; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/"; http.user_agent; content:"chrome/9.0"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:command-and-control; sid:2014163; rev:11; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)"; flow:established,to_server; http.uri; content:"/watch?v=iRXJXaLV0n4"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)|20|"; startswith; http.host; content:"www.youtube.com"; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Moderate, signature_severity Major, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)"; flow:established,to_server; http.uri; content:"/watch?v=iRXJXaLV0n4"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)|20|"; startswith; http.host; content:"www.youtube.com"; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.zhack.ca"; distance:20; within:11; endswith; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:url,github.com/ettic-team/dnsbin; classtype:command-and-control; sid:2028634; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_27, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
 
@@ -44844,17 +44450,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT VLC Media Play
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ardeaCore/lib/core/ardeaInit.php?"; nocase; content:"pathForArdeaCore="; nocase; pcre:"/pathForArdeaCore=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,40811; reference:url,vupen.com/english/advisories/2010/1444; reference:url,exploit-db.com/exploits/13832/; reference:url,doc.emergingthreats.net/2011214; classtype:web-application-attack; sid:2011214; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Cosmu.xet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"GoGo.ashx?Mac="; content:"&UserId="; content:"&Bate="; reference:url,www.threatexpert.com/report.aspx?md5=f39554f3afe92dca3597efc1f7709ad4; classtype:command-and-control; sid:2011278; rev:5; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Cosmu.xet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"GoGo.ashx?Mac="; content:"&UserId="; content:"&Bate="; reference:md5,f39554f3afe92dca3597efc1f7709ad4; classtype:command-and-control; sid:2011278; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Stuxnet index.php"; flow:to_server,established; http.uri; content:"/index.php?data=66a96e28"; nocase; reference:url,research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html; classtype:trojan-activity; sid:2011300; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (2)"; flow:established,to_server; http.uri; content:"/?rnd="; nocase; content:"&id="; pcre:"/\/\?rnd=\d+&id=\d+$/"; reference:url,www.threatexpert.com/report.aspx?md5=76cf08503cdd036850bcc4f29f64022f; reference:url,www.threatexpert.com/report.aspx?md5=579f2e29434218d62d31625d369cbc42; classtype:trojan-activity; sid:2011337; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (2)"; flow:established,to_server; http.uri; content:"/?rnd="; nocase; content:"&id="; pcre:"/\/\?rnd=\d+&id=\d+$/"; reference:md5,579f2e29434218d62d31625d369cbc42; reference:md5,76cf08503cdd036850bcc4f29f64022f; classtype:trojan-activity; sid:2011337; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeYak or Related Infection Checkin 1"; flow:established,to_server; http.uri; content:"&fff="; content:"&coid="; content:"do="; content:"&IP="; nocase; content:"lct="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:command-and-control; sid:2011396; rev:5; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Checkin"; flow:established,to_server; http.uri; content:".php?id="; nocase; content:"&ver="; nocase; content:"&up="; nocase; content:"&os="; nocase; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010791; classtype:command-and-control; sid:2011791; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Checkin"; flow:established,to_server; http.uri; content:".php?id="; nocase; content:"&ver="; nocase; content:"&up="; nocase; content:"&os="; nocase; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,doc.emergingthreats.net/2010791; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011791; rev:6; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; http.uri; content:"/socks.php?"; nocase; content:"name="; nocase; content:"&port="; nocase; pcre:"/port=[1-9]{1,5}/i"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:command-and-control; sid:2011523; rev:5; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; http.uri; content:"/socks.php?"; nocase; content:"name="; nocase; content:"&port="; nocase; pcre:"/port=[1-9]{1,5}/i"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011523; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_09_10;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutManager.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011666; classtype:web-application-attack; sid:2011666; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
@@ -45264,7 +44870,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Act
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ASCII"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007480; classtype:web-application-attack; sid:2007480; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; classtype:web-application-attack; sid:2007481; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; classtype:web-application-attack; sid:2007481; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007482; classtype:web-application-attack; sid:2007482; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -45286,7 +44892,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Act
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007490; classtype:web-application-attack; sid:2007490; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; classtype:web-application-attack; sid:2007491; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; classtype:web-application-attack; sid:2007491; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007492; classtype:web-application-attack; sid:2007492; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -45318,7 +44924,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ada
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Flex/index.template.html"; nocase; pcre:"/index.template.html.+(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:cve,2009-1879; reference:url,securitytracker.com/alerts/2009/Aug/1022748.html; reference:url,doc.emergingthreats.net/2010214; classtype:web-application-attack; sid:2010214; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/EditUrl.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008785; classtype:web-application-attack; sid:2008785; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/EditUrl.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008785; classtype:web-application-attack; sid:2008785; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AjaxPortal ajaxp_backend.php page Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ajaxp_backend.php?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/8341; reference:bugtraq,34338; reference:url,doc.emergingthreats.net/2009424; classtype:web-application-attack; sid:2009424; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -45338,7 +44944,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Akt
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004893; classtype:web-application-attack; sid:2004893; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; classtype:web-application-attack; sid:2004894; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; classtype:web-application-attack; sid:2004894; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004895; classtype:web-application-attack; sid:2004895; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -45368,7 +44974,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ann
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006561; classtype:web-application-attack; sid:2006561; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; classtype:web-application-attack; sid:2006562; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; classtype:web-application-attack; sid:2006562; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006564; classtype:web-application-attack; sid:2006564; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -46006,7 +45612,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cop
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005846; classtype:web-application-attack; sid:2005846; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.user_agent; content:"inspath [path disclosure finder"; startswith; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:5; metadata:created_at 2010_10_12, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.user_agent; content:"inspath [path disclosure finder"; startswith; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:5; metadata:created_at 2010_10_13, updated_at 2020_09_10;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005847; classtype:web-application-attack; sid:2005847; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -46110,7 +45716,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMX
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006087; classtype:web-application-attack; sid:2006087; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; classtype:web-application-attack; sid:2006088; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; classtype:web-application-attack; sid:2006088; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006089; classtype:web-application-attack; sid:2006089; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
@@ -46326,9 +45932,9 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dro
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004385; classtype:web-application-attack; sid:2004385; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (1)"; flow:established,to_server; http.uri; content:"v="; nocase; content:"&step="; nocase; content:"&hostid="; nocase; reference:url,www.abuse.ch/?p=2740; reference:url,www.abuse.ch/?p=2796; reference:url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88; reference:url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011577; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (1)"; flow:established,to_server; http.uri; content:"v="; nocase; content:"&step="; nocase; content:"&hostid="; nocase; reference:url,www.abuse.ch/?p=2796; reference:url,www.abuse.ch/?p=2740; reference:md5,c59cdd1366dd5c2f448c03738ec0dc88; reference:md5,b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011577; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (2)"; flow:established,to_server; http.uri; content:"/getfile.php?r="; nocase; content:"&p="; nocase; pcre:"/\/getfile\.php\?r=-?\d+&p=/"; reference:url,www.abuse.ch/?p=2740; reference:url,www.abuse.ch/?p=2796; reference:url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88; reference:url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011578; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (2)"; flow:established,to_server; http.uri; content:"/getfile.php?r="; nocase; content:"&p="; nocase; pcre:"/\/getfile\.php\?r=-?\d+&p=/"; reference:url,www.abuse.ch/?p=2796; reference:url,www.abuse.ch/?p=2740; reference:md5,c59cdd1366dd5c2f448c03738ec0dc88; reference:md5,b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011578; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id INSERT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004387; classtype:web-application-attack; sid:2004387; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
@@ -47324,7 +46930,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hed
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/header.php?"; nocase; content:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009233; classtype:web-application-attack; sid:2009233; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; http.uri; content:"/manda.php?"; content:"id="; nocase; content:"&v="; nocase; pcre:"/\/manda\.php\?id=(-)?\d{8,10}&v=\w/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:command-and-control; sid:2010765; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; http.uri; content:"/manda.php?"; content:"id="; nocase; content:"&v="; nocase; pcre:"/\/manda\.php\?id=(-)?\d{8,10}&v=\w/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,doc.emergingthreats.net/2010765; reference:md5,b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; classtype:command-and-control; sid:2010765; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_11;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/knowledgebase.php?"; nocase; content:"act=art"; nocase; content:"article_id="; nocase; pcre:"/(\?|&)article_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt; reference:url,doc.emergingthreats.net/2010609; classtype:web-application-attack; sid:2010609; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
@@ -47356,7 +46962,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hun
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004634; classtype:web-application-attack; sid:2004634; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005063; classtype:web-application-attack; sid:2005063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005063; classtype:web-application-attack; sid:2005063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005064; classtype:web-application-attack; sid:2005064; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
@@ -47784,7 +47390,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joo
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005424; classtype:web-application-attack; sid:2005424; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005425; classtype:web-application-attack; sid:2005425; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005425; classtype:web-application-attack; sid:2005425; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005426; classtype:web-application-attack; sid:2005426; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
@@ -47994,12163 +47600,22109 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_personel (id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_personel"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlapersonel-sql.txt; reference:url,doc.emergingthreats.net/2010541; classtype:web-application-attack; sid:2010541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_joomportfolio"; nocase; content:"secid="; nocase; pcre:"/(\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt; reference:url,doc.emergingthreats.net/2010542; classtype:web-application-attack; sid:2010542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_joomportfolio"; nocase; content:"secid="; nocase; pcre:"/(\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt; reference:url,doc.emergingthreats.net/2010542; classtype:web-application-attack; sid:2010542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010555; classtype:web-application-attack; sid:2010555; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010556; classtype:web-application-attack; sid:2010556; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010557; classtype:web-application-attack; sid:2010557; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010558; classtype:web-application-attack; sid:2010558; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010559; classtype:web-application-attack; sid:2010559; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_kkcontent"; nocase; content:"catID="; nocase; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; reference:url,doc.emergingthreats.net/2010606; classtype:web-application-attack; sid:2010606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; reference:url,doc.emergingthreats.net/2010620; classtype:web-application-attack; sid:2010620; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010636; classtype:web-application-attack; sid:2010636; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010637; classtype:web-application-attack; sid:2010637; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010638; classtype:web-application-attack; sid:2010638; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010639; classtype:web-application-attack; sid:2010639; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010640; classtype:web-application-attack; sid:2010640; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-comments-post.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010659; classtype:web-application-attack; sid:2010659; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-trackback.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010660; classtype:web-application-attack; sid:2010660; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010710; classtype:web-application-attack; sid:2010710; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010711; classtype:web-application-attack; sid:2010711; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010712; classtype:web-application-attack; sid:2010712; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010713; classtype:web-application-attack; sid:2010713; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010714; classtype:web-application-attack; sid:2010714; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010750; classtype:web-application-attack; sid:2010750; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010751; classtype:web-application-attack; sid:2010751; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010752; classtype:web-application-attack; sid:2010752; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010753; classtype:web-application-attack; sid:2010753; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010754; classtype:web-application-attack; sid:2010754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_mediaslide/viewer.php?"; nocase; content:"path="; nocase; reference:bugtraq,37440; reference:url,doc.emergingthreats.net/2010780; classtype:web-application-attack; sid:2010780; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010805; classtype:web-application-attack; sid:2010805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010806; classtype:web-application-attack; sid:2010806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010807; classtype:web-application-attack; sid:2010807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010808; classtype:web-application-attack; sid:2010808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010809; classtype:web-application-attack; sid:2010809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_intuit/models/intuit.php?"; nocase; content:"approval="; nocase; reference:url,www.exploit-db.com/exploits/10730; reference:url,doc.emergingthreats.net/2010833; classtype:web-application-attack; sid:2010833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010843; classtype:web-application-attack; sid:2010843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010844; classtype:web-application-attack; sid:2010844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010845; classtype:web-application-attack; sid:2010845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010846; classtype:web-application-attack; sid:2010846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010842; classtype:web-application-attack; sid:2010842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_morfeoshow/morfeoshow.html.php?"; nocase; content:"user_id="; nocase; pcre:"/user_id\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,secdb.4sec.org/?s1=exp&sid=18773; reference:url,doc.emergingthreats.net/2010848; classtype:web-application-attack; sid:2010848; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010853; classtype:web-application-attack; sid:2010853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010854; classtype:web-application-attack; sid:2010854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010855; classtype:web-application-attack; sid:2010855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010856; classtype:web-application-attack; sid:2010856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010857; classtype:web-application-attack; sid:2010857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010924; classtype:web-application-attack; sid:2010924; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010925; classtype:web-application-attack; sid:2010925; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010926; classtype:web-application-attack; sid:2010926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010927; classtype:web-application-attack; sid:2010927; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010928; classtype:web-application-attack; sid:2010928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010947; classtype:web-application-attack; sid:2010947; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010948; classtype:web-application-attack; sid:2010948; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010949; classtype:web-application-attack; sid:2010949; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010950; classtype:web-application-attack; sid:2010950; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010951; classtype:web-application-attack; sid:2010951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jcollection&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11088; reference:url,doc.emergingthreats.net/2010942; classtype:web-application-attack; sid:2010942; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?option=com_ccnewsletter&"; nocase; content:"controller="; nocase; reference:bugtraq,37987; reference:url,doc.emergingthreats.net/2010989; classtype:web-application-attack; sid:2010989; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010990; classtype:web-application-attack; sid:2010990; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010991; classtype:web-application-attack; sid:2010991; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010992; classtype:web-application-attack; sid:2010992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010993; classtype:web-application-attack; sid:2010993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010994; classtype:web-application-attack; sid:2010994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010981; classtype:web-application-attack; sid:2010981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010982; classtype:web-application-attack; sid:2010982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010983; classtype:web-application-attack; sid:2010983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010984; classtype:web-application-attack; sid:2010984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010985; classtype:web-application-attack; sid:2010985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_communitypolls&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11511; reference:url,doc.emergingthreats.net/2010996; classtype:web-application-attack; sid:2010996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011001; classtype:web-application-attack; sid:2011001; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011002; classtype:web-application-attack; sid:2011002; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011003; classtype:web-application-attack; sid:2011003; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011004; classtype:web-application-attack; sid:2011004; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011005; classtype:web-application-attack; sid:2011005; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011022; classtype:web-application-attack; sid:2011022; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011023; classtype:web-application-attack; sid:2011023; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011024; classtype:web-application-attack; sid:2011024; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011025; classtype:web-application-attack; sid:2011025; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011026; classtype:web-application-attack; sid:2011026; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_jcalpro/cal_popup.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt; reference:url,doc.emergingthreats.net/2011017; classtype:web-application-attack; sid:2011017; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_wgpicasa&"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/39467; reference:url,exploit-db.com/exploits/12230; reference:url,doc.emergingthreats.net/2011067; classtype:web-application-attack; sid:2011067; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011077; classtype:web-application-attack; sid:2011077; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011078; classtype:web-application-attack; sid:2011078; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011079; classtype:web-application-attack; sid:2011079; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011080; classtype:web-application-attack; sid:2011080; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011081; classtype:web-application-attack; sid:2011081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11845; reference:url,doc.emergingthreats.net/2011131; classtype:web-application-attack; sid:2011131; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_universal/includes/config/config.html.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11865; reference:bugtraq,38949; reference:url,doc.emergingthreats.net/2011132; classtype:web-application-attack; sid:2011132; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009383; classtype:web-application-attack; sid:2009383; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//i"; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009384; classtype:web-application-attack; sid:2009384; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_ongumatimesheet20/lib/onguma.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,32095; reference:cve,CVE-2008-6347; reference:url,www.exploit-db.com/exploits/6976/; reference:url,doc.emergingthreats.net/2009391; classtype:web-application-attack; sid:2009391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006760; classtype:web-application-attack; sid:2006760; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006761; classtype:web-application-attack; sid:2006761; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006762; classtype:web-application-attack; sid:2006762; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006763; classtype:web-application-attack; sid:2006763; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006764; classtype:web-application-attack; sid:2006764; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006765; classtype:web-application-attack; sid:2006765; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006766; classtype:web-application-attack; sid:2006766; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006767; classtype:web-application-attack; sid:2006767; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006768; classtype:web-application-attack; sid:2006768; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006769; classtype:web-application-attack; sid:2006769; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006770; classtype:web-application-attack; sid:2006770; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006771; classtype:web-application-attack; sid:2006771; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006772; classtype:web-application-attack; sid:2006772; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006773; classtype:web-application-attack; sid:2006773; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006774; classtype:web-application-attack; sid:2006774; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006775; classtype:web-application-attack; sid:2006775; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006776; classtype:web-application-attack; sid:2006776; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006777; classtype:web-application-attack; sid:2006777; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/adm/krgourl.php?"; nocase; content:"DOCUMENT_ROOT="; nocase; pcre:"/DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt; reference:url,doc.emergingthreats.net/2010475; classtype:web-application-attack; sid:2010475; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/customer.forumtopic.php?"; nocase; content:"forum_topic_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,2008-5590; reference:bugtraq,32672; reference:url,www.exploit-db.com/exploits/7368/; reference:url,doc.emergingthreats.net/2009198; classtype:web-application-attack; sid:2009198; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/linking.page.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,29205; reference:url,milw0rm.com/exploits/5611; reference:url,doc.emergingthreats.net/2009658; classtype:web-application-attack; sid:2009658; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004641; classtype:web-application-attack; sid:2004641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004642; classtype:web-application-attack; sid:2004642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004643; classtype:web-application-attack; sid:2004643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004644; classtype:web-application-attack; sid:2004644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004645; classtype:web-application-attack; sid:2004645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004646; classtype:web-application-attack; sid:2004646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/engine/content/elements/menu.php?"; nocase; content:"CONFIG[AdminPath]="; nocase; pcre:"/CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57688; reference:url,doc.emergingthreats.net/2010197; classtype:web-application-attack; sid:2010197; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004979; classtype:web-application-attack; sid:2004979; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004980; classtype:web-application-attack; sid:2004980; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004981; classtype:web-application-attack; sid:2004981; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004982; classtype:web-application-attack; sid:2004982; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004983; classtype:web-application-attack; sid:2004983; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004984; classtype:web-application-attack; sid:2004984; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005796; classtype:web-application-attack; sid:2005796; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005797; classtype:web-application-attack; sid:2005797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005798; classtype:web-application-attack; sid:2005798; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005799; classtype:web-application-attack; sid:2005799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005800; classtype:web-application-attack; sid:2005800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005801; classtype:web-application-attack; sid:2005801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005069; classtype:web-application-attack; sid:2005069; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005070; classtype:web-application-attack; sid:2005070; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005071; classtype:web-application-attack; sid:2005071; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005072; classtype:web-application-attack; sid:2005072; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005073; classtype:web-application-attack; sid:2005073; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005074; classtype:web-application-attack; sid:2005074; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005973; classtype:web-application-attack; sid:2005973; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005974; classtype:web-application-attack; sid:2005974; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005975; classtype:web-application-attack; sid:2005975; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005976; classtype:web-application-attack; sid:2005976; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005977; classtype:web-application-attack; sid:2005977; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005978; classtype:web-application-attack; sid:2005978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006315; classtype:web-application-attack; sid:2006315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006316; classtype:web-application-attack; sid:2006316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006317; classtype:web-application-attack; sid:2006317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006318; classtype:web-application-attack; sid:2006318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006319; classtype:web-application-attack; sid:2006319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006320; classtype:web-application-attack; sid:2006320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004523; classtype:web-application-attack; sid:2004523; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004524; classtype:web-application-attack; sid:2004524; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004525; classtype:web-application-attack; sid:2004525; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004526; classtype:web-application-attack; sid:2004526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004527; classtype:web-application-attack; sid:2004527; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004528; classtype:web-application-attack; sid:2004528; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/include/unverified.inc.php?"; nocase; content:"template="; nocase; reference:bugtraq,27964; reference:url,juniper.net/security/auto/vulnerabilities/vuln27964.html; reference:url,www.exploit-db.com/exploits/5179/; reference:url,doc.emergingthreats.net/2009761; classtype:web-application-attack; sid:2009761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007294; classtype:web-application-attack; sid:2007294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007295; classtype:web-application-attack; sid:2007295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007296; classtype:web-application-attack; sid:2007296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007297; classtype:web-application-attack; sid:2007297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007298; classtype:web-application-attack; sid:2007298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007299; classtype:web-application-attack; sid:2007299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007300; classtype:web-application-attack; sid:2007300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007301; classtype:web-application-attack; sid:2007301; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007302; classtype:web-application-attack; sid:2007302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007303; classtype:web-application-attack; sid:2007303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007304; classtype:web-application-attack; sid:2007304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007305; classtype:web-application-attack; sid:2007305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007306; classtype:web-application-attack; sid:2007306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007307; classtype:web-application-attack; sid:2007307; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007308; classtype:web-application-attack; sid:2007308; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007309; classtype:web-application-attack; sid:2007309; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007310; classtype:web-application-attack; sid:2007310; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007311; classtype:web-application-attack; sid:2007311; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007312; classtype:web-application-attack; sid:2007312; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007313; classtype:web-application-attack; sid:2007313; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007314; classtype:web-application-attack; sid:2007314; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007315; classtype:web-application-attack; sid:2007315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007316; classtype:web-application-attack; sid:2007316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007317; classtype:web-application-attack; sid:2007317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007318; classtype:web-application-attack; sid:2007318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007319; classtype:web-application-attack; sid:2007319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007320; classtype:web-application-attack; sid:2007320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007321; classtype:web-application-attack; sid:2007321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007322; classtype:web-application-attack; sid:2007322; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007323; classtype:web-application-attack; sid:2007323; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007324; classtype:web-application-attack; sid:2007324; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007325; classtype:web-application-attack; sid:2007325; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007326; classtype:web-application-attack; sid:2007326; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007327; classtype:web-application-attack; sid:2007327; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007328; classtype:web-application-attack; sid:2007328; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007329; classtype:web-application-attack; sid:2007329; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007330; classtype:web-application-attack; sid:2007330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007331; classtype:web-application-attack; sid:2007331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007332; classtype:web-application-attack; sid:2007332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id DELETE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007333; classtype:web-application-attack; sid:2007333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007334; classtype:web-application-attack; sid:2007334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007335; classtype:web-application-attack; sid:2007335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010023; classtype:web-application-attack; sid:2010023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; pcre:"/cwd=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010024; classtype:web-application-attack; sid:2010024; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006657; classtype:web-application-attack; sid:2006657; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006658; classtype:web-application-attack; sid:2006658; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006659; classtype:web-application-attack; sid:2006659; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006660; classtype:web-application-attack; sid:2006660; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006661; classtype:web-application-attack; sid:2006661; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006663; classtype:web-application-attack; sid:2006663; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006664; classtype:web-application-attack; sid:2006664; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006665; classtype:web-application-attack; sid:2006665; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006666; classtype:web-application-attack; sid:2006666; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ASCII"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006667; classtype:web-application-attack; sid:2006667; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006668; classtype:web-application-attack; sid:2006668; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007362; classtype:web-application-attack; sid:2007362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007364; classtype:web-application-attack; sid:2007364; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007363; classtype:web-application-attack; sid:2007363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007365; classtype:web-application-attack; sid:2007365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007366; classtype:web-application-attack; sid:2007366; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007367; classtype:web-application-attack; sid:2007367; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007368; classtype:web-application-attack; sid:2007368; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007369; classtype:web-application-attack; sid:2007369; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007370; classtype:web-application-attack; sid:2007370; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007371; classtype:web-application-attack; sid:2007371; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007372; classtype:web-application-attack; sid:2007372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007373; classtype:web-application-attack; sid:2007373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/smallaxe-0.3.1/inc/linkbar.php?"; nocase; content:"cfile="; nocase; pcre:"/cfile\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10676; reference:url,doc.emergingthreats.net/2011000; classtype:web-application-attack; sid:2011000; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lito Lite CMS cate.php cid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cate.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/7294/; reference:url,secunia.com/advisories/32910/; reference:url,doc.emergingthreats.net/2008927; classtype:web-application-attack; sid:2008927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006473; classtype:web-application-attack; sid:2006473; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006474; classtype:web-application-attack; sid:2006474; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006475; classtype:web-application-attack; sid:2006475; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006476; classtype:web-application-attack; sid:2006476; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006477; classtype:web-application-attack; sid:2006477; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006478; classtype:web-application-attack; sid:2006478; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005829; classtype:web-application-attack; sid:2005829; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005830; classtype:web-application-attack; sid:2005830; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005831; classtype:web-application-attack; sid:2005831; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005832; classtype:web-application-attack; sid:2005832; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005833; classtype:web-application-attack; sid:2005833; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt"; flow:established,to_server; http.uri; content:"pathToIndex="; nocase; content:".php?"; nocase; pcre:"/\.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\?/i"; reference:url,www.exploit-db.com/exploits/9729/; reference:url,doc.emergingthreats.net/2010530; classtype:web-application-attack; sid:2010530; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006321; classtype:web-application-attack; sid:2006321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006322; classtype:web-application-attack; sid:2006322; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006323; classtype:web-application-attack; sid:2006323; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006324; classtype:web-application-attack; sid:2006324; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006325; classtype:web-application-attack; sid:2006325; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006326; classtype:web-application-attack; sid:2006326; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/profiles/html/simpleSearch.do?name="; nocase; pcre:"/name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload)/i"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022945.html; reference:url,doc.emergingthreats.net/2009990; classtype:web-application-attack; sid:2009990; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004961; classtype:web-application-attack; sid:2004961; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004962; classtype:web-application-attack; sid:2004962; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004963; classtype:web-application-attack; sid:2004963; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004964; classtype:web-application-attack; sid:2004964; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004965; classtype:web-application-attack; sid:2004965; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004966; classtype:web-application-attack; sid:2004966; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004967; classtype:web-application-attack; sid:2004967; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004968; classtype:web-application-attack; sid:2004968; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004969; classtype:web-application-attack; sid:2004969; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004970; classtype:web-application-attack; sid:2004970; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004971; classtype:web-application-attack; sid:2004971; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004972; classtype:web-application-attack; sid:2004972; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005511; classtype:web-application-attack; sid:2005511; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005512; classtype:web-application-attack; sid:2005512; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005514; classtype:web-application-attack; sid:2005514; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005515; classtype:web-application-attack; sid:2005515; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005516; classtype:web-application-attack; sid:2005516; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005517; classtype:web-application-attack; sid:2005517; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006225; classtype:web-application-attack; sid:2006225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006226; classtype:web-application-attack; sid:2006226; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006227; classtype:web-application-attack; sid:2006227; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006228; classtype:web-application-attack; sid:2006228; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006229; classtype:web-application-attack; sid:2006229; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006230; classtype:web-application-attack; sid:2006230; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006231; classtype:web-application-attack; sid:2006231; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006232; classtype:web-application-attack; sid:2006232; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006233; classtype:web-application-attack; sid:2006233; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006234; classtype:web-application-attack; sid:2006234; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006235; classtype:web-application-attack; sid:2006235; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006236; classtype:web-application-attack; sid:2006236; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012066; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auktion/auktion_text.php?"; nocase; content:"id_auk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12005/; classtype:web-application-attack; sid:2012068; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; reference:url,exploit-db.com/exploits/15736/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012069; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; pcre:"/db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/15735/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012070; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/session.cgi?"; nocase; content:"sid="; nocase; content:"app=urchin.cgi"; nocase; content:"action=prop"; nocase; content:"rid="; nocase; content:"n="; nocase; content:"vid="; nocase; content:"dtc="; nocase; content:"cmd="; nocase; content:"gfid="; nocase; reference:url,exploit-db.com/exploits/15737/; classtype:web-application-attack; sid:2012071; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?"; nocase; content:"v1="; nocase; pcre:"/v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42544; classtype:web-application-attack; sid:2012072; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006237; classtype:web-application-attack; sid:2006237; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006238; classtype:web-application-attack; sid:2006238; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006239; classtype:web-application-attack; sid:2006239; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006240; classtype:web-application-attack; sid:2006240; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006241; classtype:web-application-attack; sid:2006241; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006242; classtype:web-application-attack; sid:2006242; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006243; classtype:web-application-attack; sid:2006243; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006244; classtype:web-application-attack; sid:2006244; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006245; classtype:web-application-attack; sid:2006245; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006246; classtype:web-application-attack; sid:2006246; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006247; classtype:web-application-attack; sid:2006247; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006248; classtype:web-application-attack; sid:2006248; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008897; classtype:web-application-attack; sid:2008897; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008898; classtype:web-application-attack; sid:2008898; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/getid3.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011062; classtype:web-application-attack; sid:2011062; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/module.archive.gzip.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011063; classtype:web-application-attack; sid:2011063; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004427; classtype:web-application-attack; sid:2004427; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004428; classtype:web-application-attack; sid:2004428; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004429; classtype:web-application-attack; sid:2004429; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004430; classtype:web-application-attack; sid:2004430; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004431; classtype:web-application-attack; sid:2004431; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004432; classtype:web-application-attack; sid:2004432; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004433; classtype:web-application-attack; sid:2004433; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004434; classtype:web-application-attack; sid:2004434; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004435; classtype:web-application-attack; sid:2004435; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004436; classtype:web-application-attack; sid:2004436; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004437; classtype:web-application-attack; sid:2004437; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004438; classtype:web-application-attack; sid:2004438; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004766; classtype:web-application-attack; sid:2004766; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004767; classtype:web-application-attack; sid:2004767; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004768; classtype:web-application-attack; sid:2004768; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004769; classtype:web-application-attack; sid:2004769; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004770; classtype:web-application-attack; sid:2004770; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004771; classtype:web-application-attack; sid:2004771; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt"; flow:established,to_server; http.uri; content:"/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?"; nocase; content:"Command=FileUpload"; nocase; content:"/configuration.php"; nocase; content:"CurrentFolder="; nocase; reference:url,www.securityfocus.com/bid/27472/info; reference:url,doc.emergingthreats.net/2009937; classtype:web-application-attack; sid:2009937; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_viewfulllisting"; nocase; content:"listing_id="; nocase; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; reference:url,doc.emergingthreats.net/2010605; classtype:web-application-attack; sid:2010605; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011091; classtype:web-application-attack; sid:2011091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011092; classtype:web-application-attack; sid:2011092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011093; classtype:web-application-attack; sid:2011093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011094; classtype:web-application-attack; sid:2011094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011095; classtype:web-application-attack; sid:2011095; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prodshow.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005141; classtype:web-application-attack; sid:2005141; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005142; classtype:web-application-attack; sid:2005142; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005143; classtype:web-application-attack; sid:2005143; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005144; classtype:web-application-attack; sid:2005144; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005145; classtype:web-application-attack; sid:2005145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005146; classtype:web-application-attack; sid:2005146; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9350/; reference:url,vupen.com/english/advisories/2009/2136; reference:url,doc.emergingthreats.net/2011259; classtype:web-application-attack; sid:2011259; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1)"; flow:established,to_server; http.uri; content:"/includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009888; classtype:web-application-attack; sid:2009888; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)"; flow:established,to_server; http.uri; content:"/classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009889; classtype:web-application-attack; sid:2009889; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3)"; flow:established,to_server; http.uri; content:"/classes/class.thcsm_user.php?is_path=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009890; classtype:web-application-attack; sid:2009890; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4)"; flow:established,to_server; http.uri; content:"/modul/mod.users.php?thCMS_root=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009891; classtype:web-application-attack; sid:2009891; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"queueMsgType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011082; classtype:web-application-attack; sid:2011082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"QtnType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011083; classtype:web-application-attack; sid:2011083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004265; classtype:web-application-attack; sid:2004265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004266; classtype:web-application-attack; sid:2004266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004267; classtype:web-application-attack; sid:2004267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004268; classtype:web-application-attack; sid:2004268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004269; classtype:web-application-attack; sid:2004269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004270; classtype:web-application-attack; sid:2004270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004271; classtype:web-application-attack; sid:2004271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004272; classtype:web-application-attack; sid:2004272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004273; classtype:web-application-attack; sid:2004273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004274; classtype:web-application-attack; sid:2004274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004275; classtype:web-application-attack; sid:2004275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004276; classtype:web-application-attack; sid:2004276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004277; classtype:web-application-attack; sid:2004277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004278; classtype:web-application-attack; sid:2004278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004279; classtype:web-application-attack; sid:2004279; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004280; classtype:web-application-attack; sid:2004280; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004281; classtype:web-application-attack; sid:2004281; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004282; classtype:web-application-attack; sid:2004282; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004283; classtype:web-application-attack; sid:2004283; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004284; classtype:web-application-attack; sid:2004284; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004285; classtype:web-application-attack; sid:2004285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004286; classtype:web-application-attack; sid:2004286; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004287; classtype:web-application-attack; sid:2004287; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004288; classtype:web-application-attack; sid:2004288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004289; classtype:web-application-attack; sid:2004289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004290; classtype:web-application-attack; sid:2004290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004291; classtype:web-application-attack; sid:2004291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004292; classtype:web-application-attack; sid:2004292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004293; classtype:web-application-attack; sid:2004293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004294; classtype:web-application-attack; sid:2004294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004295; classtype:web-application-attack; sid:2004295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004297; classtype:web-application-attack; sid:2004297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004298; classtype:web-application-attack; sid:2004298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004299; classtype:web-application-attack; sid:2004299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004300; classtype:web-application-attack; sid:2004300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004301; classtype:web-application-attack; sid:2004301; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004302; classtype:web-application-attack; sid:2004302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004303; classtype:web-application-attack; sid:2004303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004304; classtype:web-application-attack; sid:2004304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004305; classtype:web-application-attack; sid:2004305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004306; classtype:web-application-attack; sid:2004306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/centre.php?"; nocase; content:"padmin="; nocase; reference:url,vupen.com/english/advisories/2008/2938; reference:url,www.exploit-db.com/exploits/6846/; reference:url,doc.emergingthreats.net/2009330; classtype:web-application-attack; sid:2009330; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; content:"settings[locale]="; nocase; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.exploit-db.com/exploits/9018/; reference:url,doc.emergingthreats.net/2010631; classtype:web-application-attack; sid:2010631; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyioSoft EasyBookMarker Parent parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmarker_backend.php?"; nocase; content:"Parent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32636/; reference:url,www.exploit-db.com/exploits/7053/; reference:url,doc.emergingthreats.net/2008835; classtype:web-application-attack; sid:2008835; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My PHP Dating id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/success_story.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,secunia.com/advisories/32268; reference:url,www.exploit-db.com/exploits/6754/; reference:url,doc.emergingthreats.net/2008672; classtype:web-application-attack; sid:2008672; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006627; classtype:web-application-attack; sid:2006627; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006628; classtype:web-application-attack; sid:2006628; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006629; classtype:web-application-attack; sid:2006629; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006630; classtype:web-application-attack; sid:2006630; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006631; classtype:web-application-attack; sid:2006631; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006632; classtype:web-application-attack; sid:2006632; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004612; classtype:web-application-attack; sid:2004612; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004613; classtype:web-application-attack; sid:2004613; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004614; classtype:web-application-attack; sid:2004614; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004615; classtype:web-application-attack; sid:2004615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004616; classtype:web-application-attack; sid:2004616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004617; classtype:web-application-attack; sid:2004617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004095; classtype:web-application-attack; sid:2004095; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004096; classtype:web-application-attack; sid:2004096; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004097; classtype:web-application-attack; sid:2004097; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004098; classtype:web-application-attack; sid:2004098; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004099; classtype:web-application-attack; sid:2004099; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004100; classtype:web-application-attack; sid:2004100; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UNION"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004743; classtype:web-application-attack; sid:2004743; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004742; classtype:web-application-attack; sid:2004742; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004744; classtype:web-application-attack; sid:2004744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004745; classtype:web-application-attack; sid:2004745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004746; classtype:web-application-attack; sid:2004746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004747; classtype:web-application-attack; sid:2004747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006880; classtype:web-application-attack; sid:2006880; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006881; classtype:web-application-attack; sid:2006881; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006882; classtype:web-application-attack; sid:2006882; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006883; classtype:web-application-attack; sid:2006883; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006884; classtype:web-application-attack; sid:2006884; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006885; classtype:web-application-attack; sid:2006885; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006736; classtype:web-application-attack; sid:2006736; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006737; classtype:web-application-attack; sid:2006737; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006738; classtype:web-application-attack; sid:2006738; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006739; classtype:web-application-attack; sid:2006739; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006740; classtype:web-application-attack; sid:2006740; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006741; classtype:web-application-attack; sid:2006741; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006742; classtype:web-application-attack; sid:2006742; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006743; classtype:web-application-attack; sid:2006743; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006744; classtype:web-application-attack; sid:2006744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006745; classtype:web-application-attack; sid:2006745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006746; classtype:web-application-attack; sid:2006746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006747; classtype:web-application-attack; sid:2006747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012122; classtype:web-application-attack; sid:2012122; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012123; classtype:web-application-attack; sid:2012123; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012125; classtype:web-application-attack; sid:2012125; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012126; classtype:web-application-attack; sid:2012126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012127; classtype:web-application-attack; sid:2012127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012128; classtype:web-application-attack; sid:2012128; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012129; classtype:web-application-attack; sid:2012129; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pingsvr.php?"; nocase; content:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt; reference:url,doc.emergingthreats.net/2012130; classtype:web-application-attack; sid:2012130; rev:6; metadata:created_at 2010_12_30, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_seyret"; nocase; content:"task=videodirectlink"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14172/; reference:url,doc.emergingthreats.net/2012131; classtype:web-application-attack; sid:2012131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012161; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012162; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012163; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/accept-signups/accept-signups_submit.php?"; nocase; content:"email="; nocase; pcre:"/email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt; classtype:web-application-attack; sid:2012164; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/blocks/file/controller.php?"; nocase; content:"DIR_FILES_BLOCK_TYPES_CORE="; nocase; pcre:"/DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,45669; classtype:web-application-attack; sid:2012165; rev:6; metadata:created_at 2011_01_07, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/com_xmovie/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt; classtype:web-application-attack; sid:2012166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/express_edit/editor.aspx?"; nocase; content:"index="; nocase; content:"AND"; nocase; content:"IF"; nocase; pcre:"/AND.*IF\(/i"; reference:url,exploit-db.com/exploits/15124/; classtype:web-application-attack; sid:2012167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hst="; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:md5,dfd424684f3a5c44ff425c7fe425ca8b; classtype:command-and-control; sid:2030853; rev:1; metadata:created_at 2020_09_11, former_category MALWARE, performance_impact Low, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/tiki-jsplugin.php?"; nocase; content:"plugin="; nocase; content:"language="; nocase; reference:url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46; classtype:web-application-attack; sid:2012168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006748; classtype:web-application-attack; sid:2006748; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006749; classtype:web-application-attack; sid:2006749; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006751; classtype:web-application-attack; sid:2006751; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006752; classtype:web-application-attack; sid:2006752; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006753; classtype:web-application-attack; sid:2006753; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006754; classtype:web-application-attack; sid:2006754; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006756; classtype:web-application-attack; sid:2006756; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006757; classtype:web-application-attack; sid:2006757; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006758; classtype:web-application-attack; sid:2006758; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006759; classtype:web-application-attack; sid:2006759; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007288; classtype:web-application-attack; sid:2007288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007289; classtype:web-application-attack; sid:2007289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007290; classtype:web-application-attack; sid:2007290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007291; classtype:web-application-attack; sid:2007291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007292; classtype:web-application-attack; sid:2007292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007293; classtype:web-application-attack; sid:2007293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012181; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/media.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:6; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/xmlrpc/server.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/libs/PLUGINADMIN.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012185; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/profile/user.php?"; nocase; content:"aXconf[default_language]="; nocase; reference:url,exploit-db.com/exploits/15938/; classtype:web-application-attack; sid:2012186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/bizdir/bizdir.cgi?"; nocase; content:"f_srch="; nocase; pcre:"/f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt; classtype:web-application-attack; sid:2012187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/English_manual_version_2.php?"; nocase; content:"client="; nocase; pcre:"/client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012190; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/zimplit.php?"; nocase; content:"action=load"; nocase; content:"file="; nocase; pcre:"/file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012191; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scan"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"varhttp|3A|/"; nocase; content:"wwwhttp|3A|/"; nocase; content:"htmlhttp|3A|/"; nocase; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:7; metadata:created_at 2010_10_13, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud.swf?"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/op/op.Login.php?"; nocase; content:"login="; nocase; content:"sesstheme="; nocase; content:"lang="; nocase; reference:bugtraq,37828; classtype:web-application-attack; sid:2012217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud-ru.swf"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012220; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; http.uri; content:"/proc/self/environ"; nocase; classtype:web-application-attack; sid:2012230; rev:6; metadata:created_at 2011_01_25, updated_at 2020_09_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/send.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Opera 8.11 UA related to Trojan Activity"; flow:established,to_server; http.header; content:"|20|HTTP/1.0|0d 0a|"; content:"|0d 0a|User-Agent|3a 20|opera/8.11|0d 0a|"; classtype:trojan-activity; sid:2012315; rev:4; metadata:created_at 2011_02_18, former_category USER_AGENTS, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/customer_ftp.php?"; nocase; content:"id="; nocase; pcre:"/id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/16051/; classtype:web-application-attack; sid:2012334; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=viewbus"; nocase; content:"bus="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16034/; classtype:web-application-attack; sid:2012335; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012336; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012337; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012338; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012339; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012340; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012341; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012342; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/active_auctions.php?"; nocase; content:"lan="; nocase; reference:url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63; classtype:web-application-attack; sid:2012343; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib/addressbook.php?"; nocase; content:"basedir="; nocase; pcre:"/basedir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12369/; classtype:web-application-attack; sid:2012344; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_frontenduseraccess"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/43137/; reference:url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909; classtype:web-application-attack; sid:2012345; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012346; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012347; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012348; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012349; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012350; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/SearchCenter/Pages/AllResults.aspx?"; nocase; content:"k="; nocase; pcre:"/k\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98029/enp-xss.txt; classtype:web-application-attack; sid:2012351; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/browsecats.php?"; nocase; content:"cid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16062/; classtype:web-application-attack; sid:2012352; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/audio/getid3/demos/demo.browse.php?"; nocase; content:"showfile="; nocase; pcre:"/showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt; classtype:web-application-attack; sid:2012353; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/gradebook/open_document.php?"; nocase; content:"file="; reference:bugtraq,46173; classtype:web-application-attack; sid:2012354; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?"; nocase; content:"PHPCOVERAGE_HOME"; nocase; pcre:"/PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt; classtype:web-application-attack; sid:2012355; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/js/modalbox/tests/functional/_ajax_method_get.php?"; nocase; content:"param="; nocase; pcre:"/param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt; classtype:web-application-attack; sid:2012356; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_xgallery/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt; classtype:web-application-attack; sid:2012357; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flash_upload.php?"; nocase; content:"modelid="; nocase; content:"ORDER"; nocase; content:"BY"; nocase; pcre:"/ORDER.+BY/i"; reference:bugtraq,45933; classtype:web-application-attack; sid:2012358; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"enfiniql2buev6o.m.pipedream.net"; bsize:31; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:domain-c2; sid:2030851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reimageplus Ransomware Checkin"; flow:established,to_server; http.request_line; content:"GET /?computer_name="; startswith; content:"&userName="; content:"&allow=ransom HTTP/1.1"; endswith; fast_pattern; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:command-and-control; sid:2030852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile)"; flow:established,to_server;  http.method; content:"GET"; http.uri; content:!"."; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8"; bsize:85; content:!"application/signed-exchange"; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 4.1.1|3b 20|Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari";  bsize:123; content:!"Safari/535.19"; http.cookie; content:"__guid="; depth:7; content:"|3b|opqopq="; distance:0; fast_pattern; content:"|3b|QiHooGUID="; distance:0; content:"|3b|"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; classtype:command-and-control; sid:2032746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012361; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012362; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012363; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012365; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012366; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012367; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012368; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/com_swmenupro/ImageManager/Classes/ImageManager.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt; classtype:web-application-attack; sid:2012369; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/explanation.php?"; nocase; content:"explain"; nocase; pcre:"/explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012370; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/modules/boonex/custom_rss/post_mod_crss.php?"; nocase; content:"relocate"; nocase; pcre:"/relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012371; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.cfm?"; nocase; content:"actcfug=LibraryView"; nocase; content:"LibraryID="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14935/; classtype:web-application-attack; sid:2012372; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/util/barcode.php?"; nocase; content:"type="; nocase; reference:url,packetstormsecurity.org/files/view/98424/horde-lfi.txt; classtype:web-application-attack; sid:2012373; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012374; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012375; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012376; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012377; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012378; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allauctions.php?"; nocase; content:"aid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt; classtype:web-application-attack; sid:2012379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/core/themes.php?"; nocase; content:"L_failedopentheme="; nocase; pcre:"/L_failedopentheme\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt; classtype:web-application-attack; sid:2012380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itechd.php?"; nocase; content:"productid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; http.uri; content:"awstats.cgi"; nocase; content:"config="; nocase; content:"pluginmode=rawlog"; nocase; content:"configdir=|5C 5C|"; nocase; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:4; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf/WebMessage"; nocase; content:"OpenView"; nocase; content:"messageString="; nocase; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf"; nocase; content:"unescape"; nocase; fast_pattern; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Cewolf?"; nocase; pcre:"/\&(width|height)\=([2-9][0-9][0-9][0-9]*)/i"; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html; classtype:web-application-attack; sid:2012406; rev:5; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; pcre:"/post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012411; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012412; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012413; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012414; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012415; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012416; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012417; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1"; flow:established,to_server; http.uri; content:"/shipping/methods/fedex_v7/label_mgr/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012418; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; http.uri; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ScriptResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6; metadata:created_at 2010_10_13, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/i"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?dn"; nocase; content:"&flrdr="; fast_pattern; nocase; content:"&nxte="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008639; classtype:trojan-activity; sid:2008639; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; http.user_agent; content:"Win98"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3A|"; content:"X-Size|3A|"; content:"X-Sn|3A|"; fast_pattern; classtype:trojan-activity; sid:2014232; rev:5; metadata:created_at 2012_02_16, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Web_Client_Attacks, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/entman/index.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:7; metadata:created_at 2010_09_28, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.user_agent; content:"|20|Netsparker)"; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_pro_desk"; nocase; content:"include_file="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; http.user_agent; content:"FDM 3."; depth:6; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; flow:established,to_server; http.user_agent; content:"python-requests/"; classtype:attempted-recon; sid:2017515; rev:6; metadata:created_at 2013_09_25, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:1; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.user_agent; content:"Windows 3.1"; fast_pattern; content:!"Cisco AnyConnect VPN Agent"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017603; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; http.uri; content:"/timthumb.php?"; content:!"webshot=1"; distance:0; content:"src="; distance:0; content:"http"; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/i"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:exploit-kit; sid:2014846; rev:14; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode"; flow:established,to_server; http.uri; content:"/svn/"; nocase; content:".exe"; distance:0; nocase; fast_pattern; http.host; content:".googlecode.com"; endswith; classtype:trojan-activity; sid:2018191; rev:4; metadata:created_at 2014_02_27, former_category CURRENT_EVENTS, updated_at 2020_09_13;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Custom Contact Forms DB Upload/Download Auth Bypass"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-post.php?"; nocase; content:"page=ccf_settings"; nocase; fast_pattern; http.request_body; pcre:"/ccf_(?:(?:clear|merge)_im|ex)port/i"; reference:url,blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html; classtype:web-application-attack; sid:2018975; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_08_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; threshold:type limit, count 10, seconds 60, track by_src; http.user_agent; content:"Mozilla/5.0 SF"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; http.user_agent; content:"bsqlbf"; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WebShag Web Application Scan Detected"; flow:to_server,established; http.user_agent; content:"webshag"; reference:url,www.scrt.ch/pages_en/outils.html; classtype:attempted-recon; sid:2009158; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; http.method; content:"GET"; http.header; content:"C|3a|/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.uni.cc domain"; flow:to_server,established; http.host; content:".uni.cc"; endswith; classtype:bad-unknown; sid:2013438; rev:5; metadata:created_at 2011_08_19, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; http.uri; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; classtype:web-application-attack; sid:2006447; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; urilen:22; http.method; content:"POST"; http.uri; content:"/cgi-bin/setup_dns.exe"; http.request_body; content:"getpage=|2e 2e|/html/setup/dns.htm"; depth:29; fast_pattern; content:"resolver|3a|settings/nameserver1="; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:6; metadata:created_at 2015_04_08, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Aribitrary File Upload Vulnerability in WP Mobile Detector"; flow:from_client,established; http.uri; content:"/wp-content/plugins/wp-mobile-detector/"; content:"resize.php?src=http"; fast_pattern; reference:url,pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/; classtype:attempted-user; sid:2022860; rev:4; metadata:created_at 2016_06_03, updated_at 2020_09_14;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; flowbits:set,ET.GOOTKIT; http.method; content:"GET"; http.uri; content:"/ftp"; nocase; http.header; content:!"www.trendmicro.com"; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest"; nocase; startswith; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (3)"; flow:established,to_server; http.uri; content:"/?id"; nocase; content:"&rnd="; pcre:"/\/\?id(\d+)?&rnd=\d+$/"; http.header; content:!"Windows NT"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,438bcb3c4a304b65419674ce8775d8a3; classtype:trojan-activity; sid:2011338; rev:6; metadata:created_at 2010_09_28, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?V="; fast_pattern; content:"&U="; distance:0; http.header; content:"Windows NT"; content:"Referer|3a|"; content:".php|0d 0a|"; distance:0; http.header_names; content:!"Accept-"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024176; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, signature_severity Major, tag Felismus, tag c2, updated_at 2020_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery_photo.php?"; nocase; content:"photo_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008831; classtype:web-application-attack; sid:2008831; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mainx_a.php?"; nocase; content:"x="; nocase; content:"xid="; nocase; content:"bid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/15999/; classtype:web-application-attack; sid:2012219; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&from_main_page="; nocase; distance:0; fast_pattern; content:"&version="; nocase; distance:0; content:"&autologin="; nocase; distance:0; content:"&client="; nocase; distance:0; content:"&uiWebPath="; nocase; distance:0; classtype:credential-theft; sid:2032465; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Verified by Visa Phish Jan 30 2014"; flow:established,to_server; http.uri; content:"/vbv.php"; fast_pattern; http.request_body; content:"password="; classtype:credential-theft; sid:2018044; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; flowbits:set,ET.PROPFIND; flowbits:noalert; http.method; content:"PROPFIND"; nocase; classtype:misc-activity; sid:2011456; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; http.stat_code; content:"404"; http.stat_msg; content:"Not Found"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BTWebClient UA uTorrent in use"; flow:established,to_server; http.user_agent; content:"BTWebClient"; classtype:policy-violation; sid:2012247; rev:6; metadata:created_at 2011_01_27, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; http.user_agent; content:"rtorrent/"; depth:9; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; classtype:policy-violation; sid:2011705; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/hnmain.inc.php3?"; nocase; content:"config[incdir]="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,inj3ct0r.com/exploits/11731; reference:url,exploit-db.com/exploits/12160; reference:url,doc.emergingthreats.net/2011161; classtype:web-application-attack; sid:2011161; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz"; flow:established,to_client; http.cookie; content:"snkz="; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/R"; classtype:trojan-activity; sid:2018141; rev:5; metadata:created_at 2014_02_15, former_category TROJAN, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Libtorrent User-Agent"; flow:to_server,established; http.user_agent; content:"libtorrent"; nocase; classtype:policy-violation; sid:2012390; rev:6; metadata:created_at 2011_02_27, former_category P2P, updated_at 2020_09_14;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell GIF"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027738; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_14;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell JPEG"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027739; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client HTTP Request"; flow:to_server,established; http.uri; content:"/trackerphp/announce.php?"; nocase; content:"?port="; nocase; content:"&peer_id="; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; classtype:trojan-activity; sid:2006375; rev:8; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install"; flow: to_server,established; http.uri; content:"/morpheus/morpheus.exe"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; classtype:policy-violation; sid:2001035; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; http.uri; content:"/morpheus/morpheus_sm.ini"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; classtype:policy-violation; sid:2001036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; http.uri; content:"/gwebcache/gcache.asg?hostfile="; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; classtype:policy-violation; sid:2001037; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; http.uri; content:"/ycontent/stats.php?version="; nocase; content:"EVENT=InstallBegin"; nocase; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 2, seconds 5; http.uri; content:"/acunetix-wvs-test-for-some-inexistent-file"; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.uri; content:"/Netsparker-"; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; classtype:web-application-attack; sid:2004546; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/imc/login.jsf"; nocase; content:"loginForm"; nocase; content:"javax.faces.ViewState="; nocase; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; classtype:web-application-attack; sid:2011145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; content:"email|3D|"; nocase; content:"hostname|3D|"; nocase; content:"default|5F|domain|3D|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; classtype:web-application-attack; sid:2010462; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"onmouseover="; nocase; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; classtype:web-application-attack; sid:2009715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; classtype:attempted-user; sid:2010460; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon; sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/support_param.html/config"; nocase; content:"Admin_Name=&Admin_Phone="; nocase; content:"Product_URL="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/i"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; classtype:web-application-attack; sid:2010919; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; http.uri; content:".aspx|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_cmdshell"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_servicecontrol"; nocase; pcre:"/(start|stop|continue|pause|querystate)/i"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; reference:url,doc.emergingthreats.net/2009816; classtype:web-application-attack; sid:2009816; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"sp_adduser"; nocase; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; classtype:web-application-attack; sid:2009817; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_reg"; nocase; pcre:"/xp_reg(read|write|delete)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; classtype:web-application-attack; sid:2009818; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_fileexist"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; classtype:web-application-attack; sid:2009819; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_enumerrorlogs"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; classtype:web-application-attack; sid:2009820; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_readerrorlogs"; nocase; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; reference:url,doc.emergingthreats.net/2009822; classtype:web-application-attack; sid:2009822; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_"; nocase; content:"_enum"; nocase; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; classtype:web-application-attack; sid:2009823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; classtype:attempted-recon; sid:2011142; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; classtype:attempted-recon; sid:2011143; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; classtype:attempted-recon; sid:2011144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=https|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009152; classtype:web-application-attack; sid:2009152; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftp|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009153; classtype:web-application-attack; sid:2009153; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftps\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009155; classtype:web-application-attack; sid:2009155; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; http.uri; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; classtype:web-application-attack; sid:2006443; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; classtype:web-application-attack; sid:2006444; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; http.uri; content:"varchar("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; http.uri; content:"exec("; nocase; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; http.uri; content:"DECLARE|20|"; nocase; content:"CHAR("; nocase; content:"CAST("; nocase; reference:url,doc.emergingthreats.net/2008467; classtype:attempted-admin; sid:2008467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; http.uri; content:"ALTER"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; classtype:web-application-attack; sid:2010084; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; http.uri; content:"DROP"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; classtype:web-application-attack; sid:2010085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; http.uri; content:"CREATE"; nocase; pcre:"/^\s+(database|procedure|table|column|directory)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; classtype:web-application-attack; sid:2010086; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"CUR"; nocase; distance:0; pcre:"/^(?:DATE|TIME)/Ri"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; classtype:web-application-attack; sid:2010966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"TABLES"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; classtype:web-application-attack; sid:2010967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"VALUES"; nocase; distance:0; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; classtype:web-application-attack; sid:2011039; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MassLogger Domain in TLS SNI (ecigroup-tw .com)"; flow:established,to_server; tls.sni; content:"ecigroup-tw.com"; bsize:15; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030879; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (enoyq5xy70oq .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"enoyq5xy70oq.x.pipedream.net"; bsize:28; reference:md5,033abc4e8a618e545e4e84e0504f853d; classtype:coin-mining; sid:2030872; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; http.uri; content:"BENCHMARK("; nocase; content:")"; pcre:"/BENCHMARK\x28[0-9].+\x29/i"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; classtype:web-application-attack; sid:2011041; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; http.uri; content:"REVERSE"; nocase; pcre:"/[^\w]REVERSE[^\w]?\(/i"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; classtype:web-application-attack; sid:2011122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_layouts/help.aspx"; nocase; content:"cid0="; nocase; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; classtype:web-application-attack; sid:2011073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; http.uri; content:"/utility.cgi?testType="; nocase; content:"IP="; nocase; content:"|7C 7C|"; pcre:"/\x7C\x7C.+[a-z]/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; classtype:attempted-admin; sid:2010159; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004386; classtype:web-application-attack; sid:2004386; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"INSTR"; nocase; pcre:"/SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; classtype:web-application-attack; sid:2010284; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SUBSTR"; nocase; pcre:"/SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; classtype:web-application-attack; sid:2010285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; http.uri; content:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:pup-activity; sid:2003060; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_14;)
+
+alert http any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; http.uri; content:"/prxjdg.cgi"; nocase; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/etc/passwd?format="; content:"><script>alert('xss')"; content:"traversal="; reference:url,www.computec.ch/projekte/httprecon/; reference:url,doc.emergingthreats.net/2008627; classtype:attempted-recon; sid:2008627; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/.adSensePostNotThereNoNobook"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Backend Data Miner Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/actSensePostNotThereNoNotive"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008629; classtype:attempted-recon; sid:2008629; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|0D 0A|Location|3A|"; nocase; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; classtype:web-application-attack; sid:2011763; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; classtype:attempted-recon; sid:2009479; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".pl~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".conf~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; classtype:web-application-attack; sid:2009952; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".aspx~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; classtype:web-application-attack; sid:2009953; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".cgi~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; classtype:web-application-attack; sid:2010820; rev:9; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 1"; flow:established,to_client; http.cookie; content:"ci_session="; file.data; content:"ne_unik"; fast_pattern; within:7; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:4; metadata:created_at 2013_05_31, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M10"; flow:established,to_server; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:"Referer|0d 0a|"; distance:0; reference:md5,ba2e4a231652f8a492feb937b1e96e71; classtype:trojan-activity; sid:2030868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Major, updated_at 2020_09_14;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=peernew.com"; nocase; endswith; reference:md5,f3ead1eef8ee0d3b4aceaef10b7b4a9c; classtype:domain-c2; sid:2030867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Zimbra Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Zimbra Web Client Sign In"; fast_pattern; classtype:social-engineering; sid:2030869; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_09_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoLang Dropper Domain (en7dftkjiipor .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en7dftkjiipor.x.pipedream.net"; bsize:29; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:md5,a1de4ff7292f4557a7b133d90e2ec538; classtype:domain-c2; sid:2030873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (endpsbn1u6m8f .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"endpsbn1u6m8f.x.pipedream.net"; bsize:29; reference:md5,0789fc10c0b2e34b4d780b147ae98759; classtype:coin-mining; sid:2030874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (en24zuggh3ywlj .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en24zuggh3ywlj.x.pipedream.net"; bsize:30; reference:md5,785a7a47010d58638b874f29c4a1f0ad; classtype:coin-mining; sid:2030875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030876; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Inbound"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".i.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030877; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Phish M1 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"location="; depth:9; nocase; content:"&langa="; nocase; distance:0; content:"&ext="; nocase; distance:0; content:"&hold="; nocase; distance:0; content:"&djj="; nocase; distance:0; content:"&dmm="; nocase; distance:0; content:"&daa="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expiry="; nocase; distance:0; content:"&cvc="; nocase; distance:0; classtype:credential-theft; sid:2032466; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sage Ransomware Checkin"; flow:established,from_server; flowbits:isset,ET.Sage.Primer; http.header; content:"Content-Length|3a 20|1|0d 0a|"; file.data; content:"k"; within:1; endswith; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; http.content_type; content:"application/x-msdownload"; bsize:24; file.data; content:"|3d 28 28|"; within:3; endswith; classtype:exploit-kit; sid:2023768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/foo-autenticazione.php"; fast_pattern; endswith; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2024370; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Broken/Filtered Payload Download Jun 19 2017"; flow:established,from_server; http.header; content:"Content-Length|3a 20|8|0d 0a|"; fast_pattern; file.data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; endswith; classtype:exploit-kit; sid:2024414; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FF-RAT Stage 1 CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?hdr_ctx="; fast_pattern; pcre:"/\.php\?hdr_ctx=[0-9]{1,5}_[0-9]{1,5}$/"; http.user_agent; content:"Mozilla/5.0"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html; classtype:command-and-control; sid:2024419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LockPOS CnC"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"lock"; fast_pattern; endswith; http.request_body; content:"|00 00 00|"; offset:1; depth:3; reference:md5,0ad35a566cfb60959576835ede75983b; reference:url,www.arbornetworks.com/blog/asert/lockpos-joins-flock/; classtype:command-and-control; sid:2024461; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, malware_family PoS, signature_severity Major, tag POS, tag LockPOS, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)"; dns.query; content:"formyip.com"; endswith; classtype:external-ip-check; sid:2024830; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dragonfly APT Activity HTTP URI OPTIONS"; flow:established,to_server; http.method; content:"OPTIONS"; http.uri; content:"/ame_icon.png"; fast_pattern; endswith; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024899; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in DNS Lookup)"; dns.query; content:"handbrakestore.com"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024890; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in DNS Lookup)"; dns.query; content:"eltima.in"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024888; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in DNS Lookup)"; dns.query; content:"handbrake.cc"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024892; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M5 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/server.armel"; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024928; rev:4; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic 000webhostapp.com Phish 2017-10-27"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:credential-theft; sid:2029664; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017"; flow:to_server, established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"pasuma"; nocase; depth:100; fast_pattern; content:"name"; nocase; classtype:credential-theft; sid:2024942; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M4"; dns.query; content:"cbk99.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024933; rev:5; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M5"; dns.query; content:"bbk80.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024934; rev:5; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1 .com in DNS Lookup)"; dns.query; content:"cba4a6e5d3c956548a337c52388473f1.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024956; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (0a0074066c49886a39b5a3072582f5d6 .net in DNS Lookup)"; dns.query; content:"0a0074066c49886a39b5a3072582f5d6.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024957; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (73780fbd309561e201a4aee9914d882d .org in DNS Lookup)"; dns.query; content:"73780fbd309561e201a4aee9914d882d.org"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024958; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (dcb5684707f6c66492aaa9f7d9bfb5a6 .biz in DNS Lookup)"; dns.query; content:"dcb5684707f6c66492aaa9f7d9bfb5a6.biz"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024959; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (322ffbbc7c1b312c2f9d942f20422f8d .com in DNS Lookup)"; dns.query; content:"322ffbbc7c1b312c2f9d942f20422f8d.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024960; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (18bca7c5fd709ac468ba148c590ef6bf .net in DNS Lookup)"; dns.query; content:"18bca7c5fd709ac468ba148c590ef6bf.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024961; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (aaafc94b3a37b75ae9cb60afc42e86fe .org in DNS Lookup)"; dns.query; content:"aaafc94b3a37b75ae9cb60afc42e86fe.org"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024962; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (c13a856f4a879a89e9a638207efd6c94 .biz in DNS Lookup)"; dns.query; content:"c13a856f4a879a89e9a638207efd6c94.biz"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024963; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M6"; dns.query; content:"bbk86.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024935; rev:4; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M7"; dns.query; content:"ha859.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024936; rev:4; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (2fa3c2fa16c47d9b9bff8986a42b048f .com in DNS Lookup)"; dns.query; content:"2fa3c2fa16c47d9b9bff8986a42b048f.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024964; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (3ec9b600789b3bacf2c72ebae142a9c3 .net in DNS Lookup)"; dns.query; content:"3ec9b600789b3bacf2c72ebae142a9c3.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024965; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (tashdqdxp .com in DNS Lookup)"; dns.query; content:"tashdqdxp.com"; endswith; classtype:trojan-activity; sid:2024986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (weryhstui .com in DNS Lookup)"; dns.query; content:"weryhstui.com"; endswith; classtype:trojan-activity; sid:2024987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (fyoutside .com in DNS Lookup)"; dns.query; content:"fyoutside.com"; endswith; classtype:trojan-activity; sid:2024988; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (olinaodi .com in DNS Lookup)"; dns.query; content:"olinaodi.com"; endswith; classtype:trojan-activity; sid:2024989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible barclays .co. uk Phishing Domain 2016-06-22"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"barclays.co.uk"; fast_pattern; isdataat:20,relative; content:!".exit"; endswith; classtype:social-engineering; sid:2032445; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Amazon Phishing Domain 2016-06-21"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"amazon.com"; fast_pattern; isdataat:20,relative; content:!".exit"; endswith; classtype:social-engineering; sid:2032444; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".tk"; endswith; fast_pattern; classtype:credential-theft; sid:2023137; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; dns.query; content:"loaderclientarea24.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; dns.query; content:"loaderclientarea22.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; dns.query; content:"loaderclientarea20.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; dns.query; content:"loaderclientarea15.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Shiz.fxm/Agent-TBT Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 2.0|3b|"; depth:34; fast_pattern; http.referer; content:"http://www.google.com"; depth:21; endswith; classtype:command-and-control; sid:2013435; rev:6; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_09_14;)
+
+alert http any any -> any any (msg:"ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wpad.dat"; fast_pattern; endswith; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022913; rev:5; metadata:created_at 2016_06_23, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; dns.query; content:".su"; nocase; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:4; metadata:created_at 2012_01_31, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; dns.query; content:".3322.org"; nocase; endswith; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:9; metadata:created_at 2011_01_12, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vflooder.C Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"google.com"; fast_pattern; depth:10; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2021337; rev:5; metadata:created_at 2015_06_24, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup"; dns.query; content:"ilo.brenz.pl"; nocase; endswith; classtype:trojan-activity; sid:2012730; rev:7; metadata:created_at 2011_04_27, former_category TROJAN, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)"; flow:established,to_server; threshold:type both,track by_src,count 2,seconds 10; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; depth:36; endswith; classtype:bad-unknown; sid:2018430; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; http.host; content:".pw"; fast_pattern; endswith; content:!"u.pw"; depth:4; endswith; classtype:bad-unknown; sid:2016777; rev:14; metadata:created_at 2013_04_20, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xtrat.A Checkin"; flow:established,to_server; http.uri; content:".functions"; fast_pattern; endswith; pcre:"/^\/\d+\.functions$/"; http.host; content:!"microsoft.com"; http.header_names; content:!"Referer"; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2016275; rev:12; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 2"; flow:established,to_server; urilen:>1; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; http.method; content:"POST"; http.uri; content:"/"; endswith; http.content_len; byte_test:0,>,99,0,string,dec; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; content:!"User-Agent"; content:!"Accept"; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:command-and-control; sid:2020418; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; http.host; content:"checkip.dyndns.org"; fast_pattern; depth:18; endswith; classtype:external-ip-check; sid:2021378; rev:5; metadata:created_at 2015_07_02, former_category POLICY, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".exe"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2016141; rev:7; metadata:created_at 2013_01_03, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Session"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2009512; classtype:trojan-activity; sid:2009512; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.Rean Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; pcre:"/\/\d{10}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; fast_pattern; endswith; http.protocol; content:"HTTP/1.0"; reference:md5,0a998a070beb287524f9be6dd650c959; classtype:command-and-control; sid:2013339; rev:8; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check"; flow:established,to_server; urilen:1; http.user_agent; content:"|3b 20|MSIE|20|"; fast_pattern; http.host; content:"www.google.com"; depth:14; endswith; http.accept; content:"*/*"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:59; endswith; classtype:trojan-activity; sid:2018242; rev:7; metadata:created_at 2014_03_10, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.host; content:"api.wipmania.com"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; classtype:trojan-activity; sid:2015800; rev:10; metadata:created_at 2012_10_13, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installer)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Installer"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; dns.query; content:".flnet.org"; nocase; endswith; classtype:bad-unknown; sid:2014500; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P possible torrent download"; flow:established,to_server; http.uri; content:".torrent"; nocase; endswith; http.host; content:!"mapfactor.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:10; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious double Server Header"; flow:from_server,established; http.header_names; content:"|0d 0a|Server|0d 0a|"; content:"Server|0d 0a|"; distance:0; http.response_line; content:"HTTP/1.1 200"; depth:12; endswith; classtype:trojan-activity; sid:2012707; rev:7; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:established,to_client; http.response_line; content:"HTTP/1.1 405 Method Not Allowed"; depth:31; endswith; nocase; file.data; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010520; classtype:web-application-attack; sid:2010520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent Containing .exe"; flow:established,to_server; http.uri; content:!"CTX_"; http.header; content:!"lnssatt.exe"; http.user_agent; content:".exe"; nocase; endswith; fast_pattern; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; content:!"vsee.exe"; nocase; http.host; content:!"gfi.com"; content:!"pandasoftware.com"; classtype:trojan-activity; sid:2013224; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag User_Agent, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; http.host; content:".3322.net"; endswith; classtype:misc-activity; sid:2014788; rev:9; metadata:created_at 2012_05_19, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; dns.query; content:"networksecurityx.hopto.org"; endswith; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:6; metadata:created_at 2014_01_24, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; dns.query; content:".dtdns.net"; nocase; endswith; classtype:bad-unknown; sid:2014492; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2013684; rev:6; metadata:created_at 2011_09_22, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2014493; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kelihos.F EXE Download Common Structure"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:12; metadata:created_at 2013_10_15, updated_at 2020_09_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.me"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030881; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.net"; bsize:9; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030882; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Exfil Domain (imags .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"imags.pw"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030883; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:!"driftmania"; http.user_agent; content:"Mozilla"; depth:7; http.host; content:!"coreftp.com"; http.request_body; content:"data="; depth:5; fast_pattern; pcre:"/^[A-F0-9]{100,}$/R"; http.header_names; content:!"Referer"; reference:md5,a3440b6117f3783989683753c9f394dd; classtype:command-and-control; sid:2022504; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alphacrypt, malware_family TeslaCrypt, signature_severity Major, tag Ransomware, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; dns.query; content:".myftp.biz"; nocase; endswith; classtype:bad-unknown; sid:2013823; rev:5; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Headers - Likely CnC Beacon"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Connection|0d 0a|"; depth:28; content:!"Referer"; content:!"Accept-"; content:"User-Agent|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2019755; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY IP Check Domain (iplogger .org in DNS Lookup)"; dns.query; content:"iplogger.org"; endswith; classtype:policy-violation; sid:2035948; rev:4; metadata:created_at 2017_11_27, former_category POLICY, updated_at 2020_09_15;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (iplogger .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"iplogger.org"; endswith; nocase; classtype:policy-violation; sid:2035949; rev:4; metadata:created_at 2017_11_27, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_articles"; depth:13; fast_pattern; content:"/"; endswith; http.header_names; content:"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:md5,9a705a2c25a8b30de80e59dbb9adab83; classtype:command-and-control; sid:2018644; rev:6; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Checkin 2"; flow:to_server,established; urilen:20; http.method; content:"POST"; http.uri; content:"/forum/viewtopic.php"; endswith; http.user_agent; content:"Windows 98)"; endswith; fast_pattern; http.content_type; content:"application/octet-stream"; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:command-and-control; sid:2016550; rev:8; metadata:created_at 2013_01_12, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - www.ip.cn"; flow:established,to_server; http.host; content:"www.ip.cn"; depth:9; endswith; classtype:external-ip-check; sid:2021600; rev:5; metadata:created_at 2015_08_06, former_category POLICY, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".8800.org"; endswith; classtype:misc-activity; sid:2014784; rev:8; metadata:created_at 2012_05_18, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain .ntkrnlpa.info Lookup"; dns.query; content:".ntkrnlpa.info"; nocase; endswith; classtype:trojan-activity; sid:2012729; rev:6; metadata:created_at 2011_04_27, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VBKrypt.cugq/Umbra Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bot.php"; nocase; fast_pattern; endswith; http.request_body; content:"mode="; nocase; pcre:"/^\d/Ri"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:command-and-control; sid:2018518; rev:10; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin"; flow:established,to_server; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z-_]+?\.(php|html)$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016553; rev:6; metadata:created_at 2013_03_08, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; http.host; content:".mooo.com"; endswith; classtype:bad-unknown; sid:2015634; rev:6; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Simda.C Checkin"; flow:established,to_server; http.uri; content:"/?"; nocase; http.uri.raw; content:"=%96%"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Trident/4.0|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 3.0.04506.590|3b 20|.NET CLR 3.0.04506.648|3b 20|.NET CLR 3.5.21022|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:command-and-control; sid:2016300; rev:7; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; threshold: type limit, track by_dst, count 3, seconds 60; http.method; content:"HEAD"; http.user_agent; content:"Mozilla/5.0 Jorgee"; depth:18; endswith; fast_pattern; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:6; metadata:created_at 2015_06_26, former_category WEB_SERVER, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query Domain .bit"; dns.query; content:".bit"; nocase; endswith; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:5; metadata:created_at 2013_10_30, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.top domain - Likely Hostile"; threshold:type limit, track by_src, count 1, seconds 30; dns.query; content:".top"; nocase; endswith; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; dns.query; content:".8866.org"; endswith; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:8; metadata:created_at 2011_04_28, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak HTTP CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"PHPSESSID="; depth:10; fast_pattern; pcre:"/^[A-F0-9]{32}$/R"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; depth:24; endswith; http.header_names; content:!"IBM-PROXY-WTE"; nocase; classtype:command-and-control; sid:2022225; rev:10; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppift.net"; dns.query; content:"ppift.net"; nocase; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015460; rev:6; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup fasternation"; dns.query; content:"fasternation.net"; nocase; endswith; classtype:trojan-activity; sid:2019695; rev:4; metadata:created_at 2014_11_12, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice11.ru)"; dns.query; content:"ddnservice11.ru"; nocase; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020065; rev:5; metadata:created_at 2014_12_24, former_category MALWARE, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; dns.query; content:".3d-game.com"; nocase; endswith; classtype:bad-unknown; sid:2014478; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork DNS Tunneling (nsn1.winodwsupdates .me)"; dns.query; content:".nsn1.winodwsupdates.me"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (randreports .org in DNS Lookup)"; dns.query; content:"randreports.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025073; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (rannd .org in DNS Lookup)"; dns.query; content:"rannd.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cz.cc Domain"; dns.query; content:".cz.cc"; endswith; nocase; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow:established,to_server; http.host; content:".co.cc"; endswith; classtype:bad-unknown; sid:2011374; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; http.host; content:".hopto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.cu.cc domain"; dns.query; content:".cu.cc"; nocase; endswith; classtype:bad-unknown; sid:2013172; rev:5; metadata:created_at 2011_07_02, former_category HUNTING, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; http.host; content:".osa.pl"; endswith; classtype:bad-unknown; sid:2014037; rev:6; metadata:created_at 2011_12_22, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to Free Hosting Domain (freevnn . com)"; dns.query; content:".freevnn.com"; nocase; endswith; reference:md5,18c1c99412549815bdb89c36316243a7; classtype:bad-unknown; sid:2024235; rev:5; metadata:created_at 2017_04_21, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic .bin download from Dotted Quad"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; endswith; http.user_agent; content:!"McAfee Agent"; content:!"NetClient/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; classtype:trojan-activity; sid:2018752; rev:12; metadata:created_at 2014_07_23, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (blacklister .nl in DNS Lookup)"; dns.query; content:"blacklister.nl"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025079; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (bigboatreps .pw in DNS Lookup)"; dns.query; content:"bigboatreps.pw"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025078; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs Common POST Header Structure"; flow:established,to_server; urilen:10<>20; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:!"NSIS|5f|Inetc |28|Mozilla|29|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:62; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,d11a453d4de6e6fd991967d67947c0d7; classtype:trojan-activity; sid:2021995; rev:5; metadata:created_at 2015_10_23, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; http.user_agent; content:"API-Guide test program"; depth:22; nocase; endswith; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP request for resource ending in .scr"; flow:established,to_server; http.uri; content:".scr"; endswith; fast_pattern; http.host; content:!"kaspersky.com"; classtype:misc-activity; sid:2018231; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_03_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.google.com"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|Host|0d 0a|Pragma|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:command-and-control; sid:2012645; rev:7; metadata:created_at 2011_04_06, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake AV Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; endswith; http.request_body; content:"data="; fast_pattern; depth:5; pcre:"/^data=[a-zA-Z0-9+\/]{64}/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2011912; rev:9; metadata:created_at 2010_11_09, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; depth:30; http.request_body; content:"data="; depth:5; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|Host|0d 0a|"; depth:30; content:"User-Agent|0d 0a|"; distance:0; content:"Content-Length|0d 0a|"; distance:0; classtype:trojan-activity; sid:2012627; rev:5; metadata:created_at 2011_04_04, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; dns.query; content:".xxx"; nocase; endswith; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:4; metadata:created_at 2011_03_21, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jadtree Downloader rar"; flow:established,to_server; http.uri; content:".rar"; nocase; endswith; http.user_agent; bsize:4; pcre:"/^\d{4}$/"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:5; metadata:created_at 2014_01_30, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (GeneralDownloadApplication)"; flow:to_server,established; http.user_agent; content:"GeneralDownloadApplication"; depth:26; endswith; classtype:pup-activity; sid:2025092; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; http.host; content:".vv.cc"; endswith; classtype:bad-unknown; sid:2012827; rev:8; metadata:created_at 2011_05_19, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; http.uri; content:"/ip.txt"; nocase; endswith; fast_pattern; http.header; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http.user_agent; content:!"Mozilla"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:6; metadata:created_at 2013_05_31, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; http.host; content:".suroot.com"; endswith; classtype:bad-unknown; sid:2014511; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; http.host; content:".xxx"; endswith; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:6; metadata:created_at 2011_04_20, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2web)"; dns.query; content:".tor2web"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2015576; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Myvnc.com"; flow:established,to_server; http.host; content:".myvnc.com"; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018213; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?v"; content:"&tq="; pcre:"/\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq=/"; http.user_agent; content:"mozilla/2.0"; fast_pattern; depth:11; endswith; classtype:command-and-control; sid:2012939; rev:10; metadata:created_at 2011_06_07, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; http.uri; content:"od"; offset:2; depth:2; nocase; content:".exe"; nocase; endswith; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/i"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:7; metadata:created_at 2014_04_16, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup intohave"; dns.query; content:"intohave.com"; nocase; endswith; classtype:trojan-activity; sid:2019694; rev:4; metadata:created_at 2014_11_12, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"post="; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022280; rev:5; metadata:created_at 2015_12_18, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi Remote File Injector Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/ggu.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; depth:11; endswith; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:command-and-control; sid:2016967; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; dns.query; content:".bbsindex.com"; nocase; endswith; classtype:bad-unknown; sid:2014484; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".mooo.com"; nocase; endswith; classtype:misc-activity; sid:2015633; rev:5; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.co.tv domain"; dns.query; content:".co.tv"; nocase; endswith; classtype:bad-unknown; sid:2012956; rev:6; metadata:created_at 2011_06_08, former_category HUNTING, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Mozilla/3.0"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0"; fast_pattern; depth:11; endswith; classtype:trojan-activity; sid:2012619; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_01, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"RLMultySocket"; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (forkinvestpay.com)"; dns.query; content:"forkinvestpay.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022045; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.to)"; dns.query; content:".onion.to"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020116; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; endswith; classtype:coin-mining; sid:2024828; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; pcre:"/\/[0-9]{2}\.exe$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:5; metadata:created_at 2016_02_03, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Sept 1 M2 2015-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"challengetype="; fast_pattern; content:"&phoneNumber="; nocase; content:"&recEmail="; nocase; classtype:credential-theft; sid:2031826; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; http.host; content:".3322.org"; endswith; classtype:misc-activity; sid:2013213; rev:8; metadata:created_at 2011_07_06, updated_at 2020_09_15;)
+
+alert dns any any -> any any (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; dns.query; content:"api.account.xiaomi.com"; nocase; endswith; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:4; metadata:created_at 2014_08_11, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.connection; content:"Close"; endswith; http.content_type; content:"octet/binary"; endswith; http.header_names; content:!"Referer"; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:command-and-control; sid:2019891; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, malware_family Dridex, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 4"; dns.query; content:"bigdata.advmob.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; http.host; content:".sytes.net"; endswith; classtype:bad-unknown; sid:2018219; rev:9; metadata:created_at 2012_03_05, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; dns.query; content:"client-lb.dropbox.com"; nocase; endswith; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:4; metadata:created_at 2015_02_25, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 42"; dns.query; content:"www.37513.cn"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022452; rev:4; metadata:created_at 2016_01_27, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 4."; fast_pattern; nocase; http.host; content:!".weatherbug.com"; endswith; content:!".wxbug.com"; endswith; classtype:policy-violation; sid:2016871; rev:7; metadata:created_at 2013_05_21, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 3"; dns.query; content:"bigdata.adfuture.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 2"; dns.query; content:"bigdata.adsunflower.com"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023516; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup)"; dns.query; content:"check.torproject.org"; nocase; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017926; rev:6; metadata:created_at 2014_01_04, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; content:!".tcl.tk"; content:!"tcl.tk"; depth:6; endswith; classtype:bad-unknown; sid:2012810; rev:12; metadata:created_at 2011_05_15, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ipinfo.io"; flow:established,to_server; http.host; content:"ipinfo.io"; depth:9; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:external-ip-check; sid:2020716; rev:6; metadata:created_at 2015_03_20, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; http.user_agent; content:"Twisted PageGetter"; depth:18; endswith; http.host; content:"swupdate.openvpn.net"; fast_pattern; depth:20; endswith; classtype:policy-violation; sid:2014799; rev:5; metadata:created_at 2012_05_22, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"; dns.query; content:"myip.opendns.com"; nocase; endswith; classtype:external-ip-check; sid:2023472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; dns.query; content:"ipapi.co"; nocase; endswith; classtype:external-ip-check; sid:2024527; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/userinfo.php"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022769; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tc domain"; flow:established,to_server; http.host; content:".tc"; endswith; classtype:bad-unknown; sid:2013535; rev:7; metadata:created_at 2011_09_06, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ipecho.net"; flow:established,to_server; http.host; content:"ipecho.net"; depth:10; endswith; classtype:external-ip-check; sid:2022351; rev:5; metadata:created_at 2016_01_12, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; http.user_agent; content:"HTTPGET"; depth:7; http.host; content:!"autodesk.com"; endswith; content:!"rsa.com"; endswith; content:!"consumersentinel.gov"; endswith; content:!"technet.microsoft.com"; endswith; content:!"metropolis.com"; endswith; content:!"www.catalog.update.microsoft.com"; endswith; classtype:trojan-activity; sid:2013508; rev:14; metadata:created_at 2011_08_31, former_category TROJAN, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)"; dns.query; content:"l2.io"; endswith; classtype:external-ip-check; sid:2024831; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart JS Retrieval"; flow:established,to_server; http.uri; content:"/122002/assets/js/widget.js"; bsize:27; fast_pattern; http.host; content:"mcdnn"; startswith; pcre:"/\.(?:me|net)$/WR"; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030884; rev:1; metadata:created_at 2020_09_15, former_category MALWARE, performance_impact Low, updated_at 2020_11_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; http.user_agent; content:"SOGOU_UPDATER"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)"; dns.query; content:"onion.plus"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025095; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com)"; dns.query; content:"wh47f2as19.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020869; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup)"; dns.query; content:"onion.casa"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025096; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request"; flow:established,to_server; http.uri; content:"/genericons/example.html"; endswith; fast_pattern; reference:url,blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html; classtype:web-application-attack; sid:2021062; rev:5; metadata:created_at 2015_05_07, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com)"; dns.query; content:"7hwr34n18.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020844; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 9d 26 66 9a 26 66 9d 42 70 9d 31 10 ed 26 66 98 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart Exfil URI"; flow:established,to_server; http.uri; content:"/502.jsp"; fast_pattern; http.host; content:"imags.pw"; endswith; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030885; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 66 8b 30 61 8b 30 66 ef 26 66 9c 46 16 8b 30 63 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 96 26 66 98 40 70 9d 30 11 e8 40 70 9d 34 70 9c 47|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3b 70 9d 35 16 8b 30 66 ea 45 16 8b 30 62 8b 31 11|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6d 8b 30 63 ed 26 66 9d 47 13 ed 26 66 99 26 67 ea|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 99 26 66 9c 47 70 9d 35 70 9d 34 70 9d 3a 17 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 34 70 9d 31 11 8b 30 63 8b 30 62 8b 30 6c ec 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 62 8b 30 67 ea 26 66 98 26 66 99 26 66 97 41 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 46 70 9d 36 70 9d 37 70 9d 37 17 8b 30 60 8b 30 62 8b 30 61 8b 31 11|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 10 8b 30 60 8b 30 61 8b 30 61 ec 26 66 9b 26 66 99 26 66 9a 26 67 ea|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 eb 26 66 9b 26 66 9a 26 66 9a 41 70 9d 36 70 9d 34 70 9d 37 70 9c 47|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 40 70 9d 32 14 e8 47 17 8b 30 65 ef 26 67 ea|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 16 8b 30 64 ef 45 11 ec 26 66 9e 42 70 9c 47|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ed 26 66 9f 42 13 ea 41 70 9d 33 14 8b 31 11|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 41 11 8b 30 65 8b 30 6d 8b 30 61 8b 30 61 8b 30 63 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 17 ea 26 66 9e 26 66 96 26 66 9a 26 66 9a 26 66 98 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ec 47 70 9d 33 70 9d 3b 70 9d 37 70 9d 37 70 9d 35 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.AR Variant Winifixer.com Related Checkin URL"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?affid="; nocase; content:"&uid="; nocase; distance:0; content:"&tm="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; fast_pattern; reference:url,doc.emergingthreats.net/2008277; classtype:command-and-control; sid:2008277; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeXPA Checkin URL"; flow:established,to_server; http.uri; content:"/firstrun.php?product="; nocase; fast_pattern; content:"&aff="; nocase; distance:0; content:"&update="; nocase; distance:0; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/2008152; classtype:command-and-control; sid:2008152; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/Feebs.kw Worm User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/4.7 [en] (WinNT"; depth:23; fast_pattern; reference:url,doc.emergingthreats.net/2007767; classtype:trojan-activity; sid:2007767; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installed OK)"; flow:established,to_server; http.user_agent; content:"Installed OK"; startswith; nocase; reference:md5,16035440878ec6e93d82c2aeea508630; classtype:bad-unknown; sid:2030880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/3.0 (compatible)"; depth:24; endswith; http.host; content:!".hddstatus.com"; endswith; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; http.uri; content:"/"; content:".exe"; distance:1; within:8; fast_pattern; endswith; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/"; http.header; content:!"koggames"; http.host; content:!"download.bitdefender.com"; endswith; content:!".appspot.com"; endswith; content:!"kaspersky.com"; endswith; content:!".sophosxl.net"; endswith; http.header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:12; metadata:created_at 2014_11_15, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gdn Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gdn"; fast_pattern; endswith; classtype:bad-unknown; sid:2025097; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gq domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2025100; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ga Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2025101; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ml Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2025102; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.cf Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; fast_pattern; endswith; classtype:bad-unknown; sid:2025103; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ga"; nocase; endswith; classtype:bad-unknown; sid:2025105; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ml Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ml"; nocase; endswith; classtype:bad-unknown; sid:2025106; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cf Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".cf"; nocase; endswith; classtype:bad-unknown; sid:2025107; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gq Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".gq"; nocase; endswith; classtype:bad-unknown; sid:2025104; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ga) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ga"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025109; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gq) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gq"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025108; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ml) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ml"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025110; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.cf) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".cf"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025111; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gdn) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gdn"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025112; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Connection Setup Attempt"; flow:established,to_server; http.host; content:"localtunnel.me"; fast_pattern; endswith; http.header_names; content:"|0d 0a|host|0d 0a|accept"; depth:14; content:!"User-Agent"; content:!"Host"; content:!"Referer"; content:!"Accept"; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025116; rev:4; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SluttyPutty Maldoc User-Agent"; flow:established,to_server; http.user_agent; content:"come-tome"; depth:9; endswith; classtype:trojan-activity; sid:2025118; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag MalDoc, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPSEL File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mipsel"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025122; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPS File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mips"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025123; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025124; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM7 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm7"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025125; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO x86 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025126; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO m68k File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".m68k"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025127; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SPARC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".sparc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025128; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POWERPC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".powerpc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025129; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO X86_64 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86_64"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025130; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUPERH File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".superh"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025131; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup)"; dns.query; content:".localtunnel.me"; endswith; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025138; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in TLS SNI)"; flow:established,to_server; tls.sni; content:".localtunnel.me"; endswith; nocase; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025139; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY possible OnePlus phone data leakage DNS"; dns.query; content:"open.oneplus.net"; nocase; endswith; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025133; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Injected WP Keylogger/Coinminer Domain Detected (cloudflare .solutions in DNS Lookup)"; dns.query; content:"cloudflare.solutions"; endswith; reference:url,blog.sucuri.net/2017/12/cloudflare-solutions-keylogger-on-thousands-of-infected-wordpress-sites.html; classtype:coin-mining; sid:2025141; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:command-and-control; sid:2025142; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup)"; dns.query; content:"0cf5ff34.ngrok.io"; endswith; reference:url,twitter.com/struppigel/status/940239612324319232; classtype:command-and-control; sid:2025143; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=Te"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith;  reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:command-and-control; sid:2025147; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Downloader_Small_BIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; dns.query; content:"curlmyip.net"; nocase; endswith; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:external-ip-check; sid:2025154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2017_12_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns.query; content:".gr.com"; endswith; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:5; metadata:created_at 2017_12_12, former_category HUNTING, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ema="; depth:4; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031864; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zeus Panda CnC Domain (in DNS Lookup)"; dns.query; content:"pprulispikosqcsiwef.info"; nocase; endswith; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:command-and-control; sid:2025177; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qasar Variant Domain (datapeople-cn .com in DNS Lookup)"; dns.query; content:"datapeople-cn.com"; endswith; reference:url,twitter.com/blu3_team/status/947858470816112640; classtype:trojan-activity; sid:2025179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category TROJAN, malware_family Qasar_Rat, performance_impact Moderate, signature_severity Major, tag Patchwork, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jul 2017"; dns.query; content:"ab1abad1d0c2a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Aug 2017"; dns.query; content:"ab8cee60c2d.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Sep 2017"; dns.query; content:"ab1145b758c30.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Oct 2017"; dns.query; content:"ab890e964c34.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Nov 2017"; dns.query; content:"ab3d685a0c37.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Dec 2017"; dns.query; content:"ab70a139cc3a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024718; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jan 2018"; dns.query; content:"ab3c2b0d28ba6.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Feb 2018"; dns.query; content:"ab99c24c0ba9.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Mar 2018"; dns.query; content:"ab2e1b782bad.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Apr 2018"; dns.query; content:"ab253af862bb0.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024819; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 2018"; dns.query; content:"ab2d02b02bb3.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024820; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2018"; dns.query; content:"ab1b0eaa24bb6.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024821; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jul 2018"; dns.query; content:"abf09fc5abba.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024822; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Aug 2018"; dns.query; content:"abce85a51bbd.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024823; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Sep 2018"; dns.query; content:"abccc097dbc0.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024824; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Oct 2018"; dns.query; content:"ab33b8aa69bc4.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024825; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Nov 2018"; dns.query; content:"ab693f4c0bc7.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024826; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Dec 2018"; dns.query; content:"ab23660730bca.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Feb 2017"; dns.query; content:"ab6d54340c1a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Mar 2017"; dns.query; content:"aba9a949bc1d.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024709; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Apr 2017"; dns.query; content:"ab2da3d400c20.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024710; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 2017"; dns.query; content:"ab3520430c23.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024711; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2017"; dns.query; content:"ab1c403220c27.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024712; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python Monero Miner CnC DNS Query"; dns.query; content:".zsw8.cc"; endswith; pcre:"/^[a-z]\./"; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:command-and-control; sid:2025183; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Cryptominer, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ml)"; flow:established,to_client; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gdn)"; flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025190; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gq)"; flow:established,to_client; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025191; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ga)"; flow:established,to_client; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025192; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.cf)"; flow:established,to_client; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025193; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)"; flow:established,to_client; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025194; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mami CnC Checkin"; flow:established,to_server; http.header; content:"User-Agent|3a 20 0d 0a|"; fast_pattern; http.request_body; content:"r="; depth:2; content:"&rc="; distance:0; http.request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; endswith; http.header_names; content:!"Referer"; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:command-and-control; sid:2025199; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_14, deployment Perimeter, former_category MALWARE, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Chrome Extension Domain Request (change-request .info in DNS Lookup)"; dns.query; content:"change-request.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025216; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)"; dns.query; content:"nyoogle.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025217; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (lite-bookmarks .info in DNS Lookup)"; dns.query; content:"lite-bookmarks.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025219; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in DNS Lookup)"; dns.query; content:"projectevrial.ru"; nocase; endswith; classtype:trojan-activity; sid:2025228; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns.query; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:4; metadata:created_at 2018_01_29, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"projectevrial.ru"; endswith; nocase; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:4; metadata:created_at 2018_01_29, former_category TROJAN, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; dns.query; content:"sagdzusghcsh.top"; nocase; endswith; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_01_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M1"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"superasdc.pw"; depth:12; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025287; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M2"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"caforyn.pw"; depth:10; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns.query; content:"getfreshnews.com"; nocase; endswith; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu"; endswith; classtype:credential-theft; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report -|20|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:19; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:command-and-control; sid:2025375; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for .bin with BITS/ User-Agent"; flow:established,to_server; http.uri; content:".bin"; endswith; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"microsoft.com"; content:!"pdfcomplete.com"; content:!"mymitchell.com"; content:!"azureedge.net"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2024420; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Princess Ransomware Payment Domain (royal25fphqilqft in DNS Lookup)"; dns.query; content:"royal25fphqilqft"; nocase; endswith; classtype:trojan-activity; sid:2025404; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_02, deployment Perimeter, former_category MALWARE, malware_family Princess_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (politiaromana .bit in DNS Lookup)"; dns.query; content:"politiaromana.bit"; nocase; endswith; classtype:command-and-control; sid:2025405; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (gdcb .bit in DNS Lookup)"; dns.query; content:"gdcb.bit"; nocase; endswith; classtype:command-and-control; sid:2025407; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (malwarehunterteam .bit in DNS Lookup)"; dns.query; content:"malwarehunterteam.bit"; nocase; endswith; classtype:command-and-control; sid:2025406; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; endswith; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:domain-c2; sid:2025433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_03_14, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; dns.query; content:"stickies.pro"; nocase; endswith; reference:url,www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025218; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)"; dns.query; content:".000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026657; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026658; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Sofacy CnC Domain (ndpmedia24 .com in DNS Lookup)"; dns.query; content:"ndpmedia24.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency; classtype:targeted-activity; sid:2025434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category MALWARE, malware_family Sofacy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. sx)"; dns.query; content:".onion.sx"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025446; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. pw)"; dns.query; content:".onion.pw"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"xmr.pool.minergate.com"; nocase; endswith; classtype:trojan-activity; sid:2025451; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Coinminer, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns.query; content:"chlenaverasiskihe.sex"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ninjagames .top)"; dns.query; content:"ninjagames.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ajdhsfhiudsfhsi .top)"; dns.query; content:"ajdhsfhiudsfhsi.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".js"; endswith; http.user_agent; content:"curl/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025464; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (ssl .arkouthrie .com)"; dns.query; content:"ssl.arkouthrie.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025466; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (s3 .hiahornber .com)"; dns.query; content:"s3.hiahornber.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025467; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (widget .shoreoa .com)"; dns.query; content:"widget.shoreoa.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025468; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&bit="; content:"&info=Windows|3a 20|"; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Task Status"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&taskId="; distance:0; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025471; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP APN/Ask Toolbar PUA/PUP User-Agent"; flow:established,to_server; http.user_agent; content:"TBNotifier"; depth:10; fast_pattern; endswith; classtype:pup-activity; sid:2025400; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; http.stat_code; content:"404"; file.data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; endswith; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_10, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?confirmation"; fast_pattern; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&pass_input="; nocase; distance:0; classtype:credential-theft; sid:2025505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Observed Coin-Hive In Browser Mining Domain (coin-hive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"coin-hive.com"; endswith; classtype:trojan-activity; sid:2025535; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.coin-hive.com"; nocase; endswith; classtype:coin-mining; sid:2025536; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .com in DNS Lookup)"; dns.query; content:"msoftupdates.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025542; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .eu in DNS Lookup)"; dns.query; content:"msoftupdates.eu"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (mylogisoft .com in DNS Lookup)"; dns.query; content:"mylogisoft.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M1"; http.host; content:".bit"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M2"; http.host; content:".coin"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"ransomware.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"zonealarm.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"carder.bit"; endswith; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; classtype:targeted-activity; sid:2025557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT10, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; dns.query; content:".myq-see.com"; nocase; endswith; classtype:policy-violation; sid:2025560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns.query; content:"y5mogzal2w25p6bn.ml"; endswith; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) 2016-02-27"; flow:to_server,established; flowbits:set,ET.bofaphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formID="; depth:7; nocase; classtype:credential-theft; sid:2027958; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending Machine Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"infobot"; depth:7; endswith; http.request_body; content:"|7b 22|bits|22 3a 20 22|"; depth:10; content:"|22|cpun|22 3a 20 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check.php"; endswith; fast_pattern; http.request_body; content:"m="; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/si"; http.header_names; content:!"Referer"; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:command-and-control; sid:2025580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coinhive URL Shortener)"; flow:established,to_client; tls.cert_subject; content:"CN=cnhv.co"; nocase; endswith; reference:url,blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html; classtype:coin-mining; sid:2025582; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_05_22, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:social-engineering; sid:2022486; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"POST"; http.header; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:credential-theft; sid:2022487; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header INetSim"; flow:established,from_server; http.content_type; content:"x-msdos-program"; file.data; content:"MZ|0a|Sinkholed|0a|"; depth:13; fast_pattern; endswith; classtype:trojan-activity; sid:2025585; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!"nvidia.com"; endswith; content:!"dc.services.visualstudio.com"; endswith; content:!".avg.com"; endswith; content:!"bitdefender.net"; endswith; content:!"svc.iolo.com"; endswith; content:!".lavasoft.com"; endswith; content:!"canonicalizer.ucsuri.tcs"; http.request_body; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; classtype:trojan-activity; sid:2011341; rev:17; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031412; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, malware_family Formbook, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Donut Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.request_body; content:"pc_id="; depth:6; content:"pc_key="; distance:0; content:"win_ver="; fast_pattern; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; classtype:command-and-control; sid:2025595; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_19, deployment Perimeter, former_category MALWARE, malware_family Donut, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in DNS Lookup)"; dns.query; content:"debasuin.nl"; endswith; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025596; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in TLS SNI)"; flow:established,to_server; tls.sni; content:"debasuin.nl"; endswith; nocase; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025597; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".gif"; fast_pattern; endswith; content:!"__utm.gif"; endswith; http.host; content:!".tealiumiq.com"; content:!"snackly.co"; content:!"otf.msn.com"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:17; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in DNS Lookup)"; dns.query; content:"tpddata.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025599; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"tpddata.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in DNS Lookup)"; dns.query; content:"www.anlway.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025601; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.anlway.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025602; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in DNS Lookup)"; dns.query; content:"www.ap8898.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025603; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ap8898.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in DNS Lookup)"; dns.query; content:"www.apshenyihl.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025605; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.apshenyihl.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php1"; endswith; fast_pattern; pcre:"/\/[0-9]{10}.php1$/"; http.user_agent; content:"Microsoft BITS/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_10;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN"; fast_pattern; content:"IEEE11iAuthenticationMode"; content:"IEEE11iEncryptionModes"; content:"X_TP_PreSharedKey="; content:"X_TP_GroupKeyUpdateInterval"; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"DMZ_HOST_CFG"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; http.uri; content:"/cgi?3"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"IP_CONN_PORTTRIGGERING"; content:"openProtocol"; content:"openPort="; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blind Server-Side Request Forgery"; flow:established,to_server; http.uri; content:"/xmlrpc/pingback"; endswith; http.request_body; content:"<methodCall>"; content:"<methodName>pingback.ping</methodName>"; fast_pattern; content:"<value>http://"; content:"<value>http://"; distance:0; reference:url,exploit-db.com/raw/44945/; classtype:attempted-user; sid:2025759; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN HP Enterprise VAN SDN Controller"; flow:established,to_server; http.uri; content:"/sdn/ui/app/rs/hpws/config"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-recon; sid:2025760; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"!<arch>|0a|debian-binary"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; http.uri; content:"/admin/moduleinterface.php"; fast_pattern; endswith; http.request_body; content:"<?php system($_GET["; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Trade - Information Disclosure"; flow:established,to_server; http.uri; content:"/dashboard/deposit"; fast_pattern; endswith; reference:cve,2018-12905; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-recon; sid:2025783; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopNx - Arbitrary File Upload"; flow:established,to_server; http.uri; content:"/api/media"; fast_pattern; endswith; http.request_body; content:"<script"; reference:cve,2018-12519; reference:url,exploit-db.com/exploits/44978/; classtype:web-application-attack; sid:2025784; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1"; dns.query; content:"goldncup.com"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025639; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2"; dns.query; content:"glancelove.com"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025640; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3"; dns.query; content:"autoandroidup.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025641; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4"; dns.query; content:"mobilestoreupdat.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025642; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5"; dns.query; content:"updatemobapp.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025643; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PolarisOffice Insecure Library Loading"; flow:to_server; http.method; content:"GET"; http.uri; content:"puiframeworkproresenu.dll"; endswith; reference:cve,2018-12589; classtype:attempted-user; sid:2025792; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category WEB_CLIENT, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rostpay Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"Rostpay Downloader"; nocase; depth:18; endswith; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:".dtd|22|>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE html PUBLIC |22|-//W3C//DTD XHTML 1.0 Transitional//EN|22|"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*ftp\x3a\x2f\x2f/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; content:"<data>&send|3b|</data>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup"; dns.query; content:"ios-certificate-update.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025727; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2"; dns.query; content:"al-enayah.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025728; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3"; dns.query; content:"voguextra.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025729; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4"; dns.query; content:"techwach.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025730; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5"; dns.query; content:"wpitcher.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025731; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Gemini/2.0)"; flow:established,to_server; http.user_agent; content:"Gemini/2.0"; depth:10; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025889; rev:3; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Hakai/2.0)"; flow:established,to_server; http.user_agent; content:"Hakai/2.0"; depth:9; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025890; rev:4; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"www.cpuproc.com"; endswith; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:command-and-control; sid:2025891; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6"; dns.query; content:"ios-certificate-whatsapp.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025896; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7"; dns.query; content:"hytechmart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025897; rev:4; metadata:created_at 2018_07_25, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8"; dns.query; content:"appswonder.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025898; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9"; dns.query; content:"referfile.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025899; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10"; dns.query; content:"hiltrox.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025900; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11"; dns.query; content:"scrollayer.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025901; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12"; dns.query; content:"twitck.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025902; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14"; dns.query; content:"nfinx.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025904; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15"; dns.query; content:"metclix.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025905; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; dns.query; content:"capsnit.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising EK Redirect to EK M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?id="; isdataat:!5,relative; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.referer; content:".php?JBOSSESSION="; fast_pattern; classtype:exploit-kit; sid:2025913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; urilen:<100; http.method; content:"POST"; http.request_body; content:"|81 b2 a8 97 7e a3 1b 91|"; depth:8; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:command-and-control; sid:2025923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 4"; dns.query; content:"euiro8966.organiccrap.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 3"; dns.query; content:"kted56erhg.dynssl.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 2"; dns.query; content:"www.hosting.tempors.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 1"; dns.query; content:"jennifer998.lookin.at"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 5"; dns.query; content:"games.my-homeip.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 1"; dns.query; content:"banca-movil.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025933; rev:4; metadata:affected_product Android, affected_product iOS, attack_target Mobile_Client, created_at 2018_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 2"; dns.query; content:"pine-sales.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025934; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 3"; dns.query; content:"ecommerce-ads.org"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025935; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 4"; dns.query; content:"bytlo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025936; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 5"; dns.query; content:"ticket-selections.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025937; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 6"; dns.query; content:"onlineshopzm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025938; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 7"; dns.query; content:"zednewszm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025939; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 8"; dns.query; content:"zm-banks.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025940; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 9"; dns.query; content:"zm-weather.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025941; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 10"; dns.query; content:"znothernkivu.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025942; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 11"; dns.query; content:"afriquenouvelle.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025943; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 12"; dns.query; content:"allafricaninfo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025944; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 13"; dns.query; content:"centrasia-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025945; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 14"; dns.query; content:"mystulchik.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025946; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 15"; dns.query; content:"odnoklass-profile.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025947; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 16"; dns.query; content:"sputnik-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025948; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 17"; dns.query; content:"tengrinews.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025949; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 18"; dns.query; content:"sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025950; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 19"; dns.query; content:"egov-sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025951; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 20"; dns.query; content:"egov-segek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025952; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 21"; dns.query; content:"mykaspi.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025953; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 22"; dns.query; content:"kaspi-payment.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025954; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 24"; dns.query; content:"e-sveiciens.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025955; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 25"; dns.query; content:"klientuserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025956; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 26"; dns.query; content:"kurjerserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025957; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 27"; dns.query; content:"reklamas.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025958; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 28"; dns.query; content:"legyelvodas.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025959; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 29"; dns.query; content:"theastafrican.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025960; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 30"; dns.query; content:"ajelnews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025961; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 31"; dns.query; content:"akhbara-aalawsat.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025962; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 32"; dns.query; content:"akhbar-arabia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025963; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 33"; dns.query; content:"gulf-news.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025964; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 34"; dns.query; content:"eltiempo-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025965; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 35"; dns.query; content:"arabnews365.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025966; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 36"; dns.query; content:"arabworldnews.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025967; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 37"; dns.query; content:"breaking-extranews.online"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025968; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 38"; dns.query; content:"breaking-news.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025969; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 39"; dns.query; content:"breakingnewsasia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025970; rev:4; metadata:created_at 2018_08_03, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 40"; dns.query; content:"breakthenews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025971; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/collectdata-new.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|a|22 3a|"; depth:5; content:"|22|b|22 3a|[{|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025987; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, tag Android, updated_at 2020_09_16, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/newuser.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|imei|22 3a|"; depth:8; content:"|22|tag|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:command-and-control; sid:2025988; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, signature_severity Major, tag Android, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/fcollectdata.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|category|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b603017bbcee17a76f5b0ee478d2d935; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025989; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, tag Android, updated_at 2020_09_16, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker C2)"; flow:established,to_client; tls.cert_subject; content:"CN=uiaoduiiej.chimkent.su"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:domain-c2; sid:2025995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker Injects)"; flow:established,to_client; tls.cert_subject; content:"CN=urimchi3dt4.website"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:domain-c2; sid:2025996; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in DNS Lookup)"; dns.query; content:"uiaoduiiej.chimkent.su"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in TLS SNI)"; flow:established,to_server; tls.sni; content:"uiaoduiiej.chimkent.su"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in DNS Lookup)"; dns.query; content:"urimchi3dt4.website"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2025999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"urimchi3dt4.website"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2026000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns.query; content:"bigboss.x24hr.com"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns.query; content:"secured-links.org"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Payload Download Nov 11 2014"; flow:established,to_server; http.uri; content:"/bin.exe"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019696; rev:5; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; content:".deb|0d 0a|"; http.request_body; content:"|7f|ELF"; depth:4; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.FakeEzQ.kr Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"MyAgent"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:command-and-control; sid:2026071; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in DNS Lookup)"; dns.query; content:"www.megaopac.host"; endswith; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, deployment Perimeter, former_category TROJAN, malware_family Stealer, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.megaopac.host"; endswith; nocase; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026073; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, former_category TROJAN, malware_family Stealer, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (defender-update .com)"; dns.query; content:"defender-update.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (windowspatch .com)"; dns.query; content:"windowspatch.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pser?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}(?:BBZ|BBY)[A-F0-9]{,1000}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026081; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tahw?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/khc?"; depth:5; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aura Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"{KIARA}"; depth:7; endswith; fast_pattern; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; http.user_agent; content:"onedru/"; depth:7; endswith; fast_pattern; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_07, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Tor/Noscript JS Bypass"; flow:established,to_client; http.content_type; content:"text/html|3b|/json"; depth:15; endswith; reference:url,twitter.com/Zerodium/status/1039127214602641409; classtype:trojan-activity; sid:2026109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=baways.com"; nocase; endswith; reference:url,riskiq.com/blog/labs/magecart-british-airways-breach; classtype:domain-c2; sid:2026110; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_11, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil)"; flow:established,to_client; tls.cert_subject; content:"CN=info-stat.ws"; nocase; endswith; reference:url,bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script; classtype:domain-c2; sid:2026112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Android Device Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/generate_204"; fast_pattern; endswith; http.host; content:"connectivitycheck.gstatic.com"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Cache"; content:!"Referer"; classtype:policy-violation; sid:2036220; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_09_14, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Minor, tag Connectivity_Check, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"; flow:from_server,established; tls.cert_subject; content:"CN=ipinfo.io"; nocase; endswith; classtype:external-ip-check; sid:2025330; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=neweggstats.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-newegg; classtype:domain-c2; sid:2026215; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup)"; dns.query; content:"1jve.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026115; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"1jve.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026116; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup)"; dns.query; content:"clarke-taylor.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026117; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"clarke-taylor.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026118; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup)"; dns.query; content:"hcttmail.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026119; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hcttmail.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026120; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup)"; dns.query; content:"mail-presidency.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026121; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-presidency.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026122; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup)"; dns.query; content:"aamir-khan.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026123; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"aamir-khan.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026124; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup)"; dns.query; content:"daario-naharis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026125; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"daario-naharis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026126; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup)"; dns.query; content:"help-live.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026127; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-live.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026128; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup)"; dns.query; content:"margaery-tyrell.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026129; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"margaery-tyrell.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026130; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup)"; dns.query; content:"accaunts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026131; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accaunts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026132; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup)"; dns.query; content:"dachfunny.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026133; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026134; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup)"; dns.query; content:"help-sec.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026135; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-sec.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026136; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup)"; dns.query; content:"maria-bouchard.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026137; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"maria-bouchard.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026138; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup)"; dns.query; content:"account-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026139; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026140; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup)"; dns.query; content:"dachfunny.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026141; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026142; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup)"; dns.query; content:"heyapp.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026143; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"heyapp.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026144; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup)"; dns.query; content:"marklavi.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026145; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"marklavi.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026146; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup)"; dns.query; content:"account-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026147; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026148; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup)"; dns.query; content:"dardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026149; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026150; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup)"; dns.query; content:"hitmesanjjoy.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026151; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"hitmesanjjoy.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026152; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup)"; dns.query; content:"mary-crawley.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026153; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mary-crawley.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026154; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup)"; dns.query; content:"accountforuser.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026155; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforuser.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026156; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup)"; dns.query; content:"dardash.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026157; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026158; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup)"; dns.query; content:"hoopoechat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026159; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hoopoechat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026160; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup)"; dns.query; content:"masuka.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026161; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"masuka.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026162; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup)"; dns.query; content:"accountforusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026163; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026164; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup)"; dns.query; content:"dardash.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026165; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026166; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup)"; dns.query; content:"hotimael.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026167; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotimael.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026168; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup)"; dns.query; content:"matthew-stevens.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026169; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"matthew-stevens.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026170; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup)"; dns.query; content:"accounts-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026171; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026172; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup)"; dns.query; content:"dardash.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026173; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026174; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup)"; dns.query; content:"hotmailme.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026175; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotmailme.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026176; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup)"; dns.query; content:"mauricefischer.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026177; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mauricefischer.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026178; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup)"; dns.query; content:"accounts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026179; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026180; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup)"; dns.query; content:"david-mclean.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026181; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-mclean.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026182; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup)"; dns.query; content:"italk-chat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026183; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026184; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup)"; dns.query; content:"max-eleanor.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026185; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-eleanor.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026186; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup)"; dns.query; content:"accountusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026187; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026188; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup)"; dns.query; content:"david-moris.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026189; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-moris.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026190; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup)"; dns.query; content:"italk-chat.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026191; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026192; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup)"; dns.query; content:"max-mayfield.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026193; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-mayfield.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026194; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup)"; dns.query; content:"accuant-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026195; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accuant-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026196; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup)"; dns.query; content:"davina-claire.xyz"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026197; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"davina-claire.xyz"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026198; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup)"; dns.query; content:"jack-wagner.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026199; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"jack-wagner.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026200; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup)"; dns.query; content:"maxlight.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026201; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxlight.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026202; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup)"; dns.query; content:"activedardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026203; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"activedardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026204; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup)"; dns.query; content:"davos-seaworth.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026205; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"davos-seaworth.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026206; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup)"; dns.query; content:"james-charles.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026207; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"james-charles.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026208; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup)"; dns.query; content:"mediauploader.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026209; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"mediauploader.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026210; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup)"; dns.query; content:"alain.ps"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026211; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI)"; flow:established,to_server; tls.sni; content:"alain.ps"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026212; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup)"; dns.query; content:"debra-morgan.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026213; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"debra-morgan.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026214; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot Blockchain Based CnC DNS Lookup (musl .lib)"; dns.query; content:"musl.lib"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026323; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (ukrainianhorseriding .com)"; dns.query; content:"ukrainianhorseriding.com"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026324; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (rippr .cc)"; dns.query; content:"rippr.cc"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026325; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (censys .xyz)"; dns.query; content:"censys.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026326; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (leakingprivacy .tk)"; dns.query; content:"leakingprivacy.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026327; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (realnewstime .xyz)"; dns.query; content:"realnewstime.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (scanaan .tk)"; dns.query; content:"scanaan.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026329; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (blockbitcoin .com)"; dns.query; content:"blockbitcoin.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026330; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (vfk2k5s5tfjr27tz .tk)"; dns.query; content:"vfk2k5s5tfjr27tz.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (3g2upl4pq6kufc4m .tk)"; dns.query; content:"3g2upl4pq6kufc4m.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup)"; dns.query; content:"jimmykudo.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026217; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"jimmykudo.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026218; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup)"; dns.query; content:"meet-me.chat"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026219; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI)"; flow:established,to_server; tls.sni; content:"meet-me.chat"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026220; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup)"; dns.query; content:"alisonparker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026221; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"alisonparker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026222; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup)"; dns.query; content:"donna-paulsen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026223; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"donna-paulsen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026224; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"android-settings.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026225; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup)"; dns.query; content:"android-settings.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026226; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup)"; dns.query; content:"easyshow.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026227; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"easyshow.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026228; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup)"; dns.query; content:"jon-snow.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026229; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"jon-snow.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026230; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup)"; dns.query; content:"men-ana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026231; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"men-ana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026232; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup)"; dns.query; content:"apkapps.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026233; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026234; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup)"; dns.query; content:"eleanor-guthrie.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026235; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanor-guthrie.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026236; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup)"; dns.query; content:"jorah-mormont.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026237; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"jorah-mormont.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026238; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup)"; dns.query; content:"michael-keaton.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026239; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"michael-keaton.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026240; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup)"; dns.query; content:"apkapps.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026241; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026242; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup)"; dns.query; content:"eleanorguthrie.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026243; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanorguthrie.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026244; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup)"; dns.query; content:"joycebyers.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026245; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"joycebyers.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026246; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup)"; dns.query; content:"miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026247; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026248; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup)"; dns.query; content:"appchecker.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026249; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"appchecker.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026250; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup)"; dns.query; content:"engin-altan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026251; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"engin-altan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026252; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup)"; dns.query; content:"juana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026253; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"juana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026254; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup)"; dns.query; content:"miwakosato.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026255; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"miwakosato.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026256; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup)"; dns.query; content:"appuree.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026257; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"appuree.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026258; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup)"; dns.query; content:"esofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026259; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"esofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026260; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup)"; dns.query; content:"kaniel-outis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026261; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaniel-outis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026262; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup)"; dns.query; content:"mofa-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026263; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mofa-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026264; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup)"; dns.query; content:"arthursaito.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026265; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"arthursaito.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026266; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup)"; dns.query; content:"everyservices.space"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026267; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"everyservices.space"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026268; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup)"; dns.query; content:"karenwheeler.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026269; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"karenwheeler.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026270; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup)"; dns.query; content:"moneymotion.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026271; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"moneymotion.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026272; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup)"; dns.query; content:"aryastark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026273; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aryastark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026274; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup)"; dns.query; content:"exvsnomy.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026275; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"exvsnomy.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026276; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup)"; dns.query; content:"kate-austen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026277; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kate-austen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026278; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup)"; dns.query; content:"myboon.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026279; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"myboon.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026280; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup)"; dns.query; content:"aslaug-sigurd.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026281; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aslaug-sigurd.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026282; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup)"; dns.query; content:"ezofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026283; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"ezofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026284; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup)"; dns.query; content:"katesacker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026285; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"katesacker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026286; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup)"; dns.query; content:"mygift.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026287; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026288; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup)"; dns.query; content:"assets-acc.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026289; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"assets-acc.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026290; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup)"; dns.query; content:"face-book-support.email"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026291; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI)"; flow:established,to_server; tls.sni; content:"face-book-support.email"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026292; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup)"; dns.query; content:"katie.party"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026293; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI)"; flow:established,to_server; tls.sni; content:"katie.party"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026294; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup)"; dns.query; content:"mygift.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026295; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026296; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup)"; dns.query; content:"bbc-learning.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026297; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bbc-learning.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026298; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup)"; dns.query; content:"fasebcck.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026299; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebcck.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026300; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup)"; dns.query; content:"kik-com.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026301; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kik-com.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026302; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup)"; dns.query; content:"namybotter.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026303; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"namybotter.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026304; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup)"; dns.query; content:"bellamy-bob.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026305; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"bellamy-bob.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026306; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)"; dns.query; content:"fasebock.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026307; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebock.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026308; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup)"; dns.query; content:"kristy-milligan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026309; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"kristy-milligan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026310; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup)"; dns.query; content:"namyyeatop.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026311; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"namyyeatop.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026312; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup)"; dns.query; content:"bestbitloly.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026313; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bestbitloly.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026314; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup)"; dns.query; content:"fasebook.cam"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026315; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebook.cam"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026316; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup)"; dns.query; content:"lagertha-lothbrok.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026317; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lagertha-lothbrok.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026318; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup)"; dns.query; content:"natemunson.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026319; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"natemunson.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026320; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup)"; dns.query; content:"billy-bones.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026321; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"billy-bones.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026322; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (up .jkc8 .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.aspx"; endswith; http.user_agent; content:"sjd32DSKJF9Ssf"; depth:14; fast_pattern; http.host; content:"up.jkc8.com"; http.header_names; content:!"Referer"; reference:md5,5a7526db56f812e62302912a1c20edd2; classtype:external-ip-check; sid:2026216; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in DNS Lookup)"; dns.query; content:"fasebookvideo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026339; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebookvideo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026340; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in DNS Lookup)"; dns.query; content:"leonard-kim.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026341; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leonard-kim.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026342; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in DNS Lookup)"; dns.query; content:"new.filetea.me"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026343; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"new.filetea.me"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026344; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in DNS Lookup)"; dns.query; content:"bitgames.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026345; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"bitgames.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026346; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in DNS Lookup)"; dns.query; content:"fatehmedia.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026347; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"fatehmedia.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026348; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in DNS Lookup)"; dns.query; content:"leslie-barnes.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026349; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leslie-barnes.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026350; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in DNS Lookup)"; dns.query; content:"nightchat.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026351; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026352; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in DNS Lookup)"; dns.query; content:"black-honey.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026353; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"black-honey.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026354; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in DNS Lookup)"; dns.query; content:"firesky.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026355; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"firesky.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026356; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in DNS Lookup)"; dns.query; content:"lets-see.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026357; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"lets-see.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026358; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in DNS Lookup)"; dns.query; content:"nightchat.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026359; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026364; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup)"; dns.query; content:"bob-turco.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026365; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bob-turco.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026366; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup)"; dns.query; content:"flirtymania.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026367; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"flirtymania.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026368; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup)"; dns.query; content:"lexi-branson.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026369; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lexi-branson.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026370; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup)"; dns.query; content:"nissour-beton.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026371; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"nissour-beton.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026372; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup)"; dns.query; content:"buymicrosft.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026373; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"buymicrosft.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026374; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup)"; dns.query; content:"freya.miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026375; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"freya.miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026376; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup)"; dns.query; content:"lincoln-blake.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026377; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lincoln-blake.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026378; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup)"; dns.query; content:"octavia-blake.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026379; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"octavia-blake.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026380; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup)"; dns.query; content:"camilleoconnell.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026381; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"camilleoconnell.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026382; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup)"; dns.query; content:"geny-wise.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026383; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"geny-wise.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026384; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup)"; dns.query; content:"lindamullins.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026385; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lindamullins.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026386; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup)"; dns.query; content:"olivia-hartman.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026387; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"olivia-hartman.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026388; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup)"; dns.query; content:"caroline-nina.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026389; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"caroline-nina.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026390; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup)"; dns.query; content:"gmailservice.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026391; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmailservice.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026392; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup)"; dns.query; content:"liz-keen.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026393; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"liz-keen.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026394; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup)"; dns.query; content:"oriential.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026395; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"oriential.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026396; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup)"; dns.query; content:"cassy-gray.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026397; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"cassy-gray.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026398; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup)"; dns.query; content:"graceygretchen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026399; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"graceygretchen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026400; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup)"; dns.query; content:"login-yohoo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026401; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"login-yohoo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026402; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup)"; dns.query; content:"ososezo.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026403; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026404; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup)"; dns.query; content:"cecilia-dobrev.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026405; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-dobrev.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026406; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup)"; dns.query; content:"hareyupnow.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026407; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"hareyupnow.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026408; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup)"; dns.query; content:"lord-varys.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026409; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lord-varys.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026410; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2018-09-27 M2"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:".php?Email="; nocase; fast_pattern; content:"@"; distance:0; classtype:credential-theft; sid:2029666; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)"; flow:to_server,established; flowbits:set,ET.000webhostpost; flowbits:noalert; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:misc-activity; sid:2026420; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK SWF Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; content:".swf"; distance:26; within:4; endswith; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.swf$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; content:"x-flash-version|3a 20|"; http.referer; pcre:"/^.+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.cookie; content:"token="; depth:6; fast_pattern; pcre:"/^[a-f0-9]{32}$/Ri"; classtype:exploit-kit; sid:2026426; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (curl53)"; flow:established,to_server; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:trojan-activity; sid:2026428; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VPNFilter htpx Module C2 Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; http.header_names; content:"Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:command-and-control; sid:2026429; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.TW Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.tw"; endswith; classtype:credential-theft; sid:2026430; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns.query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026432; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, signature_severity Major, tag APT37, tag Reaper, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?MachineId="; content:"&InfoSo="; distance:0; content:"&Index="; distance:0; content:"&Account="; distance:0; content:"&List="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Host|20|Process|20|Update"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026431; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, performance_impact Low, signature_severity Major, tag APT37, tag ReaperGroup, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Malformed Double Accept Header"; flow:established,to_server; http.user_agent; content:!"-DRM"; http.host; content:!"buhphone.ru"; content:!"www.backupmaker.com"; content:!"ati.com"; content:!"amd.com"; endswith; http.accept; content:"Accept|3a 20|"; fast_pattern; reference:url,doc.emergingthreats.net/2008975; classtype:policy-violation; sid:2008975; rev:18; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup)"; dns.query; content:"ososezo.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026442; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026443; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup)"; dns.query; content:"cecilia-gilbert.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026444; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-gilbert.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026445; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup)"; dns.query; content:"harper-monty.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026446; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"harper-monty.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026447; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup)"; dns.query; content:"lyanna-stark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026448; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lyanna-stark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026449; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup)"; dns.query; content:"parrotchat.co"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026450; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"parrotchat.co"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026451; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup)"; dns.query; content:"cerseilannister.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026452; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"cerseilannister.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026453; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup)"; dns.query; content:"harrykane.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026454; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"harrykane.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026455; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup)"; dns.query; content:"mail-accout.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026456; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-accout.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026457; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup)"; dns.query; content:"pmi-pna.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026458; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pmi-pna.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026459; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:domain-c2; sid:2026467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banker, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowswsusonline.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:domain-c2; sid:2026468; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banker, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (weekendstrips .net)"; dns.query; content:"weekendstrips.net"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (shelves-design .com)"; dns.query; content:"shelves-design.com"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M2 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026475; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Coinminer, tag SocEng, tag CoinMinerCampaign, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)"; dns.query; content:"chat-often.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026476; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"chat-often.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026477; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in DNS Lookup)"; dns.query; content:"harvey-ross.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026478; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"harvey-ross.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026479; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)"; dns.query; content:"mail-goog1e.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026480; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-goog1e.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026481; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)"; dns.query; content:"pml-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026482; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"pml-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026483; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)"; dns.query; content:"christopher.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026484; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"christopher.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026485; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious XLS DDE rar Drop Fake 404 Response"; flow:established,to_client; flowbits:isset,ET.xls.dde.drop; http.stat_code; content:"200"; file.data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; endswith; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 10)"; flow:to_server,established; http.user_agent; content:"Windows 10"; depth:10; http.host; content:!"google-analytics.com"; endswith; classtype:bad-unknown; sid:2026521; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious EXE Download Content-Type image/jpeg"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; flowbits:set,ET.http.binary; http.content_type; content:"image/jpeg"; depth:10; endswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:policy-violation; sid:2026537; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls.sni; content:"samwinchester.club"; endswith; nocase; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.uri; content:"/api/hazard/"; depth:12; fast_pattern; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026547; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"common|20|soon"; depth:11; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"loub"; depth:4; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; fast_pattern; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware Initial Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?check$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?servers"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?servers$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026542; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish to zap-webspace.com Webhost 2018-10-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".zap-webspace.com"; endswith; fast_pattern; classtype:credential-theft; sid:2026553; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (IEhook)"; flow:established,to_server; http.user_agent; content:"IEhook"; depth:6; endswith; fast_pattern; reference:md5,f0483493bcb352bd2f474b52f3b2f273; classtype:trojan-activity; sid:2026558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Container"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/containers/create"; endswith; http.user_agent; content:"Docker-Client"; depth:13; fast_pattern; http.request_body; content:"|7b 22|Hostname|22 3a 22|"; depth:13; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2026561; rev:4; metadata:attack_target Server, created_at 2018_10_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/red/info.php"; depth:13; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"EXIT|3b|"; depth:5; fast_pattern; endswith; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; content:".DAT|22 3b 0d 0a|"; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:command-and-control; sid:2026559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category MALWARE, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?dns="; fast_pattern; pcre:"/^[a-f0-9]{8}$/Rs"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; fast_pattern; content:"&i="; distance:0; content:"&p="; distance:0; pcre:"/\.aspx\?m=[A-F0-9]{3,40}&i=[A-F0-9]{3,40}&p=[A-F0-9]{3,40}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; endswith; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/ja/2018/10/tscookie-1.html; classtype:command-and-control; sid:2026568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_01, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/WellMess CnC Activity"; flow:established,to_server; content:"+++|0d 0a|"; fast_pattern; urilen:1; http.method; content:"POST"; http.cookie; content:"+++"; endswith; http.request_body; pcre:"/^(?:[\x3a\x2c\x2e]?[A-Za-z0-9]{1,8}[\x3a\x2c\x2e]?[\x3a\x2c\x2e]?\s*){50,}$/si"; http.header_names; content:!"Referer"; reference:md5,861879f402fe3080ab058c0c88536be4; reference:url,ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf; classtype:trojan-activity; sid:2030534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, malware_family WellMess, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/GPlayed (sub1 .tdsworker .ru in DNS Lookup)"; dns.query; content:"sub1.tdsworker.ru"; endswith; reference:url,blog.talosintelligence.com/2018/10/gplayerbanker.html; classtype:trojan-activity; sid:2026566; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_11_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GPlayed, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET to Puu.sh for TXT File with Minimal Headers"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".txt"; nocase; endswith; http.host; content:"puu.sh"; depth:6; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2026569; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/putty.exe"; nocase; endswith; http.host; content:!"the.earth.li"; classtype:bad-unknown; sid:2026570; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?anti="; content:"&cliname="; distance:0; fast_pattern; http.accept; content:"*/*"; endswith; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:targeted-activity; sid:2026575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; flowbits:set,ET.APT33CharmingKitten.1; http.method; content:"GET"; http.uri; content:"/images/static/content/"; depth:23; fast_pattern; endswith; http.header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns.query; content:"mynetwork.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026573; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns.query; content:"mypsh.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026574; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 12"; flow:established,to_server; urilen:<6; http.method; content:"POST"; http.uri; content:"/"; endswith; content:!"."; content:!"&"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; depth:2; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:command-and-control; sid:2026555; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family SmokeLoader, signature_severity Major, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArrobarLoader CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; fast_pattern; http.request_body; content:"0"; endswith; http.header_names; content:!"Referer"; content:!"Cache"; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:command-and-control; sid:2026528; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category MALWARE, malware_family ArrobarLoader, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magento.si-shell.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlinestatus.site"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=s3-us-west.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=maxijs.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=allacarts.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=googiecloud.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026596; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=braintform.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026597; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlineshopsecurity.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026598; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magecreativetech.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026599; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=busnguard.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026600; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cloud-privacy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026601; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/upload.cfm?action=upload"; nocase; fast_pattern; endswith; reference:cve,2018-15961; reference:url,volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-user; sid:2026604; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag CVE_2018_15961, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JunkMiner Downloader Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Microsoft Windows"; depth:17; fast_pattern; endswith; http.request_body; content:"&JSONQUERY="; depth:11; content:"&SHA1="; distance:0; content:"&SHA2="; distance:0; content:"&SHA3="; distance:0; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026608; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_14, deployment Perimeter, former_category MALWARE, malware_family JunkMiner, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Mystery Baby syschk CnC Communication"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = -------- 1650502037"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/m/1963; classtype:command-and-control; sid:2026614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Inject Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=opzioni.at"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"scsnewstoday.com"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026611; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"thyssenkrupp-marinesystems.org"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026612; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT29 Domain in DNS Lookup (pandorasong .com)"; dns.query; content:"pandorasong.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT29, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hades APT Domain in DNS Lookup (findupdatems .com)"; dns.query; content:"findupdatems.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag HadesAPT, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkGate CNC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ET.DarkGate.1; http.method; content:"POST"; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; endswith; fast_pattern; http.request_body; content:"id="; depth:3; content:"&data="; distance:0; content:"&action="; distance:0; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; flowbits:isset,ET.DarkGate.1; http.stat_code; content:"200"; file.data; content:"getbotdata"; depth:10; fast_pattern; endswith; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (akamai .la)"; dns.query; content:"akamai.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (hardwarenet .cc)"; dns.query; content:"hardwarenet.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (awsamazon.cc)"; dns.query; content:"awsamazon.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (battlenet .la)"; dns.query; content:"battlenet.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"gazanew.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026621; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcu.pw"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026622; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"hostingcloud.science"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026623; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"mining711.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026624; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"src-ips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026625; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcip.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in TLS SNI"; flow:established,to_server; tls.sni; content:"srcip.com"; endswith; nocase; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026627; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026628; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (cdn-ampproject .com)"; dns.query; content:"cdn-ampproject.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026645; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (bootstraplink .com)"; dns.query; content:"bootstraplink.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026646; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (sskimresources .com)"; dns.query; content:"sskimresources.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026647; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (widgets-wp .com)"; dns.query; content:"widgets-wp.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv6"; nocase; endswith; tls.cert_serial; content:"E2:56:45:9F:06:BC:8C:B9"; classtype:domain-c2; sid:2026666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"B6:9B:45:06:EE:69:DE:58"; classtype:domain-c2; sid:2026667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"CB:E2:F0:46:19:AE:BE:40"; classtype:domain-c2; sid:2026668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv4"; nocase; endswith; tls.cert_serial; content:"86:80:0E:21:37:91:42:A3"; classtype:domain-c2; sid:2026669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=amorenvena.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:domain-c2; sid:2026678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=andresocana.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:domain-c2; sid:2026679; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSpionage Requesting Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Login?id=Fy"; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:targeted-activity; sid:2026681; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNSpionage, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".0ffice36o.com"; nocase; endswith; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:command-and-control; sid:2026557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to Bit.ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|bit.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2026674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"g-analytics.com"; nocase; depth:15; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026685; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"jquery-js.com"; nocase; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026686; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.ayar.biz"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026689; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-message.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026691; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-screenfonts.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"docsdriver.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"grsvps.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026694; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"pqexport.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"scaurri.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026696; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"secozco.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026697; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.pw"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026698; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.us"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026699; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"tempdomain8899.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"world-paper.net"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"zwfaxi.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Group/More_Eggs CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=safesecurefiles.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:domain-c2; sid:2026703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursa Loader CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; http.request_body; pcre:"/^[a-z]{1,10}=[A-Z]+(?:&[a-z]{1,10}=[A-Z]+){2,}$/s"; http.request_line; content:"POST / HTTP/1.0"; depth:15; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:md5,d05af060e3e104dea638f17c4bceb5ac; classtype:command-and-control; sid:2026756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Ursa_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=afgdhjkrm.pw"; nocase; endswith; reference:md5,603dc6ff2a0f28cdf7693050a62f2355; classtype:domain-c2; sid:2026769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID WebSocket Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?"; pcre:"/^[A-F0-9]{16}$/R"; http.header; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, malware_family IcedID, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MongoLock Variant CnC Domain (s .rapid7 .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.rapid7.xyz"; endswith; reference:md5,fa64390d7ffa4ee604dd944bbcf0bc09; classtype:command-and-control; sid:2026722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Persistence Setup File"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushBatch"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Main Payload"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushAgent"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026729; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon V3 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?selection="; http.user_agent; content:"Mozilla/13.0|20 28|MSIE|20|7.0|3b 20|Windows|20|NT|20|6.0|29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/; classtype:command-and-control; sid:2026730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, performance_impact Low, signature_severity Major, tag APT, tag Wiper, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=vesecase.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_18, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Domain (gandcrab .bit)"; dns.query; content:"gandcrab.bit"; nocase; endswith; reference:md5,023f078d5eb70bcbf4c5ad5b87df9710; classtype:trojan-activity; sid:2026737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_18, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Free Hosting Domain (.free .bg)"; dns.query; content:".free.bg"; nocase; endswith; classtype:policy-violation; sid:2026742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.pointsoft.pw"; nocase; endswith; reference:md5,5b7244c47104f169b0840440cdede788; classtype:domain-c2; sid:2026771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_21, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)"; flow:established,to_client; tls.cert_subject; content:"CN=ident.me"; nocase; endswith; classtype:external-ip-check; sid:2026743; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 1"; dns.query; content:"flux2key.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 2"; dns.query; content:"string2me.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026745; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"project=%3C%230%3E"; depth:18; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026755; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SedUploader)"; flow:established,to_client; tls.cert_subject; content:"CN=photopoststories.com"; nocase; endswith; classtype:domain-c2; sid:2026757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via vtransmit .com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.php"; depth:10; endswith; http.host; content:"vtransmit.com"; depth:13; fast_pattern; endswith; classtype:external-ip-check; sid:2026761; rev:4; metadata:attack_target Client_and_Server, created_at 2019_01_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Operation Cobra Venom Stage 1 DNS Lookup"; dns.query; content:"my-homework.890m.com"; nocase; fast_pattern; endswith; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - CnC Checkin"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=a"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - File Decode Completed"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=e"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 1"; dns.query; content:"0ffice365.agency"; nocase; endswith; classtype:targeted-activity; sid:2026775; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 2"; dns.query; content:"0nedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026776; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 3"; dns.query; content:"corewindows.agency"; nocase; endswith; classtype:targeted-activity; sid:2026777; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 4"; dns.query; content:"microsoftonline.agency"; nocase; endswith; classtype:targeted-activity; sid:2026778; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 5"; dns.query; content:"onedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026779; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 6"; dns.query; content:"sharepoint.agency"; nocase; endswith; classtype:targeted-activity; sid:2026780; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 7"; dns.query; content:"skydrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026781; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 8"; dns.query; content:"0ffice365.life"; nocase; endswith; classtype:targeted-activity; sid:2026782; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 9"; dns.query; content:"0ffice365.services"; nocase; endswith; classtype:targeted-activity; sid:2026783; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 10"; dns.query; content:"skydrive.services"; nocase; endswith; classtype:targeted-activity; sid:2026784; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 11"; dns.query; content:"akdns.live"; nocase; endswith; classtype:targeted-activity; sid:2026785; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 12"; dns.query; content:"akamaiedge.live"; nocase; endswith; classtype:targeted-activity; sid:2026786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 13"; dns.query; content:"akamaiedge.services"; nocase; endswith; classtype:targeted-activity; sid:2026787; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 14"; dns.query; content:"edgekey.live"; nocase; endswith; classtype:targeted-activity; sid:2026788; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 15"; dns.query; content:"akamaized.live"; nocase; endswith; classtype:targeted-activity; sid:2026789; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 16"; dns.query; content:"trafficmanager.live"; nocase; endswith; classtype:targeted-activity; sid:2026790; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 17"; dns.query; content:"cloudfronts.services"; nocase; endswith; classtype:targeted-activity; sid:2026791; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 18"; dns.query; content:"hotmai1.com"; nocase; endswith; classtype:targeted-activity; sid:2026792; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 19"; dns.query; content:"microsoftonline.services"; nocase; endswith; classtype:targeted-activity; sid:2026793; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 20"; dns.query; content:"nsatc.agency"; nocase; endswith; classtype:targeted-activity; sid:2026794; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 21"; dns.query; content:"phicdn.world"; nocase; endswith; classtype:targeted-activity; sid:2026795; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 22"; dns.query; content:"t-msedge.world"; nocase; endswith; classtype:targeted-activity; sid:2026796; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 23"; dns.query; content:"akadns.live"; nocase; endswith; classtype:targeted-activity; sid:2026797; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 24"; dns.query; content:"azureedge.today"; nocase; endswith; classtype:targeted-activity; sid:2026798; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=memail.mea.com.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026800; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=webmail.finance.gov.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026801; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.apc.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026802; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.mgov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026803; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=adpvpn.adpolice.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026804; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper RAT CnC Domain Observed in SNI"; flow:established,to_server; tls.sni; content:"arhidsfderm.pw"; endswith; nocase; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:command-and-control; sid:2026768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hawad.000webhostapp.com"; endswith; reference:md5,5872fde3bf4b5a30a64837a35d1ec5fd; classtype:command-and-control; sid:2026799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family AwadBot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 25"; dns.query; content:"data-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026812; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 26"; dns.query; content:"asimov-win-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026813; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 27"; dns.query; content:"iecvlist-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026814; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 28"; dns.query; content:"onecs-live.services"; nocase; endswith; classtype:targeted-activity; sid:2026815; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cryptor Ransomware CnC Domain (e3kok4ekzalzapsf .onion .ws in TLS SNI)"; flow:established,to_server; tls.sni; content:"e3kok4ekzalzapsf.onion.ws"; endswith; reference:md5,4b6f0113007cddea4ad31237add23786; classtype:command-and-control; sid:2026806; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family CryptorRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TrumpHead Ransomware CnC Domain (6bbsjnrzv2uvp7bp .onion .pet in TLS SNI)"; flow:established,to_server; tls.sni; content:"6bbsjnrzv2uvp7bp.onion.pet"; endswith; reference:md5,49fdb7e267c00249e736aad5258788d2; classtype:command-and-control; sid:2026807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family TrumpHeadRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. pet))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026808; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .pet)"; dns.query; content:".onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026809; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .ws)"; dns.query; content:".onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026810; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026811; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"bodyshoppechiropractic.com"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERRATANKBA CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:domain-c2; sid:2026817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag Lazarus, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:domain-c2; sid:2026819; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=content-delivery.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:domain-c2; sid:2026820; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"cdn-content.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026821; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"deliveryjs.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026822; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (areadozemode .space in DNS Lookup)"; dns.query; content:"areadozemode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026828; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_01_22, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Anubis, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (selectnew25mode .space in DNS Lookup)"; dns.query; content:"selectnew25mode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026829; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (twethujsnu .cc in DNS Lookup)"; dns.query; content:"twethujsnu.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026830; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (project2anub .xyz in DNS Lookup)"; dns.query; content:"project2anub.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026831; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (taiprotectsq .xyz in DNS Lookup)"; dns.query; content:"taiprotectsq.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026832; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (uwannaplaygame .space in DNS Lookup)"; dns.query; content:"uwannaplaygame.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026833; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (projectpredator .space in DNS Lookup)"; dns.query; content:"projectpredator.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026834; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (nihaobrazzzahit .top in DNS Lookup)"; dns.query; content:"nihaobrazzzahit.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026835; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (aserogeege .space in DNS Lookup)"; dns.query; content:"aserogeege.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026836; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (hdfuckedin18 .top in DNS Lookup)"; dns.query; content:"hdfuckedin18.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026837; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dingpsounda .space in DNS Lookup)"; dns.query; content:"dingpsounda.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026838; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wantddantiprot .space in DNS Lookup)"; dns.query; content:"wantddantiprot.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026839; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (privateanbshouse .space in DNS Lookup)"; dns.query; content:"privateanbshouse.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026840; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (seconddoxed .space in DNS Lookup)"; dns.query; content:"seconddoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026841; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (firstdoxed .space in DNS Lookup)"; dns.query; content:"firstdoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026842; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (oauth3 .html5100 .com in DNS Lookup)"; dns.query; content:"oauth3.html5100.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026843; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dosandiq .space in DNS Lookup)"; dns.query; content:"dosandiq.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026844; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (protect4juls .space in DNS Lookup)"; dns.query; content:"protect4juls.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026845; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wijariief .space in DNS Lookup)"; dns.query; content:"wijariief.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026846; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (scradm .in in DNS Lookup)"; dns.query; content:"scradm.in"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026847; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+
+alert http any any -> $HOME_NET any (msg:"ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement"; flow:established,to_server; http.user_agent; content:"Microsoft|20|WinRM|20|Client"; depth:22; fast_pattern; endswith; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026850; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_23, deployment Internal, former_category USER_AGENTS, performance_impact Low, signature_severity Major, tag WinRM, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"nolkbacteria.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026855; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"2searea0.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026856; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"touristsila1.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026857; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Donot Group/APT-C-35 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=.sessions4life.pw"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026859; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_28, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=driverconnectsearch.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,2bd9a6ea29182f5ec6acafe032fbeaab; classtype:domain-c2; sid:2026861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_29, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zepakab CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Seven DSert SHA2 CA"; nocase; endswith; tls.cert_issuer; content:"C=US, ST=Some-State, O=Seven Ltd, CN=Seven DSert SHA2 CA"; reference:url,blog.yoroi.company/research/sofacys-zepakab-downloader-spotted-in-the-wild/; classtype:domain-c2; sid:2026864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family Zekapab, malware_family Zepakab, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Skypool Coin Mining Pool DNS Lookup"; dns.query; content:"skypool.org"; nocase; endswith; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=syn.browserstime.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.webhop.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=office.windown-update.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026871; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.homeip.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026872; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=e.browsersyn.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026873; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=word.webhop.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026874; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cortana.homelinux.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026875; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL Google User-Agent (google/dance)"; flow:established,to_server; http.user_agent; content:"google/dance"; depth:14; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026883; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peppy/KeeOIL Google Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"google/dance"; depth:12; fast_pattern; endswith; http.host; content:"www.google.com"; depth:14; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026884; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category TROJAN, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, tag Connectivity_Check, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL User-Agent (ekeoil)"; flow:established,to_server; http.user_agent; content:"ekeoil/"; depth:7; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.icu domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".icu"; fast_pattern; endswith; classtype:bad-unknown; sid:2026887; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .icu Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".icu"; nocase; endswith; classtype:bad-unknown; sid:2026888; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)"; flow:established,to_client; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2026890; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via iplocation.com"; flow:established,to_server; tls.sni; content:"iplocation.com"; endswith; nocase; classtype:external-ip-check; sid:2026892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_07, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CDC Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"NCDC-19-PoS"; depth:11; endswith; classtype:policy-violation; sid:2026893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_08, deployment Perimeter, former_category MALWARE, malware_family CDCRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/rpt"; pcre:"/\/rpt\d/"; http.user_agent; content:!"Mozilla"; depth:7; http.host; content:!".apple.com"; endswith; content:!".pandora.com"; endswith; content:!"microsoft.com"; endswith; reference:url,doc.emergingthreats.net/2008233; classtype:command-and-control; sid:2008233; rev:18; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"whatismyipaddress.com"; endswith; classtype:external-ip-check; sid:2026896; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY IP Logger Redirect Domain in SNI"; flow:to_server,established; tls.sni; content:"maper.info"; endswith; classtype:policy-violation; sid:2026897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SomeTimes)"; flow:established,to_server; http.user_agent; content:"SomeTimes"; depth:9; endswith; fast_pattern; reference:md5,a86d4e17389a37bfc291f4a8da51a9b8; classtype:trojan-activity; sid:2026898; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.CO Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.co"; endswith; classtype:credential-theft; sid:2026894; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.BR Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.br"; endswith; classtype:credential-theft; sid:2026895; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE BrushaLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"traderserviceinfo.info"; endswith; classtype:command-and-control; sid:2026900; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Astaroth User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|SLCC1)"; depth:57; endswith; reference:md5,589d2d33825a0329f61406f0af709469; reference:url,www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research; classtype:trojan-activity; sid:2026906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Astaroth, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cayosin/Mirai CnC Domain in DNS Lookup"; dns.query; content:"hostnamepxssy.club"; nocase; endswith; reference:url,perchsecurity.com/perch-news/threat-report-sunday-february-3rd-2019/; classtype:command-and-control; sid:2026915; rev:3; metadata:created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Punto Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/klog.php"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"text|2f|html|3b|q=0|2e|7|2c 20 2a 2f 2a 3b|q=1"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, malware_family Punto, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FBot Downloader Generic GET for ARM Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fbot.arm"; depth:9; fast_pattern; content:".u"; endswith; pcre:"/^\/fbot\.arm\d{1}\.u$/i"; http.protocol; content:"HTTP/1.0"; reference:url,blog.netlab.360.com/the-new-developments-of-the-fbot-en/; classtype:trojan-activity; sid:2026951; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_21, deployment Perimeter, former_category TROJAN, malware_family Fbot, performance_impact Low, signature_severity Major, tag Downloader, tag DDoS, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"cheapairlinediscount.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026953; rev:3; metadata:created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"emailerservo.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026954; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"fazadminmessae.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026955; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"housecleaning.press"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026956; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"hrent.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026957; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"irepare.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026958; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"macmall.fun"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026959; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"managerdriver.website"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026960; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mantorsagcoloms.club"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026961; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mediaaplayer.win"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026962; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mobileshoper.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026963; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"ppservice.stream"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026964; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"searchidriverip.space"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026965; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemai.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026966; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemaining.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026967; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026968; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmailer.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026969; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailelit.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026970; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerpro.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026971; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerprogres.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026972; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servespromail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026973; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servicemaile.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026974; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serviveemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026975; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servoemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026976; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servomail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026977; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"progresservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026978; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026979; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmailing.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026980; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BabyShark CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fmchr.in"; endswith; reference:url,unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/; classtype:command-and-control; sid:2026981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_25, deployment Perimeter, former_category MALWARE, malware_family BabyShark, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nuuo NVR RCE Attempt (CVE-2018-15716)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_handle.php?cmd=getupgradinginfo"; fast_pattern; endswith; classtype:attempted-admin; sid:2026982; rev:3; metadata:created_at 2019_02_26, cve 2018_15716, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"aroundtheworld123.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026983; rev:4; metadata:created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"frameworksupport.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dittm.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:domain-c2; sid:2026997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=google-analytics.is"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:domain-c2; sid:2026998; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=whoama.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2026999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdnnote.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027000; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checkfreedom.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027001; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=connectionstatistics.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conveeir.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryers.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027004; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryflagonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027005; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=crowlock.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027006; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=i-checkme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magedefacto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027008; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mageenergy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027009; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mnewage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=my-that.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027011; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=phatem.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=s1all.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=scripteco.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027014; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=secureqbrowser.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027015; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=security-mage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027016; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sysproperties.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027017; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=teflag.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027018; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=topstatshop.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027019; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=usvalidly.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027020; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=validlyglobal.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=youlikedme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=zstatonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Address Lookup DNS Query (2ip .ua)"; dns.query; content:"2ip.ua"; nocase; endswith; reference:md5,81bfa5fe9d0147c8df47a51a1cd4b7c4; classtype:external-ip-check; sid:2027026; rev:3; metadata:created_at 2019_03_04, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup/Patchwork CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=car.drivethrough.top"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, tag APT_C_35, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M1"; flow:established,to_server; http.user_agent; content:"Cayosin/2.0"; depth:11; fast_pattern; endswith; classtype:trojan-activity; sid:2026876; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M2"; flow:established,to_server; http.user_agent; content:"Cock/2.0"; depth:8; fast_pattern; endswith; classtype:trojan-activity; sid:2026877; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"|2f|"; depth:1; content:"--"; content:"|5c|"; content:"-service.html"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Python, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win10-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027054; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win7-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder CnC DNS Query"; dns.query; content:"cdn-load.net"; nocase; endswith; reference:url,s.tencent.com/research/report/659.html; classtype:command-and-control; sid:2027056; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Sidewinder, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FIN6 StealerOne CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"contactlistsagregator.com"; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027058; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN6 StealerOne CnC DNS Query"; dns.query; content:"akamaitechnologies.kz"; nocase; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getInfoAfterInstall"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/applyingpoliciesrules"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 JEShell CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=stream.playnetflix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027068; rev:3; metadata:affected_product Java, attack_target Client_and_Server, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family JEShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; http.host; content:".su"; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014170; rev:6; metadata:created_at 2012_01_31, former_category POLICY, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Wget Request for Executable"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; http.user_agent; content:"Wget/"; depth:5; fast_pattern; classtype:bad-unknown; sid:2027076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_12, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_11;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; dns.query; content:"32player.com"; depth:12; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025903; rev:5; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|1|2f|0|2f|0"; endswith; pcre:"/^\/[A-F0-9]{30,60}\/1\/0\/0$/"; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Retadup Success Response from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|donnn|3a 3a|"; depth:9; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PirateMatryoshka CnC DNS Query"; dns.query; content:"mobilekey.pw"; nocase; endswith; reference:url,securelist.com/piratebay-malware/89740/; classtype:command-and-control; sid:2027080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ciscoupdt.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/ddb59d8cc93688bbf4925c7d27462b70e53225cb/; classtype:domain-c2; sid:2027082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Dorv InfoStealer CnC DNS Query"; dns.query; content:"googleservice-info.ru"; nocase; endswith; reference:md5,888864c2ea27babf978d5feda40b3b2f; reference:url,twitter.com/wdsecurity/status/1105992405629583362; classtype:command-and-control; sid:2027088; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Win32_Dorv, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rdfs.cgi"; depth:17; endswith; fast_pattern; http.request_body; content:"Client="; depth:7; content:"|3b|"; distance:0; content:"&Download="; distance:0; classtype:attempted-admin; sid:2027090; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"&src=|2e 2e 2f 2e 2e 2f 2e 2e 2f|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/cgi-bin/login.cgi"; depth:18; endswith; classtype:attempted-user; sid:2027091; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"&ping_IPAddr="; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6077; classtype:attempted-user; sid:2027093; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnslookup.cgi"; depth:14; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"host_name="; depth:10; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/debug.cgi"; depth:10; endswith; http.request_body; content:"data1=|3b|"; depth:7; fast_pattern; content:"&command="; distance:0; reference:url,seclists.org/bugtraq/2010/Jun/93; classtype:attempted-user; sid:2027095; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=poladidlei.website"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/008d33ce2e5d3583d8ebb115f72b250975757018/; classtype:domain-c2; sid:2027086; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PlugX Common Header Struct"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a 20|61456|0d 0a|"; fast_pattern; http.user_agent; content:!"Dickson/"; depth:8; http.host; content:!".googleapis.com"; endswith; http.content_len; content:!"61456"; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:9; metadata:created_at 2014_03_06, former_category TROJAN, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request to Dotted Quad"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.ip.request; flowbits:noalert; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"UA-CPU"; content:!"Cookie"; content:!"Referer"; content:!"Accept-Language"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:misc-activity; sid:2022054; rev:6; metadata:created_at 2015_11_10, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowHammer DNS Lookup"; dns.query; content:"asushotfix.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027109; rev:3; metadata:created_at 2019_03_25, former_category TROJAN, malware_family ShadowHammer, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"simplexoj.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027111; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"homeabcd.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ShadowHammer CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asushotfix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,securelist.com/operation-shadowhammer/89992/; classtype:domain-c2; sid:2027116; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag ShadowHammer, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JasperLoader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?b="; content:"&v="; distance:0; content:"&psver="; distance:0; fast_pattern; isdataat:!2,relative; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; classtype:command-and-control; sid:2027100; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Related User-Agent (WINTERNET)"; flow:established,to_server; http.user_agent; content:"WINTERNET"; depth:9; endswith; fast_pattern; reference:md5,feeb9efd6b724d772768cd89d3c30380; classtype:pup-activity; sid:2027141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_29, former_category USER_AGENTS, tag User_Agent, tag PUA, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Mozilla 6.0)"; flow:established,to_server; http.user_agent; content:"Mozilla 6.0"; depth:11; endswith; classtype:bad-unknown; sid:2027142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_01, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kribat-A Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Command"; depth:7; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,78184ca66e1774598b96188f977f0687; classtype:trojan-activity; sid:2027024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Password Submitted to *.000webhostapp.com"; flow:established,to_server; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.request_body; content:"password="; nocase; classtype:credential-theft; sid:2027146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Request for Payload (TA505 Related)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".tmp"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.start; content:".tmp|20|HTTP/1."; fast_pattern; content:"|0d 0a|Host|3a 20|"; distance:1; within:8; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:25; classtype:trojan-activity; sid:2027143; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&string="; depth:8; fast_pattern; pcre:"/^[A-F0-9]+$/R"; http.content_type; content:"|20|Charset=UTF-8"; endswith; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:command-and-control; sid:2027155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category MALWARE, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pedraz12ziniphoto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/16e06a88dbb10c75077780d4baed6d0b2733f985/; classtype:domain-c2; sid:2027157; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_05, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ga"; nocase; endswith; classtype:trojan-activity; sid:2027158; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.gq"; nocase; endswith; classtype:trojan-activity; sid:2027159; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ml"; nocase; endswith; classtype:trojan-activity; sid:2027160; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.gq"; nocase; endswith; classtype:trojan-activity; sid:2027161; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.ml"; nocase; endswith; classtype:trojan-activity; sid:2027162; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.cf"; nocase; endswith; classtype:trojan-activity; sid:2027163; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.ml"; nocase; endswith; classtype:trojan-activity; sid:2027164; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.tk"; nocase; endswith; classtype:trojan-activity; sid:2027165; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"paltyr.tk"; nocase; endswith; classtype:trojan-activity; sid:2027166; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=justin.drinkeatgood.space"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027195; rev:3; metadata:affected_product Android, attack_target Client_and_Server, created_at 2019_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check myexternalip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"myexternalip.com"; depth:16; endswith; classtype:external-ip-check; sid:2019980; rev:6; metadata:created_at 2014_12_20, former_category POLICY, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-04-12"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ur="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027196; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns.query; content:"tiny.cc"; nocase; endswith; classtype:trojan-activity; sid:2027199; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc)"; flow:from_server,established; tls.cert_subject; content:"CN=tiny.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2027200; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com)"; dns.query; content:"time-loss.dns05.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com)"; dns.query; content:"dji-msi.2waky.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027209; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drivethrough .top)"; dns.query; content:"drivethrough.top"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drinkeatgood .space)"; dns.query; content:"drinkeatgood.space"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027218; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreDn/BLINDINGCAN Activity)"; flow:established,to_client; tls.cert_subject; content:"CN=www.curiofirenze.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=microsoftonline-secure-login.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027221; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (xsecuremail .com)"; dns.query; content:"xsecuremail.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027224; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (wipro365 .com)"; dns.query; content:"wipro365.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027225; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (microsoftonline-secure-login .com)"; dns.query; content:"microsoftonline-secure-login.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027226; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)"; dns.query; content:"myservicessapps.com"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/pua-microsoft-store-porn-gambling; classtype:trojan-activity; sid:2027220; rev:4; metadata:attack_target Mobile_Client, created_at 2019_04_18, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secure-message .online)"; dns.query; content:"secure-message.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027227; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypt-email .online)"; dns.query; content:"encrypt-email.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027228; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secured-mail .online)"; dns.query; content:"secured-mail.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027229; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (internal-message .app)"; dns.query; content:"internal-message.app"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027230; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypted-message .cloud)"; dns.query; content:"encrypted-message.cloud"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027231; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealerNeko CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"country="; depth:8; content:"&cc="; content:"&autof="; content:"&cookies="; content:"&filezilla="; fast_pattern; content:"&passwords="; content:"&telegram="; content:"&wallet="; content:"winver="; content:"&pidgin="; http.header_names; content:!"Referer"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027239; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, malware_family StealerNeko, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"kuternull.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"rimrun.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.myddns.me Domain"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".myddns.me"; nocase; endswith; classtype:policy-violation; sid:2027287; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire POST M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2027283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire GET M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2027284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myddns.me Domain"; flow:established,to_server; http.host; content:".myddns.me"; endswith; classtype:policy-violation; sid:2027288; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"pxybomb.icu"; nocase; endswith; classtype:trojan-activity; sid:2027285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Monero, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"data-backup.online"; nocase; endswith; classtype:command-and-control; sid:2027290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"fontsupdate.com"; nocase; endswith; classtype:command-and-control; sid:2027291; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"akamaihub.stream"; nocase; endswith; classtype:command-and-control; sid:2027292; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Novaloader Stage 2 VBS Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cabaco2.txt"; fast_pattern; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,www.zscaler.com/blogs/research/novaloader-yet-another-brazilian-banking-malware-family; reference:md5,4ef89349a52f9fcf9a139736e236217e; classtype:trojan-activity; sid:2027289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_29, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Novaloader, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.autoddns .com Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".autoddns.com"; nocase; endswith; classtype:policy-violation; sid:2027299; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.autoddns.com Domain"; flow:established,to_server; http.host; content:".autoddns.com"; endswith; classtype:policy-violation; sid:2027300; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:"coldfart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027280; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"mystrylust.pw"; nocase; endswith; classtype:command-and-control; sid:2027295; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Stage 2 CnC Domain in DNS Lookup"; dns.query; content:"new.listenmusic.pw"; nocase; endswith; classtype:command-and-control; sid:2027296; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup Stage 2 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=new.listenmusic.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027297; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mystrylust.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027298; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"houusha33.icu"; nocase; endswith; classtype:command-and-control; sid:2027304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"joisff333.icu"; nocase; endswith; classtype:command-and-control; sid:2027305; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"aasdkkkdsa3442.icu"; nocase; endswith; classtype:command-and-control; sid:2027306; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"fjiisiis33.icu"; nocase; endswith; classtype:command-and-control; sid:2027307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"afsafasdarm.icu"; nocase; endswith; classtype:command-and-control; sid:2027308; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"cdnavupdate.icu"; nocase; endswith; classtype:command-and-control; sid:2027309; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE AridViper CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"tatsumifoughtogre.club"; endswith; classtype:targeted-activity; sid:2027312; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_SNI, tag AridViper, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Krypton Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Client"; depth:6; endswith; http.request_body; content:"id="; depth:3; content:"&message="; distance:0; fast_pattern; reference:md5,825afad02d07063689b7b59e8cf46809; classtype:command-and-control; sid:2027313; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, deployment Perimeter, former_category MALWARE, malware_family Krypton, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IcedID Fake Resume Server in DNS Lookup"; dns.query; content:"browse-resumes.com"; nocase; endswith; classtype:trojan-activity; sid:2027314; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, former_category TROJAN, malware_family IcedID, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (ReactGet Group)"; dns.query; content:"ebitbr.com"; depth:10; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ReactGet Group)"; flow:established,to_client; tls.cert_subject; content:"CN=ebitbr.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:domain-c2; sid:2027318; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_06, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Mirrorthief Group)"; dns.query; content:"cloudmetric-analytics.com"; depth:25; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027321; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Mirrortheif group)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudmetric-analytics.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:domain-c2; sid:2027322; rev:4; metadata:attack_target Client_and_Server, created_at 2019_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rest/tinymce/1/macro/preview"; fast_pattern; endswith; http.request_body; content:"|22|contentId|22|"; depth:20; content:"|22|_template|22 3a|"; distance:0; reference:url,packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html; classtype:attempted-admin; sid:2027333; rev:4; metadata:created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%3D"; endswith; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,156e021f890dd6eb6f271c2ad9b0316e; classtype:command-and-control; sid:2035056; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,*/*|3b|q=0.8"; depth:74; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,430,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:130; reference:md5,4ca520895d86beb6f8cab93639f26f50; classtype:command-and-control; sid:2035055; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,bda5b754bb079eec4389a9f43d16c903; classtype:command-and-control; sid:2035058; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,bda5b754bb079eec4389a9f43d16c903; classtype:command-and-control; sid:2035059; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Pre-auth User Information Leakage"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/search/index?q="; distance:0; isdataat:1,relative; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; reference:url,github.com/rapid7/metasploit-framework/pull/11466; classtype:web-application-attack; sid:2027348; rev:4; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-analytics.com"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:domain-c2; sid:2027342; rev:5; metadata:attack_target Client_and_Server, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC Domain in DNS Lookup"; dns.query; content:"magento-analytics.com"; nocase; endswith; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:command-and-control; sid:2027343; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextd.at"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:domain-c2; sid:2027355; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC in DNS Lookup"; dns.query; content:"jqueryextd.at"; nocase; endswith; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:command-and-control; sid:2027356; rev:3; metadata:created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PasswordVault/auth/saml/"; fast_pattern; endswith; http.request_body; content:"SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1F"; depth:41; reference:url,www.exploit-db.com/exploits/46828; classtype:attempted-admin; sid:2027358; rev:4; metadata:created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User-Agent Downloading ZIP"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".zip"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2027360; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
+
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech Plead CnC in DNS Lookup"; dns.query; content:"ssmailer.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.ssmailer\.com$/"; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:command-and-control; sid:2027362; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com)"; dns.query; content:"dns-report.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.dns-report\.com$/"; classtype:bad-unknown; sid:2027363; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious shell .now .sh Domain"; dns.query; content:"shell.now.sh"; nocase; endswith; reference:url,www.lacework.com/blog-attacks-exploiting-confluence; classtype:misc-attack; sid:2027367; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821"; http.method; content:"POST"; http.uri; content:"/servlet/UploadServlet"; depth:22; endswith; fast_pattern; http.header; content:"Destination-Dir|3a 20|tftpRoot"; http.request_body; content:"String(|22|/bin/"; content:"new Socket(|22|"; distance:0; content:"Runtime.getRuntime().exec("; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header_names; content:!"Referer"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce; classtype:web-application-attack; sid:2027368; rev:4; metadata:attack_target Server, created_at 2019_05_20, cve 2019_1821, deployment Perimeter, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; depth:3; endswith; http.start; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:command-and-control; sid:2022609; rev:5; metadata:created_at 2016_03_10, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in"; flow:established,to_server; urilen:<134; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:18; metadata:created_at 2014_05_05, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Check-in"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z]+\/)?$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; classtype:trojan-activity; sid:2019881; rev:6; metadata:created_at 2014_12_06, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - iplocation .truevue .org"; flow:established,to_server; http.host; content:"iplocation.truevue.org"; fast_pattern; depth:22; endswith; classtype:external-ip-check; sid:2027372; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to External IP Lookup Domain ( iplocation .truevue .org)"; dns.query; content:"iplocation.truevue.org"; nocase; endswith; classtype:external-ip-check; sid:2027373; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT DNS Lookup (bulk .fun)"; dns.query; content:"bulk.fun"; nocase; endswith; classtype:targeted-activity; sid:2034146; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_05_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shade Ransomware Payment Domain in DNS Lookup"; dns.query; content:"cryptsen7f043rr6.onion"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/; classtype:trojan-activity; sid:2027379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category MALWARE, malware_family Shade, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware Sending Encrypted Filelist"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; http.request_body; content:"name=|22|uploadfile|22 3b 20|filename=|22|C|3a 5c|"; content:"|0d 0a|[ALL]|0d 0a|"; distance:0; content:"|0d 0a|[ALL_END]|0d 0a 0d 0a|[PRIORITY]|0d 0a|"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,e5293a4da4b67be6ff2893f88c8ef757; classtype:trojan-activity; sid:2024178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible EXE Download Request to ngrok"; flow:established,to_server; http.uri; content:".exe"; endswith; http.host; content:".ngrok.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027391; rev:4; metadata:created_at 2019_05_28, deployment Perimeter, former_category POLICY, signature_severity Major, tag Suspicious_Download, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProtonBot Stealer Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"&clip=get"; distance:12; within:9; endswith; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027383; rev:3; metadata:created_at 2019_05_28, former_category TROJAN, malware_family ProtonBot, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".microsofts.org"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027385; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".kaspresksy.com"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027386; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".tencentchat.net"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Node XMLHTTP User-Agent"; flow:established,to_server; http.user_agent; content:"node-XMLHttpRequest"; depth:19; endswith; nocase; fast_pattern; classtype:unknown; sid:2027388; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (php)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"|0d 0a 0d 0a|php"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^php.{0,500}[\x80-\xff]/s"; http.header_names; content:!"Content-Type"; content:!"Referer"; content:!"Cookie:"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022901; rev:5; metadata:created_at 2016_06_15, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT ScanBox Framework used in WateringHole Attacks Initial (POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"seed="; fast_pattern; content:"&referrer="; content:"&agent="; content:"&location="; content:"&toplocation="; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:exploit-kit; sid:2019094; rev:8; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SeaDuke CnC Beacon"; flow:established,to_server; content:"|0d 0a 0d 0a|Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/"; http.header_names; content:!"Accept"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:targeted-activity; sid:2021413; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Content-Type\x3a[^\r\n]+\r\n)?(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; classtype:command-and-control; sid:2021418; rev:12; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".doc"; fast_pattern; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; classtype:bad-unknown; sid:2025162; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic - Mozilla 4.0 EXE Request"; flow:established,to_server; urilen:6<>15; http.uri; content:".exe"; endswith; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:unknown; sid:2020705; rev:7; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Payload Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|29 20|A"; endswith; http.request_body; content:"filename=|22|"; content:"|3a 5c|Windows|5c|"; distance:1; within:10; pcre:"/^[A-F0-9]{8}_[A-F0-9]{8}\.sql/Ri"; content:"|00|.|00|i|00|n|00|k|00|"; distance:0; fast_pattern; http.request_line; content:".php|20|HTTP/1.0"; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027398; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, tag APT, tag DarkHotel, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"pwsmbx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027399; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"reuqest-userauth.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027400; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"vgmtx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027401; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"schooltillhungryprocess.com"; nocase; endswith; classtype:targeted-activity; sid:2027406; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"maylaytravelgroup.com"; nocase; endswith; classtype:targeted-activity; sid:2027407; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"reasonwithusefulpolicy.com"; nocase; endswith; classtype:targeted-activity; sid:2027408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"streetunderrelevantpeople.com"; nocase; endswith; classtype:targeted-activity; sid:2027409; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"experiencewithweakkid.com"; nocase; endswith; classtype:targeted-activity; sid:2027410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"systembeforeniceparent.com"; nocase; endswith; classtype:targeted-activity; sid:2027411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Request"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.shmyip.com"; fast_pattern; endswith; reference:md5,0b14eedcc9e847a2d20abf409c8b505f; classtype:external-ip-check; sid:2027430; rev:3; metadata:created_at 2019_06_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Sending System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (BURAN)"; flow:established,to_server; http.user_agent; content:"BURAN"; depth:5; endswith; classtype:trojan-activity; sid:2027443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (GHOST)"; flow:established,to_server; http.user_agent; content:"GHOST"; depth:5; endswith; classtype:trojan-activity; sid:2027444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"GHOST"; depth:5; endswith; fast_pattern; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027445; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemerty-cdn-cloud.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027465; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"cdn-amaznet.club"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027466; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"reservecdn.pro"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027467; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"wsuswin10.us"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027468; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemetry.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027469; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; http.cookie; content:"ci_session="; fast_pattern; file.data; content:"ok"; depth:2; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:5; metadata:created_at 2013_05_31, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/\/[a-z-_]{75,}\.php$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016809; rev:8; metadata:created_at 2013_05_02, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zberp receiving config via image file - SET"; flow:to_server,established; flowbits:set,ET.Zberp; flowbits:noalert; http.uri; content:".jpg"; endswith; http.request_line; content:".jpg HTTP/1."; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021381; rev:10; metadata:created_at 2015_07_06, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ww1-filecloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027472; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-imgcloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027473; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=font-assets.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027474; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=wix-cloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027475; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=js-cloudhost.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027476; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREK"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,<=,255,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027479; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC (Modified CAB)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREC"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,>=,256,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027480; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"nvidia-services.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027481; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-css.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027482; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-airlinesolutions.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027483; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; depth:13; fast_pattern; endswith; reference:md5,c1ca718e7304bf28b5c96559cbf69a06; classtype:bad-unknown; sid:2027484; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unfrocked.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2027485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User Agent Executable Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019935; rev:7; metadata:created_at 2014_12_15, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag AutoIt, updated_at 2020_09_17;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidsmedia .com in DNS Lookup)"; dns.query; content:"androidsmedia.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027490; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidssystem .com in DNS Lookup)"; dns.query; content:"androidssystem.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027491; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (secandroid .com in DNS Lookup)"; dns.query; content:"secandroid.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027492; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediadownload .space in DNS Lookup)"; dns.query; content:"mediadownload.space"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027493; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediamobilereg .com in DNS Lookup)"; dns.query; content:"mediamobilereg.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027494; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (sharpion .org in DNS Lookup)"; dns.query; content:"sharpion.org"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027495; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (shileyfetwell .com in DNS Lookup)"; dns.query; content:"shileyfetwell.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027496; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.header; content:!"GeoVision"; http.user_agent; content:"|20|MSIE 5."; fast_pattern; nocase; http.host; content:!".microsoft.com"; endswith; content:!".trendmicro.com"; endswith; content:!".sony.net"; endswith; content:!".weather.com"; endswith; content:!".yahoo.com"; endswith; content:!".dellfix.com"; endswith; content:!".oncenter.com"; endswith; classtype:policy-violation; sid:2016870; rev:15; metadata:created_at 2013_05_21, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla Domain (vision2030 .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"vision2030.tk"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027501; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla DNS Lookup (vision2030 .cf)"; dns.query; content:"vision2030.cf"; nocase; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027502; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/key?k="; depth:11; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; pcre:"/^[^\x20-\x7e\r\n]{2}$/R"; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:command-and-control; sid:2027497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Danabot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"webdynamicname.com"; nocase; endswith; classtype:command-and-control; sid:2027498; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"obuhov2k.beget.tech"; nocase; endswith; classtype:command-and-control; sid:2027499; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot UA Observed"; flow:established,to_server; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:trojan-activity; sid:2027500; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Client Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.Ngioweb; flowbits:noalert; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:59.0|29 20|Gecko/20100101 Firefox/59.0"; endswith; http.start; content:"GET|20|/min.js?h=aWQ9"; depth:18; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027507; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello, World)"; flow:established,to_server; http.user_agent; content:"Hello, World"; depth:12; endswith; classtype:bad-unknown; sid:2027503; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello-World)"; flow:established,to_server; http.user_agent; content:"Hello-World"; depth:11; endswith; classtype:bad-unknown; sid:2027504; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious UA (Skuxray)"; flow:established,to_server; http.user_agent; content:"Skuxray"; depth:7; endswith; reference:md5,cc46f255297ef0366dd447bbcde841ac; classtype:bad-unknown; sid:2027505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category TROJAN, malware_family Skuxray, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HYDSEVEN VBS CnC Host Information Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Authorization|3a 20|SUQ6"; fast_pattern; http.accept; content:"*.*"; depth:3; endswith; reference:url,www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html; reference:url,www.lac.co.jp/lacwatch/pdf/20190619_cecreport_sp.pdf; classtype:command-and-control; sid:2027515; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT CnC Domain in DNS Lookup"; dns.query; content:"sessions4life.pw"; nocase; endswith; classtype:targeted-activity; sid:2027564; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"adfs-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027567; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"b2bmerchant.online"; nocase; endswith; classtype:command-and-control; sid:2027568; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"bhnetwork.online"; nocase; endswith; classtype:command-and-control; sid:2027569; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cert-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027570; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn-client.com"; nocase; endswith; classtype:command-and-control; sid:2027571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn.online"; nocase; endswith; classtype:command-and-control; sid:2027572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"corporate-ciscovpn.com"; nocase; endswith; classtype:command-and-control; sid:2027573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ducacorp.com"; nocase; endswith; classtype:command-and-control; sid:2027574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"efaxmakeronline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Quasar CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Quasar Server CA"; nocase; fast_pattern; endswith; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/f87d2aff4148f98f014460ab709c77587ea1e430/; classtype:domain-c2; sid:2027619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=tupeska.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"backupnet.ddns.net"; nocase; endswith; classtype:targeted-activity; sid:2027622; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hyperservice.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027623; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mynetwork.cf"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027624; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mywinnetwork.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027625; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remote-server.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027626; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remserver.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027627; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"securityupdated.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027628; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"servhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027629; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"service-avant.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"srvhost.servehttp.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027631; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"fucksaudi.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027632; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"googlechromehost.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027633; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"younesadams.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027634; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"teamnj.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027635; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"bistbotsproxies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hellocookies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027637; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"n3tc4t.hopto.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"newhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027639; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"njrat12.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"svcexplores.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027641; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"trojan1117.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027642; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"update-sec.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"windowsx.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027644; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"wwwgooglecom.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027645; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"xtreme.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027646; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"za158155.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027647; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Ave, Caesar!)"; flow:established,to_server; http.user_agent; content:"Ave,|20|Caesar!"; depth:12; fast_pattern; endswith; classtype:bad-unknown; sid:2027648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_28, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (zwt)"; flow:established,to_server; http.user_agent; content:"zwt"; depth:3; endswith; classtype:bad-unknown; sid:2027649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (My Agent)"; flow:established,to_server; http.user_agent; content:"My Agent"; depth:8; endswith; classtype:bad-unknown; sid:2027650; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"helegedada.github.io"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027663; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027667; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.kemostarlogistics.co.ke"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027651; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.terryhill.top"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027652; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"mail.jaguarline.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027653; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"search.webstie.net"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027654; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"dns.domain-resolve.org"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif POSTing Log Message to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_logs.php"; depth:19; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Submitting Output of Command to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_cmd_res.php"; depth:22; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027657; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cl_client_cmd.php"; depth:18; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_online.php"; depth:21; endswith; http.request_body; content:"Q29tcHV0ZXJOYW1lPV"; depth:18; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; reference:md5,516ad28f8fa161f086be7ca122351edf; classtype:targeted-activity; sid:2027659; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Tripoli Related CnC Checkin"; flow:established,to_server; http.user_agent; content:"30909D51946D672A48B1729580088C4F"; depth:32; fast_pattern; endswith; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla/APT34 CnC Domain Domain (dubaiexpo2020 .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"dubaiexpo2020.cf"; endswith; reference:md5,4079500faa93e32a2622e1593ad94738; classtype:targeted-activity; sid:2027669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla/APT34 CnC Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft.updatemeltdownkb7234.com"; nocase; endswith; reference:md5,2a8672b0fd29dc3b6f49935691b648bc; classtype:domain-c2; sid:2027670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Server in DNS Lookup (updatecache .com)"; dns.query; content:"updatecache.com"; nocase; endswith; classtype:trojan-activity; sid:2027678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Custom Firefox UA Observed (Firefox...)"; flow:established,to_server; http.user_agent; content:"Firefox..."; depth:10; fast_pattern; endswith; classtype:bad-unknown; sid:2027686; rev:3; metadata:created_at 2019_07_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jokerlol.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027687; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kusasukusa.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"tracker-visitors.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027689; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-web.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027690; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-stats.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027691; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jsreload.pw"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027692; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=started"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027701; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Done"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=done"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027702; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"cloudflare-dns.com"; endswith; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:misc-activity; sid:2027695; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; http.user_agent; content:"Python-urllib/"; nocase; depth:14; http.host; content:!"dropbox.com"; endswith; content:!"downloads.ironport.com"; endswith; content:!".ubuntu.com"; endswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:9; metadata:created_at 2011_06_14, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC POST"; flow:to_server,established; urilen:>40; http.method; content:"POST"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; http.request_body; content:"AAAAAAAAAAAAAAAAAAAA"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC GET"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (single dash)"; flow:to_server,established; http.user_agent; content:"-"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/uploadplugin.action"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file_"; content:"Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a 50 4b 03 04|"; distance:0; reference:url,www.corben.io/atlassian-crowd-rce/; reference:cve,CVE-2019-11580; classtype:attempted-admin; sid:2027712; rev:3; metadata:attack_target Web_Server, created_at 2019_07_16, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SLUB Domain in DNS Lookup"; dns.query; content:"toni132.pen.io"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/; classtype:trojan-activity; sid:2027722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/sslmgr"; endswith; nocase; http.request_body; content:"scep-profile-name=%"; depth:19; fast_pattern; pcre:"/^[0-9]+/R"; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:4; metadata:attack_target Server, created_at 2019_07_18, cve cve_2019_1579, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_11;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"gamework.ddns.net"; nocase; depth:17; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027724; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"workan.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027725; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"clsass.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027726; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"kotl.space"; nocase; depth:10; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027727; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Disposable Email Provider Domain in DNS Lookup (www .yopmail .com)"; dns.query; content:"www.yopmail.com"; nocase; depth:15; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:policy-violation; sid:2027733; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nurlamurla.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_22, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"subarnakan.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027741; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"asilofsen.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"manrodoerkes.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027743; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"ashkidiore.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027744; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"druhanostex.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027745; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"kapintarama.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"moreflorecast.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027747; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"preploadert.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027748; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"troxymuntisex.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"nduropasture.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027750; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nlgyscgika"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=nlgyscgika"; classtype:domain-c2; sid:2027753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Quick Macros)"; flow:established,to_server; http.user_agent; content:"Quick|20|Macros"; depth:12; endswith; reference:md5,aa682f5d4a17307539a2bc7048be0745; classtype:trojan-activity; sid:2027755; rev:3; metadata:created_at 2019_07_24, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Lookup"; dns.query; content:"b0t.to"; depth:6; nocase; endswith; classtype:command-and-control; sid:2027756; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Commercial Proxy Provider geosurf .io)"; flow:established,to_client; tls.cert_subject; content:"C=IL, L=Tel Aviv, O=BI Science (2009) Ltd, OU=WEB, CN=*.geosurf.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027760; rev:3; metadata:created_at 2019_07_26, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)"; flow:established,to_client; threshold: type limit, track by_dst, count 1, seconds 600; tls.cert_subject; content:"C=DE, O=philandro Software GmbH, CN=AnyNet Relay"; endswith; fast_pattern; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027761; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; http.host; content:"8866.org"; endswith; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:7; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 2"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.2; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a 0d 0a|"; depth:60; endswith; reference:url,www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf; reference:md5,cd22fa7c9d9e61b4aeac6acd10790d10; reference:md5,82332d2a0cf8330f8de608865508713d; classtype:targeted-activity; sid:2020029; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newsocks5.php"; depth:14; fast_pattern; endswith; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|10.0|3b 20|Win64"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; content:!"Connection"; reference:md5,03b6c8d49c70df01afc0765f8fa51d0c; classtype:command-and-control; sid:2028920; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category MALWARE, malware_family Phoriex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www .net .cn)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static/customercare/yourip.asp"; depth:31; endswith; fast_pattern; http.host; content:"www.net.cn"; reference:md5,51bdd385ab780d1efd1a62129f066edf; classtype:external-ip-check; sid:2027786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.sh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"mail.protonmail.sh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027773; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"mailprotonmail.ch"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027774; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"mailprotonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.direct"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.gmbh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027777; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.systems"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027778; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"prtn.app"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027779; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.team"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027780; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.support"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"user.protonmail.support"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027782; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"prtn.xyz"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027783; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"secure-protonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027784; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"my.secure-protonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027785; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow:established,to_server; http.header; content:!"cn.patch.battlenet.com.cn"; http.user_agent; content:"agent"; depth:5; http.host; content:!".battle.net"; content:!".blizzard.com"; endswith; content:!"blz"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; classtype:trojan-activity; sid:2001891; rev:24; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=linddiederich462.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027799; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=lambada.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uberalles.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .itraffic .click in DNS Lookup)"; dns.query; content:"purple.itraffic.click"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027804; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .m-ads .net in DNS Lookup)"; dns.query; content:"purple.m-ads.net"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027805; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (drproxy .pro in DNS Lookup)"; dns.query; content:"drproxy.pro"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027806; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm.php"; fast_pattern; endswith; http.request_body; content:"k="; depth:2; pcre:"/^\d{5,10}$/R"; http.accept_lang; content:"en-US|3b|q=0.5,en|3b|q=0.3"; http.header_names; content:!"Referer"; content:"Content"; content:"User-Agent"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"artisticday.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027819; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"astonishingwill.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027820; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"directfood.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027821; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"gradualrain.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027822; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"proapp.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027823; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"provincialwake.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027824; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"shrek.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027825; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"thinstop.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027826; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"entreprisecommande.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027827; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Generic Style UA Observed (My_App)"; flow:established,to_server; http.user_agent; content:"My_App"; depth:6; fast_pattern; endswith; reference:md5,2978dbadd8fda7d842298fbd476b47b2; classtype:bad-unknown; sid:2027833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emp.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027851; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emptiness.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027852; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"version2.ilove26.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027853; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"luckyhere.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027854; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"imtesting.shiina.ga"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027855; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"ggwp.emptiness.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027856; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Mirai.shiina CnC Domain in DNS Query"; dns.query; content:"shiina.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027857; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup getip.pw"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"getip.pw"; fast_pattern; endswith; classtype:external-ip-check; sid:2027860; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"abc="; depth:4; pcre:"/^[a-z0-9/%=]{100,}$/Ri"; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2027861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)"; flow:established,to_server; flowbits:set,ET.PhpMyAdminBrute.1; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:"?worker=php_b"; fast_pattern; endswith; http.user_agent; content:"Ubuntu|3b 20|Linux|20|x86_64"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1c315f9487ad20c3ac72747f13968507; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:trojan-activity; sid:2033717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family PhpMyAdminBrute, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gw?worker="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1b8052d60de7ce8a9d281cf43d8d3091; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/knock?worker="; fast_pattern; content:"&os="; content:"&version="; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,bcb7d4fdee2023ad62132ebdf794baa4; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033719; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .biz TLD"; dns.query; content:".biz"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027863; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .okinawa TLD"; dns.query; content:".okinawa"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027864; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .cloud TLD"; dns.query; content:".cloud"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027865; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .desi TLD"; dns.query; content:".desi"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027866; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .life TLD"; dns.query; content:".life"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027867; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .work TLD"; dns.query; content:".work"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027868; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .ryukyu TLD"; dns.query; content:".ryukyu"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027869; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .world TLD"; dns.query; content:".world"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027870; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .fit TLD"; dns.query; content:".fit"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027871; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.okinawa Domain"; flow:established,to_server; http.host; content:".okinawa"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027873; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.cloud Domain"; flow:established,to_server; http.host; content:".cloud"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027874; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.desi Domain"; flow:established,to_server; http.host; content:".desi"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027875; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.life Domain"; flow:established,to_server; http.host; content:".life"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027876; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.work Domain"; flow:established,to_server; http.host; content:".work"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027877; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.ryukyu Domain"; flow:established,to_server; http.host; content:".ryukyu"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027878; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.world Domain"; flow:established,to_server; http.host; content:".world"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027879; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.fit Domain"; flow:established,to_server; http.host; content:".fit"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027880; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027881; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027882; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; depth:18; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:4; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:pup-activity; sid:2007860; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Explorer)"; flow:established,to_server; http.user_agent; content:"Explorer"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:pup-activity; sid:2007921; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:27; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:pup-activity; sid:2007929; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP)"; flow:to_server,established; http.user_agent; content:"HTTP"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:pup-activity; sid:2007943; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"wget 3.0"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007961; classtype:pup-activity; sid:2007961; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; endswith; http.host; content:!".iobit.com"; content:!".microsoft.com"; content:!".cnn.com"; content:!".wunderground.com"; content:!".weatherbug.com"; content:!"iobit.com.s3.amazonaws.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:pup-activity; sid:2008038; rev:15; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (My Session)"; flow:to_server,established; http.user_agent; content:"My Session"; nocase; depth:10; http.host; content:!".windows.net"; endswith; reference:url,doc.emergingthreats.net/2010677; classtype:pup-activity; sid:2010677; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"x"; depth:1; endswith; http.host; content:!"update.aida64.com"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:pup-activity; sid:2013017; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; http.host; content:"go2000.cn"; endswith; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:pup-activity; sid:2013422; rev:6; metadata:created_at 2011_08_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; http.uri; content:"/dmresources/instructions"; fast_pattern; content:".dat"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.protocol; content:"HTTP/1.0"; endswith; http.header_names; content:!"Referer"; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; classtype:pup-activity; sid:2017992; rev:11; metadata:created_at 2014_01_20, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/OptimizerPro.exe"; nocase; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018743; rev:6; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PicColor Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?d="; content:"&format=json"; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:pup-activity; sid:2020948; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_20, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/launch/"; endswith; http.header_names; content:"X-Crypto-Version"; fast_pattern; content:!"User-Agent"; content:!"Referer"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:pup-activity; sid:2021283; rev:7; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; http.user_agent; content:"PCAcceleratePro"; depth:15; endswith; classtype:pup-activity; sid:2022828; rev:6; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/q/"; depth:3; fast_pattern; http.request_body; content:"q="; depth:2; pcre:"/^[a-zA-Z0-9_-]+$/R"; http.connection; content:"close"; nocase; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:pup-activity; sid:2025094; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Internet, former_category ADWARE_PUP, malware_family Adposhel, performance_impact Moderate, signature_severity Major, tag Adware, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.qbix.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:pup-activity; sid:2025424; rev:4; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2018_03_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"maraukog.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"acinster.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aclassigned.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025489; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"efishedo.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025490; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"enclosely.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"insupposity.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025492; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"suggedin.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025493; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; dns.query; content:"suggedin.info"; nocase; endswith; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:pup-activity; sid:2025531; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr5.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027422; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr30_nt.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027423; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed OSX/PremierOpinionD Collection Domain in TLS SNI"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; tls.sni; content:"oss-content.securestudies.com"; endswith; reference:url,www.airoav.com/mitm-voicefive; classtype:pup-activity; sid:2027694; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PremierOpinionD, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Reporting Details to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?ver="; content:"&t="; distance:0; content:"&domain="; distance:0; content:"&file="; distance:0; content:"&ext="; distance:0; content:"&cache="; distance:0; content:"&res1="; distance:0; http.user_agent; content:"VCSoapClient"; depth:12; fast_pattern; endswith; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027830; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_09_17;)
+
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Kryptik.XSY Data Exfil via SMTP"; flow:established,to_server; content:"|0d 0a|Subject: PW_"; content:"filename|3d 22|PW_"; content:"_"; distance:0; content:"_"; distance:4; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:".html|22 0d 0a 0d 0a|VGltZTog"; distance:2; within:18; fast_pattern; reference:md5,61181c9665789225439d04d6eef5527f; classtype:command-and-control; sid:2030887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/i"; http.header; content:!"MstarUpdate"; http.user_agent; content:!"Mozilla/"; http.host; content:!".bitdefender.com"; content:!".homestead.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:10; metadata:created_at 2015_04_01, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Exfiltration Activity"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/up.php"; depth:37; fast_pattern; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploadfile|22 3b 20|filename|3d 22|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:18; within:47; http.content_type; content:"multipart/form-data|3b|"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:trojan-activity; sid:2027895; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category TROJAN, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - CnC Checkin"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/load.php"; depth:39; fast_pattern; endswith; http.request_body; pcre:"/^[a-zA-Z0-9]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:!"Referer"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:command-and-control; sid:2027893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTTP-TUNNEL detected"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?crap"; startswith; fast_pattern; threshold:type limit, track by_src,count 5, seconds 30; classtype:policy-violation; sid:2030886; rev:1; metadata:created_at 2020_09_17, former_category POLICY, signature_severity Informational, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"routingzen.com"; nocase; depth:14; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027693; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http any any -> any 10000 (msg:"ET WEB_SERVER Webmin RCE CVE-2019-15107"; flow:to_server,established; content:"/password_change.cgi"; depth:20; fast_pattern; endswith; http.method; content:"POST"; http.request_body; content:"|7c|"; reference:url,blog.firosolutions.com/exploits/webmin/; reference:cve,2019-15107; classtype:attempted-admin; sid:2027896; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_08_18, deployment Perimeter, deployment Internal, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Critical, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/down.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027900; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/vers.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027901; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/64.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027902; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipaddress .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myip"; depth:5; endswith; http.host; content:"api.ipaddress.com"; depth:17; fast_pattern; endswith; classtype:external-ip-check; sid:2027905; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Geo IP Lookup (api .db-ip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2027915; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Alpha Stealer v1.5 PWS Exfil via HTTP"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[A-Za-z]+?/Rsi"; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:0; content:"Screen.jpg"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a55bd3cc5caa47cb45355e9f79d4fc47; classtype:trojan-activity; sid:2027917; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category TROJAN, malware_family Alpha_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET 853 -> $HOME_NET any (msg:"ET POLICY Quad9 DNS Over TLS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=Berkeley, O=Quad9, CN=*.quad9.net"; endswith; fast_pattern; reference:md5,1e686b56ccbcb28667698389703bb13a; classtype:policy-violation; sid:2027918; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed External IP Lookup Domain (ipconfig .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipconfig.cf"; endswith; classtype:external-ip-check; sid:2027919; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SFR Account Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&execution="; content:"eventId=submit&username="; fast_pattern; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031824; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish - Phone Number 2015-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Phone="; depth:6; fast_pattern; classtype:credential-theft; sid:2031825; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Account Phish 2015-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; fast_pattern; content:"&emailadd="; distance:0; content:"&passwd="; distance:0; content:"&dept="; distance:0; content:"&submit="; distance:0; classtype:credential-theft; sid:2031827; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2015-09-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fp_syslang="; depth:11; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&pin="; nocase; distance:0; classtype:credential-theft; sid:2031829; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful ViewDocsOnline Phish 2015-09-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"action=login&reg_username="; nocase; depth:26; fast_pattern; content:"&reg_password="; nocase; distance:0; classtype:credential-theft; sid:2031830; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful LinkedIn Phish 2015-09-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"a="; depth:2; nocase; content:"&Action.CorpUser.Signon="; fast_pattern; nocase; distance:0; content:"&CorporateSignonAccessChannel="; nocase; distance:0; content:"&UserType="; nocase; distance:0; classtype:credential-theft; sid:2031831; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish Gmail Recovery Information 2015-10-01"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&PhoneNumber="; nocase; fast_pattern; content:"&RecoveryEmail="; nocase; distance:0; content:"&signIn=Continue"; nocase; distance:0; classtype:credential-theft; sid:2031835; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Update Credential Phish 2015-10-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Username="; nocase; content:"password="; nocase; distance:0; content:"password2="; nocase; distance:0; content:"&Submit=Continue"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2031836; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2015-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; fast_pattern; nocase; content:"&pass="; nocase; distance:0; content:"&Submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2031837; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Update Phish 2015-10-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; nocase; fast_pattern; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2031838; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Samsung Portal Phish 2015-10-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"LOGIN_ID="; nocase; fast_pattern; depth:9; content:"&LOGIN_PWD="; nocase; distance:0; content:"&recaptcha_check="; nocase; distance:0; classtype:credential-theft; sid:2031839; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"EM="; depth:3; content:"&PS="; nocase; distance:0; content:"&btnLogin=+Log+In"; nocase; distance:0; fast_pattern; reference:md5,ce07d8a671e2132f404e13ff8e1959b5; classtype:credential-theft; sid:2031840; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login_email="; nocase; depth:12; fast_pattern; content:"&login_password="; nocase; distance:0; content:"=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2031833; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2015-10-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ide_hf_0="; depth:9; fast_pattern; nocase; content:"&pin1="; distance:0; nocase; content:"&submitButton=Next"; distance:0; nocase; classtype:credential-theft; sid:2031841; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Zimbra Account Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"textinput="; depth:10; nocase; fast_pattern; content:"&passwordinput="; nocase; distance:0; content:"&client=preferred"; nocase; distance:0; classtype:credential-theft; sid:2031842; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"1="; depth:2; nocase; content:"&submit.x=Login"; nocase; distance:0; fast_pattern; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031843; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"_fn="; depth:4; nocase; content:"&_birthd="; nocase; distance:0; fast_pattern; content:"&_countr="; nocase; distance:0; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031844; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"_fulln="; depth:7; nocase; content:"&_ccn="; nocase; distance:0; fast_pattern; content:"&_ssn1="; nocase; distance:0; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031845; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"_bkid="; depth:6; nocase; content:"&_bkpass="; nocase; distance:0; fast_pattern; content:"&_accn="; nocase; distance:0; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031846; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Docusign Phish 2015-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"__EVENTTARGET="; depth:14; nocase; fast_pattern; content:"txtDocuLogin="; nocase; distance:0; content:"txtDocuPassword="; nocase; distance:0; classtype:credential-theft; sid:2031847; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IBC Bank Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailpass="; nocase; distance:0; content:"&AccountType="; nocase; distance:0; classtype:credential-theft; sid:2031848; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Zimbra Phish 2015-10-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"loginOp="; nocase; depth:8; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&client="; nocase; distance:0; classtype:credential-theft; sid:2031849; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_10_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NatWest Bank Phish 2015-11-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fname="; nocase; depth:6; fast_pattern; content:"&address="; nocase; distance:0; content:"&ccnumber="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2031850; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-11-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&UserID="; nocase; fast_pattern; content:"&Password="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; classtype:credential-theft; sid:2031851; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2015-11-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"cont="; depth:5; nocase; fast_pattern; content:"&signup_data="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; content:"&remember_me="; nocase; distance:0; classtype:credential-theft; sid:2031852; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UPS Phish 2015-11-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&returnto="; nocase; fast_pattern; content:"&connectWithFB="; nocase; distance:0; content:"&cancelAction="; nocase; distance:0; content:"&loginAction="; nocase; distance:0; content:"&uid="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031853; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful LCL Bank Phish 2015-11-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"compteId="; depth:9; nocase; fast_pattern; content:"&identifiant="; nocase; distance:0; content:"&identifiantRouting="; nocase; distance:0; content:"&postClavierXor="; nocase; distance:0; classtype:credential-theft; sid:2031854; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tradekey Phish 2015-11-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"redirect_url="; depth:13; fast_pattern; nocase; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&remember_me="; nocase; distance:0; classtype:credential-theft; sid:2031857; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Hinet Phish 2015-11-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"usertype="; depth:9; fast_pattern; nocase; content:"&https="; nocase; distance:0; content:"&mailid="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031858; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Squirrelmail Phishing 2015-11-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login_username="; fast_pattern; nocase; depth:15; content:"&secretkey="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2031896; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Natwest Bank Phish 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"DBIDedit="; depth:9; nocase; fast_pattern; content:"&pin="; nocase; content:"&password="; nocase; content:"&cardnum="; nocase; classtype:credential-theft; sid:2031897; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"question"; depth:8; nocase; fast_pattern; content:"&answer"; nocase; content:"&Email"; nocase; content:"&continue="; nocase; classtype:credential-theft; sid:2031898; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M2 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"page=details"; depth:12; nocase; fast_pattern; content:"&acctnum"; nocase; content:"&cvv"; nocase; content:"&submit="; nocase; classtype:credential-theft; sid:2031899; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Webmail Phishing M2 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&counter="; nocase; content:"&browser="; nocase; content:"&password="; nocase; fast_pattern; classtype:credential-theft; sid:2031900; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wildblue Phishing M1 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"counter="; depth:8; nocase; fast_pattern; content:"&browser="; nocase; content:"&username="; nocase; content:"&password="; nocase; content:"&source="; nocase; classtype:credential-theft; sid:2031901; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wildblue Phishing M2 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"isInvBilling="; depth:13; nocase; fast_pattern; content:"&counter="; nocase; content:"&browser="; nocase; content:"&password="; nocase; content:"&nameoncard="; nocase; content:"&card_num="; nocase; classtype:credential-theft; sid:2031902; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Xoom Phishing 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"_username="; nocase; fast_pattern; content:"_password="; distance:0; nocase; content:"_password="; distance:0; nocase; content:"&ioBlackBox="; distance:0; nocase; classtype:credential-theft; sid:2031903; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Trademe Phish M3 2015-11-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"pin="; depth:4; nocase; fast_pattern; content:"&set=+Submit+"; nocase; classtype:credential-theft; sid:2031904; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2015-11-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&.save="; distance:0; nocase; classtype:credential-theft; sid:2031905; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2015-12-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email"; depth:5; fast_pattern; nocase; content:"&emailpass"; distance:0; nocase; content:"&NextButton="; distance:0; nocase; classtype:credential-theft; sid:2031907; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Anonisma Phish 2015-12-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Anonisma"; depth:8; fast_pattern; nocase; content:"&Anonisma"; distance:0; nocase; classtype:credential-theft; sid:2031908; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halifax Bank Phish M1 2015-12-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; depth:6; nocase; content:"&password="; fast_pattern; nocase; distance:0; content:"&form6="; nocase; distance:0; classtype:credential-theft; sid:2031910; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish M2 2015-12-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"continue="; nocase; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"&challengetype="; nocase; distance:0; content:"&Phone+Number="; nocase; distance:0; content:"Download+Document"; nocase; distance:0; classtype:credential-theft; sid:2031911; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish M1 2015-12-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"uname="; depth:6; nocase; fast_pattern; content:"&passe="; nocase; distance:0; content:"&AccountValidator="; nocase; distance:0; content:"&AccountType="; nocase; distance:0; classtype:credential-theft; sid:2031912; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish M2 2015-12-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"uname="; depth:6; nocase; fast_pattern; content:"&passe="; nocase; distance:0; content:"&fname="; nocase; distance:0; content:"&add="; nocase; distance:0; classtype:credential-theft; sid:2031913; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PHOEN!X Apple Phish M1 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; nocase; depth:7; fast_pattern; content:"pass="; nocase; distance:0; content:"&submit.x=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2031914; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-01-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"t1="; nocase; depth:3; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032422; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Phish (set) 2016-01-23"; flow:to_server,established; flowbits:set,ET.irs.phish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ssn1="; nocase; fast_pattern; content:"ssn2="; nocase; content:"ssn3="; nocase; content:"address="; nocase; content:"city="; nocase; content:"state="; nocase; classtype:credential-theft; sid:2032423; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Workspace Phish 2016-01-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"appvars="; depth:8; content:"&username="; nocase; distance:0; content:"&password="; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2032424; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Navy Federal Credit Union Phish 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"SMENC="; depth:6; content:"&user="; nocase; distance:0; content:"&password="; fast_pattern; nocase; distance:0; content:"&signin=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032425; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish M1 2016-02-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"SMENC="; depth:6; content:"&user="; nocase; distance:0; content:"&password="; fast_pattern; nocase; distance:0; content:"&signin=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032426; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish M2 2016-02-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"SMENC="; depth:6; content:"&user="; nocase; distance:0; content:"&password="; fast_pattern; nocase; distance:0; content:"&signin=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032427; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Credential Phish 2016-02-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"PasswordSeparationSignIn"; nocase; content:"&Email="; nocase; content:"&Pass"; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2032428; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Maersk Phishing 2016-02-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:".php?"; nocase; pcre:"/\x0d\x0aReferer\x3a\x20[^\r\n]+?=[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\r\n/i"; http.request_body; content:"username="; content:"&secretkey="; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2032429; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FR Gmail Phish M1 2016-03-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mailfrom="; depth:9; fast_pattern; nocase; content:"&email="; nocase; distance:0; content:"&mdp="; nocase; distance:0; classtype:credential-theft; sid:2032430; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FR Gmail Phish M2 2016-03-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"nom="; depth:4; fast_pattern; nocase; content:"&email="; nocase; distance:0; content:"&motdepasse"; nocase; distance:0; classtype:credential-theft; sid:2032431; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email System Manager Phish 2016-04-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; nocase; depth:7; fast_pattern; content:"&Pass"; nocase; distance:0; content:"save=Download"; nocase; distance:0; classtype:credential-theft; sid:2032432; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2016-01-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Email="; nocase; depth:6; fast_pattern; content:"&Password="; nocase; distance:0; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032421; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_01_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Account Update Phish 2016-05-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Email="; nocase; depth:6; fast_pattern; content:"&Password="; nocase; distance:0; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2031915; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_05_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sign PDF Phish 2016-05-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Email="; nocase; depth:6; fast_pattern; content:"&Password="; nocase; distance:0; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032433; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2016-05-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Email="; nocase; depth:6; fast_pattern; content:"&Password="; nocase; distance:0; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032434; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Shared Document Phish 2016-06-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032435; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ebay Phish 2016-06-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032436; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish M2 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032437; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Square Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032438; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Navy Federal Phish 2016-06-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032439; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Earthlink Phish 2016-06-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032440; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Christian Mingle Phish 2016-06-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032441; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Maybank2u Phish 2016-06-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032442; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Xfinity/Comcast Phish 2016-06-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032443; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Singtel Phish 2016-06-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032446; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Termination Phish 2016-06-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032447; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful H&M Revenue Phish M2 2016-06-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032448; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Encrypted Email Phish M2 2016-06-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032449; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Standard Bank Phish 2016-06-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032450; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M1 2016-06-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032451; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M2 2016-06-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logn="; fast_pattern; nocase; depth:5; content:"&passd="; nocase; distance:0; content:"&submit=CONTINUE"; nocase; distance:0; classtype:credential-theft; sid:2032452; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Synchronize Email Account Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"u="; depth:2; content:"&p1="; nocase; distance:0; content:"&B1=Synchronize+My+Account"; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2032453; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Account Upgrade Phish 2016-07-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form1=Y&aaa="; depth:12; fast_pattern; content:"&ccc="; nocase; distance:0; content:"&ddd="; nocase; distance:0; classtype:credential-theft; sid:2032454; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Earthlink Phish 2016-07-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|22|formid|22 0d 0a 0d 0a|form1"; content:"|22|Email|22|"; nocase; distance:0; content:"|22|password|22|"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2032455; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Account Upgrade Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; fast_pattern; nocase; depth:6; content:"&password="; nocase; distance:0; content:"&commit=Login"; nocase; distance:0; classtype:credential-theft; sid:2032456; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2016-08-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"stonenet"; nocase; depth:8; fast_pattern; content:"&stonenet"; nocase; distance:0; content:"&SignIn="; nocase; distance:0; classtype:credential-theft; sid:2032457; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Tectite Web Form Submission - Possible Successful Phish"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"bad_url="; depth:8; fast_pattern; content:"&subject="; nocase; distance:0; content:"&recipients="; nocase; distance:0; content:"&env_report="; nocase; distance:0; content:"REMOTE_USER"; nocase; distance:0; content:"&good_url="; nocase; distance:0; classtype:credential-theft; sid:2032458; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-08-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"__EVENTTARGET="; depth:14; fast_pattern; content:"EVENTVALIDATION"; nocase; distance:0; content:"&user"; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&btnSubmit=Track"; nocase; distance:0; classtype:credential-theft; sid:2032459; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; depth:6; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&tel="; nocase; distance:0; classtype:credential-theft; sid:2032460; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2015-11-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"continue=http"; depth:13; nocase; fast_pattern; content:"&bgresponse="; nocase; distance:0; content:"&phoneNumber="; nocase; distance:0; content:"&answer="; nocase; distance:0; classtype:credential-theft; sid:2031895; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2015-09-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"type="; depth:5; nocase; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"=Sign+in"; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2031889; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Docusign/Outlook Phish 2016-08-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"loginfmt="; depth:9; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&PPFT="; nocase; distance:0; classtype:credential-theft; sid:2032484; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Docusign Phish M2 2016-08-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"loginfmt="; depth:9; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&PPFT="; nocase; distance:0; classtype:credential-theft; sid:2032485; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Comcast Phish 2016-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&ndpd"; nocase; distance:0; content:"&nucaptcha"; nocase; distance:0; classtype:credential-theft; sid:2032486; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Email="; depth:6; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&ctlWorkflow"; nocase; distance:0; content:"btnSubmit.x"; nocase; distance:0; classtype:credential-theft; sid:2032487; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Renewal Phish 2016-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&submit=Submit+To+Renew"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2032488; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; nocase; fast_pattern; content:"&formtext"; nocase; distance:0; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032489; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Deactivation Phish 2016-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"pass="; depth:5; nocase; content:"&re-pass="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; classtype:credential-theft; sid:2032490; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Universal Webmail Phish 2016-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"referer="; depth:8; nocase; content:"&email="; distance:0; content:"&username="; distance:0; content:"&password="; distance:0; content:"&confirmpassword="; distance:0; fast_pattern; classtype:credential-theft; sid:2032491; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tata Communications Phish 2016-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"_user="; depth:6; nocase; fast_pattern; content:"&_pass="; nocase; distance:0; content:"&button=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032492; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&ctx="; nocase; distance:0; content:"&flowToken="; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032493; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; fast_pattern; content:"&password="; nocase; distance:0; content:"pin1="; nocase; distance:0; content:"&submitButton="; nocase; distance:0; classtype:credential-theft; sid:2032494; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Westpac Bank Phish 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"usename="; depth:8; nocase; fast_pattern; content:"&psword="; nocase; distance:0; content:"&Submit=Login"; nocase; distance:0; classtype:credential-theft; sid:2032495; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"first_name="; depth:11; nocase; fast_pattern; content:"&middle_initial="; nocase; distance:0; content:"&last_name="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&employer_name="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&phone_area_code="; nocase; distance:0; classtype:credential-theft; sid:2032496; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HealthEquity Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"__LASTFOCUS="; depth:12; nocase; fast_pattern; content:"&__EVENTTARGET="; nocase; distance:0; content:"&__EVENTARGUMENT="; nocase; distance:0; content:"&__VIEWSTATE="; nocase; distance:0; content:"&__VIEWSTATEGENERATOR="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032497; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Payment Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"location="; depth:9; nocase; fast_pattern; content:"&ccnum="; nocase; distance:0; content:"&kontonum="; nocase; distance:0; content:"&sortecode="; nocase; distance:0; classtype:credential-theft; sid:2032498; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook WebApp Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"app=o365&realm="; depth:15; nocase; fast_pattern; content:"&name="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032499; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Validator Phish M1 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"loginOp=login&"; depth:14; nocase; fast_pattern; content:"&user"; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032500; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"apple_id="; nocase; fast_pattern; content:"&apple_pwd="; nocase; distance:0; classtype:credential-theft; sid:2032501; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Mailbox Quota Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:".php?email="; http.request_body; content:"login="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2032502; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2016-09-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&pass"; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032503; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish M1 2016-09-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"countrycode="; depth:12; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&.persistent="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; classtype:credential-theft; sid:2032504; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&name="; nocase; distance:0; content:"&.persistent="; nocase; distance:0; content:"&_crumb="; nocase; distance:0; content:"&_ts="; nocase; distance:0; content:"&_format="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; classtype:credential-theft; sid:2032506; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"country="; depth:8; nocase; content:"&email="; nocase; distance:0; content:"&addresszip="; nocase; distance:0; content:"&vehicle=Car"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032507; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&txtCaptcha="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032508; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; content:"pass="; nocase; distance:0; content:"&signin=Sign+In"; nocase; distance:0; fast_pattern; content:"&session_redirect="; nocase; distance:0; content:"&fromEmail="; nocase; distance:0; content:"&sourceAlias="; nocase; distance:0; classtype:credential-theft; sid:2032544; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Australia Bank 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&pass"; nocase; distance:0; content:"name="; nocase; distance:0; content:"&birth_dd="; nocase; distance:0; fast_pattern; content:"&pwd="; nocase; distance:0; content:"&cc_type="; nocase; distance:0; content:"&nabid="; nocase; distance:0; classtype:social-engineering; sid:2032545; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Made In China Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"x0r1="; depth:5; nocase; fast_pattern; content:"&x0r2="; nocase; distance:0; classtype:credential-theft; sid:2032546; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"phoneNumber="; depth:12; nocase; fast_pattern; content:"&recEmail="; nocase; distance:0; content:"&submitChallenge="; nocase; distance:0; classtype:credential-theft; sid:2032547; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"dmn3="; depth:5; nocase; content:"&dmn4="; nocase; distance:0; content:"&dmn"; nocase; distance:0; content:"&merc.x=1"; nocase; distance:0; fast_pattern; content:"&merc.y="; nocase; distance:0; classtype:credential-theft; sid:2032548; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|cn|22|"; nocase; content:"form-data|3b 20|name=|22|em|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|ey|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|cv|22|"; nocase; distance:0; fast_pattern; content:"form-data|3b 20|name=|22|cf|22|"; nocase; distance:0; http.content_type; content:"multipart/form-data"; startswith; classtype:credential-theft; sid:2032549; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&lname="; nocase; distance:0; content:"&dob_month="; nocase; distance:0; fast_pattern; content:"&adds1="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032550; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Keybank Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"sUserId="; depth:8; nocase; content:"&pass"; nocase; distance:0; content:"&SSN"; nocase; distance:0; fast_pattern; content:"&Birth"; nocase; distance:0; content:"&DL="; nocase; distance:0; content:"&Email"; nocase; distance:0; content:"&EmailP"; nocase; distance:0; classtype:credential-theft; sid:2032551; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M2 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"continue=http"; depth:13; nocase; content:"&bgresponse="; nocase; distance:0; content:"&phoneNumber="; nocase; distance:0; content:"&submitChallenge=Continue"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032552; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Payment Phish M1 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"front="; depth:6; nocase; content:"&hind="; nocase; distance:0; content:"&CreditNumber="; nocase; distance:0; content:"&cardType="; nocase; distance:0; fast_pattern; content:"&CVV="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&country="; nocase; distance:0; classtype:credential-theft; sid:2032553; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Emirate Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&pass="; nocase; distance:0; content:"&NextButton=Update"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032554; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Hotmail Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&pass"; nocase; distance:0; content:"&realm="; nocase; distance:0; content:"&anchor="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032555; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish M2 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"emailId="; depth:8; nocase; content:"&userName="; nocase; distance:0; content:"&fbUserId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032557; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"account="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2032558; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"current_hidden="; depth:15; nocase; content:"&anrede="; nocase; distance:0; content:"&legitimations="; nocase; distance:0; fast_pattern; content:"&vorname="; nocase; distance:0; content:"&zuname="; nocase; distance:0; content:"&strasse_nr="; nocase; distance:0; content:"&blz="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&handy="; nocase; distance:0; content:"&ort="; nocase; distance:0; content:"&geburtsdatum="; nocase; distance:0; content:"&geburtsort="; nocase; distance:0; content:"&telefon="; nocase; distance:0; content:"&konto-nr="; nocase; distance:0; content:"&postleitzahl="; nocase; distance:0; content:"&email="; nocase; distance:0; classtype:credential-theft; sid:2032559; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish M2 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"first="; depth:6; nocase; fast_pattern; content:"&last="; nocase; distance:0; content:"&day"; nocase; distance:0; content:"&mon"; nocase; distance:0; content:"&yea"; nocase; distance:0; content:"&addr"; nocase; distance:0; content:"&addr"; nocase; distance:0; content:"&country"; nocase; distance:0; content:"&st"; nocase; distance:0; content:"&submit.x="; nocase; distance:0; classtype:credential-theft; sid:2032560; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Personalized Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:"adobe"; nocase; content:".php?"; distance:0; nocase; content:"email="; distance:0; nocase; http.request_body; content:"email="; depth:6; nocase; content:"&epass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032562; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Webmail Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:".php?rand="; nocase; content:"InboxLightaspx"; nocase; distance:0; content:"&fid"; nocase; distance:0; content:"&email="; content:"Content-Length|3a 20|"; content:"|0d 0a|"; within:4; http.cookie; content:"PHPSESSID="; http.request_body; content:"epass="; depth:6; nocase; fast_pattern; classtype:credential-theft; sid:2032563; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"destination="; depth:12; nocase; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&btnSignon="; nocase; distance:0; content:"&screenid="; nocase; distance:0; content:"&origination="; nocase; distance:0; classtype:credential-theft; sid:2032564; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formselect1="; depth:12; nocase; fast_pattern; content:"&id="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032565; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"usumaki_mail="; depth:13; nocase; fast_pattern; content:"&usumaki_pass="; nocase; distance:0; classtype:credential-theft; sid:2032566; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"usumaki_name="; depth:13; nocase; fast_pattern; content:"_adrs="; nocase; distance:0; content:"_zpcd="; nocase; distance:0; content:"_city="; nocase; distance:0; content:"_phone="; nocase; distance:0; content:"_cntr="; nocase; distance:0; content:"_holder="; nocase; distance:0; content:"_ccvn="; nocase; distance:0; content:"_exp_"; nocase; distance:0; content:"_cvv"; nocase; distance:0; content:"_pass="; nocase; distance:0; classtype:credential-theft; sid:2032567; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful View Invoice Phish M1 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&formtext2="; nocase; distance:0; fast_pattern; content:"&formbutton1="; nocase; distance:0; classtype:credential-theft; sid:2032569; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful View Invoice Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&service="; nocase; distance:0; content:"&_utf8="; nocase; distance:0; content:"&bgresponse="; nocase; distance:0; content:"&pstMsg="; nocase; distance:0; content:"&dnConn="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"&signIn="; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032570; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"email_mobile="; depth:13; nocase; fast_pattern; content:"&pass_mobile="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032571; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M4 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"sort_code="; depth:10; nocase; content:"&sc_number="; nocase; distance:0; content:"&vbv_date="; nocase; distance:0; fast_pattern; content:"&up-vbv="; nocase; distance:0; classtype:credential-theft; sid:2032572; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"LOB="; depth:4; nocase; content:"&origination="; nocase; distance:0; content:"&inboxItemId="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&continue="; nocase; distance:0; classtype:credential-theft; sid:2032576; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"theAuxValue="; depth:12; nocase; fast_pattern; content:"&inframe="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&_birthd="; nocase; distance:0; content:"&_birthm="; nocase; distance:0; content:"&_birthy="; nocase; distance:0; content:"&_add1="; nocase; distance:0; content:"&_add2="; nocase; distance:0; content:"&_countr="; nocase; distance:0; content:"&_ct="; nocase; distance:0; content:"&_st="; nocase; distance:0; content:"&_zipc="; nocase; distance:0; content:"&_ph="; nocase; distance:0; classtype:credential-theft; sid:2032577; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"_fulln="; depth:7; nocase; fast_pattern; content:"&_ccn="; nocase; distance:0; content:"&_ccv="; nocase; distance:0; content:"&_expm="; nocase; distance:0; content:"&_expy="; nocase; distance:0; content:"&_3d="; nocase; distance:0; content:"&_sortc="; nocase; distance:0; content:"&_ssn1="; nocase; distance:0; content:"&_ssn2="; nocase; distance:0; content:"&_ssn3="; nocase; distance:0; classtype:credential-theft; sid:2032578; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized DHL Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:".php?userid="; http.request_body; content:"epass="; depth:6; nocase; fast_pattern; classtype:credential-theft; sid:2032580; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:"?email="; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&frmLogin%3AbtnLogin1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032581; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&day="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&billing="; nocase; distance:0; fast_pattern; content:"&city="; nocase; distance:0; content:"&county="; nocase; distance:0; content:"&postcode="; nocase; distance:0; content:"&mobile="; nocase; distance:0; classtype:credential-theft; sid:2032582; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HBL Bank Phish M2 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"loginid="; depth:8; nocase; content:"&question="; nocase; distance:0; content:"&ans="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&empass="; nocase; distance:0; fast_pattern; content:"&tpass="; nocase; distance:0; content:"&form7="; nocase; distance:0; classtype:credential-theft; sid:2032584; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&lang="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&default_persistent="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032585; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&Pswds="; nocase; distance:0; fast_pattern; content:"&vehicle=Sign+in"; nocase; distance:0; classtype:credential-theft; sid:2032586; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Mail Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:".src="; depth:5; nocase; content:"&.tries="; nocase; distance:0; content:"&.yplus="; nocase; distance:0; content:"&.chldID="; nocase; distance:0; content:"&pkg="; nocase; distance:0; content:"&hasMsgr="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032587; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PNC Bank Phish M1 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"hiddenAcctTypeLetter="; depth:21; nocase; fast_pattern; content:"&origin="; nocase; distance:0; content:"&userId="; nocase; distance:0; content:"&AccountDrop="; nocase; distance:0; classtype:credential-theft; sid:2032588; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PNC Bank Phish M2 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"account_state="; depth:14; nocase; content:"&online_id="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailpass="; nocase; distance:0; fast_pattern; content:"&cardname="; nocase; distance:0; content:"&ccnumber="; nocase; distance:0; content:"&mexpcc="; nocase; distance:0; classtype:credential-theft; sid:2032589; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&lname="; nocase; distance:0; content:"&c_type="; nocase; distance:0; content:"&c_valid="; nocase; distance:0; content:"&MonthYear="; nocase; distance:0; content:"&cvn="; nocase; distance:0; content:"&login_email="; nocase; distance:0; fast_pattern; content:"&login_password="; nocase; distance:0; classtype:credential-theft; sid:2032593; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"on1="; depth:4; nocase; content:"&on2="; nocase; distance:0; fast_pattern; content:"&on3="; nocase; distance:0; content:"&on4="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032595; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Live Email Account Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&type="; nocase; distance:0; content:"&PPFT="; nocase; distance:0; content:"&PPSX="; nocase; distance:0; content:"&NewUser="; nocase; distance:0; content:"&LoginOptions="; nocase; distance:0; content:"&FoundMSAs="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032596; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"donnee1="; depth:8; nocase; content:"&donnee2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032598; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NAB Bank Phish M2 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&userid2="; nocase; distance:0; content:"&password2="; nocase; distance:0; fast_pattern; content:"&firstname="; nocase; distance:0; content:"&Bday="; nocase; distance:0; content:"&Bmonth="; nocase; distance:0; content:"&Byear="; nocase; distance:0; content:"&ccnumber="; nocase; distance:0; content:"&expMonth="; nocase; distance:0; content:"&expYear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032600; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Bank (FR) Phish M2 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"pass="; depth:5; nocase; content:"&userid="; nocase; distance:0; content:"&CCCRYC2="; nocase; distance:0; fast_pattern; content:"&civ="; nocase; distance:0; content:"&pnm="; nocase; distance:0; content:"&nom="; nocase; distance:0; content:"&adr="; nocase; distance:0; content:"&cty="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&cpp="; nocase; distance:0; content:"&ccn="; nocase; distance:0; content:"&exm="; nocase; distance:0; content:"&exy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032601; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Bank (FR) Phish M3 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"origine="; depth:8; nocase; content:"&situationTravail="; nocase; distance:0; content:"&canal="; nocase; distance:0; content:"&typeAuthentification="; nocase; distance:0; content:"&idUnique="; nocase; distance:0; content:"&agricole="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&userid="; nocase; distance:0; content:"&cp="; nocase; distance:0; content:"&CCCRYC2="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032602; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized DHL Phish 2016-10-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:"email="; http.cookie; content:"PHPSESSID="; http.request_body; content:"epass="; depth:6; nocase; fast_pattern; classtype:credential-theft; sid:2032603; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful EC21 B2B Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"nextUrl="; depth:8; nocase; content:"&inq_gubun="; nocase; distance:0; fast_pattern; content:"&FBIn="; nocase; distance:0; content:"&fEmail="; nocase; distance:0; content:"&em="; nocase; distance:0; content:"&pw="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032604; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Earthlink Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"page="; depth:5; nocase; content:"&start="; nocase; distance:0; content:"&tzoffset="; nocase; distance:0; fast_pattern; content:"&screenSize="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&okey_x.x="; nocase; distance:0; content:"&okey_x.y="; nocase; distance:0; content:"&okey_x="; nocase; distance:0; classtype:credential-theft; sid:2032605; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UBS Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"CHname="; depth:7; nocase; content:"&userFields.userFieldsAccountNumber"; nocase; distance:0; content:"&card1="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; content:"&expirydate1="; nocase; distance:0; content:"&expirydate2="; nocase; distance:0; content:"&acctnumber"; nocase; distance:0; fast_pattern; content:"&dateofbirth1="; nocase; distance:0; content:"&issuerAnswer="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&AcsCookie="; nocase; distance:0; content:"&ChangeLocale="; nocase; distance:0; content:"&CustData="; nocase; distance:0; content:"&Locale="; nocase; distance:0; classtype:credential-theft; sid:2032606; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Connect Phish M1 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"theAccountName="; depth:15; nocase; fast_pattern; content:"&theAccountPW="; nocase; distance:0; content:"&theAuxValue="; nocase; distance:0; content:"&inframe="; nocase; distance:0; classtype:credential-theft; sid:2032607; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful LCL Banque et Assurance (FR) Phish 2016-10-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"card="; depth:5; nocase; content:"&MM="; nocase; distance:0; content:"&YYYY="; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032609; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish 2016-10-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&dob1="; nocase; distance:0; content:"&passe="; nocase; distance:0; content:"&adresse="; nocase; distance:0; content:"&adresse2="; nocase; distance:0; fast_pattern; content:"&ville="; nocase; distance:0; content:"&postale="; nocase; distance:0; content:"&tele="; nocase; distance:0; classtype:credential-theft; sid:2032610; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish 2016-10-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"safe1="; depth:6; nocase; fast_pattern; content:"&safe2="; nocase; distance:0; content:!"&"; distance:0; classtype:credential-theft; sid:2032611; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login="; depth:6; nocase; content:"&username="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; content:"&pn="; nocase; distance:0; content:"&vi="; nocase; distance:0; classtype:credential-theft; sid:2032612; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formimage1.x="; depth:13; nocase; content:"&formimage1.y="; nocase; distance:0; fast_pattern; content:"&userid="; nocase; distance:0; content:"&formtext2="; nocase; distance:0; classtype:credential-theft; sid:2032613; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Outlook Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:"/?email="; fast_pattern; pcre:"/\/\?email=[a-zA-Z0-9+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}\x0d\x0a/i"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2032614; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Danske Bank Phish (DA) 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&pcode="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&_wpcmWpid="; nocase; distance:0; fast_pattern; content:"&wpcmVal="; nocase; distance:0; classtype:credential-theft; sid:2032616; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"form-data|3b 20|name=|22|email|22|"; content:"form-data|3b 20|name=|22|ccname|22|"; fast_pattern; content:"form-data|3b 20|name=|22|ccn"; content:"form-data|3b 20|name=|22|ccexp|22|"; content:"form-data|3b 20|name=|22|secode|22|"; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032579; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"authmethod="; depth:11; nocase; content:"&locale="; nocase; distance:0; content:"&pagegentime="; nocase; distance:0; content:"&LOB="; nocase; distance:0; content:"&hiddenuri="; nocase; distance:0; content:"&usr_name="; nocase; distance:0; content:"&usr_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032617; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&pswds="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032618; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"authURL="; depth:8; nocase; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&RememberMe="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032619; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Payment Phish M1 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"location="; depth:9; nocase; fast_pattern; content:"&langa="; nocase; distance:0; content:"&ext="; nocase; distance:0; content:"&hold="; nocase; distance:0; content:"&djj="; nocase; distance:0; content:"&dmm="; nocase; distance:0; content:"&daa="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&expiry="; nocase; distance:0; content:"&cvc="; nocase; distance:0; content:"&language="; nocase; distance:0; classtype:credential-theft; sid:2032620; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Payment Phish M2 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"vbpass="; depth:7; nocase; content:"&userEmail="; nocase; distance:0; fast_pattern; content:"&accNum="; nocase; distance:0; classtype:credential-theft; sid:2032621; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"nabil1="; depth:7; nocase; fast_pattern; content:"&nabil2="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2032622; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"nabil-fn="; depth:9; nocase; fast_pattern; content:"&nabil-ln="; nocase; distance:0; content:"&nabil-"; nocase; distance:0; content:"&nabil-"; nocase; distance:0; content:"&nabil-"; nocase; distance:0; content:"&nabil-"; nocase; distance:0; classtype:credential-theft; sid:2032623; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Docusign Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:"docu"; nocase; http.request_body; content:"e-mail="; depth:7; nocase; content:"&passwd="; nocase; distance:0; content:"&RelayState="; nocase; distance:0; fast_pattern; content:"&="; nocase; distance:0; classtype:credential-theft; sid:2032624; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Settings Error Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&Submit=Submit+report"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032626; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"browserData="; depth:12; nocase; fast_pattern; content:"&org.apache.struts.taglib.html.TOKEN="; nocase; distance:0; content:"&jsEnabled="; nocase; distance:0; content:"&userid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2032627; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M2 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"browserData="; depth:12; nocase; fast_pattern; content:"&org.apache.struts.taglib.html.TOKEN="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&card="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&pin1="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2032628; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"country="; depth:8; nocase; content:"&email="; nocase; distance:0; content:"&addresszip="; nocase; distance:0; fast_pattern; content:"&mobile="; nocase; distance:0; classtype:credential-theft; sid:2032629; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Passwd="; nocase; distance:0; content:"&type="; nocase; distance:0; content:"&fspost="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032630; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic PDF Online Phish (set) 2016-10-11"; flow:to_server,established; flowbits:set,ET.GenericPDFOnline.Phish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; endswith; classtype:credential-theft; sid:2032631; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"_nossn="; depth:7; nocase; content:"&lobIndicator="; nocase; distance:0; fast_pattern; content:"&userid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; classtype:credential-theft; sid:2032556; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse (DE) Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; content:"&Anrede="; nocase; distance:0; content:"&Titel="; nocase; distance:0; content:"&Vorname="; nocase; distance:0; content:"&Name="; nocase; distance:0; content:"&LegitimationsID="; nocase; distance:0; fast_pattern; content:"&PIN="; nocase; distance:0; content:"&Strabe="; nocase; distance:0; content:"&Postleitzah="; nocase; distance:0; content:"&PLZ="; nocase; distance:0; content:"&Wohnort="; nocase; distance:0; content:"&Geburtsdatum="; nocase; distance:0; content:"&Handy="; nocase; distance:0; content:"&Telefon="; nocase; distance:0; content:"&KontoNr="; nocase; distance:0; content:"&Datum="; nocase; distance:0; classtype:credential-theft; sid:2032632; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ourtime.com Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&ioBlackBox="; nocase; distance:0; fast_pattern; content:"&FromLocation="; nocase; distance:0; content:"ourtime.com"; nocase; distance:0; classtype:credential-theft; sid:2032642; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Live Email Account Phish 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Username="; depth:9; nocase; content:"&login="; nocase; distance:0; content:"&Password="; nocase; distance:0; content:"&type="; nocase; distance:0; content:"&PPFT="; nocase; distance:0; content:"&PPSX="; nocase; distance:0; content:"&NewUser="; nocase; distance:0; content:"&LoginOptions="; nocase; distance:0; fast_pattern; content:"&FoundMSAs="; nocase; distance:0; content:"&fspost="; nocase; distance:0; classtype:credential-theft; sid:2032645; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M1 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"emailadd="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&phoneno="; nocase; distance:0; classtype:credential-theft; sid:2032646; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M2 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&addresszip="; nocase; distance:0; fast_pattern; content:"&mobile="; nocase; distance:0; classtype:credential-theft; sid:2032647; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (2 of 3) Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Passwd="; depth:7; nocase; fast_pattern; content:"&signIn="; nocase; distance:0; content:"&PersistentCookie="; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032649; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-12-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"jar1="; depth:5; nocase; content:"&jar2="; nocase; distance:0; content:"&jar3="; nocase; distance:0; content:"&jar4="; nocase; distance:0; content:"&jar5="; nocase; distance:0; content:"&login=Next"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032651; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"type="; depth:5; nocase; content:"&email="; nocase; distance:0; content:"&tel="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032653; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login="; depth:6; nocase; content:"&countrycode="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&_crumb="; nocase; distance:0; content:"&_format="; nocase; distance:0; content:"&_uuid="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; classtype:credential-theft; sid:2032654; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&epass="; nocase; distance:0; content:"&ephone="; nocase; distance:0; fast_pattern; content:"&I1="; nocase; distance:0; classtype:credential-theft; sid:2032655; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook (TR) Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"kadi="; depth:5; nocase; content:"&sifre="; nocase; distance:0; fast_pattern; content:"&button.x="; nocase; distance:0; content:"&button.y="; nocase; distance:0; content:"&button=Submit"; nocase; distance:0; classtype:credential-theft; sid:2032656; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Stripe Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"winners1="; depth:9; nocase; fast_pattern; content:"&winners"; nocase; distance:0; content:"&submit.x="; nocase; distance:0; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2032657; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:"link"; nocase; http.request_body; content:"session_key="; depth:12; nocase; content:"&session_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Spyus Phish (Multiple Brands) M1 2016-12-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"&spyus_email="; nocase; fast_pattern; content:"&spyus_pwd="; nocase; distance:0; classtype:credential-theft; sid:2032659; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Spyus Phish (Multiple Brands) M2 2016-12-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"&spyus_ccnum="; nocase; fast_pattern; content:"&spyus_cvv="; nocase; distance:0; content:"&spyus_ssn="; nocase; distance:0; content:"&spyus_3d="; nocase; distance:0; classtype:credential-theft; sid:2032660; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ebay Phish 2016-12-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"MfcISAPICommand=SignInWelcome"; depth:29; nocase; fast_pattern; content:"&bhid="; nocase; distance:0; content:"&UsingSSL="; nocase; distance:0; content:"&userid="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&keepMeSignInOption="; nocase; distance:0; classtype:credential-theft; sid:2032661; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Telstra Refund Phish 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"first_name="; depth:11; nocase; content:"&name_on_card="; nocase; distance:0; content:"&card_number="; nocase; distance:0; content:"&exp_month="; nocase; distance:0; content:"&card_veri_number="; nocase; distance:0; content:"&billing_adress="; nocase; distance:0; content:"&driver_licence="; nocase; distance:0; fast_pattern; content:"&ccNum="; nocase; distance:0; content:"&ccCVC="; nocase; distance:0; classtype:credential-theft; sid:2032662; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Connect Phish M1 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"logquz="; depth:7; nocase; fast_pattern; content:"&pq2="; nocase; distance:0; content:"&1.Continue.x="; nocase; distance:0; classtype:credential-theft; sid:2032663; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Connect Phish M2 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"cc="; depth:3; nocase; content:"&cvv="; nocase; distance:0; fast_pattern; content:"&mois="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&vbv="; nocase; distance:0; content:"&1.Continue.x="; nocase; distance:0; classtype:credential-theft; sid:2032664; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Connect Phish M3 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"ad1="; depth:4; nocase; content:"&mm="; nocase; distance:0; content:"&dd="; nocase; distance:0; content:"&yy="; nocase; distance:0; content:"&ad2="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&phon="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; content:"&1.Continue.x="; nocase; distance:0; classtype:credential-theft; sid:2032665; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"first_name="; depth:11; nocase; fast_pattern; content:"&last_name="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&country="; nocase; distance:0; classtype:credential-theft; sid:2032641; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Phish 2016-12-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"RelayState="; depth:11; nocase; fast_pattern; content:"&uiq="; nocase; distance:0; classtype:credential-theft; sid:2032668; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email"; depth:5; nocase; content:"&Passwd="; nocase; distance:0; content:"&PhnNum="; nocase; distance:0; fast_pattern; content:"sign"; nocase; distance:0; content:"In"; nocase; distance:0; classtype:credential-theft; sid:2032709; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Etisalat Phish 2016-12-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"usa="; depth:4; nocase; content:"&passe="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032728; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dubai Islamic Internet Bank Phish 2016-12-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"phone="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&passwordemail="; nocase; distance:0; fast_pattern; content:"&form6="; nocase; distance:0; classtype:credential-theft; sid:2032729; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-12-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"EmailAddress="; depth:13; nocase; content:"&EmailPassword="; nocase; distance:0; fast_pattern; content:"&Button"; nocase; distance:0; content:"View+Document"; nocase; distance:0; classtype:credential-theft; sid:2032730; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse (DE) Phish 2016-12-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Address="; depth:8; nocase; content:"&PLZ-Ort="; nocase; distance:0; fast_pattern; content:"&Telefon-Handy="; nocase; distance:0; content:"&E-mail="; nocase; distance:0; content:"&Geburtsdatum="; nocase; distance:0; content:"&Name="; nocase; distance:0; content:"&Anmeldename="; nocase; distance:0; content:"&Anrede="; nocase; distance:0; content:"&PIN="; nocase; distance:0; classtype:credential-theft; sid:2032731; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Account Upgrade Phish 2016-12-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Language="; nocase; distance:0; content:"&Upgrade="; nocase; distance:0; content:"&Name="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&host="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&rpassword="; nocase; distance:0; fast_pattern; content:"&dateofbirth="; nocase; distance:0; classtype:credential-theft; sid:2032733; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Protected PDF (Excel Template) Phish 2016-12-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&.save="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032734; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ebay Phish M1 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"ru="; depth:3; nocase; content:"&businessType="; nocase; distance:0; content:"&countryId="; nocase; distance:0; content:"&businessname="; nocase; distance:0; fast_pattern; content:"&address"; nocase; distance:0; content:"&cily="; nocase; distance:0; content:"&regio="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032735; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ebay Phish M2 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"ctype="; depth:6; nocase; content:"&nameoncard="; nocase; distance:0; content:"&creditCardNumber="; nocase; distance:0; fast_pattern; content:"&cvvNumber="; nocase; distance:0; content:"&expMonth="; nocase; distance:0; content:"&expYear="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&sc="; nocase; distance:0; content:"&ccn="; nocase; distance:0; content:"&birth_day="; nocase; distance:0; classtype:credential-theft; sid:2032736; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"destination="; depth:12; nocase; content:"&j_username="; nocase; distance:0; content:"&j_password="; nocase; distance:0; fast_pattern; content:"&LOB="; nocase; distance:0; classtype:credential-theft; sid:2032737; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Phish (Multiple Brands) 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:".php?"; content:"_Product-UserID&userid="; http.request_body; content:"epass="; depth:6; nocase; fast_pattern; classtype:credential-theft; sid:2032695; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&USAA="; nocase; distance:0; fast_pattern; content:"&ssn"; nocase; distance:0; content:"&pin"; nocase; distance:0; classtype:credential-theft; sid:2032716; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Editbox1="; depth:9; nocase; fast_pattern; content:"Editbox2="; nocase; distance:0; content:"&="; nocase; distance:0; pcre:"/^Editbox1=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032701; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"EM="; depth:3; nocase; content:"&PS="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; fast_pattern; pcre:"/^EM=[^%]+(?:@|%40)[^&]+&/i"; classtype:credential-theft; sid:2032702; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"e="; depth:2; nocase; content:"&p="; nocase; distance:0; content:"&Button1="; nocase; distance:0; fast_pattern; pcre:"/^e=[^%]+(?:@|%40)[^&]+&/i"; classtype:credential-theft; sid:2032705; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"yhid_1="; depth:7; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2032697; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"__VIEWSTATEENCRYPTED="; depth:21; nocase; fast_pattern; content:"&__EVENTVALIDATION="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032707; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&epas="; nocase; content:"&tel="; nocase; classtype:credential-theft; sid:2032690; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish (Google/Dropbox/Netflix) 2015-07-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&Email="; content:"&Passwd="; distance:0; content:"&signIn="; distance:0; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; classtype:credential-theft; sid:2031882; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful SWF/XML Phish 2016-05-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&Email="; content:"&Passwd="; distance:0; content:"&signIn="; distance:0; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; classtype:credential-theft; sid:2032679; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Credential Phish Oct 1 2015"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"formtext1="; depth:10; nocase; fast_pattern; content:"&formtext2="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2031564; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-03-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|formid|22|"; content:"form-data|3b 20|name=|22|User"; nocase; distance:0; content:"form-data|3b 20|name=|22|Pas"; fast_pattern; nocase; distance:0; http.content_type; content:"multipart/form-data"; startswith; classtype:credential-theft; sid:2032676; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-12-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:!"chronicle.com"; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&login=Log"; nocase; distance:0; classtype:credential-theft; sid:2032724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"firstname="; depth:10; fast_pattern; nocase; content:"&address"; distance:0; nocase; content:"&longcard="; distance:0; nocase; content:"&ccdate="; distance:0; nocase; classtype:credential-theft; sid:2031909; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Outlook Web App Phish 2016-12-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"destination="; depth:12; nocase; content:"&flags="; nocase; distance:0; content:"&forcedownlevel="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&passwordText="; nocase; distance:0; fast_pattern; content:"&isUtf8="; nocase; distance:0; classtype:credential-theft; sid:2032732; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-02-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"appleId="; depth:8; fast_pattern; nocase; content:"Pass"; nocase; distance:0; classtype:credential-theft; sid:2032675; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formtext1="; depth:10; nocase; content:"&formtext2="; nocase; distance:0; content:"&formtext3="; nocase; distance:0; content:"&formtext4="; nocase; distance:0; content:"&formtext5="; nocase; distance:0; content:"&formtext6="; nocase; distance:0; content:"&formtext7="; nocase; distance:0; content:"&formtext8="; nocase; distance:0; content:"&formtext9="; nocase; distance:0; content:"&formtext10="; nocase; distance:0; fast_pattern; content:"&formselect1="; nocase; distance:0; content:"&formselect2="; nocase; distance:0; content:"&formselect3="; nocase; distance:0; content:"&formselect4="; nocase; distance:0; content:"&formselect5="; nocase; distance:0; classtype:credential-theft; sid:2032714; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2015-11-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"cmd=_flow&"; fast_pattern; nocase; content:"cc_brand="; nocase; content:"myAllTextSubmitID="; nocase; content:"cc_country_code="; nocase; content:"add.x=Confirm&"; nocase; content:"form_charset=UTF-8"; nocase; classtype:credential-theft; sid:2031894; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M2 2016-08-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.host; content:!"english4it.com.ua"; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&mobile="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032694; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo/CIBC Bank Phish M1 2015-08-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&Submit=Submit"; nocase; distance:0; classtype:credential-theft; sid:2031887; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Shipping Document Phish 2015-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; fast_pattern; content:"&name="; distance:0; content:"&signup=signup"; distance:0; classtype:credential-theft; sid:2031892; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Docusign/O365 Phish 2016-07-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"UserName="; depth:9; content:"&Password"; nocase; distance:0; fast_pattern; content:"&AuthMethod=FormsAuth"; nocase; distance:0; classtype:credential-theft; sid:2032687; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Email Phish 2016-07-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:".php?email="; fast_pattern; http.request_body; content:"email="; nocase; depth:6; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032688; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_07_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish to Compromised Wordpress Site 2016-03-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; content:".php"; content:!"/wp-admin/admin-ajax.php"; endswith; depth:24; http.request_body; content:"&user"; fast_pattern; nocase; content:"&pass"; nocase; distance:0; content:"&email"; nocase; distance:0; classtype:credential-theft; sid:2032677; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"userid="; depth:7; fast_pattern; nocase; content:"&idpassword="; distance:0; nocase; content:"&name="; distance:0; nocase; content:"&address="; distance:0; nocase; classtype:credential-theft; sid:2031891; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-02-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|Email|22|"; nocase; content:"form-data|3b 20|name=|22|Password|22|"; fast_pattern; nocase; distance:0; content:"Track"; nocase; distance:0; classtype:credential-theft; sid:2032673; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Brand Phish 2016-12-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&formtext"; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; fast_pattern; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032720; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Telstra Phish M2 2015-09-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&first_name="; nocase; distance:0; content:"&emailaddress="; nocase; distance:0; classtype:credential-theft; sid:2031890; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Account Phish 2015-08-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&destination="; fast_pattern; content:"&userid="; distance:0; content:"&password="; distance:0; content:"&continue=Sign+On"; distance:0; classtype:credential-theft; sid:2031883; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"account="; depth:8; fast_pattern; content:"&password="; distance:0; content:"&x="; distance:0; content:"&y="; distance:0; classtype:credential-theft; sid:2031884; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Key Bank Phish M1 2015-08-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"requester=login&"; depth:16; fast_pattern; content:"&userid="; distance:0; content:"&password="; distance:0; content:"&btnSubmit="; distance:0; classtype:credential-theft; sid:2031885; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Key Bank Phish M2 2015-08-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"__EVENTTARGET=btnValidateSignon&"; depth:32; fast_pattern; content:"&userid="; distance:0; content:"&password="; distance:0; content:"&email="; distance:0; classtype:credential-theft; sid:2031886; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Phish 2015-08-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; fast_pattern; content:"&passwd="; distance:0; content:"&Upgrade="; nocase; distance:0; classtype:credential-theft; sid:2031888; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.co.za"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027922; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.org"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027923; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"excsrvcdn.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027924; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"online-analytic.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-traffic.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-statistics.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscachecloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscloudservice.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027929; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"opendnscloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027930; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK - Unexpected Victim Location Server Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Sea|20|for|20|a|20|life"; startswith; fast_pattern; endswith; classtype:exploit-kit; sid:2027934; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RigEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"solkoptions.host"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026858; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; content:".cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.vv.cc domain"; dns.query; content:".vv.cc"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2012826; rev:5; metadata:created_at 2011_05_19, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.be Domain"; dns.query; content:".co.be"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013124; rev:7; metadata:created_at 2011_06_29, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .net.tf Domain"; dns.query; content:".net.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013847; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .eu.tf Domain"; dns.query; content:".eu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013848; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .int.tf Domain"; dns.query; content:".int.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013849; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .edu.tf Domain"; dns.query; content:".edu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013850; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .us.tf Domain"; dns.query; content:".us.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013851; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ca.tf Domain"; dns.query; content:".ca.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013852; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .bg.tf Domain"; dns.query; content:".bg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013853; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ru.tf Domain"; dns.query; content:".ru.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013854; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .pl.tf Domain"; dns.query; content:".pl.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013855; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .cz.tf Domain"; dns.query; content:".cz.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013856; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .de.tf Domain"; dns.query; content:".de.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013857; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .at.tf Domain"; dns.query; content:".at.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013858; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ch.tf Domain"; dns.query; content:".ch.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013859; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .sg.tf Domain"; dns.query; content:".sg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013860; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .nl.ai Domain"; dns.query; content:".nl.ai"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013861; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .xe.cx Domain"; dns.query; content:".xe.cx"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013862; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .noip.cn Domain"; dns.query; content:".noip.cn"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013970; rev:5; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; dns.query; content:"gongfu-android.com"; depth:18; endswith; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:command-and-control; sid:2013023; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ch.vu Domain"; dns.query; content:".ch.vu"; fast_pattern; nocase; endswith; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:8; metadata:created_at 2012_02_28, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; dns.query; content:".ez-dns.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013845; rev:6; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; dns.query; content:".dyndns-web.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013863; rev:7; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; dns.query; content:".dyndns-at-home.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013971; rev:7; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain"; dns.query; content:".4irc.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014480; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain"; dns.query; content:".b0ne.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014482; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain"; dns.query; content:".chatnook.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014486; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain"; dns.query; content:".darktech.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014488; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain"; dns.query; content:".deaftone.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014490; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.effers.com Domain"; dns.query; content:".effers.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014494; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain"; dns.query; content:".etowns.net"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014496; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain"; dns.query; content:".etowns.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014498; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain"; dns.query; content:".gotgeeks.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014502; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain"; dns.query; content:".scieron.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014504; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain"; dns.query; content:".slyip.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014506; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain"; dns.query; content:".suroot.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014510; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".2288.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014779; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".3322.net"; fast_pattern; endswith; classtype:misc-activity; sid:2014781; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".6600.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014782; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".7766.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014783; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".9966.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014786; rev:9; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com"; dns.query; content:".dns-stuff.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014868; rev:6; metadata:created_at 2012_06_07, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; dns.query; content:".onion"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:5; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.be.ma domain"; dns.query; content:".be.ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2012902; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.upas.su domain"; dns.query; content:".upas.su"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2015550; rev:5; metadata:created_at 2012_07_31, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; dns.query; content:".exit"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:7; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.cc Domain"; dns.query; content:".co.cc"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:7; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; dns.query; content:"provide.yourtrap.com"; depth:20; fast_pattern; nocase; endswith; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:command-and-control; sid:2016135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Chewbacca CnC Server"; dns.query; content:"5ji235jysrvwfgmb.onion"; depth:22; fast_pattern; endswith; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:command-and-control; sid:2018114; rev:5; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns.query; content:"jmxkowzoen.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018267; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbasic.com Domain"; dns.query; content:".mrbasic.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2018366; rev:6; metadata:created_at 2014_04_05, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; dns.query; content:"tun.vpnoverdns.com"; depth:18; fast_pattern; nocase; endswith; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:6; metadata:created_at 2014_05_02, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; dns.query; content:"zpwibfsmoowehdsm.onion"; depth:22; nocase; endswith; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:5; metadata:created_at 2014_07_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; dns.query; content:".passinggas.net"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018810; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myredirect.us Domain (Sitelutions)"; dns.query; content:".myredirect.us"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018812; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.rr.nu Domain (Sitelutions)"; dns.query; content:".rr.nu"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018814; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.kwik.to Domain (Sitelutions)"; dns.query; content:".kwik.to"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018816; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myfw.us Domain (Sitelutions)"; dns.query; content:".myfw.us"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018818; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *ontheweb.nu Domain (Sitelutions)"; dns.query; content:".ontheweb.nu"; nocase; endswith; classtype:bad-unknown; sid:2018820; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isthebe.st Domain (Sitelutions)"; dns.query; content:".isthebe.st"; nocase; endswith; classtype:bad-unknown; sid:2018822; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *byinter.net Domain (Sitelutions)"; dns.query; content:".byinter.net"; nocase; endswith; classtype:bad-unknown; sid:2018824; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *findhere.org Domain (Sitelutions)"; dns.query; content:".findhere.org"; nocase; endswith; classtype:bad-unknown; sid:2018826; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *onthenetas.com Domain (Sitelutions)"; dns.query; content:".onthenetas.com"; nocase; endswith; classtype:bad-unknown; sid:2018828; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *uglyas.com Domain (Sitelutions)"; dns.query; content:".uglyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018830; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *assexyas.com Domain (Sitelutions)"; dns.query; content:".assexyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018832; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *passas.us Domain (Sitelutions)"; dns.query; content:".passas.us"; nocase; endswith; classtype:bad-unknown; sid:2018834; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *atthissite.com Domain (Sitelutions)"; dns.query; content:"athissite.com"; nocase; endswith; classtype:bad-unknown; sid:2018836; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *athersite.com Domain (Sitelutions)"; dns.query; content:"athersite.com"; nocase; endswith; classtype:bad-unknown; sid:2018838; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isgre.at Domain (Sitelutions)"; dns.query; content:".isgre.at"; nocase; endswith; classtype:bad-unknown; sid:2018840; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lookin.at Domain (Sitelutions)"; dns.query; content:".lookin.at"; nocase; endswith; classtype:bad-unknown; sid:2018842; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *bestdeals.at Domain (Sitelutions)"; dns.query; content:".bestdeals.at"; nocase; endswith; classtype:bad-unknown; sid:2018844; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lowestprices Domain (Sitelutions)"; dns.query; content:".lowestprices.at"; nocase; endswith; classtype:bad-unknown; sid:2018846; rev:7; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.orge.pl Domain"; dns.query; content:".orge.pl"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013843; rev:6; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Query to Known CnC Domain msnsolution.nicaze.net"; dns.query; content:"icaze.net"; depth:9; fast_pattern; endswith; reference:md5,89332c92d0360095e2dda8385d400258; classtype:command-and-control; sid:2014139; rev:8; metadata:created_at 2012_01_21, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (sektori.org)"; dns.query; content:"sektori.org"; depth:11; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014573; rev:9; metadata:created_at 2012_04_16, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.bestcomputeradvisor.com"; dns.query; content:".bestcomputeradvisor.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:8; metadata:created_at 2012_08_10, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"chrom-update.online"; nocase; endswith; classtype:command-and-control; sid:2027936; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"mnmnmnmnmnmn.club"; nocase; endswith; classtype:command-and-control; sid:2027937; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"asasasqwqq.xyz"; nocase; endswith; classtype:command-and-control; sid:2027938; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.guest-access.net"; dns.query; content:".guest-access.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:8; metadata:created_at 2012_08_10, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Known Reveton Domain whatwillber.com"; dns.query; content:"whatwillber.com"; depth:15; nocase; endswith; classtype:bad-unknown; sid:2015875; rev:9; metadata:created_at 2012_11_09, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup msonlinelive.com"; dns.query; content:"msonlinelive.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019586; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup malwarecheck.info"; dns.query; content:"malwarecheck.info"; depth:17; fast_pattern; nocase; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019640; rev:5; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain www.comeinbaby.com"; dns.query; content:"comeinbaby.com"; depth:14; fast_pattern; nocase; endswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019667; rev:7; metadata:created_at 2014_11_07, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain manhuaba.com.cn"; dns.query; content:"manhuaba.com.cn"; depth:15; fast_pattern; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019718; rev:5; metadata:created_at 2014_11_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.no-ip.net"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019788; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.ddns.net"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019790; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adobeincorp.com"; dns.query; content:"adobeincorp.com"; depth:15; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019565; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"doosan-job.com"; depth:14; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019851; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"downloadsservers.com"; depth:20; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019852; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"drivercenterupdate.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019853; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"easyresumecreatorpro.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019854; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019855; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.net"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019856; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftactiveservices.com"; depth:27; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019858; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftmiddleast.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019859; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsserverupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019869; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowssecurityupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019868; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"northropgrumman.net"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019865; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsupdate.net"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019864; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowscentralupdate.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019867; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"teledyne-jobs.com"; depth:17; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019866; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftserverupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019861; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftonlineupdates.com"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019860; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsresources.com"; depth:29; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019863; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsupdateserver.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019870; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"gesunddurchsjahr.de"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019871; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.org"; dns.query; content:"checkmalware.org"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019582; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatesoftware24.com"; dns.query; content:"updatesoftware24.com"; depth:20; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019580; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup windows-updater.com"; dns.query; content:"windows-updater.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019581; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftupdateserver.net"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatepc.org"; dns.query; content:"updatepc.org"; depth:12; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019579; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testsnetcontrol.com"; dns.query; content:"testsnetcontrol.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019578; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testservice24.net"; dns.query; content:"testservice24.net"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019577; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup symanttec.org"; dns.query; content:"symanttec.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019576; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup securitypractic.com"; dns.query; content:"securitypractic.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019575; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup secnetcontrol.com"; dns.query; content:"secnetcontrol.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019574; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup scanmalware.info"; dns.query; content:"scanmalware.info"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019573; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsof-update.com"; dns.query; content:"microsof-update.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019572; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsofi.org"; dns.query; content:"microsofi.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019571; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkwinframe.com"; dns.query; content:"checkwinframe.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019568; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup check-fix.com"; dns.query; content:"check-fix.com"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019569; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adawareblock.com"; dns.query; content:"adawareblock.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019564; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup azureon-line.com"; dns.query; content:"azureon-line.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019566; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.info"; dns.query; content:"checkmalware.info"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019567; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"kundenpflege.menrad.de"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019857; rev:7; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas ecolines.es"; dns.query; content:"ecolines.es"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019912; rev:6; metadata:created_at 2014_12_11, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas blackberry-support.herokuapp.com"; dns.query; content:"blackberry-support.herokuapp.com"; depth:32; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019913; rev:6; metadata:created_at 2014_12_11, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Invisible Internet Project Domain (I2P)"; dns.query; content:".i2p"; endswith; fast_pattern; reference:url,geti2p.net; classtype:policy-violation; sid:2019988; rev:6; metadata:created_at 2014_12_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (great-codes.com)"; dns.query; content:"great-codes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020035; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (adguard.name)"; dns.query; content:"adguard.name"; depth:12; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020036; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (coral-trevel.com)"; dns.query; content:"coral-trevel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020037; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice10.ru)"; dns.query; content:"ddnservice10.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020038; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (paradise-plaza.com)"; dns.query; content:"paradise-plaza.com"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020039; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (worldnewsonline.pw)"; dns.query; content:"worldnewsonline.pw"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020040; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (update-java.net)"; dns.query; content:"update-java.net"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:targeted-activity; sid:2020041; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (allwayshappy.ru)"; dns.query; content:"allwayshappy.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020044; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (deadwalk32.ru)"; dns.query; content:"deadwalk32.ru"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020047; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (doubleclickads.net)"; dns.query; content:"doubleclickads.net"; depth:18; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020048; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (octoberpics.ru)"; dns.query; content:"octoberpics.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020054; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (server38.info)"; dns.query; content:"server38.info"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020057; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (ssl-server24.ru)"; dns.query; content:"ssl-server24.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020058; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeterplanet.ru)"; dns.query; content:"tweeterplanet.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020059; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (updatemyhost.ru)"; dns.query; content:"updatemyhost.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020061; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (walkingdead32.ru)"; dns.query; content:"walkingdead32.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020062; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (worldnews247.net)"; dns.query; content:"worldnews247.net"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020063; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (financialnewsonline.pw)"; dns.query; content:"financialnewsonline.pw"; depth:22; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020066; rev:6; metadata:created_at 2014_12_24, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hong Kong SWC Attack DNS Lookup (aoemvp.com)"; dns.query; content:"aoemvp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020171; rev:5; metadata:created_at 2015_01_13, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p-netdb.innovatio.no)"; dns.query; content:"i2p-netdb.innovatio.no"; depth:22; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020189; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p.mooo.com)"; dns.query; content:"i2p.mooo.com"; depth:12; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020190; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (netdb.i2p2.no)"; dns.query; content:"netdb.i2p2.no"; depth:13; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020191; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (reseed.i2p-projekt.de)"; dns.query; content:"reseed.i2p-projekt.de"; depth:21; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020192; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (uk.reseed.i2p2.no)"; dns.query; content:"uk.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020193; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (us.reseed.i2p2.no)"; dns.query; content:"us.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020194; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (apple.dynamic-dns.net)"; dns.query; content:"apple.dynamic-dns.net"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020244; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (autocar.ServeUser.com)"; dns.query; content:"autocar.ServeUser.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020245; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (coastnews.darktech.org)"; dns.query; content:"coastnews.darktech.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020249; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (demon.4irc.com)"; dns.query; content:"demon.4irc.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020250; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.ddns.info)"; dns.query; content:"logoff.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020259; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (yellowblog.flnet.org)"; dns.query; content:"yellowblog.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020279; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious tolotor.com Domain - Possible CryptoWall Activity"; dns.query; content:"tolotor.com"; depth:11; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020284; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (pstcmedia.com)"; dns.query; content:"pstcmedia.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020444; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mixedwork.com)"; dns.query; content:"mixedwork.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020445; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ahmedfaiez.info)"; dns.query; content:"ahmedfaiez.info"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020446; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupdate.com)"; dns.query; content:"flushupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020447; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupate.com)"; dns.query; content:"flushupate.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020448; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ineltdriver.com)"; dns.query; content:"ineltdriver.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020449; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mediahitech.info)"; dns.query; content:"mediahitech.info"; depth:16; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020450; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (plmedgroup.com)"; dns.query; content:"plmedgroup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020451; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (advtravel.info)"; dns.query; content:"advtravel.info"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020452; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (fpupdate.info)"; dns.query; content:"fpupdate.info"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020453; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (linksis.info)"; dns.query; content:"linksis.info"; depth:12; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020454; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (linkedim.in)"; dns.query; content:"linkedim.in"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020459; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (androcity.com)"; dns.query; content:"androcity.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020461; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (liptona.net)"; dns.query; content:"liptona.net"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020462; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nauss-lab.com)"; dns.query; content:"nauss-lab.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020464; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nice-mobiles.com)"; dns.query; content:"nice-mobiles.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020465; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (facebook-emoticons.bitblogoo.com)"; dns.query; content:"facebook-emoticons.bitblogoo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020466; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (abuhmaid.net)"; dns.query; content:"abuhmaid.net"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020467; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (blogging-host.info)"; dns.query; content:"blogging-host.info"; depth:18; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020468; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (tvgate.rocks)"; dns.query; content:"tvgate.rocks"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020469; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (iwork-sys.com)"; dns.query; content:"iwork-sys.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020472; rev:6; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE 9002 RAT C&C DNS request"; dns.query; content:"cache.dnsde.com"; depth:15; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2020713; rev:5; metadata:created_at 2015_03_19, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (saveweb.wink.ws)"; dns.query; content:"saveweb.wink.ws"; depth:15; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020814; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (carima2012.site90.com)"; dns.query; content:"carima2012.site90.com"; depth:21; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020815; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (explorerdotnt.info)"; dns.query; content:"explorerdotnt.info"; depth:18; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020816; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotnetexplorer.info)"; dns.query; content:"dotnetexplorer.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020817; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotntexplorere.info)"; dns.query; content:"dotntexplorere.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020818; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (xploreredotnet.info)"; dns.query; content:"xploreredotnet.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020819; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (erdotntexplore.info)"; dns.query; content:"erdotntexplore.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020820; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"aa.hostasa.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:6; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns1.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns2.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns3.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns4.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gh.dsaj2a1.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"navert0p.com"; depth:12; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"wangzongfacai.com"; depth:17; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gggatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"xxxatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; dns.query; content:"tinduongpho.com"; depth:15; fast_pattern; endswith; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"v8.f1122.org"; depth:12; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2021443; rev:5; metadata:created_at 2015_07_20, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"GroUndHog.MapSnode.CoM"; depth:22; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2021444; rev:5; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; dns.query; content:"drometic.suroot.com"; depth:19; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021576; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; dns.query; content:"docume.sysbloger.com"; depth:20; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021577; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; dns.query; content:"ohio.sysbloger.com"; depth:18; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021578; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; dns.query; content:"specs.dnsrd.com"; depth:15; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021579; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; dns.query; content:"np3.Jkub.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021580; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; dns.query; content:"ns8.ddns1.com"; depth:13; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021581; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (books.mrface.com)"; dns.query; content:"books.mrface.com"; depth:16; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021582; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; dns.query; content:"kieti.ipsecsl.net"; depth:17; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021583; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"s-p-o-o-f-e-d.h-o-s-t.name"; depth:26; fast_pattern; nocase; endswith; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; dns.query; content:"xssok.blogspot.com"; depth:18; nocase; endswith; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Gh0ST/PlugX/Various Backdoors DNS Lookup (gameofthrones.ddns.net)"; dns.query; content:"gameofthrones.ddns.net"; depth:22; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Likely PlugX DNS Lookup (chrome.servehttp.com)"; dns.query; content:"chrome.servehttp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021793; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Backdoor.GTalkTrojan DNS Lookup (update.gtalklite.com)"; dns.query; content:"update.gtalklite.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021794; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger HTTPBrowser DNS Lookup (trendmicro-update.org)"; dns.query; content:"trendmicro-update.org"; depth:21; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021795; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-analysis.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021806; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-diagnostics.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021807; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.crash-analytics.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021808; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Naikon DNS Lookup (greensky27.vicp.net)"; dns.query; content:"greensky27.vicp.net"; depth:19; nocase; endswith; fast_pattern; reference:url,threatconnect.com/camerashy-resources/; classtype:trojan-activity; sid:2021831; rev:5; metadata:created_at 2015_09_24, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; dns.query; content:"aps.kemoge.net"; depth:14; fast_pattern; nocase; endswith; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (googlemanage.com)"; dns.query; content:"googlemanage.com"; depth:16; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021935; rev:5; metadata:created_at 2015_10_08, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (websecexp.com)"; dns.query; content:"websecexp.com"; depth:13; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021960; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup (mailsecurityservice.com)"; dns.query; content:"mailsecurityservice.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2015/10/targeted-attacks-ngo-burma/; classtype:trojan-activity; sid:2021962; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"softupdates.info"; depth:16; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022121; rev:5; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"drivres-update.info"; depth:19; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022122; rev:5; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (alhadath.mobi)"; dns.query; content:"alhadath.mobi"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022148; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (big-windowss.com)"; dns.query; content:"big-windowss.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022149; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (cacheupdate14.com)"; dns.query; content:"cacheupdate14.com"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022150; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.space)"; dns.query; content:"fbstatic-a.space"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022151; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.xyz)"; dns.query; content:"fbstatic-a.xyz"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022152; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-akamaihd.com)"; dns.query; content:"fbstatic-akamaihd.com"; depth:21; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022153; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (gmailtagmanager.com)"; dns.query; content:"gmailtagmanager.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022154; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz.link)"; dns.query; content:"haaretz.link"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022155; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz-news.com)"; dns.query; content:"haaretz-news.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022156; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (heartax.info)"; dns.query; content:"heartax.info"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022157; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (img.gmailtagmanager.com)"; dns.query; content:"img.gmailtagmanager.com"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022158; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (kernel4windows.in)"; dns.query; content:"kernel4windows.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022159; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (main.windowskernel14.com)"; dns.query; content:"main.windowskernel14.com"; depth:24; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022160; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (micro-windows.in)"; dns.query; content:"micro-windows.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022161; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate15.com)"; dns.query; content:"mswordupdate15.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022162; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate16.com)"; dns.query; content:"mswordupdate16.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022163; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate17.com)"; dns.query; content:"mswordupdate17.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022164; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mywindows24.in)"; dns.query; content:"mywindows24.in"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022165; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch7-windows.com)"; dns.query; content:"patch7-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022166; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch8-windows.com)"; dns.query; content:"patch8-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022167; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patchthiswindows.com)"; dns.query; content:"patchthiswindows.com"; depth:20; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022168; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (u.mywindows24.in)"; dns.query; content:"u.mywindows24.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022169; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (walla.link)"; dns.query; content:"walla.link"; depth:10; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022170; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wethearservice.com)"; dns.query; content:"wethearservice.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022171; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wheatherserviceapi.info)"; dns.query; content:"wheatherserviceapi.info"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022172; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowkernel.com)"; dns.query; content:"windowkernel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022173; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-10patch.in)"; dns.query; content:"windows-10patch.in"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022174; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows24-kernel.in)"; dns.query; content:"windows24-kernel.in"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022175; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-drive20.com)"; dns.query; content:"windows-drive20.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022176; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-india.in)"; dns.query; content:"windows-india.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022177; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel.in)"; dns.query; content:"windowskernel.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022178; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-kernel.in)"; dns.query; content:"windows-kernel.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022179; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel14.com)"; dns.query; content:"windowskernel14.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022180; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowslayer.in)"; dns.query; content:"windowslayer.in"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022181; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-my50.com)"; dns.query; content:"windows-my50.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022182; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowssup.in)"; dns.query; content:"windowssup.in"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022183; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowsupup.com)"; dns.query; content:"windowsupup.com"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022184; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (inocnation.com)"; dns.query; content:"inocnation.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022273; rev:5; metadata:created_at 2015_12_17, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilGrab or APT.9002 DNS Lookup (secvies.com)"; dns.query; content:"secvies.com"; depth:11; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:targeted-activity; sid:2022355; rev:6; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TrochilusRAT DNS Lookup (security-centers.com)"; dns.query; content:"security-centers.com"; depth:20; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022356; rev:6; metadata:created_at 2016_01_13, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsip.ru Domain"; dns.query; content:".dnsip.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022382; rev:5; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyn-dns.ru Domain"; dns.query; content:".dyn-dns.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022383; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru Domain"; dns.query; content:".dnsalias.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022381; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru Domain"; dns.query; content:".dns-free.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022384; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (aynfksddnnfwkd)"; dns.query; content:".aynfksddnnfwkd"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022399; rev:5; metadata:created_at 2016_01_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (krfdnhfnsai3d)"; dns.query; content:".krfdnhfnsai3d"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022400; rev:5; metadata:created_at 2016_01_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 1"; dns.query; content:"9i7ffdgvffibow7.vrnserver.ru"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022411; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 6"; dns.query; content:"admin.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022416; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 15"; dns.query; content:"dolat.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022425; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 16"; dns.query; content:"dolet.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022426; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 17"; dns.query; content:"economy.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022427; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 20"; dns.query; content:"firefox.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022430; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 24"; dns.query; content:"github.ignorelist.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022434; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 25"; dns.query; content:"islam.youtubesitegroup.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022435; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 26"; dns.query; content:"kissecurity.firewall-gateway.net"; depth:32; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022436; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 27"; dns.query; content:"liumingzhen.myftp.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022437; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 33"; dns.query; content:"opero.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022443; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 34"; dns.query; content:"otcgk.border.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022444; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 41"; dns.query; content:"webmail.yourturbe.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022451; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns.query; content:"www.googmail.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022455; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns.query; content:"www.gorlan.cloudns.pro"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022456; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns.query; content:"www.uyghur.25u.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022457; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 44"; dns.query; content:"zjhao.dtdns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022461; rev:6; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CustomRAT DNS lookup"; dns.query; content:"www729448908.f3322.org"; depth:22; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022473; rev:5; metadata:created_at 2016_01_29, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.ae.am domain"; dns.query; content:".ae.am"; fast_pattern; endswith; classtype:bad-unknown; sid:2012900; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.qc.cx domain"; dns.query; content:".qc.cx"; fast_pattern; endswith; classtype:bad-unknown; sid:2012903; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.absentvodka.com)"; dns.query; content:"updates.absentvodka.com"; depth:23; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022555; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.mintylinux.com)"; dns.query; content:"updates.mintylinux.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022556; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (eggstrawdinarry.mylittlerepo.com)"; dns.query; content:"eggstrawdinarry.mylittlerepo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022557; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (linuxmint.kernel-org.org)"; dns.query; content:"linuxmint.kernel-org.org"; depth:24; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022558; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suckfly/Nidiran Backdoor DNS Lookup"; dns.query; content:"microsoft-security-center.com"; depth:29; nocase; endswith; fast_pattern; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120123-5521-99; classtype:trojan-activity; sid:2022626; rev:5; metadata:created_at 2016_03_16, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)"; dns.query; content:".ngrok.com"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022641; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.io)"; dns.query; content:".ngrok.io"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022642; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.neokred domain - Likely Hostile"; dns.query; content:".neokred.org"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022643; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerShell/Agent.A DNS Lookup (go0gIe.com)"; dns.query; content:"go0gIe.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022835; rev:5; metadata:created_at 2016_05_24, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious dynapoint.pw Domain"; dns.query; content:"dynapoint.pw"; depth:12; endswith; fast_pattern; classtype:bad-unknown; sid:2022876; rev:5; metadata:created_at 2016_06_08, former_category HUNTING, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpovider.org)"; dns.query; content:".torpovider.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019981; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.org)"; dns.query; content:".torgateway.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019983; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bladetor.com)"; dns.query; content:".bladetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020107; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bonytor.com)"; dns.query; content:".bonytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020108; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bortor.com)"; dns.query; content:".bortor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020109; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (browsetor.com)"; dns.query; content:".browsetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020110; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (door2tor.org)"; dns.query; content:".door2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020111; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (enter2tor.com)"; dns.query; content:".enter2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020112; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (jamator.com)"; dns.query; content:".jamator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020113; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion2web.com)"; dns.query; content:".onion2web.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020114; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.lt)"; dns.query; content:".onion.lt"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020115; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay2tor.com)"; dns.query; content:".pay2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020117; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay4tor.com)"; dns.query; content:".pay4tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020118; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (payrobotor.com)"; dns.query; content:".payrobotor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020119; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (poltornik.com)"; dns.query; content:".poltornik.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020120; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (slavetor.com)"; dns.query; content:".slavetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020121; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tanktor.com)"; dns.query; content:".tanktor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020122; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2pay.com)"; dns.query; content:".tor2pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020123; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2www.com)"; dns.query; content:".tor2www.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020124; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (toralpacho.com)"; dns.query; content:".toralpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020127; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torbama.com)"; dns.query; content:".torbama.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020128; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torchek.com)"; dns.query; content:".torchek.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020129; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torexplorer.com)"; dns.query; content:".torexplorer.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020130; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforlove.com)"; dns.query; content:".torforlove.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020131; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torjam.com)"; dns.query; content:".torjam.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020132; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpacho.com)"; dns.query; content:".torpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020134; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; dns.query; content:".torpaycash.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycnf.com)"; dns.query; content:".torpaycnf.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020136; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayeur.com)"; dns.query; content:".torpayeur.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020137; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayusd.com)"; dns.query; content:".torpayusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020138; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torprivatebrowsing.org)"; dns.query; content:".torprivatebrowsing.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020139; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsanctions.com)"; dns.query; content:".torsanctions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020140; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsona.com)"; dns.query; content:".torsona.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020141; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torvsusd.com)"; dns.query; content:".torvsusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020142; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwild.com)"; dns.query; content:".torwild.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020143; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwinner.com)"; dns.query; content:".torwinner.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020144; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (totortoweb.com)"; dns.query; content:".totortoweb.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020145; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (vtorchike.com)"; dns.query; content:".vtorchike.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020146; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (walterwtor.com)"; dns.query; content:".walterwtor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020147; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforall.com)"; dns.query; content:".torforall.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020183; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torman2.com)"; dns.query; content:".torman2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020184; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwoman.com)"; dns.query; content:".torwoman.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020185; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torroadsters.com)"; dns.query; content:".torroadsters.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020186; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.gq)"; dns.query; content:".onion.gq"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020211; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaysolutions.com)"; dns.query; content:".torpaysolutions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020374; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayoptions.com)"; dns.query; content:".torpayoptions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020375; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torinvestment2.com)"; dns.query; content:".torinvestment2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020376; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwillsmith.com)"; dns.query; content:".torwillsmith.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020377; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstorpay22.com)"; dns.query; content:".optionstorpay22.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020390; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bananator.com)"; dns.query; content:".bananator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020391; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (monsterbbc.com)"; dns.query; content:".monsterbbc.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020395; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tostotor.com)"; dns.query; content:".tostotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020400; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (trusteetor.com)"; dns.query; content:".trusteetor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020401; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionstopaytor33.com)"; dns.query; content:".solutionstopaytor33.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020402; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.am)"; dns.query; content:".onion.am"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020404; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (batmantor.com)"; dns.query; content:".batmantor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020405; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (dogotor.com)"; dns.query; content:".dogotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020406; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.glass)"; dns.query; content:".onion.glass"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020574; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.direct)"; dns.query; content:".onion.direct"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020577; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion Proxy Domain (connect2tor.org)"; dns.query; content:"connect2tor.org"; depth:15; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020617; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torstorm.org)"; dns.query; content:".torstorm.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020618; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bolistatapay.com)"; dns.query; content:".bolistatapay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020619; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (sshowmethemoney.com)"; dns.query; content:".sshowmethemoney.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020620; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)"; dns.query; content:".optionstopaytos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020639; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (cheetosnotburitos.com)"; dns.query; content:".cheetosnotburitos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020640; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionsketchupay.com)"; dns.query; content:".optionsketchupay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020641; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionsaccountor.com)"; dns.query; content:".solutionsaccountor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020642; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4free.org)"; dns.query; content:".tor4free.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020686; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tordomain.org)"; dns.query; content:".tordomain.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020703; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (welcome2tor.org)"; dns.query; content:".welcome2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020704; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (clusterpaytor.com)"; dns.query; content:".clusterpaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021190; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (statepaytor.com)"; dns.query; content:".statepaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021191; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (paypartnerstodo.com)"; dns.query; content:".paypartnerstodo.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022041; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (allepohelpto.com)"; dns.query; content:".allepohelpto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022042; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (marketcryptopartners.com)"; dns.query; content:".marketcryptopartners.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022043; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (partnersinvestpayto.com)"; dns.query; content:".partnersinvestpayto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022044; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (effectwaytopay.com)"; dns.query; content:".effectwaytopay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022046; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tormaster.fr)"; dns.query; content:".tormaster.fr"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022645; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.li)"; dns.query; content:".torgateway.li"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022646; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (khh5cmzh5q7yp7th)"; dns.query; content:".khh5cmzh5q7yp7th"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022947; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"g5wcesdfjzne7255.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022950; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"r2elajikcosf7zee.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022951; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; dns.query; content:"tmdxiawceahpbhmb.com"; depth:20; nocase; endswith; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (rapidcomments.com)"; dns.query; content:"rapidcomments.com"; depth:17; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (bikessport.com)"; dns.query; content:"bikessport.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023021; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (flowershop22.110mb.com)"; dns.query; content:"flowershop22.110mb.com"; depth:22; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; classtype:trojan-activity; sid:2023023; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (wildhorses.awardspace.info)"; dns.query; content:"wildhorses.awardspace.info"; depth:26; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023024; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply-wsu.ebizx.net)"; dns.query; content:"apply-wsu.ebizx.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023059; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply.ebizx.net)"; dns.query; content:"apply.ebizx.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023060; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (aalaan .tv)"; dns.query; content:"aalaan.tv"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023093; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (accounts .mx)"; dns.query; content:"accounts.mx"; depth:11; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023094; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alawaeltech .com)"; dns.query; content:"alawaeltech.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alljazeera .co)"; dns.query; content:"alljazeera.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararabiya .co)"; dns.query; content:"asrararabiya.co"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararablya .com)"; dns.query; content:"asrararablya.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023099; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrarrarabiya .com)"; dns.query; content:"asrarrarabiya.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023100; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bahrainsms .co)"; dns.query; content:"bahrainsms.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023101; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bulbazaur .com)"; dns.query; content:"bulbazaur.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023103; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (cnn-africa .co)"; dns.query; content:"cnn-africa.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023105; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (damanhealth .online)"; dns.query; content:"damanhealth.online"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023106; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (emiratesfoundation .net)"; dns.query; content:"emiratesfoundation.net"; depth:22; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023107; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (fb-accounts .com)"; dns.query; content:"fb-accounts.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023108; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icloudcacher .com)"; dns.query; content:"icloudcacher.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023110; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icrcworld .com)"; dns.query; content:"icrcworld.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023111; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (manoraonline .net)"; dns.query; content:"manoraonline.net"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023112; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mz-vodacom .info)"; dns.query; content:"mz-vodacom.info"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023113; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (newtarrifs .net)"; dns.query; content:"newtarrifs.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023114; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ooredoodeals .com)"; dns.query; content:"ooredoodeals.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023115; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (pickuchu .com)"; dns.query; content:"pickuchu.com"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023116; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (redcrossworld .com)"; dns.query; content:"redcrossworld.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023117; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sabafon .info)"; dns.query; content:"sabafon.info"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023118; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smser .net)"; dns.query; content:"smser.net"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023119; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sms .webadv.co)"; dns.query; content:"sms.webadv.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023120; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (topcontactco .com)"; dns.query; content:"topcontactco.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023121; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (tpcontact .co.uk)"; dns.query; content:"tpcontact.co.uk"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023122; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (track-your-fedex-package .org)"; dns.query; content:"track-your-fedex-package.org"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023123; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkishairines .info)"; dns.query; content:"turkishairines.info"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023125; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (uaenews .online)"; dns.query; content:"uaenews.online"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023126; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (univision .click)"; dns.query; content:"univision.click"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023127; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (whatsapp-app .com)"; dns.query; content:"whatsapp-app.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023129; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (y0utube .com.mx)"; dns.query; content:"y0utube.com.mx"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023130; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (bigcrashcar.net)"; dns.query; content:"bigcrashcar.net"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2023142; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (collge .myq-see.com)"; dns.query; content:"collge.myq-see.com"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (sara2011 .no-ip.biz)"; dns.query; content:"sara2011.no-ip.biz"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023258; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (wininit .myq-see.com)"; dns.query; content:"wininit.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (appleupdate .com)"; dns.query; content:"appleupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023299; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (apple-iclouds .net)"; dns.query; content:"apple-iclouds.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023300; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (itunes-helper .net)"; dns.query; content:"itunes-helper.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023301; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"bonmawp.at"; depth:10; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023331; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"wallymac.com"; depth:12; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023332; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed AgentTesla Domain Request"; dns.query; content:"agenttesla.com"; depth:14; nocase; endswith; fast_pattern; reference:md5,32f3fa6b80904946621551399be32207; classtype:trojan-activity; sid:2023354; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, malware_family Keylogger, malware_family AgentTesla, malware_family Backdoor, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftsupp .com)"; dns.query; content:"microsoftsupp.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023355; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (aljazeera-news .com)"; dns.query; content:"aljazeera-news.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023356; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ausameetings .com)"; dns.query; content:"ausameetings.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023357; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (bbc-press .org)"; dns.query; content:"bbc-press.org"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023358; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cnnpolitics .eu)"; dns.query; content:"cnnpolitics.eu"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023359; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailyforeignnews .com)"; dns.query; content:"dailyforeignnews.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023360; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailypoliticsnews .com)"; dns.query; content:"dailypoliticsnews.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023361; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defenceiq .us)"; dns.query; content:"defenceiq.us"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023362; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defencereview .eu)"; dns.query; content:"defencereview.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023363; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (diplomatnews .org)"; dns.query; content:"diplomatnews.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023364; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euronews24 .info)"; dns.query; content:"euronews24.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023365; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euroreport24 .com)"; dns.query; content:"euroreport24.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023366; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kg-news .org)"; dns.query; content:"kg-news.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023367; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (military-info .eu)"; dns.query; content:"military-info.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryadviser .org)"; dns.query; content:"militaryadviser.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryobserver .net)"; dns.query; content:"militaryobserver.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-hq .com)"; dns.query; content:"nato-hq.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023371; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-news .com)"; dns.query; content:"nato-news.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023372; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natoint .com)"; dns.query; content:"natoint.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023373; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natopress .com)"; dns.query; content:"natopress.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023374; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-info .com)"; dns.query; content:"osce-info.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023375; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-press .org)"; dns.query; content:"osce-press.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023376; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (pakistan-mofa .net)"; dns.query; content:"pakistan-mofa.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023377; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicalreview .eu)"; dns.query; content:"politicalreview.eu"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023378; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicsinform .com)"; dns.query; content:"politicsinform.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023379; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (reuters-press .com)"; dns.query; content:"reuters-press.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (shurl .biz)"; dns.query; content:"shurl.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023381; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (stratforglobal .net)"; dns.query; content:"stratforglobal.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (thediplomat-press .com)"; dns.query; content:"thediplomat-press.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023383; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (theguardiannews .org)"; dns.query; content:"theguardiannews.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023384; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (trend-news .org)"; dns.query; content:"trend-news.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023385; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unian-news .info)"; dns.query; content:"unian-news.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023386; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unitednationsnews .eu)"; dns.query; content:"unitednationsnews.eu"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (virusdefender .org)"; dns.query; content:"virusdefender.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023388; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldmilitarynews .org)"; dns.query; content:"worldmilitarynews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023389; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldpoliticsnews .org)"; dns.query; content:"worldpoliticsnews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023390; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (capisp .com)"; dns.query; content:"capisp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023391; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dataclen .org)"; dns.query; content:"dataclen.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023392; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (mscoresvw .com)"; dns.query; content:"mscoresvw.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023393; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowscheckupdater .net)"; dns.query; content:"windowscheckupdater.net"; depth:23; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023394; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (acledit .com)"; dns.query; content:"acledit.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023395; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (biocpl .org)"; dns.query; content:"biocpl.org"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023396; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; dns.query; content:"info2t.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_10_24, deployment Perimeter, malware_family AndroRAT, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ciscohelpcenter .com)"; dns.query; content:"ciscohelpcenter.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (timezoneutc .com)"; dns.query; content:"timezoneutc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (inteldrv64 .com)"; dns.query; content:"inteldrv64.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023409; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (advpdxapi .com)"; dns.query; content:"advpdxapi.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023410; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cloudflarecdn .com)"; dns.query; content:"cloudflarecdn.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023411; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (driversupdate .info)"; dns.query; content:"driversupdate.info"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kenlynton .com)"; dns.query; content:"kenlynton.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftdriver .com)"; dns.query; content:"microsoftdriver.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsofthelpcenter .info)"; dns.query; content:"microsofthelpcenter.info"; depth:24; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nortonupdate .org)"; dns.query; content:"nortonupdate.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023416; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (softwaresupportsv .com)"; dns.query; content:"softwaresupportsv.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023417; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (symantecsupport .org)"; dns.query; content:"symantecsupport.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023418; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatecenter .name)"; dns.query; content:"updatecenter.name"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023419; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatesystems .net)"; dns.query; content:"updatesystems.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023420; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updmanager .com)"; dns.query; content:"updmanager.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023421; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowsappstore .net)"; dns.query; content:"windowsappstore.net"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023422; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"securityprotectingcorp.com"; depth:26; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023658; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_03, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query"; dns.query; content:"bigdata.adups.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023515; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 5"; dns.query; content:"rebootv5.adsunflower.com"; depth:24; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023519; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .about.jkub.com)"; dns.query; content:"www.about.jkub.com"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .eleven.mypop3.org)"; dns.query; content:"www.eleven.mypop3.org"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .backus.myftp.name)"; dns.query; content:"www.backus.myftp.name"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (tibetvoices .com)"; dns.query; content:"tibetvoices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023526; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (anonym.to)"; dns.query; content:".anonym.to"; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2023597; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"microsoftfont.com"; depth:17; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023666; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"xpknpxmywqsr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023601; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bwhrdaumwuvn.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023603; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bpmsfckfkrpr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023604; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"oornsduuwjli.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023605; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kedbuffigfjs.online"; depth:19; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023632; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"srrys.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023633; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kciap.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023635; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"mziep.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023636; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"tr069.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023637; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv602 .ddns.net)"; dns.query; content:"srv602.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023642; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (updatesync .com)"; dns.query; content:"updatesync.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023643; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (svnservices .com)"; dns.query; content:"svnservices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023644; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (mynetenergy .com)"; dns.query; content:"mynetenergy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023645; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (windriversupport .com)"; dns.query; content:"windriversupport.com"; depth:20; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023646; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (truecrypte .org)"; dns.query; content:"truecrypte.org"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023647; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (edicupd002 .com)"; dns.query; content:"edicupd002.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023648; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (jourrapid .com)"; dns.query; content:"jourrapid.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023649; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (true-crypte .website)"; dns.query; content:"true-crypte.website"; depth:19; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023650; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (myrappid .com)"; dns.query; content:"myrappid.com"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023651; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice.B DNS Lookup (appexsrv .net)"; dns.query; content:"appexsrv.net"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family DealersChoice_B, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"globalresearching.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023659; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"shcserv.com"; depth:11; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023660; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobeupgradeflash.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023661; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"gpufps.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023662; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobe-flash-updates.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023663; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"versiontask.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023664; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"webcdelivery.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023665; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/SEDNIT Uploader Variant DNS Lookup"; dns.query; content:"postlkwarn.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023667; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns.query; content:"rockybalboa.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.bz"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; classtype:trojan-activity; sid:2023728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (gtranm .com)"; dns.query; content:"gtranm.com"; depth:10; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023761; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (zpfgr .com)"; dns.query; content:"zpfgr.com"; depth:9; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023762; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX Backdoor Quimitchin DNS Lookup"; dns.query; content:"eidk.hopto.org"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/; reference:md5,e4744b9f927dc8048a19dca15590660c; classtype:trojan-activity; sid:2023763; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, malware_family Quimitchin, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (webfile .myq-see.com)"; dns.query; content:"webfile.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023777; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadmyhost .zapto.org)"; dns.query; content:"downloadmyhost.zapto.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023778; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (help2014 .linkpc.net)"; dns.query; content:"help2014.linkpc.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023779; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (safara .sytes.net)"; dns.query; content:"safara.sytes.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023780; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (exportball .servegame.org)"; dns.query; content:"exportball.servegame.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023781; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (viewnet .better-than.tv)"; dns.query; content:"viewnet.better-than.tv"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023782; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (down .downloadoneyoutube.co.vu)"; dns.query; content:"down.downloadoneyoutube.co.vu"; depth:29; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023783; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (netstreamag .publicvm.com)"; dns.query; content:"netstreamag.publicvm.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023784; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (subsidiaryohio .linkpc.net)"; dns.query; content:"subsidiaryohio.linkpc.net"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (helpyoume .linkpc.net)"; dns.query; content:"helpyoume.linkpc.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023787; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadtesting .com)"; dns.query; content:"downloadtesting.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023788; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com)"; dns.query; content:"gameoolines.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023789; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (onlinesoft .space)"; dns.query; content:"onlinesoft.space"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023790; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (newphoneapp .com)"; dns.query; content:"newphoneapp.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023791; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gamestoplay .bid)"; dns.query; content:"gamestoplay.bid"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (smartsftp .pw)"; dns.query; content:"smartsftp.pw"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023793; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxysupdates .com)"; dns.query; content:"galaxysupdates.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxy-s .com)"; dns.query; content:"galaxy-s.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023795; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (datasamsung .com)"; dns.query; content:"datasamsung.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023796; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (progsupdate .com)"; dns.query; content:"progsupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023797; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (topgamse .com)"; dns.query; content:"topgamse.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (bandtester .com)"; dns.query; content:"bandtester.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023799; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (speedbind .com)"; dns.query; content:"speedbind.com"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023800; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ukgames .tech)"; dns.query; content:"ukgames.tech"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .publicvm.com)"; dns.query; content:"wallanews.publicvm.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023802; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .sytes.net)"; dns.query; content:"wallanews.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (noredirecto .redirectme.net)"; dns.query; content:"noredirecto.redirectme.net"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (dynamicipaddress .linkpc.net)"; dns.query; content:"dynamicipaddress.linkpc.net"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadlog .linkpc.net)"; dns.query; content:"downloadlog.linkpc.net"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (havan .qhigh.com)"; dns.query; content:"havan.qhigh.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023807; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (kolabdown .sytes.net)"; dns.query; content:"kolabdown.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023808; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (rotter2 .publicvm.com)"; dns.query; content:"rotter2.publicvm.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023809; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ftpserverit .otzo.com)"; dns.query; content:"ftpserverit.otzo.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE iKittens OSX MacDownloader DNS Lookup (officialswebsites .info)"; dns.query; content:"officialswebsites.info"; depth:22; nocase; endswith; fast_pattern; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:trojan-activity; sid:2023877; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family MacDownloader, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (websecuranalityc.com)"; dns.query; content:"websecuranalityc.com"; depth:20; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023894; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (liveskansys.com)"; dns.query; content:"liveskansys.com"; depth:15; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023895; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (iusacell-movil .com.mx)"; dns.query; content:"iusacell-movil.com.mx"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023898; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smsmensaje .mx)"; dns.query; content:"smsmensaje.mx"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023899; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (zkdef09i7ola.net)"; dns.query; content:"zkdef09i7ola.net"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023932; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"androidbak.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"droidback.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"endpointup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"goodydaddy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (chrome-up .date)"; dns.query; content:"chrome-up.date"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023953; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (timezone .live)"; dns.query; content:"timezone.live"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023954; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com)"; dns.query; content:"servicesystem.serveirc.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023955; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (analytics-google .org)"; dns.query; content:"analytics-google.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023956; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-adm .in)"; dns.query; content:"com-adm.in"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023957; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud)"; dns.query; content:"microsoftexplorerservices.cloud"; depth:31; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023958; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (msservice .site)"; dns.query; content:"msservice.site"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023959; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-ho .me)"; dns.query; content:"com-ho.me"; depth:9; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023960; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (ntg-sa .com)"; dns.query; content:"ntg-sa.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023961; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (briefl .ink)"; dns.query; content:"briefl.ink"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023962; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 1"; dns.query; content:"backup.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023968; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 2"; dns.query; content:"dataserver.cmonkey3.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023969; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 3"; dns.query; content:"google-helps.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023970; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 4"; dns.query; content:"kpupdate.amz80.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 5"; dns.query; content:"mail-help.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 6"; dns.query; content:"mail-issue.top"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023973; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 7"; dns.query; content:"microsoftupdating.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023974; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 8"; dns.query; content:"microsoftwww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023975; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 9"; dns.query; content:"ns1.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023976; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 10"; dns.query; content:"ns1.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 11"; dns.query; content:"ns1.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 12"; dns.query; content:"ns2.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023979; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 13"; dns.query; content:"ns2.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023980; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 14"; dns.query; content:"ns2.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023981; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 15"; dns.query; content:"qr1.3jd90dsj3df.website"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023982; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 16"; dns.query; content:"r4.microsoftupdating.org"; depth:24; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 17"; dns.query; content:"rouji.xssr.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 18"; dns.query; content:"t2z0n9.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023985; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 19"; dns.query; content:"temp.mail-issue.top"; depth:19; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 20"; dns.query; content:"time-service.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 21"; dns.query; content:"update.microsoftwww.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 22"; dns.query; content:"updatecz.mykorean.net"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023989; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 23"; dns.query; content:"uriupdate.newsbs.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023990; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 24"; dns.query; content:"wwgooglewww.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 25"; dns.query; content:"www.microsoftwww.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 26"; dns.query; content:"wwwgooglewww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023993; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 27"; dns.query; content:"zy.xssr.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023994; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FakeM SSL DNS Lookup (islamhood .net)"; dns.query; content:"islamhood.net"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2024005; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, malware_family FakeM_SSL, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com)"; dns.query; content:"63ghdye17.com"; depth:13; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020839; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_03, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (2kjb7.net)"; dns.query; content:"2kjb7.net"; depth:9; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024105; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1e100 .tech)"; dns.query; content:"1e100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024143; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1m100 .tech)"; dns.query; content:"1m100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024144; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ads-youtube .online)"; dns.query; content:"ads-youtube.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024145; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (akamaitechnology .com)"; dns.query; content:"akamaitechnology.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024146; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (alkamaihd .net)"; dns.query; content:"alkamaihd.net"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024147; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (azurewebsites .tech)"; dns.query; content:"azurewebsites.tech"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024148; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (broadcast-microsoft .tech)"; dns.query; content:"broadcast-microsoft.tech"; depth:24; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024149; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (chromeupdates .online)"; dns.query; content:"chromeupdates.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024150; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (cloudmicrosoft .net)"; dns.query; content:"cloudmicrosoft.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024151; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (dnsserv .host)"; dns.query; content:"dnsserv.host"; depth:12; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024152; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (elasticbeanstalk .tech)"; dns.query; content:"elasticbeanstalk.tech"; depth:21; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024153; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (fdgdsg .xyz)"; dns.query; content:"fdgdsg.xyz"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024154; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .net)"; dns.query; content:"jguery.net"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024155; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .online)"; dns.query; content:"jguery.online"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024156; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-ds .com)"; dns.query; content:"microsoft-ds.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024157; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-security .host)"; dns.query; content:"microsoft-security.host"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024158; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (nameserver .win)"; dns.query; content:"nameserver.win"; depth:14; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024159; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (newsfeeds-microsoft .press)"; dns.query; content:"newsfeeds-microsoft.press"; depth:25; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024160; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (owa-microsoft .online)"; dns.query; content:"owa-microsoft.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024161; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (primeminister-goverment-techcenter .tech)"; dns.query; content:"primeminister-goverment-techcenter.tech"; depth:39; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024162; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (qoldenlines .net)"; dns.query; content:"qoldenlines.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024163; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (sharepoint-microsoft .co)"; dns.query; content:"sharepoint-microsoft.co"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024164; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ssl-gstatic .online)"; dns.query; content:"ssl-gstatic.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024165; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (trendmicro .tech)"; dns.query; content:"trendmicro.tech"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024166; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns.query; content:"ntp.gtpnet.ir"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024244; rev:5; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla Snake OSX DNS Lookup (car-service .effers.com)"; dns.query; content:"car-service.effers.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/; classtype:targeted-activity; sid:2024271; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family Snake, performance_impact Low, signature_severity Critical, tag APT, tag RUAPT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.B DNS Lookup"; dns.query; content:"handbrake.biz"; depth:13; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x1D.html; classtype:trojan-activity; sid:2024284; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family OSX_Proton, performance_impact Low, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla SHIRIME DNS Lookup"; dns.query; content:"tnsc.webredirect.org"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; classtype:targeted-activity; sid:2024286; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family SHIRIME, performance_impact Low, tag APT, tag 0day, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (fkksjobnn43 . org)"; dns.query; content:"fkksjobnn43.org"; depth:15; fast_pattern; endswith; nocase; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024289; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"check.paidprefund.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024330; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"syn.timeizu.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024331; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"blog.docksugs.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024332; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"news.lightpress.info"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024333; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"mobile.pagmobiles.info"; depth:22; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024334; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (orhangazitur . com)"; dns.query; content:"orhangazitur.com"; depth:16; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024339; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT SUSPICIOUS DNS Request for Grey Advertising Often Leading to EK"; dns.query; content:"roughted.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024349; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (secure-access10 .mx)"; dns.query; content:"secure-access10.mx"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024405; rev:5; metadata:created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (network190 .com)"; dns.query; content:"network190.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024406; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mymensaje-sms .com)"; dns.query; content:"mymensaje-sms.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024407; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smscentro .com)"; dns.query; content:"smscentro.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024408; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ideas-telcel .com.mx)"; dns.query; content:"ideas-telcel.com.mx"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024409; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (twiitter .com.mx)"; dns.query; content:"twiitter.com.mx"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024410; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (resume .immigrantlol .com)"; dns.query; content:"resume.immigrantlol.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024458; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (job .yoyakuweb .technology)"; dns.query; content:"job.yoyakuweb.technology"; depth:24; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024457; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (vps2java .securitytactics .com)"; dns.query; content:"vps2java.securitytactics.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024456; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (macos .exoticlol .com)"; dns.query; content:"macos.exoticlol.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024459; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (css .google-statics .com)"; dns.query; content:"css.google-statics.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024460; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Fenrir Ransomware CnC Domain"; dns.query; content:"fenrir-ransomware.000webhostapp.com"; depth:35; nocase; endswith; fast_pattern; reference:md5,a5ecf27bfab7fbb1ace3ec9a390b23bd; classtype:command-and-control; sid:2024467; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Fenrir, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpres.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024472; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024473; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.org"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024474; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpross.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024475; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"datalink.one"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"secuerserver.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024477; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"vnews.hk"; depth:8; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024479; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (v5t5z6a55ksmt3oh)"; dns.query; content:".v5t5z6a55ksmt3oh"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024491; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (ojdue4474qghybjb)"; dns.query; content:".ojdue4474qghybjb"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024492; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 1 (winupdate64 . com)"; dns.query; content:"winupdate64.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; dns.query; content:"twiter.statics.info"; depth:19; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"cloudflare.analyse.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:targeted-activity; sid:2024497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Tunneling (microsoft-publisher . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"microsoft-publisher.com"; depth:23; nocase; endswith; fast_pattern; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024504; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category TROJAN, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Reborn/Ovidiy Stealer CnC Domain"; dns.query; content:"stealur.info"; depth:12; nocase; endswith; fast_pattern; reference:md5,4daca05b0015efeaacebc58d007c32c4; classtype:command-and-control; sid:2024506; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_31, deployment Perimeter, former_category MALWARE, malware_family Reborn_Stealer, malware_family Ovidiy_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; dns.query; content:"updatmaster.top"; depth:15; fast_pattern; endswith; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"coffeinoffice.xyz"; depth:17; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024488; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"french-cooking.com"; depth:18; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024487; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac DNS Query Observed"; dns.query; content:"api.mughthesec.com"; depth:18; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2024529; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac Rogue Search Engine DNS Query Observed"; dns.query; content:"default27061330-a.akamaihd.net"; depth:30; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:2024530; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 1"; dns.query; content:"nylalobghyhirgh.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024588; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 2"; dns.query; content:"ribotqtonut.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024589; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 3"; dns.query; content:"jkvmdmjyfcvkf.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024590; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 4"; dns.query; content:"bafyvoruzgjitwr.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024591; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 5"; dns.query; content:"xmponmzmxkxkh.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024592; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 6"; dns.query; content:"tczafklirkl.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024593; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 7"; dns.query; content:"notped.com"; depth:10; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 8"; dns.query; content:"dnsgogle.com"; depth:12; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024595; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 9"; dns.query; content:"operatingbox.com"; depth:16; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024596; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 10"; dns.query; content:"paniesx.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 11"; dns.query; content:"techniciantext.com"; depth:18; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024598; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; dns.query; content:"axclick.store"; depth:13; fast_pattern; endswith; nocase; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_WireX, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT12 THREEBYTE DNS Lookup"; dns.query; content:"bsksac.au-syd.mybluemix.net"; depth:27; nocase; endswith; fast_pattern; reference:url,blog.macnica.net/blog/2017/08/post-fb81.html; classtype:targeted-activity; sid:2024619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category MALWARE, malware_family THREEBYTE, performance_impact Low, signature_severity Major, tag APT, tag APT12, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Lookup (msoffice-cdn . com)"; dns.query; content:"msoffice-cdn.com"; depth:16; nocase; endswith; fast_pattern; reference:md5,812d3c4fddf9bb81d507397345a29bb0; reference:url,www.clearskysec.com/ismagent/; classtype:trojan-activity; sid:2024620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (soligro . com)"; dns.query; content:"soligro.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024641; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (mydreamhoroscope . com)"; dns.query; content:"mydreamhoroscope.com"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024642; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4pay.com)"; dns.query; content:".tor4pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020126; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torminater.com)"; dns.query; content:".torminater.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020133; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.city)"; dns.query; content:".onion.city"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020430; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgate.es)"; dns.query; content:".torgate.es"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022644; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Zloader CnC Domain Detected"; dns.query; content:".chinaandkoreacriminalaffairs"; fast_pattern; endswith; nocase; reference:md5,7a57fcc1afab791f9995fbc479fe340e; classtype:command-and-control; sid:2024680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"lookingpersonals.top"; depth:20; fast_pattern; endswith; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (chromup)"; dns.query; content:"chromup.com"; depth:11; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024730; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (securityupdated)"; dns.query; content:"securityupdated.com"; depth:19; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor / NanoCore CnC (microsoftupdated)"; dns.query; content:"microsoftupdated.net"; depth:20; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024733; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (syn.broadcaster)"; dns.query; content:"syn.broadcaster.rocks"; depth:21; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024734; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; dns.query; content:"b1k51.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; dns.query; content:"b1j3aas.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; dns.query; content:"wechaatt.gdn"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; dns.query; content:"10as05.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; dns.query; content:"ch0ck4.life"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; dns.query; content:"fatur1s.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; dns.query; content:"b5k31.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; dns.query; content:"erd0.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; dns.query; content:"b1v2a5.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; dns.query; content:"b1502b.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; dns.query; content:"elsssee.gdn"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; dns.query; content:"kvp41.life"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; dns.query; content:"servertestapi.ltd"; depth:17; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; dns.query; content:"taxii.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; dns.query; content:"p0w3r.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; dns.query; content:"4r3a.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (googlmail)"; threshold: type both, track by_src, count 1, seconds 5; dns.query; content:"googlmail.net"; depth:13; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS request for Monero mining pool"; dns.query; content:"pool.minexmr.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2017_09_monero_malware.txt; reference:url,www.welivesecurity.com/2017/09/28/monero-money-mining-malware/; classtype:trojan-activity; sid:2024789; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 1"; dns.query; content:"download.ns360.info"; depth:19; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 2"; dns.query; content:"update.craftx.biz"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 3"; dns.query; content:"mozilla.tftpd.net"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 4"; dns.query; content:"checkupdates.flashserv.net"; depth:26; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; dns.query; content:"secure.netsolhost.com"; depth:21; nocase; endswith; fast_pattern; classtype:social-engineering; sid:2022136; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"ssrsec.com"; depth:10; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024854; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"sqlmapff.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024856; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"outerlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024858; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"microsoftsec.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024860; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"martianlol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024862; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"dnslog.mobi"; depth:11; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024865; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"alienlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024867; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"yoyakuweb.technology"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024869; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"exoticlol.com"; depth:13; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024870; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-statics .com)"; dns.query; content:"google-statics.com"; depth:18; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024871; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-searching .com)"; dns.query; content:"google-searching.com"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024872; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"awsstatics.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024873; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"immigrantlol.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024874; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M1"; dns.query; content:"hl852.com"; depth:9; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024921; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M2"; dns.query; content:"hl859.com"; depth:9; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024922; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M3"; dns.query; content:"hi8520.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024923; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (myhomemusic. com)"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023022; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, former_category TROJAN, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:command-and-control; sid:2022842; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious e5b57288.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"e5b57288.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023229; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 33db9538.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"33db9538.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023227; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 9507c4e8.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"9507c4e8.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023228; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 54dfa1cb.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"54dfa1cb.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023230; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; dns.query; content:"inter-ctrip.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.forcepoint.com/blog/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Lookup of Malware Domain twothousands.cm Likely Infection"; dns.query; content:"twothousands.cm"; depth:15; fast_pattern; endswith; nocase; classtype:pup-activity; sid:2012176; rev:6; metadata:created_at 2011_01_13, former_category ADWARE_PUP, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; dns.query; content:"startupfraction.com"; depth:19; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024722; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (search.feedvertizus)"; dns.query; content:"search.feedvertizus.com"; depth:23; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (opurie)"; dns.query; content:"opurie.com"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024725; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query Targeted Tibetan Android Malware C2 Domain"; dns.query; content:"android.uyghur.dnsd.me"; depth:22; nocase; fast_pattern; endswith; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:command-and-control; sid:2016711; rev:7; metadata:created_at 2013_04_04, former_category MOBILE_MALWARE, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a .tk domain - Likely Hostile"; dns.query; content:".tk"; fast_pattern; nocase; endswith; content:!"www.google.tk"; classtype:bad-unknown; sid:2012811; rev:7; metadata:created_at 2011_05_15, former_category DNS, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; dns.query; content:".29a.de"; nocase; fast_pattern; endswith; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.29a\.de$/"; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:5; metadata:created_at 2015_07_15, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Maldoc CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/software-protection/app.php"; startswith; fast_pattern; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:url,blog.telsy.com/zebrocy-dropbox-remote-injection/; classtype:targeted-activity; sid:2027939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http.request_body; content:"{|22|device_id|22 3a 22|"; depth:14; fast_pattern; http.accept_lang; content:"zh-CN"; depth:5; endswith; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".serveo.net"; nocase; endswith; classtype:policy-violation; sid:2027942; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".pagekite.net"; nocase; endswith; classtype:policy-violation; sid:2027943; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Australia Bank Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Yes="; depth:4; nocase; content:"&PRIMARY_CUR_TYPE_CODE="; nocase; distance:0; fast_pattern; content:"&PRIMARY_PRV_APT_NUM="; nocase; distance:0; content:"&PRIMARY_PRV_STREET_NUM="; nocase; distance:0; content:"&PRIMARY_PRV_STREET_NAME="; nocase; distance:0; content:"&PRIMARY_PRV_STATE="; nocase; distance:0; content:"&PRIMARY_PRV_POST_CODE="; nocase; distance:0; content:"&APP_NAB_PRI_PRV_COUNTRY="; nocase; distance:0; content:"&PRIMARY_PRV_MTHS_AT_RES.year="; nocase; distance:0; content:"&PRIMARY_PRV_MTHS_AT_RES.month="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp_month="; nocase; distance:0; content:"&exp_year="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032721; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Laturo Stealer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.header; content:"Os|3a 20|WIN_"; nocase; fast_pattern; content:"Hwid|3a 20|"; nocase; content:"Elevated|3a 20|"; nocase; content:"Arch|3a 20|"; nocase; content:"Special|3a 20|"; nocase; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,06a1eaa62d8de97aec8a151f2ca6569b; classtype:command-and-control; sid:2027944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, malware_family Laturo, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Cloudflare DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2027671; rev:5; metadata:created_at 2019_07_03, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"venoxcontrol.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"okonewacon.com"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"bigtext.club"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"blackempirebuild.com"; nocase; depth:20; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027949; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"clubhouse.site"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027950; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"nxtfdata.xyz"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027951; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"lienews.world"; nocase; depth:13; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027952; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"phonemus.net"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027953; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"takebad1.com"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http any any -> any any (msg:"ET MALWARE HTTP Request for Possible ELF/LiLocked Ransomware Note"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"README.lilocked"; fast_pattern; endswith; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027967; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, malware_family LiLocked, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Generic Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/start_cache1.php"; fast_pattern; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027969; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"r=register_shutdown_function"; startswith; fast_pattern; content:"&d="; distance:0; content:"&s="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027970; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/svchost.exe"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2016696; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious explorer.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/explorer.exe"; nocase; endswith; fast_pattern; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious winlogin.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/winlogon.exe"; nocase; endswith; fast_pattern; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious services.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/services.exe"; nocase; endswith; fast_pattern; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious smss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/smss.exe"; nocase; endswith; fast_pattern; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious csrss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/csrss.exe"; nocase; fast_pattern; endswith; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious rundll32.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/rundll32.exe"; nocase; fast_pattern; endswith; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious lsass.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/lsass.exe"; nocase; endswith; fast_pattern; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-pre.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:domain-c2; sid:2028567; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-can.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:domain-c2; sid:2028568; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception Group CnC Observed in DNS Query (ms-check-new-update .com)"; dns.query; content:"ms-check-new-update.com"; nocase; endswith; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Absent)"; flow:established,to_server; http.user_agent; content:"Absent"; depth:6; endswith; classtype:bad-unknown; sid:2028571; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Maldoc CnC Checkin"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"relay=y"; startswith; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Connection"; content:!"Accept"; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028569; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=suport.worldupdate.site"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=full.devinelive.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"suport.worldupdate.site"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028586; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"full.devinelive.top"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"roundworld.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"postnews.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"fstyline.xyz"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"weekdanys.com"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-09-17 1)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=dapoerwedding.com"; endswith; fast_pattern; reference:url,twitter.com/jeFF0Falltrades/status/1173300902242988032; reference:md5,db51f2715c81c4357d11d69ac96bf582; classtype:domain-c2; sid:2028596; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028606; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"nexcesscdh.net"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028607; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"ossmaxcdn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028608; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028609; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-order.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028610; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BundledInstaller PUA/PUP Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.host; content:"down.freefullversion.org"; depth:24; fast_pattern; reference:md5,8edee795e16433717eab784938060198; classtype:pup-activity; sid:2028613; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_09_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".online"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".club"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Facebook Phishing Domain in DNS Lookup"; dns.query; content:"www.oitunmy.com"; nocase; depth:15; endswith; reference:url,twitter.com/bomccss/status/1175173176596152320; classtype:credential-theft; sid:2028616; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bsodsupport.icu"; nocase; endswith; classtype:domain-c2; sid:2028614; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"en-content.com"; nocase; endswith; pcre:"/(?:^|\.)en-content\.com$/"; classtype:domain-c2; sid:2028615; rev:3; metadata:created_at 2019_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/HMH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asmx/GetUpdate?val="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; classtype:command-and-control; sid:2028617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/GMERA.A CnC Domain (appstockfolio .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"appstockfolio.com"; depth:17; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:domain-c2; sid:2028619; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=skillsnew.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (cmyip.com in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"cmyip.com"; fast_pattern; endswith; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:9; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"windsecdown.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"downloadsecurity.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"tratatata.space"; nocase; endswith; reference:md5,e5eeb5560fcea89abdfb3ea8ec2091ec; classtype:command-and-control; sid:2028640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"rmedia15.ru"; nocase; endswith; reference:md5,3f9f8a007ad6982b14fb74d4583bdd4b; classtype:command-and-control; sid:2028641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".connectioncdn.com"; nocase; endswith; classtype:trojan-activity; sid:2028649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_04, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; http.uri; content:"/ServiceDefinition"; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; classtype:attempted-recon; sid:2008628; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Esion CnC Checkin"; flow:established,to_server; http.uri; content:"/bot/gate.php"; fast_pattern; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2; classtype:command-and-control; sid:2013211; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; http.header; content:"myip.ozymo.com"; fast_pattern; nocase; classtype:external-ip-check; sid:2013217; rev:4; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; http.uri; content:"/upload/UploadFiles.aspx?askId="; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; http.user_agent; content:"REBATEINF"; fast_pattern; startswith; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:4; metadata:created_at 2011_12_20, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iebar Spyware User Agent (iebar)"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"|3b 20|iebar"; fast_pattern; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Ixeshe"; flow:to_server,established; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|"; nocase; http.uri; content:"/ym/Attachments?YY="; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:7; metadata:created_at 2012_03_22, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 1"; flow:established,to_server; urilen:10; http.method; content:"GET"; nocase; http.uri; content:"/support/s"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; classtype:command-and-control; sid:2014855; rev:5; metadata:created_at 2012_06_05, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"type="; content:"lien_2="; fast_pattern; nocase; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:7; metadata:created_at 2011_09_19, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; http.uri; content:"~1"; fast_pattern; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:5; metadata:created_at 2012_07_04, updated_at 2020_09_17;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; http.uri; content:"/net/?u="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.0)"; startswith; http.host; content:"net"; startswith; content:"net.net"; distance:2; within:7; endswith; pcre:"/^net[0-4]{2}net\.net$/i"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; http.user_agent; content:"PTX"; endswith; fast_pattern; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:6; metadata:created_at 2011_10_19, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; http.user_agent; content:"w3af.sf.net"; fast_pattern; classtype:attempted-recon; sid:2015484; rev:4; metadata:created_at 2012_07_18, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; http.uri; content:"/tuner/?StationId="; fast_pattern; http.header; content:"tunein.com|0d 0a|"; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:4; metadata:created_at 2012_07_18, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla  com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jeformcr"; fast_pattern; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bsadv"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_mailchimpccnewsletter"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lile.A DoS Outbound"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.header; content:"UserAgent|3a|"; content:"Windows 98"; fast_pattern; http.host; content:"www.fbi.gov"; startswith; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:5; metadata:created_at 2012_08_07, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sutra TDS /simmetry"; flow:to_server,established; http.uri; content:"/simmetry?"; fast_pattern; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:exploit-kit; sid:2015593; rev:4; metadata:created_at 2012_08_09, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; http.uri; content:"/spl_data/"; fast_pattern; http.header; content:"|20|Java/"; classtype:exploit-kit; sid:2015603; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/uid.php"; fast_pattern; reference:md5,3ccc73f049a1de731baf7ea8915c92a8; reference:md5,91ce41376a5b33059744cb58758213bb; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:md5,21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015623; rev:4; metadata:created_at 2012_08_14, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; http.uri; content:"/go.php?sid="; fast_pattern; classtype:trojan-activity; sid:2015675; rev:5; metadata:created_at 2012_09_05, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploadify.php"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:4; metadata:created_at 2012_09_08, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; http.uri; content:"/1."; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//"; classtype:exploit-kit; sid:2015693; rev:4; metadata:created_at 2012_09_11, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2015695; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; http.uri; content:"/login.uix"; fast_pattern; nocase; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:7; metadata:created_at 2010_09_23, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; http.uri; content:"/iLog.php?dl="; fast_pattern; content:"&log="; http.user_agent; content:"IE"; startswith; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:command-and-control; sid:2013534; rev:9; metadata:created_at 2011_09_03, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; http.uri; content:"ch=1"; fast_pattern; pcre:"/ch=1$/"; http.request_body; content:"ch=1"; depth:4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:md5,99fab94fd824737393f5184685e8edf2; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; classtype:command-and-control; sid:2015799; rev:8; metadata:created_at 2012_10_13, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; urilen:39; http.method; content:"POST"; http.uri; content:"/?ptrxcz_"; fast_pattern; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:command-and-control; sid:2015807; rev:5; metadata:created_at 2012_10_05, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fujacks Activity"; flow:to_server,established; http.header; content:".whboy.net|0d 0a|"; nocase; fast_pattern; http.user_agent; content:"QQ"; bsize:2; classtype:trojan-activity; sid:2015814; rev:14; metadata:created_at 2012_10_18, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 9"; nocase; fast_pattern; classtype:trojan-activity; sid:2015822; rev:5; metadata:created_at 2012_10_19, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot initial checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?ver="; content:"&p=cert123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015854; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot checkin"; flow:to_server,established; http.uri; content:".php?ver="; content:"&p=bot123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015855; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 2"; nocase; fast_pattern; classtype:trojan-activity; sid:2015899; rev:5; metadata:created_at 2012_11_20, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 3"; nocase; fast_pattern; classtype:trojan-activity; sid:2015900; rev:6; metadata:created_at 2012_11_20, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; http.uri; content:".php?x=img&img="; fast_pattern; classtype:web-application-activity; sid:2015926; rev:4; metadata:created_at 2012_11_24, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; http.uri; content:"/sftp-config.json"; fast_pattern; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:4; metadata:created_at 2012_11_27, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; http.uri; content:"/core/Loader.php?"; fast_pattern; nocase; content:"g="; content:"s="; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:5; metadata:created_at 2012_11_28, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing URL"; flow:established,to_server; http.uri; content:".php?dentesus=208779"; fast_pattern; classtype:exploit-kit; sid:2015964; rev:13; metadata:created_at 2012_11_30, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; http.uri; content:"/js/java.js"; fast_pattern; http.host; content:"."; offset:2; depth:1; pcre:"/^[a-z]{2}\./"; classtype:exploit-kit; sid:2015982; rev:4; metadata:created_at 2012_12_04, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/admin/admin_header.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:5; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/ajax_list_tree.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:4; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/previews_functions.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:4; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dispatch.php?"; nocase; content:"atkaction=search"; fast_pattern; nocase; content:"atknodetype="; nocase; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/consulta_fact.php?"; nocase; fast_pattern; content:"fact_num="; nocase; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newinventario.php?"; nocase; fast_pattern; content:"sn="; nocase; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newtransact.php?"; nocase; fast_pattern; content:"ref="; nocase; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeBot grab data plaintext"; flow:established,to_server; http.request_body; content:"cmd=grab&data="; fast_pattern; content:"&login="; classtype:trojan-activity; sid:2016011; rev:6; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/hava_user.php?"; nocase; fast_pattern; content:"userId="; nocase; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"module="; nocase; content:"view="; nocase; content:"having="; nocase; fast_pattern; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ssi_examples.php?"; nocase; fast_pattern; content:"view="; nocase; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/group/members.php?"; nocase; fast_pattern; content:"id="; nocase; content:"query="; nocase; pcre:"/query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,securityfocus.com/bid/56718; classtype:web-application-attack; sid:2016156; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/up.php?del="; nocase; fast_pattern; content:"del="; nocase; reference:url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html; classtype:web-application-attack; sid:2016198; rev:5; metadata:created_at 2013_01_12, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/run1/pr.php?p1="; fast_pattern; content:"&p2="; content:"&id="; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016206; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H work_troy.php CnC Request"; flow:established,to_server; http.uri; content:"/work_troy.php?id="; fast_pattern; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016207; rev:5; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload"; flow:established,to_server; http.uri; content:"/pir/bfg.php?dll="; fast_pattern; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2016208; rev:5; metadata:created_at 2013_01_15, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_collector"; nocase; fast_pattern; content:"view="; nocase; reference:url,exploit-db.com/exploits/24228/; classtype:web-application-attack; sid:2016288; rev:5; metadata:created_at 2013_01_25, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible JDB Exploit Kit Class Request"; flow:established,to_server; http.uri; content:"/jdb/"; nocase; content:".class"; nocase; pcre:"/\/jdb\/[^\/]+\.class$/i"; http.header; content:"|20|Java/1"; fast_pattern; classtype:exploit-kit; sid:2016308; rev:8; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; http.uri; content:"/lib/adobe.php?id="; nocase; fast_pattern; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/i"; classtype:exploit-kit; sid:2016310; rev:7; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Pattern"; flow:established,to_server; http.uri; content:"/i.php?token="; fast_pattern; nocase; pcre:"/\/i.php?token=[a-z0-9]+$/i"; classtype:exploit-kit; sid:2015998; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Beebus HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/s/asp?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3B 20 29 0D 0A|"; startswith; reference:url,blog.fireeye.com/research/2013/02/operation-beebus.html; classtype:command-and-control; sid:2016342; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; http.uri; content:"/jerk.cgi?"; fast_pattern; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016352; rev:4; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Secondary Landing"; flow:established,to_server; http.uri; content:".js"; pcre:"/^[a-z]+\.js$/"; http.referer; content:"/i.html"; fast_pattern; pcre:"/^(\?[^=]{1,10}=[^&\r\n]{100,})?$/Ri"; classtype:exploit-kit; sid:2016347; rev:8; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; http.user_agent; content:"<?php"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; http.user_agent; content:"base64_decode("; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; http.uri; content:"/forum/images.php?id"; nocase; fast_pattern; http.user_agent; content:"Mozilla/6"; depth:9; content:"|20|MSIE|20|"; distance:0; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:7; metadata:created_at 2013_02_19, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBeplay Downloading Design"; flow:established,to_server; http.uri; content:".CAB.bin"; fast_pattern; pcre:"/[a-z]{2}\.CAB.bin/"; http.header; content:"|20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)|0d 0a|"; classtype:trojan-activity; sid:2016489; rev:6; metadata:created_at 2013_02_22, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw CnC Configuration File Request"; flow:established,to_server; http.uri; content:"&id="; content:"&inst="; content:"&net"; content:"&cmd=cfg"; fast_pattern; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016508; rev:4; metadata:created_at 2013_02_27, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; http.uri; content:"/send.php?a_id="; content:"&telno="; fast_pattern; content:"&m_addr="; http.user_agent; content:"Android"; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:command-and-control; sid:2014161; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Exploit Request"; flow:established,to_server; http.uri; content:"/module.php?e="; fast_pattern; pcre:"/\.php\?e=[^&]+?$/"; classtype:exploit-kit; sid:2016523; rev:4; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"receipt="; nocase; fast_pattern; pcre:"/\.php\?(print_)?receipt=(s00|\d{3})_\d+$/i"; classtype:trojan-activity; sid:2016359; rev:5; metadata:created_at 2013_02_07, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LetsGo.APT Sleep CnC Beacon"; flow:established,to_server; http.uri; pcre:"/\.html\?[0-9]{10}$/"; http.user_agent; content:"sleep|20|"; fast_pattern; startswith; pcre:"/^sleep \d+[\r\x2c]/"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html; classtype:targeted-activity; sid:2016568; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; http.uri; content:"/news/show.asp?id1="; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1"; startswith; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016572; rev:4; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; http.uri; content:"/RegistUid.asp"; fast_pattern; nocase; content:"?pid="; nocase; content:"&cid="; nocase; content:"&imei="; nocase; content:"&sim="; nocase; content:"&imsi="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/usr/bin/perl"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/bin/sh"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8; metadata:created_at 2010_09_28, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Galock Ransomware Check-in"; flow:established,to_server; http.uri; content:"&os="; content:"&hostname="; content:"&codepage="; content:"&account"; http.header; content:"|3a 20|Mozilla/4.1|20|"; fast_pattern; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"error in your SQL syntax"; fast_pattern; classtype:bad-unknown; sid:2016672; rev:4; metadata:created_at 2013_03_27, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"svchost.exe"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.01|3b 20|Windows NT 5.0)"; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:command-and-control; sid:2016707; rev:6; metadata:created_at 2013_04_01, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Data Exfiltration POST to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adserv/get.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016727; rev:4; metadata:created_at 2013_04_05, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/adserv/logo.jpg"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016728; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"&os="; content:"&bot_id="; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Activity"; flow:established,to_server; http.uri; content:".php?id="; content:"&gr"; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity 2"; flow:established,to_server; http.uri; content:"param="; content:"&socksport="; content:"&httpport="; fast_pattern; content:"&uptime"; content:"&uid="; content:"&ver="; reference:md5,e787c4437ff67061983cd08458f71c94; reference:md5,1777f0ffa890ebfcc7587957f2d08dca; reference:md5,d86b9eaf9682d60cb8b928dc6ac40954; reference:url,doc.emergingthreats.net/2002929; reference:md5,0995ecb8bb78f510ae995a50be0c351a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; classtype:trojan-activity; sid:2002929; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PDF - Acrobat Enumeration - pdfobject.js"; flow:established,to_server; http.uri; content:"/pdfobject.js"; fast_pattern; classtype:misc-activity; sid:2016765; rev:4; metadata:created_at 2013_04_18, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; http.user_agent; content:"BitCoin"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:coin-mining; sid:2013457; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|AMD-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aAMD-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:9; metadata:created_at 2012_10_13, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|INT-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aINT-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:10; metadata:created_at 2012_10_13, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO myobfuscate.com Encoded Script Calling home"; flow:to_server,established; http.uri; content:"/?getsrc="; content:"&url="; http.header; content:"api.myobfuscate.com|0d|"; nocase; fast_pattern; classtype:misc-activity; sid:2016802; rev:6; metadata:created_at 2013_05_01, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos Connectivity Check"; flow:established,to_server; http.uri; content:"/uploading/id="; fast_pattern; http.uri.raw; pcre:"/^\/uploading\/id=\d{2,20}&u=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:misc-activity; sid:2016800; rev:8; metadata:created_at 2013_05_01, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cookies/Cookiebag Checkin"; flow:to_server,established; http.uri; content:"/indexs.zip"; fast_pattern; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:command-and-control; sid:2016808; rev:4; metadata:created_at 2013_05_02, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Activity"; flow:established,to_server; http.uri; content:".php?version="; fast_pattern; content:"&user="; content:"&server="; content:"&crc="; pcre:"/user=[a-f0-9]{31,32}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6; metadata:created_at 2012_02_24, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Zusy.45802 Checkin"; flow:to_server,established; http.uri; content:".php?uid="; fast_pattern; content:"&affid="; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; pcre:"/^$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2016816; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Fake Opera 10 User-Agent"; flow:established,to_server; http.user_agent; content:"Opera/10|20|"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:2016823; rev:6; metadata:created_at 2013_05_04, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A CnC"; flow:established,to_server; http.uri; content:"/favicon.iso?"; fast_pattern; reference:url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:command-and-control; sid:2016850; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; http.uri; content:"|2f|crx|2f|blobs"; nocase; fast_pattern; http.user_agent; content:"|20|Chrome/"; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:5; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger Checkin"; flow:established,to_server; http.uri; content:".php?fol="; fast_pattern; content:"&ac="; content:"AVs"; content:"OS"; content:"SystemDT"; content:"AppVersion"; content:"DropPath"; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016861; rev:4; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; http.uri; content:"/hyper/fm.php?tp=in"; fast_pattern; content:"&tg="; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016863; rev:4; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; http.uri; content:"/wakeup/access.php"; fast_pattern; http.user_agent; content:"UPHTTP"; depth:6; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016864; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Firefox Plugin install"; flow:to_server,established; http.uri; content:".xpi"; nocase; fast_pattern; endswith; http.user_agent; content:"|20|Firefox/"; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:2016846; rev:6; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registering Client"; flow:established,to_server; http.uri; content:"/gate.php?reg="; fast_pattern; pcre:"/\/gate\.php\?reg=(?:[a-z]{10}|[A-Za-z]{15})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016899; rev:6; metadata:created_at 2013_05_21, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Briba CnC POST Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index"; depth:6; content:".asp"; distance:9; within:4; http.header; content:"Content-Length|3a 20|00"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.host; content:"update.microsoft.com"; startswith; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:command-and-control; sid:2016911; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; http.uri; content:"/smadstat.php?mac="; fast_pattern; content:"&key="; content:"&name="; content:"&os="; content:"&build="; content:"&old="; content:"&comp="; http.user_agent; content:"Smart-RTP"; depth:9; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:md5,a80f33c94c44556caa2ef46cd5eb863c; classtype:command-and-control; sid:2016914; rev:5; metadata:created_at 2013_05_23, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; http.uri; content:"xwork"; nocase; content:"MethodAccessor"; nocase; content:"denyMethodExecution"; nocase; fast_pattern; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:4; metadata:created_at 2013_05_24, updated_at 2020_09_18;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; http.header; content:"chunked"; nocase; fast_pattern; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/i"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:8; metadata:created_at 2013_05_23, former_category WEB_SERVER, updated_at 2020_09_18;)
+
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] ![139,445] (msg:"ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+
+alert tcp-pkt any any -> any any (msg:"ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)"; flow:established,to_server; content:"|05 00 0B|"; depth:3; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 cf fb|"; distance:0; flowbits:set,dcerpc.rpcnetlogon; flowbits:noalert; reference:cve,2020-1472; classtype:misc-activity; sid:2030888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_18, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+
+#alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; content:"|05 00 00|"; depth:3; content:"|1a 00|"; distance:19; within:3; content:"|00 00 00 00 00 00 00 00|"; isdataat:!5,relative; threshold:type both, track by_src, seconds 60, count 3; reference:cve,2020-1472; classtype:attempted-admin; sid:2030889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; http.uri; content:"LOAD_FILE("; nocase; fast_pattern; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; http.host; content:".net78.net"; endswith; fast_pattern; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:4; metadata:created_at 2013_05_30, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Trup.CX Checkin 1"; flow:to_server,established; http.uri; content:"/sms/do|2e|php?userid="; nocase; fast_pattern; content:"&time="; nocase; content:"&msg="; nocase; content:"&pauid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE; classtype:command-and-control; sid:2016951; rev:7; metadata:created_at 2011_03_14, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"AuthenticAMD|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:12; metadata:created_at 2013_06_01, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"GenuineIntel|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:13; metadata:created_at 2013_06_01, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; http.uri; content:"allow_url_include"; fast_pattern; pcre:"/\ballow_url_include\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; http.uri; content:"safe_mode"; fast_pattern; pcre:"/\bsafe_mode\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; http.uri; content:"open_basedir"; fast_pattern; pcre:"/\bopen_basedir\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:6; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; http.uri; content:"auto_prepend_file"; fast_pattern; pcre:"/\bauto_prepend_file\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; http.uri; content:"suhosin.simulation"; fast_pattern; pcre:"/\bsuhosin\.simulation\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:6; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; http.uri; content:"disable_functions"; fast_pattern; pcre:"/\bdisable_functions[\s\+]*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:7; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Travnet.A Checkin"; flow:to_server,established; http.uri; content:".asp?hostid="; content:"&hostname="; content:"&hostip="; content:"&filename="; content:"&filestart="; content:"&filetext=begin|3a 3a|"; fast_pattern; pcre:"/\?hostid=[0-9A-F]+?&/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:command-and-control; sid:2016968; rev:7; metadata:created_at 2013_03_01, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tobfy.S"; flow:established,from_client; http.uri; content:"/upload/img.jpg"; fast_pattern; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:6; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; http.request_body; content:"xp_cmdshell"; nocase; fast_pattern; classtype:bad-unknown; sid:2017010; rev:5; metadata:created_at 2013_06_13, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TripleNine RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/999"; fast_pattern; bsize:4; http.header; content:".0|0d 0a|Host"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2017021; rev:7; metadata:created_at 2013_06_15, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor"; flow:established,to_server; http.user_agent; content:"SEX/1"; nocase; fast_pattern; startswith; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017026; rev:4; metadata:created_at 2013_06_18, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; http.method; content:"GET"; nocase; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/"; http.header; content:"User-Agent|3a|"; depth:11; http.user_agent; content:"|20|MSIE 6.0|3b|"; content:".NET CLR 1.1.4322"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:targeted-activity; sid:2017036; rev:5; metadata:created_at 2013_06_20, former_category MALWARE, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; http.uri; content:".php?ver="; content:"&cver="; fast_pattern; content:"&id="; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:7; metadata:created_at 2010_10_25, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (5)"; flow:established,to_server; http.uri; content:".txt?e="; nocase; fast_pattern; pcre:"/\.txt\?e=\d+(?:&[fh]=\d+)?$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016414; rev:10; metadata:created_at 2013_02_16, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; http.uri; content:"/?wps="; depth:6; fast_pattern; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017068; rev:4; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect to DotkaChef EK Landing"; flow:established,from_server; http.stat_code; content:"302"; http.location; pcre:"/^[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/i"; http.header; content:".js?cp="; fast_pattern; classtype:exploit-kit; sid:2017077; rev:5; metadata:created_at 2013_06_29, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; http.uri; content:".asp?action="; nocase; fast_pattern; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(?:&|$)/i"; classtype:trojan-activity; sid:2017091; rev:4; metadata:created_at 2013_07_02, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Possible Redkit 1-4 char JNLP request"; flow:established,to_server; urilen:<11; http.uri; content:".jnlp"; endswith; nocase; fast_pattern; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; classtype:exploit-kit; sid:2016811; rev:8; metadata:created_at 2013_05_03, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; http.uri; content:"|0D 0A|"; fast_pattern; pcre:"/[\n\r](?:content-(?:type|length)|set-cookie|location)\x3a/i"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:5; metadata:created_at 2013_07_13, updated_at 2020_09_18;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Compromise svchost.jpg Beacon - Java  Zeroday"; flow:established,to_server; http.uri; content:"/svchost.jpg"; fast_pattern; http.user_agent; content:"Java/1."; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; http.uri; content:"/vw.php?i="; fast_pattern; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:8; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit JAR Download"; flow:established,to_server; http.uri; content:".php?id="; nocase; pcre:"/\.php\?id=[a-f0-9]{32}$/i"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016309; rev:9; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; http.uri; content:"/Java-SPLOIT.jar"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016521; rev:7; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Loader default URI struct"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pony"; fast_pattern; content:"/gate.php"; nocase; classtype:trojan-activity; sid:2017065; rev:6; metadata:created_at 2013_06_25, former_category CURRENT_EVENTS, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay.P Ransomware"; flow:established,to_server; urilen:33; http.uri; pcre:"/^\/[a-f0-9]{32}$/"; http.user_agent; content:"MSIE 9.0|3b|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2017269; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Configuration File Request"; flow:established,to_server; flowbits:set,et.stealrat.config; http.uri; content:"/lts.txt"; fast_pattern; pcre:"/^\x2Flts\x2Etxt$/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017274; rev:4; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2020_09_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Email Template Request"; flow:established,to_server; http.uri; content:"/ae1.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017276; rev:4; metadata:created_at 2013_08_05, updated_at 2020_09_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, updated_at 2020_09_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco Reporting Hacked Accounts"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bruteres.php"; fast_pattern; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; classtype:trojan-activity; sid:2017311; rev:5; metadata:created_at 2013_08_12, updated_at 2020_09_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; http.uri; content:"option=com_media"; nocase; fast_pattern; http.request_body; content:"Filedata[]"; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/i"; classtype:attempted-user; sid:2017327; rev:4; metadata:created_at 2013_08_14, updated_at 2020_09_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxychecker Lookup"; flow:established,to_server; http.uri; content:"/proxy/proxychecker/"; nocase; fast_pattern; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis; classtype:trojan-activity; sid:2017344; rev:5; metadata:created_at 2013_08_19, updated_at 2020_09_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Troj.Cidox Checkin"; flow:established,to_server; http.uri; content:".php?sign="; fast_pattern; content:"&key="; content:"&av="; content:"&os="; content:"&vm="; content:"&digital="; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:command-and-control; sid:2017349; rev:5; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; http.method; content:"POST"; http.uri; content:"/adminapi/administrator.cfc?"; nocase; content:"method"; nocase; content:"login"; nocase; http.request_body; content:"rdsPasswordAllowed"; nocase; fast_pattern; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(?:true|1)/i"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:4; metadata:created_at 2013_08_22, updated_at 2020_09_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegSubsDat Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2014310; rev:7; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_09_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitcoin variant Checkin"; flow:to_server,established; http.uri; content:"/register_slave.php"; fast_pattern; http.header_names; content:!"|0d 0a|Referer"; nocase; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; classtype:coin-mining; sid:2017369; rev:4; metadata:created_at 2013_08_23, former_category MALWARE, updated_at 2020_09_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Vabushky.A Malicious driver download"; flow:established,to_server; http.uri; content:".bmp.gz"; fast_pattern; pcre:"/\/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$/i"; reference:url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/; classtype:trojan-activity; sid:2017377; rev:4; metadata:created_at 2013_08_27, updated_at 2020_09_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SERVER["; fast_pattern; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_GET["; fast_pattern; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_POST["; fast_pattern; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SERVER["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_GET["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_POST["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac FACEPUNCH Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.header; content:"X-Request-Kind-Code|3a 20|"; fast_pattern; http.user_agent; content:"Mozilla"; startswith; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf; classtype:trojan-activity; sid:2017455; rev:8; metadata:created_at 2013_09_11, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dipverdle.A Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cp/?"; nocase; fast_pattern; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/i"; http.request_body; content:"token="; nocase; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:4; metadata:created_at 2013_09_17, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unicorn Stealer Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename="; content:"form-data|3b 20|name=|22|filename|22 0d 0a|"; content:"form-data|3b 20|name=|22|submit|22 0d 0a|"; content:"form-data|3b 20|name=|22|id|22 0d 0a|"; content:"form-data|3b 20|name=|22|src|22 0d 0a|"; fast_pattern; content:"form-data|3b 20|name=|22|type|22 0d 0a|"; content:"form-data|3b 20|name=|22|on|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1307025445536239616; reference:md5,852646191db6768157a7fddcc13afed2; classtype:trojan-activity; sid:2030894; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-09-21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"xbalti"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&passid="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2033006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; http.uri; content:".swf"; offset:66; depth:4; endswith; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/i"; classtype:exploit-kit; sid:2016799; rev:5; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw Requesting Additional Modules From CnC"; flow:established,to_server; http.uri; content:"/ping.html?r="; fast_pattern; content:!"/utils/"; pcre:"/\x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$/"; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016507; rev:7; metadata:created_at 2013_02_27, former_category MALWARE, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-driver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-driver"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017519; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-process)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-process"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017521; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+
+alert  http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-cmd-shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-cmd-shell"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017522; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DATA-BROKER BOT Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"g="; depth:2; content:"&cmd="; fast_pattern; pcre:"/^g=[A-Z0-9]+&cmd=/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:5; metadata:created_at 2013_09_25, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK POST Compromise POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?id="; nocase; content:"&v1="; nocase; content:"&v2="; nocase; fast_pattern; content:"&q="; nocase; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017544; rev:4; metadata:created_at 2013_09_30, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; flowbits:set,et.exploitkitlanding; http.uri; content:".php?"; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017554; rev:5; metadata:created_at 2013_10_03, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages"; flow:established,to_server; http.method; content:"POST"; http.host; content:".atwebpages.com"; fast_pattern; classtype:misc-activity; sid:2030890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, signature_severity Informational, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; http.uri; content:".js?cp="; fast_pattern; pcre:"/\/[A-F0-9]{8}\.js\?cp=/"; classtype:exploit-kit; sid:2017555; rev:4; metadata:created_at 2013_10_03, updated_at 2020_09_21;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; http.uri; content:".js?"; fast_pattern; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/"; classtype:trojan-activity; sid:2017453; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_21;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FiestaEK js-redirect"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/"; classtype:exploit-kit; sid:2017567; rev:5; metadata:created_at 2013_10_08, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade.php"; nocase; fast_pattern; http.header; content:"Origin|3a|"; http.request_body; content:"&customerid="; nocase; content:"&htmlsubmit="; content:"username"; nocase; content:"confirmpassword"; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:4; metadata:created_at 2013_10_10, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan tools.ini Request"; flow:established,to_server; http.uri; content:"/tools.ini"; fast_pattern; bsize:10; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017585; rev:5; metadata:created_at 2013_10_14, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kovter Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?mode="; nocase; content:"&OS="; nocase; content:"&OSbit="; nocase; fast_pattern; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:14; metadata:attack_target Client_Endpoint, created_at 2013_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_21, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Egobot Checkin"; flow:to_server,established; http.uri; content:".php?arg1="; nocase; fast_pattern; content:"&arg2="; pcre:"/&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/i"; reference:url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; classtype:command-and-control; sid:2017600; rev:4; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_09_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; http.uri; content:"/WEB-INF/web.xml"; nocase; fast_pattern; http.uri.raw; content:"|2e 2e 2f|"; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:4; metadata:created_at 2013_10_17, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Install"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/stats/debug/"; fast_pattern; content:"/?ts="; content:"&ver="; content:"&group="; content:"&token="; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:4; metadata:created_at 2013_10_30, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msctcd.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskmgr.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wsqmocn.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?computer-name="; fast_pattern; content:"&username="; distance:0; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Cache"; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030895; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-sharepoint.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030896; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Rampant_Kitten, updated_at 2020_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-onedrive.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030897; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Rampant_Kitten, updated_at 2020_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Usrname="; fast_pattern; content:"&0S-Name="; distance:0; content:"&Pt-Name="; distance:0; content:"&ToolsIsActive"; endswith; http.user_agent; content:"Python-urllib/"; startswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030898; rev:1; metadata:created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017676; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wimhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winlog.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/waulct.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/alg.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mssrs.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhosts.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Stitur Secondary Download"; flow:established,from_server; http.header; content:".file|0d 0a|"; fast_pattern; content:"Content-Description|3a 20|File Transfer|0d 0a|"; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; pcre:"/filename=[a-f0-9]{13}\.file\r\n/"; classtype:trojan-activity; sid:2017700; rev:5; metadata:created_at 2013_11_09, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Monitor Request CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/monitor.php?resp=ID|3a|"; fast_pattern; content:"Target|3a|"; content:"Message|3a|"; pcre:"/\/monitor\.php\?resp=ID\x3a[A-Za-z]{15}/"; http.user_agent; content:"Mozilla/4.0 (SEObot)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017717; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Command Request CnC Beacon"; flow:established,to_server; http.uri; content:"/gate.php?cmd="; fast_pattern; pcre:"/\/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017723; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; http.uri; content:"/pwn.jsp?"; nocase; fast_pattern; content:"cmd="; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:6; metadata:created_at 2013_11_20, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; http.uri; content:"cmd="; nocase; content:"pwd=dayoff"; nocase; fast_pattern; pcre:"/[&?]pwd=dayoff(?:&|$)/i"; pcre:"/[&?]cmd=/i"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:5; metadata:created_at 2013_12_06, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; http.uri; content:"isn_getlog"; nocase; fast_pattern; pcre:"/[?&]isn_getlog/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:7; metadata:created_at 2013_12_10, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhost"; nocase; fast_pattern; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017842; rev:4; metadata:created_at 2013_12_12, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS pony.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pony."; nocase; fast_pattern; pcre:"/\/pony\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017843; rev:4; metadata:created_at 2013_12_12, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kryptik Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&bot_id="; nocase; fast_pattern; pcre:"/\.php\?(q|name)=/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:attempted-user; sid:2017741; rev:5; metadata:created_at 2013_11_22, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; urilen:35<>37; http.method; content:"POST"; http.uri; content:".aspx?Random="; fast_pattern; pcre:"/^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$/i"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017858; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; http.uri; content:"/cfcexplorer.cfc"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:4; metadata:created_at 2013_12_17, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request"; flow:established,to_server; http.uri; content:"/j.php?t=u00"; fast_pattern; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2015960; rev:14; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FOCA uri"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:5; metadata:created_at 2014_01_10, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; threshold:type both,track by_src,count 2,seconds 60; http.method; content:"POST"; http.uri; content:"/201"; fast_pattern; content:".jsp"; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)"; bsize:101; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:command-and-control; sid:2017967; rev:5; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Possible Process Dump in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"System Idle Process"; fast_pattern; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:6; metadata:created_at 2014_01_15, former_category INFO, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG JAVAFOG JAR checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"?title=2.0_-"; fast_pattern; http.user_agent; content:"Java"; startswith; http.request_body; content:"content=HostName|3a 20|"; depth:18; content:"|0d 0a|Java Version|3a 20|"; distance:0; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:command-and-control; sid:2017972; rev:6; metadata:created_at 2014_01_15, former_category MALWARE, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; http.method; content:"GET"; http.uri; content:"/reboot/index.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:command-and-control; sid:2018023; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; http.host; content:"myip.ru"; fast_pattern; endswith; classtype:policy-violation; sid:2018021; rev:6; metadata:created_at 2014_01_28, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4; metadata:created_at 2014_02_03, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StoredBt.A Activity"; flow:to_server,established; http.uri; content:".php?a1="; fast_pattern; pcre:"/\.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,e8e9eb1cd4be7ab27743887be2aa28e9; classtype:trojan-activity; sid:2018074; rev:4; metadata:created_at 2014_02_05, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; content:"Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*?boundary\s*?=\s*?[^\r\n]/Ri"; isdataat:4091,relative; content:!"|0A|"; within:4091; http.header; content:"multipart/form-data"; fast_pattern; reference:url,blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html; reference:cve,2014-0050; classtype:web-application-attack; sid:2018113; rev:4; metadata:created_at 2014_02_12, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin 2"; flow:to_server,established; http.uri; content:"/post/echo"; fast_pattern; bsize:10; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018128; rev:4; metadata:created_at 2014_02_13, former_category MALWARE, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alman Dropper Checkin"; flow:established,to_server; http.uri; content:"?action=post&HD="; fast_pattern; content:"&OT="; content:"&IV="; pcre:"/&HD=[A-F0-9]{32}&/"; reference:url,doc.emergingthreats.net/2009203; classtype:command-and-control; sid:2009203; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin 2"; flow:to_server,established; http.uri; content:"/cmd?version="; fast_pattern; content:"&aid="; content:"&id="; content:"&os="; pcre:"/&id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018198; rev:6; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Geral Checkin"; http.uri; content:".asp?MAC="; nocase; fast_pattern; content:"&ver="; nocase; pcre:"/\.asp\?MAC=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&VER=[^&]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f01260fff3d6fb705fc8afaa3ea54564; classtype:command-and-control; sid:2018201; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_22;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels)"; flow:established,to_server; http.uri; content:"/log4jAdmin.jsp"; fast_pattern; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018202; rev:4; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin"; flow:to_server,established; http.uri; content:"/log?"; content:"|7c|aid="; fast_pattern; content:"|7c|version="; content:"|7c|id="; content:"|7c|os="; pcre:"/\/log\?(start|install)\x7caid=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018205; rev:5; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Adultdns.net"; flow:established,to_server; http.host; content:".adultdns.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018211; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?r=cmd"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,e47a296bac49284371ac396a053a8488; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030904; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Servehttp.com"; flow:established,to_server; http.host; content:".servehttp.com"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018212; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Redirectme.net"; flow:established,to_server; http.host; content:".redirectme.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018214; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Zapto.org"; flow:established,to_server; http.host; content:".zapto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018215; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain serveblog.net"; flow:established,to_server; http.host; content:".serveblog.net"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018217; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain myftp.com"; flow:established,to_server; http.host; content:".myftp.com"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018218; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; http.uri; content:"/ping/installping.aspx"; fast_pattern; content:"shortname="; content:"&os="; content:"&parents="; content:"&browserNames="; content:"&DefaultBrowserName="; content:"&langid="; content:"&installdate="; http.header; content:".installiq.com|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_05, deployment Perimeter, former_category POLICY, signature_severity Major, tag c2, updated_at 2020_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Payload Download"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; content:"&h="; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016499; rev:16; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RDP Brute Force Bot Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cmd.php"; http.user_agent; content:"Browser"; depth:7; http.request_body; content:"name=|22|data|22|"; content:"{ |22|bad|22 20 3a 20|"; content:", |22|bruting|22 20 3a 20|"; fast_pattern; content:", |22|checked|22 20 3a 20|"; reference:md5,c0c1f1a69a1b59c6f2dab18135a73919; reference:md5,e310cf7385ae4d15956e461c6d118c91; reference:md5,d316d208a66248c09986896f671f1db1; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018253; rev:8; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Expiro.CD Check-in"; flow:established,to_server; http.uri; content:"/gate.php?user="; fast_pattern; content:"&id="; nocase; content:"&type="; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:4; metadata:created_at 2014_03_12, updated_at 2020_09_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; pcre:"/^\/1[34]\d{8}\.pdf$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018258; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".htm"; fast_pattern; pcre:"/^\/1[34]\d{8}\.htm$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018259; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Java Payload"; flow:established,to_server; http.uri; content:".mp3"; pcre:"/\/\d{6}\.mp3$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017755; rev:7; metadata:created_at 2013_11_25, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_SLOTH.A Checkin"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/help.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:command-and-control; sid:2018285; rev:6; metadata:created_at 2014_03_17, former_category MALWARE, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus GameOver Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a 20|"; http.host; content:"default"; fast_pattern; startswith; content:!"."; reference:md5,bd850c21254c33cd9f6be41aafc6bf46; classtype:command-and-control; sid:2018296; rev:4; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2020_09_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; fast_pattern; tls.cert_issuer; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; reference:url,twitter.com/bryceabdo/status/1308802052487774210; classtype:domain-c2; sid:2030901; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmark/getServiceCode?price="; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:5; metadata:created_at 2014_03_24, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nlog/nlog"; fast_pattern; content:".php"; http.header; content:"Content-Length|3a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017465; rev:6; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_09_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=conwaytools.me"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/bryceabdo/status/1308743381099646976; classtype:domain-c2; sid:2030902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http any any -> any 5000 (msg:"ET SCAN Hikvision DVR attempted Synology Recon Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webman/info.cgi?host="; fast_pattern; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:4; metadata:created_at 2014_04_02, former_category SCAN, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mal/Ransom-CE Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/windows"; fast_pattern; endswith; http.user_agent; content:"MSIE"; http.host; content:"www.microsoft.com"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,6faa7077de347ee0fa8c991934c2c3a5; reference:md5,a1fe3a7ff1ec997411b71212483eea33; reference:md5,97c0000473c5004d2e8c0464e322f429; classtype:trojan-activity; sid:2018295; rev:5; metadata:created_at 2014_03_18, updated_at 2020_09_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=TR, ST=Istanbul, L=Istanbul Buyuksehir Belediyesi, O=EsT Country, OU=ESTTKEY, CN=alahuakber"; bsize:93; fast_pattern; reference:url,twitter.com/bryceabdo/status/1308778721797640195; classtype:domain-c2; sid:2030903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 8"; nocase; fast_pattern; content:!"NOKIA"; nocase; classtype:trojan-activity; sid:2015821; rev:6; metadata:created_at 2012_10_19, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/counter.img?theme="; fast_pattern; content:"&digits="; content:"&siteId="; http.user_agent; content:"Opera/9 (Windows NT"; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:command-and-control; sid:2015723; rev:6; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2020_09_23;)
+
+#alert http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; flowbits:set,ET.Rbrute.incoming; http.user_agent; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; fast_pattern; nocase; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:5; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain"; flow:established,to_server; http.host; content:".mrbasic.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018365; rev:4; metadata:created_at 2014_04_05, updated_at 2020_09_23;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp"; flow:established,to_server; http.uri; content:".asp?mevla=1"; nocase; fast_pattern; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018370; rev:6; metadata:created_at 2014_04_07, updated_at 2020_09_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=moist.company"; nocase; endswith; classtype:domain-c2; sid:2030899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (Download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"seCurEstrInGTogloBALAlLoCUnicOdE|28 20 24 28 27|76492d1116743f0423413b16050a5345MgB8A"; nocase; fast_pattern; reference:md5,fc30e902d1098b7efd85bd2651b2293f; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030905; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moist Stealer CnC Exfil"; flow:established,to_server; http.uri; content:".php?id=";  content:"&caption="; distance:0; content:"|20|Moist|20|Stealer|20|gate|20|detected|20|new|20|log!"; nocase; distance:0; fast_pattern; content:"User|3a|"; nocase; distance:0; content:"IP|3a|"; nocase; distance:0; http.request_body; content:"].zip|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,f855dffcbd21d4e4a59eed5a7a392af9; classtype:command-and-control; sid:2030900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Moist_Stealer, signature_severity Major, updated_at 2020_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?p="; fast_pattern; content:"&s="; content:"&v="; distance:0; content:"uid="; distance:0; content:"&q="; distance:0; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2009299; classtype:trojan-activity; sid:2009299; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE hacker87 checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/AppEn.php"; fast_pattern; http.request_body; content:"parameter="; depth:10; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:command-and-control; sid:2018420; rev:4; metadata:created_at 2014_04_25, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest - Post Data Form 01"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/post.aspx?"; fast_pattern; pcre:"/^\/post\.aspx\?[^&]+=[0-9]{9,10}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018425; rev:4; metadata:created_at 2014_04_28, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.qgxi Checkin"; flow:to_server,established; http.uri; content:".php?bot="; fast_pattern; http.cookie; content:"bot="; depth:4; reference:md5,0b450a92f29181065bc6601333f01b07; reference:md5,548fbf4dde27e725c0a1544f61362b50; reference:url,arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising; classtype:command-and-control; sid:2018412; rev:10; metadata:created_at 2013_10_31, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin"; flow:established,to_server; http.uri; content:"/0001"; fast_pattern; pcre:"/^\/j\/[a-f0-9]{8}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{12}\/0001\/?$/"; reference:url,www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103; classtype:command-and-control; sid:2018448; rev:5; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Register CnC Beacon"; flow:established,to_server; urilen:55; http.uri; content:"/el/sregister.php?name="; fast_pattern; pcre:"/^\x2Fel\x2Fsregister\x2Ephp\x3Fname\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018474; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Login CnC Beacon"; flow:established,to_server; urilen:51; http.uri; content:"/el/slogin.php?uid="; fast_pattern; pcre:"/^\x2Fel\x2Fslogin\x2Ephp\x3Fuid\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018475; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hicrazyk.A Downloader Install CnC Beacon"; flow:established,to_server; http.uri; content:"/setup/?name="; fast_pattern; content:"&ini="; content:"&v="; http.user_agent; content:"NSISDL/"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FHicrazyk.A&ThreatID=-2147281007; reference:md5,ddb8110ec415b7b6f43c0ef2b4076d45; classtype:command-and-control; sid:2018435; rev:9; metadata:attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Agent.ksja"; flow:established,to_server; http.uri; content:".php?m="; fast_pattern; pcre:"/\.php\?m=[A-F0-9]{12}/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b 29 0d 0a|Host|3a|"; depth:54; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,3b440e052da726942763d11cf9e3f72c; classtype:trojan-activity; sid:2018507; rev:5; metadata:created_at 2014_05_29, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypt.nc Checkin"; flow:to_server,established; http.uri; content:".php?l"; content:"&rvz1="; fast_pattern; content:"&rvz2="; pcre:"/&rvz1=\d+&rvz2=\d+?$/"; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2008567; classtype:command-and-control; sid:2008567; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; http.uri; content: "device_id="; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/Ri"; content:"&app_id="; pcre:"/^[a-f0-9]{30,35}&app_package_name=/Ri"; content: "screen_density="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P zzima_loader"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/zzima_loader/"; fast_pattern; http.user_agent; content:"zzima-nloader/ 1.0.3.1"; depth:22; http.header_names; content:!"Referer|0d 0a|"; reference:md5,810b4464785d8d007ca0c86c046ac0ef; classtype:trojan-activity; sid:2018532; rev:5; metadata:created_at 2014_06_05, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.Agent.U3D7V0 Checkin"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/getc"; content:"/?c="; fast_pattern; pcre:"/^\/getc(?:loud|onf)\/\?c=/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,97572a7a0690ba1643525bf6666b74c6; classtype:command-and-control; sid:2018530; rev:5; metadata:created_at 2014_06_05, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Etumbot.B Requesting RC4 Key"; flow:to_server,established; http.uri; content:"/home/index.asp?typeid="; nocase; fast_pattern; pcre:"/^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$/i"; http.referer; content:"http|3a|//www.google.com/"; bsize:22; reference:md5,82d4850a02375a7447d2d0381b642a72; reference:md5,ff5a7a610746ab5492cc6ab284138852; reference:url,arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; classtype:trojan-activity; sid:2018552; rev:5; metadata:created_at 2014_06_09, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JCE Joomla Extension"; flow:to_server,established; http.uri; content:".php"; content:"option="; content:"&task="; content:"&plugin=imgmanager"; content:"&file="; content:"&version="; content:"&cid="; http.request_body; content:"folderRename"; fast_pattern; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:web-application-attack; sid:2018326; rev:5; metadata:created_at 2014_03_26, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar Downloader Request"; flow:established,to_server; http.uri; content:"/tasksz.php?"; fast_pattern; pcre:"/\/tasksz\.php\?(?:dc|load)/"; http.user_agent; content:"Google Bot"; bsize:10; reference:url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml; reference:url,doc.emergingthreats.net/2010288; classtype:trojan-activity; sid:2010288; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:"commondatastorage.googleapis.com"; bsize:32; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:4; metadata:created_at 2014_06_11, former_category CURRENT_EVENTS, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/netsend/nmsm_json.jsp"; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:command-and-control; sid:2013694; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_09_24, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; http.uri; content:"/bb.php"; nocase; fast_pattern; content:"id="; nocase; content:"v="; nocase; content:"tm="; nocase; content:"b="; nocase; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; reference:url,doc.emergingthreats.net/2010756; classtype:trojan-activity; sid:2010756; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miuref/Boaxxe Checkin"; flow:to_server,established; urilen:>400; http.method; content:"GET"; http.uri.raw; content:"%2b"; fast_pattern; content:"%2f"; content:!"|2e|"; content:!"|3f|"; content:!"|26|"; pcre:"/^\/(?:[a-zA-Z0-9]|%2[fb]){400,}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/01/17/boaxxe-adware-a-good-advert-sells-the-product-without-drawing-attention-to-itself-part-2/; reference:url,blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx; classtype:pup-activity; sid:2018582; rev:12; metadata:created_at 2013_11_22, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/youxi_up.php"; fast_pattern; http.request_body; content:"--*****|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|npki|22|"; depth:52; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:5; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; http.uri; content:"/PSBlock"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:6; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; http.uri; content:"/PSStore"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:7; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override URI"; flow:to_server,established; http.uri; content:"c99shcook["; nocase; fast_pattern; pcre:"/[&?]c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018601; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Client Body"; flow:to_server,established; http.request_body; content:"c99shcook["; nocase; fast_pattern; pcre:"/(?:^|&)c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018603; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TimThumb Remote Command Execution"; flow:established,to_server; http.uri; content:".php"; content:"webshot="; fast_pattern; content:"src="; content:"|24 28|"; pcre:"/[&?]src=https?[^&]+\x24\x28/"; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:attempted-user; sid:2018605; rev:4; metadata:created_at 2014_06_26, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?secue="; fast_pattern; content:"&pro="; content:"|2c|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/; reference:md5,1c29b24d4d4ef7568f519c470b51bbed; classtype:targeted-activity; sid:2018631; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 2"; flow:established,to_server; http.uri; content:".php?file"; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Ffile(?:index\x3D[A-Z]|n\x3Dnoexist|wh\x3Dfalse)/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018632; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 3"; flow:established,to_server; http.uri; content:".php?Re="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3FRe\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018633; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 4"; flow:established,to_server; http.uri; content:".php?verify="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Fverify\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018634; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Exorcist 2.0 Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header.raw; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)|20 0d 0a|"; fast_pattern; http.request_body; content:"d="; depth:2; isdataat:100,relative; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; http.header_names; content:!"Referer"; reference:md5,9e5c89c84cdbf460fc6857c4e32dafdf; classtype:command-and-control; sid:2030906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family Exorcist_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/SunCrypt Ransomware CnC Activity"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"|19 10 03 41 24 29 70 24|"; depth:8; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,c171bcd34151cbcd48edbce13796e0ed; classtype:command-and-control; sid:2030907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family SunCrypt, signature_severity Major, tag Ransomware, updated_at 2020_09_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/black/?"; fast_pattern; http.request_body; content:"tipo="; depth:5; content:"&cliente="; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:command-and-control; sid:2018641; rev:5; metadata:created_at 2014_07_04, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; pcre:"/\.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018649; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.request_body; content:"OPC="; nocase; fast_pattern; pcre:"/^OPC=\d/i"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018653; rev:4; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".hlp"; nocase; fast_pattern; pcre:"/^\/[^\x2f]+?\.hlp$/i"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018654; rev:5; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auth.cgi?mode="; fast_pattern; content:"&id="; content:"&serv="; distance:0; content:"&lang="; distance:0; content:"&q="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018669; rev:4; metadata:created_at 2014_07_12, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 2"; flow:established,to_server; http.uri; content:"/default.asp?act="; fast_pattern; content:"&id="; content:"&item="; distance:0; content:"&cln="; distance:0; content:"&flt="; distance:0; content:"&serv="; distance:0; content:"&t="; distance:0; content:"&mode="; distance:0; content:"&lang="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018670; rev:5; metadata:created_at 2014_07_12, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya Credit Card Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"&ccnum="; fast_pattern; content:"mode="; depth:5; content:"&compinfo="; distance:0; content:"&type="; distance:0; content:"&track="; distance:0; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; reference:url,fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf; classtype:trojan-activity; sid:2018680; rev:4; metadata:created_at 2014_07_16, updated_at 2020_09_24;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin 2"; flow:established,to_server; urilen:7; http.method; content:"GET"; http.uri; content:"/u.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:command-and-control; sid:2018687; rev:4; metadata:created_at 2014_07_17, former_category MALWARE, updated_at 2020_09_24;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz / Asprox checkin"; flow:established,to_server; http.uri; content:"/api/"; fast_pattern; pcre:"/^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$/"; reference:url,garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html; reference:url,blog.malcovery.com/blog/more-information-on-this-weeks-e-zpass-scam; classtype:command-and-control; sid:2018739; rev:4; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asterope Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; content:"&id="; distance:0; content:"&os="; distance:0; content:"&res="; distance:0; http.header; content:"Accept-Asterope|3a|"; fast_pattern; reference:md5,19190ef53877979191f6889c6a795f31; classtype:command-and-control; sid:2018750; rev:5; metadata:created_at 2014_06_23, former_category MALWARE, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set"; flow:established,to_server; flowbits:set,ET.XMLRPC.PHP; flowbits:noalert; http.uri; content:"/xmlrpc.php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018754; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_24;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win.Trojan.Agent-29225 Checkin"; flow:to_server,established; http.uri; content:"/proxy.exe"; nocase; fast_pattern; http.user_agent; content:"Java/1"; nocase; reference:url,virustotal.com/file/17b1639c08352cc37baac08f23137563546750292131896f37fd8be8c9412407/analysis/; classtype:command-and-control; sid:2018763; rev:6; metadata:created_at 2013_01_22, former_category MALWARE, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/flash/api.php?id="; fast_pattern; pcre:"/^\/flash\/api\.php\?id=\d/"; http.request_body; content:"method="; depth:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/api33/api.php"; fast_pattern; http.request_body; content:"method="; depth:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kbot.Backdoor Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat.php"; nocase; http.request_body; content:"id="; depth:3; content:"&build_id="; fast_pattern; pcre:"/&build_id=[A-F0-9]+$/i"; reference:md5,1df0ceab582ae94c83d7d2c79389e178; classtype:command-and-control; sid:2018078; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.uri; content:"/1/?1"; fast_pattern; http.request_body; content:"{|22|n|22 3a 22|"; depth:6; content:"|22 2c 22|d|22 3a 22|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/message.php"; fast_pattern; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_28, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passinggas.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018809; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myredirect.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myredirect.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018811; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.rr.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".rr.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018813; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.kwik.to Domain (Sitelutions)"; flow:established,to_server; http.host; content:".kwik.to"; fast_pattern; endswith; classtype:bad-unknown; sid:2018815; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myfw.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myfw.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018817; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.ontheweb.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".ontheweb.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018819; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isthebe.st Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isthebe.st"; fast_pattern; endswith; classtype:bad-unknown; sid:2018821; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.byinter.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".byinter.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018823; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.findhere.org Domain (Sitelutions)"; flow:established,to_server; http.host; content:".findhere.org"; fast_pattern; endswith; classtype:bad-unknown; sid:2018825; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.onthenetas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".onthenetas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018827; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.uglyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".uglyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018829; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.assexyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".assexyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018831; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passas.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passas.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018833; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athissite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athissite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018835; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athersite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athersite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018837; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isgre.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isgre.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018839; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lookin.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lookin.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018841; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.bestdeals.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".bestdeals.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018843; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lowestprices.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lowestprices.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018845; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff POS Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"&op="; depth:4; content:"&id="; content:"&ui="; content:"&wv="; fast_pattern; content:"&bv="; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:command-and-control; sid:2018857; rev:8; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 1"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/project/check.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,12854bb8d1e6a590e1bd578267e4f8c9; classtype:command-and-control; sid:2018882; rev:6; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 2"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/dr.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,c0656b66b9f4180e59e1fd2f9f1a85f2; classtype:command-and-control; sid:2018883; rev:5; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pgift.Backdoor APT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pgift.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:targeted-activity; sid:2018869; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/qsc.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:command-and-control; sid:2018884; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 1"; flow:established,to_server; urilen:17; http.method; content:"HEAD"; http.uri; content:"/GlobalUpdate.upt"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018889; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 2"; flow:established,to_server; urilen:9; http.method; content:"HEAD"; http.uri; content:"/all.wipe"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018890; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upfornow/connect.php"; fast_pattern; http.header; content:"Content-Length|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f085395253a40ce8ca077228c2322010; reference:url,securityblog.s21sec.com/2014/08/kronos-is-here.html; classtype:command-and-control; sid:2018891; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  BITTERBUG Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/vtris"; fast_pattern; content:".php?srs="; pcre:"/\/vtris\d?\.php\?srs=\d{1,10}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018901; rev:4; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Config Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/soft"; content:".dll"; fast_pattern; pcre:"/\/soft(?:32|64)\.dll$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; content:"User-Agent|3a|"; http.header_names; content:!"Referer"; reference:md5,5a99a6a6cd8600ea88a8fcc1409b82f4; classtype:trojan-activity; sid:2018661; rev:5; metadata:created_at 2014_07_10, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OneLouder Common URI Struct"; flow:established,to_server; http.uri; content:"/ord/"; fast_pattern; content:".exe"; nocase; pcre:"/\/ord\/[^\x2f]+?\.exe$/i"; classtype:trojan-activity; sid:2018929; rev:4; metadata:created_at 2014_08_13, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Steam.NBP Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?file="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,17d2b62f2fa20f407485437de17787fb; reference:md5,bec091077138a1cac49db00495d456e7; classtype:command-and-control; sid:2018949; rev:5; metadata:created_at 2014_08_18, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Downloading Config"; flow:established,to_server; http.uri; content:"/zConfig/"; fast_pattern; pcre:"/\/zConfig\/\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-99; classtype:trojan-activity; sid:2018960; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/zImprimer/"; fast_pattern; pcre:"/\/zImprimer\/\d+-/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018961; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/enc/1"; fast_pattern; pcre:"/\/enc\/1$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018962; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python.Ragua Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebCam/Cam.txt"; nocase; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; nocase; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66108/el-machete/; reference:md5,a8602b4c35f426107c9667d804470745; classtype:command-and-control; sid:2018968; rev:5; metadata:created_at 2014_08_20, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download"; flow:established,to_server; http.uri; content:"/Signed_Update.jar"; nocase; fast_pattern; http.user_agent; content:"Java/1."; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018969; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX variant"; flow:to_server,established; threshold: type both, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"/p/"; depth:3; pcre:"/^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/"; http.header; content:"code.google.com"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,f92e9e3e86856b5c0ee465f77a440abb; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:9; metadata:created_at 2014_08_22, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xema dropping file"; flow:to_server,established; http.uri; content:"/pruebas.doc"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f5fbdb120594f4da7f638122d6635933; classtype:trojan-activity; sid:2018994; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Tuscas"; flow:established,to_server; http.uri; content:"?version="; fast_pattern; content:"&group="; content:"&client="; content:"&computer="; content:"&os="; content:"&latency="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:2018999; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/publickey/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b61145a54698753cecf8748359c9d81e; classtype:command-and-control; sid:2018579; rev:9; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/fd/"; flow:established,to_server; http.uri; content:"/proc/self/fd/"; nocase; fast_pattern; classtype:web-application-attack; sid:2019110; rev:4; metadata:created_at 2014_09_04, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/report/install"; fast_pattern; http.request_body; content:"data="; depth:5; content:"os="; distance:0; content:"mac="; distance:0; content:"sign="; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:command-and-control; sid:2019125; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bapy.Downloader PE Download Request"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/tmps."; fast_pattern; pcre:"/[a-z]\d{2}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:4; metadata:created_at 2014_09_05, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup maxmind.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/locate_my_ip"; fast_pattern; http.header; content:"maxmind.com"; reference:md5,0559c56d6dcf6ffe9ca18f43e225e3ce; classtype:external-ip-check; sid:2019140; rev:4; metadata:created_at 2014_09_09, former_category POLICY, updated_at 2020_09_25;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection"; flow:established,to_server; http.uri; content:"wp-admin/admin.php"; content:"page=gallerys_huge_it_gallery"; fast_pattern; content:"task=edit_cat"; content:"removeslide="; reference:url,packetstormsecurity.com/files/128118/wphugeitig-sql.txt; classtype:web-application-attack; sid:2019139; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_09_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; http.uri; content:".pdf"; nocase; fast_pattern; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/"; classtype:exploit-kit; sid:2016405; rev:9; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; http.host; content:"windowsupdate.microsoft.com"; bsize:27; http.connection; content:"Close"; fast_pattern; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:4; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save_env.cgi"; fast_pattern; http.request_body; content:"&user="; content:"|2e 2e 2f|"; distance:0; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:5; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?&co="; fast_pattern; content:"&us="; content:"&av="; content:"&os="; content:"&tr2="; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019160; rev:4; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; http.request_body; content:"|AB AB|"; depth:2; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; fast_pattern; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:4; metadata:created_at 2014_09_11, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; http.uri; content:"/images2/"; nocase; fast_pattern; pcre:"/\/images2\/[0-9a-fA-F]{500}/"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:command-and-control; sid:2012799; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.ms domain"; flow:to_server,established; http.host; content:".de.ms"; fast_pattern; endswith; classtype:bad-unknown; sid:2013378; rev:5; metadata:created_at 2011_08_08, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.eu.tf domain"; flow: to_server,established; http.host; content:".eu.tf"; fast_pattern; endswith; classtype:bad-unknown; sid:2013828; rev:5; metadata:created_at 2011_11_05, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a .noip.cn domain"; flow:to_server,established; http.host; content:".noip.cn"; fast_pattern; endswith; classtype:bad-unknown; sid:2013969; rev:5; metadata:created_at 2011_11_28, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Predator Variant Dropper Activity"; flow:established,to_server; http.request_line; content:"GET|20|/FDpb|20|HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3679a900a8895e242e97e9d54cd2f5fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-268a; reference:url,twitter.com/craiu/status/1309449368559378432; classtype:trojan-activity; sid:2030908; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.upas.su domain"; flow:to_server,established; http.host; content:".upas.su"; fast_pattern; endswith; classtype:bad-unknown; sid:2015551; rev:5; metadata:created_at 2012_07_31, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; http.uri; content:"/updatesrv.aspx?f=1"; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:4; metadata:attack_target Mobile_Client, created_at 2014_09_15, former_category MOBILE_MALWARE, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; http.uri; content:"/updatesrv.aspx?f=2&uuid="; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:4; metadata:attack_target Mobile_Client, created_at 2014_09_15, former_category MOBILE_MALWARE, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/key/index.php"; fast_pattern; http.request_body; content:"dir="; depth:4; content:"&data="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:command-and-control; sid:2019179; rev:4; metadata:created_at 2014_09_16, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; http.request_body; content:"base64_decode"; nocase; fast_pattern; classtype:trojan-activity; sid:2019182; rev:4; metadata:created_at 2014_09_16, updated_at 2020_09_25;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHPMyAdmin BackDoor Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/server_sync.php?"; fast_pattern; content:"c="; pcre:"/\/server_sync.php\?(?:.+?&)?c=/i"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:8; metadata:created_at 2012_09_26, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader GetBooks UA"; flow:established,to_server; http.user_agent; content:"GetBooks"; nocase; fast_pattern; classtype:trojan-activity; sid:2015756; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_10_03, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos.K Executable Download DGA"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:".ru"; offset:7; depth:6; endswith; pcre:"/^(?:u(?:wf(?:ekfyj|ubpeb)|d(?:xowub|zycaf)|h(?:duxic|zubvo)|x(?:fokur|osgik)|celgos|ggifym|mpefan|qlahaf)|s(?:u(?:t(?:fasof|imjy)|kbewli)|i(?:ttanyg|webheb|hemuj)|e(?:suhror|xjereh)|o(?:haxim|qvaqo)|axyjuw)|r(?:i(?:zsebym|firac|sytfa|trios)|e(?:bfelqi|kvyfo)|u(?:xymqic|jfeag)|y(?:buhoq|kafeh)|acadpuh)|j(?:y(?:meegom|vvozoz|kyvca|torqu)|a(?:mwazer|ibzup)|e(?:btelyx|dytlu)|o(?:dkymy|kenqi))|o(?:t(?:geguuz|xolpow|pipug)|q(?:lapjim|jogxi)|cgaextu|gdowkys|jpaxlam|vquqaip|smuryf)|i(?:r(?:ojvuqu|hegre)|v(?:kikcop|nuvuk)|hmytog|kevzaq|mgohut|pdehas|wvahin|zxirfy)|b(?:y(?:(?:cmolh|vbym)y|gotbys|jlegta)|i(?:pulte|wuvba)|o(?:pwyeb|wbaiv))|p(?:e(?:dugtap|gyrgun|vhyvys)|y(?:nxomoj|ykxug)|a(?:gube|waha)v|ogwytfy)|d(?:e(?:afesqy|hjujuq)|o(?:hwapih|xilik)|a(?:lwoza|rabub)|inymak)|t(?:a(?:hfifak|ixcih)|i(?:wciwu|koqo)x|ecviqir|ozfyma|uriwil)|g(?:i(?:jevsog|nnyjyb)|olhysux|ywilhof|azuzoz|edopan|ubahvi)|y(?:(?:n(?:japru|kicy)|kocna)r|bsahov|dabxag|xyqwiz|zsabuq)|h(?:a(?:hsekju|poneg)|e(?:ztymut|dybih)|uquqxov|itakat)|w(?:a(?:pifnu|rkafo)c|e(?:tifjam|fecfo)|ibveces|yjenqo)|a(?:d(?:nedat|tesok)|qzepylu|baxhad|smukuf|wewsip)|l(?:u(?:(?:fseki|pylzu)m|ditla)|eqgugom|opoqyv)|z(?:u(?:pivzed|qijcel)|aefofin|idamuk|ylhomu)|v(?:u(?:njuet|ohsub)|ijsixem|otqygiq|euwhyz)|m(?:u(?:zupdyg|hipew|wosiv)|osjinme|abuhos)|x(?:o(?:fsimi|gitaj|moqol)|ikmonej|enacoz)|f(?:e(?:vnotow|tucxo)|i(?:dedhah|xavpu))|k(?:u(?:btyhuz|irfufo)|ejejib|ycufvy)|n(?:(?:iliqri|obzeky)x|eluzjiv)|c(?:ylqiduh|aqxaro|itsibe)|q(?:aijroke|iquzcy|uohdit)|e(?:gnisje|stesgo|vdyvaz))\.ru$/"; classtype:trojan-activity; sid:2016029; rev:5; metadata:created_at 2012_12_13, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.Variant Fake MSIE 6.0 UA"; flow:to_server,established; flowbits:set,ET.zbot.ua.2106509; http.uri; content:".htm?"; fast_pattern; pcre:"/\/[a-z]\.htm\?[A-Za-z0-9]+$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:trojan-activity; sid:2016509; rev:7; metadata:created_at 2013_02_27, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Kia.exe Request"; flow:established,to_server; http.uri; content:"/kia.exe"; fast_pattern; classtype:trojan-activity; sid:2018081; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Wav.exe Request"; flow:established,to_server; http.uri; content:"/wav.exe"; fast_pattern; classtype:trojan-activity; sid:2018082; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Heap.exe Request"; flow:established,to_server; http.uri; content:"/heap.exe"; fast_pattern; classtype:trojan-activity; sid:2018083; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ppp/ta.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:command-and-control; sid:2018183; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ccc/tab.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:command-and-control; sid:2018384; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Downloader 2p (Zeus) May 07 2014"; flow:to_server,established; http.uri; content:"2p/"; fast_pattern; pcre:"/\/p?2p\/[a-z]{3}$/"; http.header_names; content:!"Accept-Language"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018453; rev:7; metadata:created_at 2014_05_08, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/333"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018894; rev:8; metadata:created_at 2014_08_05, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/222"; fast_pattern; http.header; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018971; rev:5; metadata:created_at 2014_08_20, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; http.request_body; content:"|25|28|25|29|25|20|25|7b|25|20"; fast_pattern; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:6; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2 POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; content:"&bid="; content:"&dv="; content:"&dpv="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:4; metadata:created_at 2014_09_26, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Boleteiro checking stolen boleto payment information"; flow:to_server,established; http.uri; content:"Vencimento="; fast_pattern; content:"&Valor="; content:"&Sacado="; content:"&URL="; content:"&Browser=Chrome"; reference:md5,3cffb955c08f6c1546bfeae37a215787; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-091718-2034-99&tabid=2; classtype:command-and-control; sid:2019243; rev:6; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"curl|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"wget|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER lwp-download Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"lwp-download|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:4; metadata:created_at 2014_09_29, former_category WEB_SERVER, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; http.uri; content:"|28 29 20 7b|"; fast_pattern; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:6; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; http.request_body; content:"()|25|20|25|7b"; fast_pattern; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:5; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyClicker.ClickFraud CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/feed.dll?pub_id="; fast_pattern; content:"&ua="; offset:17; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019355; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt URI"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019364; rev:4; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/usdeclar.txt"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:6; metadata:created_at 2014_10_09, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest Request URI Struct"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?sid="; fast_pattern; pcre:"/\/\d\.php\?sid=[0-9A-F]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019384; rev:5; metadata:created_at 2014_10_10, updated_at 2020_09_25;)
+
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt Client Body"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; http.request_body; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019365; rev:7; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BlackEnergy Dirconf CnC Beacon"; flow:established,to_server; http.uri; content:"/dirconf/check.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/mi"; reference:url,www.f-secure.com/weblog/archives/00002721.html; classtype:command-and-control; sid:2019412; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; http.request_body; content:"name%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; http.request_body; content:"nam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; http.request_body; content:"nam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; http.request_body; content:"na%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; http.request_body; content:"na%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; http.request_body; content:"na%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; http.request_body; content:"na%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; http.request_body; content:"n%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; http.request_body; content:"n%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; http.request_body; content:"n%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; http.request_body; content:"n%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; http.request_body; content:"n%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; http.request_body; content:"n%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; http.request_body; content:"n%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; http.request_body; content:"n%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; http.request_body; content:"%6eame["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; http.request_body; content:"%6eame%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; http.request_body; content:"%6eam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; http.request_body; content:"%6eam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; http.request_body; content:"%6ea%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; http.request_body; content:"%6ea%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; http.request_body; content:"%6ea%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; http.request_body; content:"%6ea%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; http.request_body; content:"%6e%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; http.request_body; content:"%6e%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; http.request_body; content:"%6e%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; http.request_body; content:"%6e%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; http.request_body; content:"%6e%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; http.request_body; content:"%6e%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_jshoppi"; fast_pattern; pcre:"/^\/mod_jshoppi(?:-|ng|\/)/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019459; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; http.uri; content:"[$ne]"; fast_pattern; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; classtype:web-application-attack; sid:2019460; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 1"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 2"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 3"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 4"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:5; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE vSkimmer.PoS Checkin"; flow:to_server,established; http.uri; content:"/process.php?xy="; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a99d5d1652dfcda190c3d412828dcf6d; reference:md5,82d9cab2692ae13fc5b835ea2cbb36d7; reference:url,anubis.iseclab.org/action=result&task_id=1b92f08cdbfb73e64450fd07ec88849b3; classtype:command-and-control; sid:2018109; rev:6; metadata:created_at 2013_03_12, former_category MALWARE, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siggen.Dropper CnC Beacon"; flow:established,to_server; http.uri; content:".jpg?log="; fast_pattern; content:"&ts="; offset:11; content:"&act="; distance:0; http.header; content:"client|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ee363de2168aab353c829434189350e4; classtype:command-and-control; sid:2019515; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoBot Downloading Files"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"btc"; fast_pattern; pcre:"/\/[a-z]+\.k(?:ey)?btc$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3563; classtype:trojan-activity; sid:2019607; rev:4; metadata:created_at 2014_10_30, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=start&id="; fast_pattern; pcre:"/&id=[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d8e7983004c5545df6de868bc0c5a947; classtype:command-and-control; sid:2019636; rev:4; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iOS/WireLurker CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getversion.php?v="; fast_pattern; content:"&adid="; offset:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019664; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight URI Struct (noalert)"; flow:established,to_server; flowbits:set,et.Nuclear.SilverLight; flowbits:noalert; http.uri; content:"/14"; fast_pattern; pcre:"/\/14\d{8}(?:\.xap)?$/"; classtype:exploit-kit; sid:2019668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_27;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; http.uri; content:"/cart.php?site="; fast_pattern; content:"&p="; content:"&nm="; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019682; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/view.php"; fast_pattern; pcre:"/\/images\/view\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019687; rev:4; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_09_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related WinRAR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|2e 8a 83 32 1f 36 bb 08 cb fc 19 52 92 2e c3 3c|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,4994952020da28bb0aa023d236a6bf3b; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030913; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related Flash Installer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|c3 d6 21 f6 77 d7 95 61 2a 27 22 8b 2a d4 c9 16|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,a55aa68518586381213cd85441aa4e16; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030914; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/txt/read.php"; fast_pattern; pcre:"/\/txt\/read\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019688; rev:4; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"<email_accounts_list>"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:command-and-control; sid:2019704; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker Checkin"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/mac_log/?appid="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019661; rev:5; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/getversion.php?sn="; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019662; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Autorun.J Checkin"; flow:established,to_server; http.uri; content:".asp?i=0&v=o10.1"; fast_pattern; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FAutorun.J#tab=2; classtype:command-and-control; sid:2019710; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check wtfismyip.com"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:text|json|xml)?$/"; http.host; content:"wtfismyip.com"; endswith; fast_pattern; classtype:policy-violation; sid:2019737; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Matsnu.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"id="; content:"&mynum="; content:"&ver="; content:"&cvr="; content:"&threadid="; fast_pattern; content:"&lang="; content:"&os="; reference:url,www.seculert.com/blog/2014/11/dgas-a-domain-generation-evolution.html; classtype:command-and-control; sid:2019741; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M1"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&func="; fast_pattern; pcre:"/^hwid=[A-F0-9]{4}(?:-[A-F0-9]{4}){7}&func=/"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019776; rev:4; metadata:created_at 2014_11_24, updated_at 2020_09_28;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rtpd.cgi?"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; http.method; content:"GET"; http.uri; content:"/upnp/asf-mp4.asf"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/md/lums.cgi"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:attempted-admin; sid:2030909; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Minor, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:web-application-attack; sid:2030910; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".html"; fast_pattern; pcre:"/\/[A-Za-z0-9-_]{75,}\.html$/"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE|20|"; depth:42; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016567; rev:8; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.header; content:"|0d 0a|Accept-Language|3a 20|zh-cn|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; bsize:50; http.request_body; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern; content:".zip|22 0d 0a|"; content:"Content-Type|3a 20|application/x-zip-compressed|0d 0a|"; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:command-and-control; sid:2019828; rev:5; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HompesA Activity"; flow:established,to_server; http.uri; content:"/me/"; fast_pattern; pcre:"/^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,8cc58bc4d63f4b78b635d45aa69108f7; classtype:trojan-activity; sid:2019838; rev:4; metadata:created_at 2014_12_02, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.bfsx Checkin"; flow:to_server,established; http.uri; content:"/infect"; fast_pattern; content:".php"; offset:7; pcre:"/\/infect(?:-\d)?\.php$/"; http.user_agent; content:"Microsoft"; bsize:9; reference:md5,506cd65bdd06f41f8219cd1ed78eac7d; reference:md5,0c39b39ee4a59a8ac5fc1df500da2a88; classtype:command-and-control; sid:2019840; rev:6; metadata:created_at 2014_12_03, former_category MALWARE, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sony Breach Wiper Malware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/igfxtpers.exe"; fast_pattern; reference:url,logfile.packetninjas.net/related-malware-to-sony-breach; classtype:trojan-activity; sid:2019849; rev:4; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?i="; content:"&data="; distance:0; content:"&hash="; fast_pattern; pcre:"/&hash=[^&]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:5; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fin4.InfoStealer Uploading User Credentials CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?msg="; fast_pattern; content:"&uname="; content:"&pword="; reference:url,www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html; classtype:command-and-control; sid:2019829; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to WebDAV CloudMe Service"; flow:established,to_server; http.host; content:"webdav.cloudme.com"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:policy-violation; sid:2019914; rev:4; metadata:created_at 2014_12_11, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas Request to WebDAV CloudMe"; flow:established,to_server; http.uri; content:"/CloudDrive/"; nocase; pcre:"/^\/(?:b(?:i(?:llder1405|mm4276)|rowner8674935)|c(?:arter0648|h(?:ak2488|hloe7400)|orn6814)|d(?:aw0996|epp3353)|fr(?:anko7046|ogs6352)|garristone|hurris4124867|james9611|lisa\.walker|parker2339915|sa(?:mantha2064|nmorinostar)|tem5842|young0498814)\/CloudDrive\//i"; http.header; content:"webdav.cloudme.com"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/mi"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019915; rev:4; metadata:created_at 2014_12_11, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas CnC Beacon"; flow:established,to_server; urilen:10; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"POST"; http.uri; content:"/check.jsp"; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:command-and-control; sid:2019919; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TinyZBot Checkin (Operation Cleaver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkupdate.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22|http|3a|//tempuri.org/GetServerTime|22 0d 0a|"; http.request_body; content:"GetServerTime xmlns=|22|http|3a|//tempuri.org/"; http.header_names; content:!"|0d 0a|Accept"; content:!"Referer|0d 0a|"; reference:md5,68cfc418c72b58b770bdccf19805703e; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019942; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Agent.AIXD Checkin"; flow:to_server,established; http.uri; content:"/cnc.php?id="; fast_pattern; content:"&uid="; http.user_agent; content:"AppleMac"; bsize:8; reference:md5,801e450679e9d60f8c64675c432aab33; reference:md5,ad2e8210ca7c2b4b433b3fba65e87b94; reference:md5,f6ea10f719885fbcfb6743724faa94f7; classtype:command-and-control; sid:2019945; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi.46846 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5dc2a4ee8aa084c9da42cd2d1ded2e; classtype:command-and-control; sid:2019948; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"allow_url_include"; content:"safe_mode"; http.uri.raw; content:"php|3a 2f 2f|input"; http.request_body; content:"<?php"; fast_pattern; content:"chmod 777"; classtype:attempted-user; sid:2019957; rev:4; metadata:affected_product Any, attack_target Server, created_at 2014_12_17, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; http.uri; content:"/dmp/api/"; fast_pattern; pcre:"/\/dmp\/api\/[a-z]+$/"; http.header; content:"dmp."; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/mi"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019958; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks.A Checkin 2"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; content:"&builddate="; distance:0; content:"&q="; distance:0; content:"&ua="; content:"&lang="; content:"&wt="; content:"&lr="; distance:0; content:"&ls="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019966; rev:4; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Flash Redirector to RIG EK Dec 17 2014"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf?myid="; fast_pattern; pcre:"/\.swf\?myid=[a-zA-Z0-9]+$/"; classtype:exploit-kit; sid:2019967; rev:4; metadata:created_at 2014_12_18, updated_at 2020_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Ransom Page"; flow:established,to_server; http.uri; content:"/buy.php?user_code="; fast_pattern; content:"&user_pass="; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019978; rev:4; metadata:created_at 2014_12_20, updated_at 2020_09_28;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030911; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030912; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M1"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/googleyou_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M2"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/winfoxupdate_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda Checkin"; flow:established,to_server; dsize:50<>400; content:"|46 45 79 4e 56 59 6c 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:md5,07328ad6efcf16b532499cbb8daa7633; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:trojan-activity; sid:2030920; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tel/1214"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; bsize:26; http.accept; content:"image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; bsize:56; reference:md5,3009db32ca8895a0f15f724ba12a6711; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:command-and-control; sid:2030921; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Request with BITS_POST Method"; flow:established,to_server; http.method; content:"BITS_POST"; fast_pattern; classtype:policy-violation; sid:2030917; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1"; flow:established,from_server; flowbits:isset,ET.Anunanak.HTTP.1; http.header; content:"Content-Length|3a 20|11|0d 0a|"; file.data; content:"no commands"; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020028; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_29;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2"; flow:established,from_server; flowbits:isset,ET.Anunanak.HTTP.2; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"no result"; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020030; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Downloading PE"; flow:established,to_server; http.uri; content:".exe?dummy="; fast_pattern; pcre:"/\.exe\?dummy=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6b7759565454fb7d02fb5bc638136f31; classtype:trojan-activity; sid:2020032; rev:4; metadata:created_at 2014_12_23, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/connect.php?a=1"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type|0d 0a|"; classtype:command-and-control; sid:2020077; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Length|3a 20|74|0d 0a|"; fast_pattern; http.request_body; pcre:"/^(?P<v1>.).{33}(?P=v1).{9}(?P<v2>.)(?:.{4}(?P=v2)){3}/s"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type"; classtype:command-and-control; sid:2020080; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/uploads/images/201"; fast_pattern; pcre:"/\.png$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:md5,5f50e810668942e8d694faeabab08260; reference:url,blog.0x3a.com/post/107195908164/analysis-of-steam-stealers-and-the-steam-stealer; classtype:trojan-activity; sid:2020095; rev:5; metadata:created_at 2015_01_06, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exploitpack.com tool checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/changelog/"; fast_pattern; pcre:"/^\/changelog\/(?:appversion|changelog|help)$/"; http.user_agent; content:"Java/1"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.exploitpack.com; classtype:bad-unknown; sid:2020195; rev:4; metadata:created_at 2015_01_15, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISRStealer Checkin"; flow:to_server,established; http.uri; content:"?action="; content:"&username="; content:"&password="; content:"&app="; content:"&pcname="; fast_pattern; content:"&sitename="; reference:md5,44be7c6d4109ae5fb0ceb2824facf2dd; reference:url,cert.pl/news/8706/langswitch_lang/en; classtype:command-and-control; sid:2016941; rev:8; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Codenox.gyezu CnC Activity"; flow:established,to_server; http.request_line; content:"GET /__wendaoQuery.ashx?t=getcoklist&area="; startswith; fast_pattern; content:"&tb="; content:"&min="; content:"&rnd="; content:" HTTP/1.1"; distance:18; within:9; endswith; reference:md5,2c8495e13ba334324574be52dbdce173; classtype:command-and-control; sid:2030918; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?page="; content:"&enckey="; fast_pattern; pcre:"/\x26enckey\x3D[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:command-and-control; sid:2020293; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; http.uri; content:"/get"; fast_pattern; content:".jpg"; pcre:"/\/(?:w(?:hite|orld)|step)\/get(?:a+|n+)\.jpg/"; classtype:exploit-kit; sid:2016559; rev:17; metadata:created_at 2013_03_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Heimdallbot"; nocase; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*?Heimdallbot/mi"; classtype:web-application-attack; sid:2020323; rev:4; metadata:created_at 2015_01_28, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download"; flow:established,to_server; http.uri; content:"/admin-ajax.php?"; fast_pattern; content:"slider_show_image"; pcre:"/^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rim"; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:6; metadata:created_at 2015_01_21, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action=get_"; fast_pattern; pcre:"/^\/action\.php\?action=get_(?:mails|red)$/"; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020330; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress PingBack Possible GHOST attempt"; flow:established,to_server; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; content:"<string>"; pcre:"/^\s*?https?\x3a\/\//Rs"; isdataat:1024,relative; content:!"|2f|"; within:1024; content:!"</string>"; within:1033; pcre:"/^\d[\d\x2e]{255}/R"; classtype:web-application-attack; sid:2020327; rev:8; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_01_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Update"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data_updater.dat"; fast_pattern; pcre:"/\/data_updater\.dat$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020333; rev:4; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data.cfg"; fast_pattern; pcre:"/\/data\.cfg$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020334; rev:4; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Download"; flow:to_server,established; http.uri; content:"/bn_versions/"; fast_pattern; content:".exe"; pcre:"/\/bn_versions\/\d+?\.exe$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020341; rev:6; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FancyBox Remote Code Inclusion POST Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin-post.php?page=fancybox-for-wordpress"; fast_pattern; http.request_body; content:"INPUTBODY|3a|"; content:"action=update"; content:"mfbfw"; content:"extraCalls"; nocase; reference:url,blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html; classtype:attempted-admin; sid:2020368; rev:7; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-09-29"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; content:".php"; isdataat:!1,relative; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast C2 Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?cstring="; fast_pattern; content:"&tom="; content:"&id="; distance:0; http.request_body; content:"|00 00 00 00|"; depth:4; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020378; rev:4; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.rar.exe in HTTP URL"; flow:to_server,established; http.uri; content:".rar.exe"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2020386; rev:4; metadata:created_at 2015_02_09, former_category POLICY, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"checkip.dyndns.org"; fast_pattern; http.header; pcre:"/^(?:Accept\x3a\x20text\/\*, application\/\*\r\n)?User-Agent\x3a[^\r\n\x3b\x28\x29]+\r\nHost\x3a[^\r\n]+checkip\.dyndns\.org\r\nCache-Control\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2020370; rev:6; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Monitoring Software Domain (sneek .io) in TLS SNI"; flow:established,to_server; tls.sni; content:"sneek.io"; bsize:8; classtype:policy-violation; sid:2030922; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mayhem Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"Pragma|3a 20|1337|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:command-and-control; sid:2018456; rev:5; metadata:created_at 2014_05_08, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/newage.txt"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:command-and-control; sid:2019467; rev:5; metadata:created_at 2014_10_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Seeds File Request"; flow:established,to_server; http.uri; content:"/i2pseeds.su3"; fast_pattern; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020415; rev:4; metadata:created_at 2015_02_12, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/0/"; fast_pattern; pcre:"/\/(?:5[12]|6[0-3])\/0\/[A-Z]*$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020419; rev:5; metadata:created_at 2015_02_13, former_category CURRENT_EVENTS, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components - set"; flow:established,to_server; urilen:8; flowbits:set,ET.Gulcrypt; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/manager"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020420; rev:4; metadata:created_at 2015_02_13, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; pcre:"/&user=\d+$/"; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020434; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Exfiltrating files"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"account="; depth:8; content:"&name="; content:"&folder="; fast_pattern; content:"&fname="; content:"&s="; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020435; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checking filename"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"path="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020437; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert udp any any -> any any (msg:"ET MALWARE Mozi Botnet DHT Config Sent"; flow:established,to_client; content:"|64 31 3a 72 64 32 3a 69 64 32 30 3a 38 38 38 38 38 38 38 38|"; content:"|3a 6e 6f 64 65 73 36 32 34 3a 15 15|"; distance:13; within:12; reference:url,blog.netlab.360.com/mozi-another-botnet-using-dht/; reference:url,securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/; reference:md5,5616a3471565d34d779b5b3d0520bb70; reference:md5,891158b3c43e621956558cd0b5b41e81; classtype:command-and-control; sid:2030919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, malware_family Mozi, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT File information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; content:"&file="; distance:0; content:"&type="; distance:0; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020438; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Serial"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&serial="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020439; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Date"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&date="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020440; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (SK)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"SK"; nocase; fast_pattern; bsize:2; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020441; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skype)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skype"; nocase; fast_pattern; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020442; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skypee)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skypee"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020443; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_rtemp.php?n="; fast_pattern; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5efc02d416b15554b25d9acec362148e; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020436; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Beaugrit.gen.AAAA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/attach/1759CB3B5124F217143044"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fbfe6c2673aec9098e1fc9bf6d7fc059; classtype:trojan-activity; sid:2020479; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.NSIS.Comame.A Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/9.php?safe="; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a15f19a3ccd05f74537464e6df64dab; classtype:command-and-control; sid:2020480; rev:5; metadata:created_at 2015_02_19, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ddnsmngr.cmd?action=apply"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"dnsPrimary="; fast_pattern; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"dnsDynamic="; content:"dnsRefresh="; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/verify.php?version="; fast_pattern; content:"&GUID=|7b|"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020490; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign GET Keepalive"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php/customer/onlin"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020432; rev:7; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC Beacon 2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/cou.php"; fast_pattern; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020504; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe download with no referer (noalert)"; flow:established,to_server; flowbits:set,exe.no.referer; flowbits:noalert; http.uri; content:".exe"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2020573; rev:4; metadata:created_at 2015_02_27, former_category INFO, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Superlinks Plugin SQL Injection"; flow:established,to_server; http.uri; content:"/superlinks.php?"; nocase; fast_pattern; pcre:"/[?&]id=\d*?[^\d]\d*?(?:&|$)/i"; reference:url,www.exploit-db.com/exploits/33809/; classtype:attempted-user; sid:2018612; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_06_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Update check"; flow:established,to_server; http.uri; content:"/update.inf"; http.header; content:"X-TA-ClientVer|3a 20|"; fast_pattern; content:"X-TA-ClientOS|3a 20|"; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020580; rev:4; metadata:created_at 2015_02_27, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; urilen:9; http.method; content:"POST"; http.uri; content:"/ping.ccp"; fast_pattern; http.request_body; content:"ccp_act=ping_v6&ping_addr="; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:4; metadata:created_at 2015_03_03, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xunpf.A Retrieving DLL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web_"; fast_pattern; content:".jpg"; pcre:"/\/web_[0-9A-F]{12}\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfb7dd8b6975b73dc9c731319a05f86d; classtype:trojan-activity; sid:2020601; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/fwupgrade.ccp"; fast_pattern; http.request_body; content:"|0d 0a|fwupgrade"; content:"|0d 0a|resolv.conf"; nocase; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; fast_pattern; http.request_body; content:"set_general"; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:5; metadata:created_at 2015_03_02, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Downloading Module"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".pack"; nocase; fast_pattern; endswith; http.user_agent; content:"Mozilla"; startswith; pcre:"/^Mozilla(?:\/4\.0)?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:7; metadata:created_at 2014_06_25, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor Based Locker Page (Torrentlocker)"; flow:established,to_server; http.uri; content:"/buy.php?"; fast_pattern; http.header; pcre:"/Host\x3a\x20[a-z0-9]{16}\.[^\r\n]*?(?:tor|onion)/mi"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018951; rev:6; metadata:created_at 2014_08_18, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M2 Feb 06 2015"; flow:established,to_server; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$/"; classtype:exploit-kit; sid:2020644; rev:4; metadata:created_at 2015_03_07, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Post Infection CnC Beacon"; flow:established,to_server; http.uri; content:"/rp?"; fast_pattern; content:"v="; content:"a="; content:"u="; content:"d="; pcre:"/^\/(?:[^\x2f]+\/)?rp\?[a-z]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fc962cb08f62e3d6368500a8e747cf73; classtype:command-and-control; sid:2020645; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Onkods.A Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)*?[a-z]+\.exe$/"; http.header; content:"User-Agent|3a 20|"; depth:12; pcre:"/^User-Agent\x3a\x20(?=\d*[a-z])[a-z0-9]+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fb570e6d68e708daeceae5dfc544fba2; classtype:command-and-control; sid:2018121; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaoutra.ru)"; flow:to_server,established; http.header; content:"bagacaoutra.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaoutra\.ru\r\n/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020650; rev:6; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacavoltou.ru)"; flow:to_server,established; http.header; content:"bagacavoltou.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacavoltou\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020651; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaveia.ru)"; flow:to_server,established; http.header; content:"bagacaveia.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaveia\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020652; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Checkin"; flow:established,to_server; http.uri; content:"v="; content:"a="; content:"u="; content:"i=0"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)?[a-z_]+\?[a-z]=/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,baf71ace207afd3f330c4aba3784e074; classtype:command-and-control; sid:2020646; rev:6; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Checkin"; flow:established,to_server; http.uri; content:"/?user="; fast_pattern; content:"os="; content:"&os2="; content:"&ver="; content:"&host="; content:!"|2e|"; content:"type="; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019678; rev:5; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|13|0d 0a|"; fast_pattern; http.request_body; content:"|00 04 00 00 00|"; offset:4; depth:5; content:!"|00 00 00 00|"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:command-and-control; sid:2020568; rev:6; metadata:created_at 2015_02_25, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; fast_pattern; pcre:"/\.php\?id=\d+$/"; http.header; content:!"Content-T"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:command-and-control; sid:2020706; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FindPOS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"oprat="; fast_pattern; content:"&uid="; content:"&uinfo="; content:"&win="; content:"&vers="; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:command-and-control; sid:2020723; rev:5; metadata:created_at 2015_03_21, former_category MALWARE, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fileless infection dropped by EK CnC Beacon"; flow:established,to_server; http.uri; content:"hl="; content:"source="; content:"aq="; content:"aqi="; content:"aql="; fast_pattern; content:"oq="; http.header; content:!"google."; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:49; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020734; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"ext="; content:"&pid="; content:"&country="; content:"&regd="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020738; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/state"; fast_pattern; content:".php?"; pcre:"/\/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020717; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hyteod CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.header; content:"|5f 5e 5b 8b e5 5d|"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; bsize:63; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept-"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f2ad19a08063171b039accd24b0c27ca; classtype:command-and-control; sid:2020821; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 2"; flow:established,to_server; http.header; content:"Accept|3a 20|*/*,|20|"; content:", MZ"; fast_pattern; pcre:"/^Accept\x3a\x20\*\/\*,[^\r\n]+, MZ/mi"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020834; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F exe Download 2"; flow:to_server,established; urilen:<13; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/^\/[^\x2f]+?\.exe$/i"; http.host; content:".ru"; endswith; http.header; content:".ru|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:8; metadata:created_at 2013_07_24, updated_at 2020_09_29;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 20, seconds 40; http.method; content:"GET"; http.uri; content:"/random"; nocase; fast_pattern; pcre:"/\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do)/i"; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.sanlorenzoyacht.com"; bsize:23; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .automercado .co .cr in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.automercado.co.cr"; bsize:21; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ne-ba.org"; bsize:13; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/cgi-bin/webcm"; fast_pattern; http.request_body; content:"getpage="; depth:10; content:"errorpage="; distance:0; content:"/html/index.html&login|3a|command"; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup.cgi?todo=wan_dns1="; fast_pattern; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?wan_primary_dns="; fast_pattern; content:"&wan_secondary_dns="; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/router/add_dhcp_segment.cgi?"; fast_pattern; content:"is_router_as_dns=1"; content:"&dns1="; content:"submitbutton="; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/loader.php?name="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:command-and-control; sid:2020883; rev:7; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Worm Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.c.php?request="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,volexity.com/blog/?p=118; classtype:command-and-control; sid:2020887; rev:4; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; pcre:"/\/gate\.php$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http.request_body; content:"id="; depth:3; pcre:"/^[A-F0-9]+$/R"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020890; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault Mailer CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/redirect.php?loc=mail"; fast_pattern; pcre:"/\/redirect\.php\?loc=mail$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,af0e5a5df0be279aa517e2fd65cadd5c; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020906; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&knock="; distance:0; content:"&keylog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020907; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ruckguv.A Requesting Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/id.exe"; fast_pattern; http.user_agent; content:"MSIE"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,227365242cc97fa611fdac295b732d82; reference:md5,b9eec5be1d2f5d0007bd94fdd8c7ea57; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3801; classtype:trojan-activity; sid:2020910; rev:5; metadata:created_at 2015_04_14, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ttint XORed CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.connection; content:"Upgrade"; http.request_body; content:"|a1 8a ee 02 e8 91 ff 04 be ac f7 09 b3 9c|"; offset:8; fast_pattern; reference:url,blog.netlab.360.com/ttint-an-iot-rat-uses-two-0-days-to-spread/; classtype:command-and-control; sid:2030924; rev:2; metadata:affected_product IoT, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, malware_family Ttint, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; http.stat_code; content:"302"; http.stat_msg; content:"Found"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:4; metadata:created_at 2015_04_16, updated_at 2020_09_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; http.stat_code; content:"301"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:4; metadata:created_at 2015_04_16, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?id="; fast_pattern; content:"&os="; content:"&com="; content:"&ver="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020918; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/keylogger.php?id="; fast_pattern; content:"&com="; content:"&key="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020920; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?fn="; fast_pattern; pcre:"/&(?:uid|name|file)=[a-f0-9]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020921; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?fn="; fast_pattern; http.request_body; content:"name=|22|file|22|"; content:"name=|22|path|22|"; distance:0; content:"name=|22|submit|22|"; distance:0; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020922; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bioazih RAT Checkin"; flow:to_server,established; http.header; content:"Hostname|3a|"; content:"Ip|3a|"; content:"Os|3a|"; content:"Proxy|3a|"; fast_pattern; content:"Vm|3a|"; http.user_agent; content:"Pass|3a|"; startswith; reference:md5,7bc5451341a684aca80a59a463bad973; reference:md5,5443cf2b6c010c57cf740356c9167b77; reference:url,blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe.aspx; classtype:command-and-control; sid:2020927; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".asp?HostID="; fast_pattern; pcre:"/\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$/"; http.header; content:"Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 0d 0a|"; reference:md5,e397a68bf4fbb7a9b4d1b6da1fe2172b; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020928; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?bit="; fast_pattern; content:"&version="; pcre:"/\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020939; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 6"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?check"; fast_pattern; pcre:"/\/\?check$/"; http.user_agent; content:"Example"; bsize:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020940; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|uploaded|22 3b 20|filename=|22|"; fast_pattern; content:".jpg"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; nocase; classtype:command-and-control; sid:2020933; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor Downloading Dridex"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.user_agent; content:"MSIE"; http.connection; content:"close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:4; metadata:created_at 2015_04_22, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; flowbits:set,ET.CozyDuke.HTTP; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020963; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?$/"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http.request_body; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020964; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; http.stat_code; content:"307"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; http.stat_code; content:"303"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BUILDINGCAN CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:69; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) Chrome/28.0.1500.95 Safari/537.36"; fast_pattern; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.request_body; content:"id="; startswith; pcre:"/(?:&(?:boardid|bbsNo|strBoardID|userid|bbs|filename|code|pid|seqNo|ReportID|v|PageNumber|num|view|read|action|page|mode|idx|cateId|bbsId|pType|pcode|index|tbl|idx_num|act|bbs_id|bbs_form|bid|bbscate|menu|tcode|b_code|bname|tb|borad01|borad02|borad03|mid|newsid|table|Board_seq|bc_idx|seq|ArticleID|B_Notice|nowPage|webid|boardDiv|sub_idxa)=[^&]+){3}$/R"; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:targeted-activity; sid:2030932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed DownloadAssistant User-Agent"; flow:established,to_server; http.user_agent; content:"DLA/"; startswith; reference:md5,521875fc63f4b2c004deb75e766cb8c5; classtype:pup-activity; sid:2030933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Internet, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/"; classtype:exploit-kit; sid:2020991; rev:4; metadata:created_at 2015_04_24, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownloadAssistant Activity"; flow:established,to_server; http.start; content:"POST /v2/events HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Length|3a 20|"; fast_pattern; http.request_body; content:"4F44"; startswith; reference:md5,d6d20eef805a4719f0771321f832bbed; classtype:pup-activity; sid:2030934; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_30;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; threshold: type both, track by_dst, count 10, seconds 60; http.method; content:"POST"; http.uri; content:"/apply_noauth.cgi"; fast_pattern; http.request_body; content:"timestamp="; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:4; metadata:created_at 2015_04_28, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin"; flow:to_server,established; urilen:7; http.method; content:"GET"; http.uri; content:"/dw/gtk"; fast_pattern; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021028; rev:4; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2020_09_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin 2"; flow:to_server,established; urilen:>107; http.method; content:"GET"; http.uri; content:"/setup/"; fast_pattern; pcre:"/\/setup\/[a-zA-Z0-9!-]{100,}$/"; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021029; rev:4; metadata:created_at 2015_04_29, former_category MALWARE, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim payload retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/app.exe"; fast_pattern; pcre:"/\/app\.exe$/"; http.user_agent; content:"Wget"; depth:4; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020350; rev:6; metadata:created_at 2015_02_03, updated_at 2020_09_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".xap"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/m"; file.data; content:"AppManifest.xaml"; fast_pattern; classtype:exploit-kit; sid:2020982; rev:5; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_09_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; content:"&host="; content:"&browser="; content:"&post="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:command-and-control; sid:2021055; rev:6; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Xenu Link Sleuth"; fast_pattern; classtype:attempted-recon; sid:2021058; rev:5; metadata:created_at 2015_05_05, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M1 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^1\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021067; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M2 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^2\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021068; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M3 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^3\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021069; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M4 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^4\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021070; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M5 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^5\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021071; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M6 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^6\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021072; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M7 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^7\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021073; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M8 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^8\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021074; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M9 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^9\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021075; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC GET"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"docs/"; fast_pattern; pcre:"/^\/(?:tran|http)docs\//"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021080; rev:4; metadata:created_at 2015_05_09, former_category MALWARE, updated_at 2020_09_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Checkin"; flow:to_server,established; urilen:6; http.method; content:"GET"; http.uri; content:"/v.vlt"; fast_pattern; http.header; content:"|0d 0a|UA-CPU|3a 20|"; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:command-and-control; sid:2021091; rev:4; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putty SSH Credential Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=c3NoOi8v"; fast_pattern; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:4; metadata:created_at 2015_05_14, updated_at 2020_10_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Tmanger Checkin"; flow:established,to_server; content:"|8f 98 45 59 08 12 b2 aa ea 9d 7b 27 15 96 5f 00 2b b5 00|"; offset:8; depth:19; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Infostealer CnC Host Checkin"; flow:established,to_server; content:"|54 0b 54|"; offset:16; depth:3; fast_pattern; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|08 00|"; distance:0; content:"|01|"; endswith; reference:md5,a5a4046989fa0f99c2076aec3ea0ab2a; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030939; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M5"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030936; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M6"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030937; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?"; fast_pattern; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/"; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,a69ac85c7e723ae37377516d7054fa0b; classtype:command-and-control; sid:2021118; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?wd="; fast_pattern; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,1beb162fc327101c01b07240a924202f; classtype:command-and-control; sid:2021119; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.Jenxcus.H URL Structure"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/is-rinoy"; fast_pattern; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021122; rev:4; metadata:created_at 2015_05_20, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&guid="; content:"&version="; distance:0; pcre:"/&version=\d+$/"; http.header; content:"WinHttp.WinHttpRequest."; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021132; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; pcre:"/^[A-Za-z0-9/_]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021139; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos URL Structure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/infects/"; fast_pattern; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:4; metadata:created_at 2015_05_22, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Autorun.AD Checkin"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/loglogin.html"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; reference:md5,3d652375fd511878f410fb1048e47f83; classtype:command-and-control; sid:2021143; rev:6; metadata:created_at 2015_05_23, former_category MALWARE, updated_at 2020_10_01;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Red-Is-Sus Server"; nocase; endswith; reference:md5,de232dfbef55fa3803b15f4fa01c9f95; classtype:domain-c2; sid:2030935; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE TransparentTribe AhMyth RAT Variant Activity (POST)"; flow:established,to_server; content:"|20|gzip|0d 0a 0d 0a|5d|0d 0a|--"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"U|3b 20|Android"; http.request_body; content:"form-data|3b 20|name=|22|imei|22 0d 0a|"; content:"form-data|3b 20|name=|22|image|22 3b 20|filename=|22|sm.csv|22 0d 0a|"; distance:0; reference:url,securelist.com/transparent-tribe-part-2/98233/; reference:md5,b8006e986453a6f25fd94db6b7114ac2; classtype:trojan-activity; sid:2030940; rev:1; metadata:attack_target Mobile_Client, created_at 2020_10_01, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action=getuid"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021166; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&uid="; content:"&bit="; content:"&version="; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021167; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; http.uri; content:"/pha?android_version="; fast_pattern; content:"&id="; content:"&phone_number="; content:"&client_version="; content:"&imei="; content:"&name="; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_06_01, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Backspace CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.header; content:"HOST|3a 20|"; http.user_agent; content:"SJZJ (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ddf0981aebeea6ba9abdae6ddf8ed4e2; classtype:targeted-activity; sid:2021184; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?type=notification&machinename="; fast_pattern; content:"&machinetime="; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:command-and-control; sid:2021188; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".py"; fast_pattern; endswith; http.user_agent; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021213; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; fast_pattern; pcre:"/\.asp$/"; http.header; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021214; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip2location.com"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021162; rev:5; metadata:created_at 2015_05_29, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ip.webmasterhome.cn"; flow:established,to_server; http.host; content:"ip.webmasterhome.cn"; fast_pattern; bsize:19; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021250; rev:4; metadata:created_at 2015_06_11, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Retrieving Config"; flow:to_server,established; urilen:22; http.method; content:"GET"; http.uri; content:"/css/bootstrap.min.css"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/i"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:4; metadata:created_at 2015_06_13, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload"; flow:established,to_server; http.uri; content:"/lns.txt"; fast_pattern; pcre:"/\/lns.txt$/"; http.user_agent; content:"WinHttp.WinHttpRequest"; reference:md5,0ed66982890ec483c3bc6f883e2424fb; classtype:trojan-activity; sid:2021284; rev:5; metadata:created_at 2015_06_17, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; pcre:"/\/win\.html$/"; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/si"; classtype:exploit-kit; sid:2021292; rev:4; metadata:created_at 2015_06_18, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".ini?"; fast_pattern; pcre:"/^\/[a-z]+?\.*?ini\?\d+$/i"; http.header_names; content:!"|0d 0a|Accept-"; content:!"User-Agent|0d 0a|"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021300; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/page_"; nocase; fast_pattern; content:".html"; nocase; pcre:"/\/[a-f0-9]{8}\/page_\d{8,10}\.html$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0"; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021274; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.DES.Downloader Request"; flow:to_server,established; http.uri; content:"/ad.php?id="; fast_pattern; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b 20|Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10|0d 0a|Accept-Encoding|3a 20|deflate|0d 0a|Accept-Language|3a 20|en-us|0d 0a|HOST|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021352; rev:4; metadata:created_at 2015_06_26, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup www.whatsmyip.us"; flow:established,to_server; http.host; content:"www.whatsmyip.us"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2021371; rev:4; metadata:created_at 2015_06_30, former_category POLICY, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Checkin"; flow:established,to_server; http.uri; content:"/up_docx.php"; fast_pattern; http.header_names; content:!"Referer"; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:command-and-control; sid:2021376; rev:4; metadata:created_at 2015_07_02, former_category MALWARE, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Download"; flow:established,to_server; http.uri; content:"/WINWORD32.exe"; fast_pattern; http.header_names; content:!"Referer"; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:trojan-activity; sid:2021377; rev:5; metadata:created_at 2015_07_02, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.2|29 20|"; startswith; http.request_body; content:"appid="; depth:6; content:"&model="; content:"&imei="; fast_pattern; content:"&connect="; content:"&dpi="; content:"&width="; content:"&cpu="; content:"&phoneno="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; http.uri; content:"/landing?c="; fast_pattern; content:"&g="; content:"&a="; content:"&s1="; content:"&s2="; content:"&s3="; content:"&s4="; content:"&s5="; content:"&s6="; content:"&s7="; content:"&s8="; content:"&s9="; content:"&s10="; content:"&s11="; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"uuid="; content:"language="; content:"appkey"; content:"model="; content:"operatorsname="; fast_pattern; content:"networkname="; content:"networktype="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matsnu Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; bsize:70; http.request_body; content:"="; depth:7; content:"AA"; distance:3; within:2; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.connection; content:"Keep-AliveCache-Control|3a 20|no-cache"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:command-and-control; sid:2021399; rev:5; metadata:created_at 2015_07_10, former_category MALWARE, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm/contador.php"; fast_pattern; http.user_agent; content:"Firefox/15.0.1"; bsize:14; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021403; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi_test.cgi?write_"; fast_pattern; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/i"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:4; metadata:created_at 2015_07_13, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; http.uri; content:"/movie.swf"; fast_pattern; classtype:trojan-activity; sid:2021414; rev:4; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SLOTHFULMEDIA RAT CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v?m="; startswith; fast_pattern; content:"&i="; distance:0; http.accept; content:"application/octet-stream,application/xhtml"; bsize:42; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-275a; reference:md5,448838b2a60484ee78c2198f2c0c9c85; classtype:command-and-control; sid:2030960; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; http.uri; content:"isn_logdel"; nocase; fast_pattern; pcre:"/[?&]isn_logdel/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:8; metadata:created_at 2013_12_10, updated_at 2020_10_01;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; http.uri; content:"isn_logpath"; nocase; fast_pattern; pcre:"/[?&]isn_logpath/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:8; metadata:created_at 2013_12_10, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 2"; flow:to_server,established; urilen:12; http.method; content:"GET"; http.uri; content:"/checkupdate"; fast_pattern; http.header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/mi"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; startswith; http.cookie; content:"A="; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/m"; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021502; rev:4; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 1"; flow:to_server,established; http.uri; content:"/status"; fast_pattern; http.header; pcre:"/^[a-f0-9]{32}\.org/R"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; startswith; http.host; content:"jdk."; startswith; http.cookie; content:"SSID="; content:"A="; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/"; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021501; rev:5; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/"; fast_pattern; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/"; http.header; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/mi"; http.request_body; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021520; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern; http.stat_code; content:"200"; file.data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:4; metadata:created_at 2015_07_24, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; http.uri; content:".xap"; nocase; fast_pattern; pcre:"/\/\d{2,}\.xap$/i"; classtype:exploit-kit; sid:2018402; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip?json"; fast_pattern; http.host; content:"trackip.net"; classtype:external-ip-check; sid:2021550; rev:4; metadata:created_at 2015_07_29, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; http.uri; content:".php?id="; fast_pattern; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/"; classtype:trojan-activity; sid:2021552; rev:4; metadata:created_at 2015_07_30, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 7"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?vid="; fast_pattern; pcre:"/\.jpg\?vid=\d+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021570; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Androm.gnlb Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?ver="; fast_pattern; nocase; content:"&mac="; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c7e6ebf91c03a2bcaa8053f149870fad; classtype:command-and-control; sid:2021608; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2020_10_01;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/gac/"; fast_pattern; pcre:"/^\/gac\/[a-f0-9]{15}$/"; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a|"; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_08_13, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest CnC Beacon"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?"; content:"/0"; content:"=0000"; fast_pattern; content:"=?"; pcre:"/\.php\?[a-z]+=0000[a-fA-F0-9]{4}&[a-z]+=\?[A-F0-9]+&[a-z]=\d{4}&[a-z]=\d{4}$/"; http.header; content:"Accept"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1b820dda5833f802be829d468884884e; classtype:command-and-control; sid:2025089; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tcp any any -> $HOME_NET 40006 (msg:"ET EXPLOIT [401TRG] HPDM Backdoor Login"; flow:established,to_server; content:"user|00|dm_postgres|00|database|00|hpdmdb|00|"; fast_pattern; reference:url,twitter.com/nickstadb/status/1310853783765815297; classtype:attempted-admin; sid:2030961; rev:2; metadata:created_at 2020_10_02, former_category EXPLOIT, performance_impact Low, updated_at 2020_10_02;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030942; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailgun Phishing Landing"; flow:to_client,established; file.data; content:"<title>Log In to Mailgun"; nocase; content:"function checkUsername()"; nocase; distance:0; content:"function checkPassword()"; nocase; distance:0; content:".php|22|,"; nocase; distance:0; content:"type|3a 20 22|POST|22|,"; nocase; distance:0; content:"data|3a 20|{username|3a 20|$('#username').val(),password|3a|$('#password').val()"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2030943; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Sending Debug Messages"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?usid="; fast_pattern; content:"&txt=00"; distance:0; pcre:"/^[0-9a-f]+$/R"; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030946; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Files"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lup.php?name="; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030952; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030953; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending File Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|file|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending Screenshot Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|src|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/data/"; content:".xd"; isdataat:!2,relative; http.user_agent; bsize:17; content:"internet explorer"; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, signature_severity Major, updated_at 2020_10_02;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FinSpy Domain (browserupdate .download in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".browserupdate.download"; endswith; fast_pattern; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; reference:url,github.com/AmnestyTech/investigations/blob/master/2020-09-25_finfisher/domains.txt; classtype:domain-c2; sid:2030962; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 3"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/r.php?"; fast_pattern; pcre:"/\/r\.php\?[A-F0-9]+=?$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0a4d0e5d0b69560414bbd20127bd8176; classtype:command-and-control; sid:2021723; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; pcre:"/\.asp$/"; http.request_body; content:"m="; depth:2; content:"AA=="; fast_pattern; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:command-and-control; sid:2018685; rev:5; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; http.uri; content:"/data.php?table="; fast_pattern; content:"&game="; pcre:"/&game=[a-f0-9]{40}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:4; metadata:attack_target Mobile_Client, created_at 2015_08_31, former_category MOBILE_MALWARE, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cert.php"; http.request_body; content:"id="; depth:3; content:"&cert="; content:"&priv="; fast_pattern; content:"&flag="; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:4; metadata:attack_target Mobile_Client, created_at 2015_08_31, former_category MOBILE_MALWARE, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Reconyc.equo Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; content:"&mac="; fast_pattern; content:"&auth="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,32c17edee5b29e41f31eda05e78b2241; classtype:command-and-control; sid:2021744; rev:5; metadata:created_at 2015_09_04, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt Connectivity Check 1"; flow:established,to_server; urilen:4; http.uri; content:"/raw"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,d0e3471f4963496cefd73744e98340aa; classtype:trojan-activity; sid:2021775; rev:4; metadata:created_at 2015_09_15, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2021786; rev:4; metadata:created_at 2015_09_16, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron Tiger Backdoor.GCloud CnC Beacon"; flow:established,to_server; http.uri; content:"/user?pid="; fast_pattern; content:"&data="; http.user_agent; content:"WinHTTP Example/1.0"; bsize:19; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021790; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upx/"; fast_pattern; pcre:"/\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021812; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; http.uri; content:".php?v="; content:"&brok="; fast_pattern; content:"&u="; content:"&id="; pcre:"/&id=\d{15}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_10_27, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"P"; depth:1; nocase; content:"myPath =|20|"; nocase; content:"iFold =|20|"; nocase; content:"wallPath =|20|"; nocase; fast_pattern; content:"listPath =|20|"; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021851; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Created wallet -|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021855; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M RecursiveFileSearch"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021856; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Scan folder|3a 20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021857; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Saved cryptor key -|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021858; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"|29 20|Encrypt|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021859; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Files encrypted,"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021860; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M STATE|3a 20|CRYPTED_"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021861; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Free disk space|3a 20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021862; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itms-services|3a|"; http.header; content:"bb800.com|0d 0a|"; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/m"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:5; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".plist"; pcre:"/\.plist$/"; http.header; content:"bb800.com|0d 0a|"; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/m"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:5; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage Userclass HTTP Request"; flow:established,to_server; urilen:10; http.uri; content:"/Userclass"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; content:!"Referer"; reference:md5,92ecb8cedb226a27e354b45a56f0353f; classtype:trojan-activity; sid:2021922; rev:4; metadata:created_at 2015_10_07, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/getInstalledPackages.jsp"; fast_pattern; http.request_body; content:"sdCardFree="; depth:11; content:"&imei="; distance:0; content:"&hasSd="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_10_08, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Nemim Checkin"; flow:to_server,established; http.uri; content:".php?a1="; nocase; fast_pattern; content:"&a2="; nocase; content:"&a3="; nocase; pcre:"/\.php\?a1=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&a2=[a-f0-9]{32}&a3=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve; classtype:command-and-control; sid:2017599; rev:6; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"&act="; fast_pattern; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:4; metadata:created_at 2015_10_28, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malvertising Malicious PE Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adobe_flashplayer_7.exe"; fast_pattern; reference:md5,d9b91aa8c66c4a701f5558bdca805eec; reference:url,otx.alienvault.com/pulse/5637202b4637f2388aaec61c/; classtype:trojan-activity; sid:2022020; rev:4; metadata:created_at 2015_11_03, updated_at 2020_10_05;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MosaicRegressor WinHTTP Downloader)"; flow:established,to_client; tls.cert_subject; content:"CN=ezan.yikongjian.cc"; bsize:21; fast_pattern; tls.cert_issuer; content:"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA"; bsize:86; reference:url,securelist.com/mosaicregressor/98849/; reference:url,74DB88B890054259D2F16FF22C79144D; classtype:domain-c2; sid:2030963; rev:1; metadata:attack_target Client_and_Server, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Ransom.Win32.Blocker.dham Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ID="; content:"&Serial="; content:"&acao="; content:"&Log="; content:"&PCInfo="; fast_pattern; reference:md5,e15b38251aed80298ba07169eb6ee2fa; classtype:command-and-control; sid:2022091; rev:4; metadata:created_at 2015_11_13, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/menu.php"; fast_pattern; endswith; http.user_agent; content:"rv|3a|20.0"; content:"Firefox/20.0"; distance:0; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020891; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/\.php\?hwid=[A-F0-9]{16}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; reference:md5,d543973bd33d45d515e8dfc251411c4b; classtype:trojan-activity; sid:2022127; rev:4; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 1"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"/img/"; depth:5; content:"/"; distance:32; within:1; content:"/general.png"; endswith; fast_pattern; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/general\.png$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022146; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST 2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\d+$/"; http.user_agent; content:"Sony|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,f184c13be617754e394ecb8c972c8861; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2022188; rev:4; metadata:created_at 2015_11_26, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip2nation.com"; flow:established,to_server; http.host; content:"www.ip2nation.com"; fast_pattern; bsize:17; classtype:external-ip-check; sid:2022222; rev:4; metadata:created_at 2015_12_07, former_category POLICY, updated_at 2020_10_05;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN COMMIX Command injection scan attempt"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 6d 6d 69 78|"; fast_pattern; reference:url,github.com/stasinopoulos/commix/blob/master/README.md; classtype:web-application-activity; sid:2022243; rev:4; metadata:created_at 2015_12_11, updated_at 2020_10_05;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:4; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (exe) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".exe"; nocase; fast_pattern; classtype:misc-activity; sid:2022264; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msi) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msi"; nocase; fast_pattern; classtype:misc-activity; sid:2022265; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msp) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msp"; nocase; fast_pattern; classtype:misc-activity; sid:2022266; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:4; metadata:created_at 2015_12_16, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&prv_ip="; fast_pattern; content:".doc"; content:".xls"; content:".ppt"; content:".sql"; content:".pdf"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Internet Explorer)"; flow:established,to_server; http.user_agent; content:"Internet Explorer"; depth:17; endswith; nocase; http.host; content:!"pnrws.skype.com"; content:!"iecvlist.microsoft.com"; content:!".lenovo.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:bad-unknown; sid:2008052; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Evil Macro Downloading Trojan Dec 16 2015 Post to EXE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/^[\x2fa-z\d]+\.exe$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|Connection|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022270; rev:4; metadata:created_at 2015_12_17, former_category CURRENT_EVENTS, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProPoS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Pro PoS"; fast_pattern; startswith; http.accept; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.talosintel.com/2015/12/pro-pos.html; classtype:command-and-control; sid:2022282; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; nocase; http.request_body; content:"{|22|type|22 3a|"; depth:8; content:",|22|text|22 3a|"; content:",|22|code|22 3a|"; fast_pattern; content:",|22|from|22 3a|"; content:"|22|}"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_11_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IOS Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".ipa"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022296; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".apk"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022297; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; http.uri; content:"/444.jpg"; fast_pattern; http.host; content:"postimg.org"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:7; metadata:created_at 2014_01_28, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Htbot.B Checkin"; flow:to_server,established; http.uri; content:".php?command="; fast_pattern; pcre:"/\.php\?command=(?:g(?:hl|et(?:ip|id|backconnect))|update2?|dl|log)(?:$|&)/"; http.user_agent; content:"pb"; bsize:2; reference:md5,bdd2328d466e563a650bb7ccdb9aca79; reference:md5,ba1404af71ecf3ca8b0e30a2b365f6fd; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FHtbot.B; classtype:command-and-control; sid:2020089; rev:6; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Downloader fake image zip"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".zip"; endswith; nocase; fast_pattern; pcre:"/\.(?:gif|jpe?g)\.zip$/i"; http.content_type; content:"text/plain|3b 20|Charset=UTF-8"; bsize:25; reference:md5,7b678a25c533652dbb0c2a2ac37cf1e3; classtype:trojan-activity; sid:2022334; rev:4; metadata:created_at 2016_01_06, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; flowbits:set,ET.And.CruseWin; flowbits:noalert; http.uri; content:"/flash/test.xml"; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:command-and-control; sid:2013193; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_05;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL Linux/Torte Uploaded"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"JGVudiA9ICJYRFZTTl9TRVNTSU9OX0NPT0tJR"; fast_pattern; content:"eval(base64_decode($_REQUEST["; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:attempted-admin; sid:2022359; rev:4; metadata:created_at 2016_01_13, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Checkin"; flow:established,to_server; http.uri; content:"/logo.gif?sessd="; fast_pattern; content:"&sessc="; content:"&sessk="; distance:0; http.header; pcre:"/^(?:zh-CN|en-US)\x3b rv\x3a1\.7\.6\)\r\n/R"; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|"; startswith; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:command-and-control; sid:2022358; rev:5; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL JSP/Backdoor Shell Access"; flow:established,to_server; http.uri; content:".war?cmd="; fast_pattern; content:"&winurl="; content:"&linurl="; pcre:"/\.war\?cmd=[a-zA-Z0-9+/=]+&winurl=[a-zA-Z0-9+/=]*&linurl=[a-zA-Z0-9+/=]*/"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:successful-admin; sid:2022348; rev:5; metadata:created_at 2016_01_12, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip.tyk.nu"; flow:established,to_server; urilen:1; http.host; content:"ip.tyk.nu"; fast_pattern; bsize:9; classtype:external-ip-check; sid:2022368; rev:4; metadata:created_at 2016_01_14, former_category POLICY, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tabDialog.html?dialog=login"; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - meuip.net.br"; flow:established,to_server; http.host; content:"meuip.net.br"; fast_pattern; bsize:12; classtype:external-ip-check; sid:2022405; rev:4; metadata:created_at 2016_01_25, former_category POLICY, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; http.uri; content:"/?keyword="; fast_pattern; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/"; classtype:exploit-kit; sid:2022493; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC HTTP Pattern"; flow:established,to_server; http.method; content:"GET"; http.uri; content:",0x"; fast_pattern; pcre:"/(?:,0x[0-9a-f]{2}){10}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,8df8d0cd70f96538211c65fb6361704d; classtype:command-and-control; sid:2022494; rev:4; metadata:created_at 2016_02_08, former_category MALWARE, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 1"; flow:established,to_server; urilen:11; http.method; content:"GET"; http.uri; content:"/flamme.php"; fast_pattern; http.header; content:"Cache-Control|3a 20|no-cache"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; classtype:command-and-control; sid:2022495; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Microsoft"; nocase; content:"/default.asp"; distance:0; content:"?tmp="; fast_pattern; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:command-and-control; sid:2018554; rev:6; metadata:created_at 2014_06_11, former_category MALWARE, updated_at 2020_10_05;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.cookie; content:"PHPSESSID="; pcre:"/(?:[a-z]+=\d{3,4}\x3b\x20){4}/"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; bsize:37; classtype:command-and-control; sid:2021718; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton Checkin"; flow:to_server,established; http.uri; content:".php?ch="; fast_pattern; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-length|3a 20|0|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022676; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 1"; flow:to_server,established; http.request_body; content:"task=report&id="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022677; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 2"; flow:to_server,established; http.request_body; content:"task=knock&pub="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022678; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.TreasureHunter Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; content:"request=true"; fast_pattern; http.request_body; content:"request="; depth:8; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; reference:md5,070e9a317ee53ac3814eb86bc7d5bf49; reference:url,isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/; classtype:command-and-control; sid:2022681; rev:3; metadata:created_at 2016_03_29, former_category MALWARE, updated_at 2020_10_05;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-sale.com"; bsize:18; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030969; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_10_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".html"; nocase; fast_pattern; pcre:"/\/\d{8,10}\.html$/i"; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:!"www.youdao.com"; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cfa7954722d4277d26e96edc3289a4ce; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021276; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via dawhois.com"; flow:established,to_server; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; classtype:external-ip-check; sid:2022687; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:external-ip-check; sid:2022688; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.request_body; content:"|40 24|"; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:command-and-control; sid:2022689; rev:4; metadata:created_at 2016_03_30, former_category MALWARE, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"co"; content:"untry="; content:"phone="; content:"&op="; content:"imei="; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017588; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Keepalive"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".asp"; http.header; content:"Content-Length|3a 20|2|0d 0a|"; fast_pattern; http.request_body; content:"ok"; depth:2; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022363; rev:5; metadata:created_at 2016_01_13, updated_at 2020_10_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Keepalive 2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".asp"; http.header; content:"Content-Length|3a 20|5|0d 0a|"; fast_pattern; http.request_body; content:"READY"; depth:5; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022750; rev:4; metadata:created_at 2016_04_20, updated_at 2020_10_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader.Banload.XDL Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/okok/Notify.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; reference:md5,70adf5506c767590e11bdc473c91bb38; classtype:command-and-control; sid:2022754; rev:4; metadata:created_at 2016_04_22, former_category MALWARE, updated_at 2020_10_06;)
+
+alert http any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; nocase; http.header; content:"Authorization|3a 20|Basic"; http.request_body; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; fast_pattern; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:4; metadata:created_at 2016_04_25, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ga.php?analytic=WyJ1cmwl"; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3718 SSRF Inbound (mvg + fill + url)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"fill"; content:"url("; distance:0; nocase; pcre:"/^\s*https?\x3a\/\//Ri"; classtype:web-application-attack; sid:2022791; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3715 File Deletion Inbound (ephermeral:+ mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"ephemeral"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022792; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3716 Move File Inbound (msl: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"msl"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022793; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3717 Local File Read Inbound (label: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"label"; nocase; pcre:"/^\s*\x3a\s*\x40/Ri"; classtype:web-application-attack; sid:2022794; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/"; http.header; content:"Range"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; classtype:trojan-activity; sid:2022500; rev:7; metadata:created_at 2016_02_10, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality-GR Checkin 2"; flow:to_server,established; http.uri; content:".png?"; fast_pattern; pcre:"/\.png\x3f[0-9a-f]{4,8}\x3d\d+?$/"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,99d614964eafe83ec4ed1a4537be35b9; classtype:command-and-control; sid:2022804; rev:4; metadata:created_at 2016_05_13, former_category MALWARE, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; fast_pattern; endswith; http.header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021079; rev:5; metadata:created_at 2015_05_09, former_category MALWARE, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; pcre:"/https\x3a.+(?<!\x5c)(:[\x22\x27]|\\x2[27])\s*?[\x3b&\x7c><].*?(:[\x22\x27]|\\x2[27])/si"; classtype:web-application-attack; sid:2022789; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)"; flow:established,to_server; http.request_body; content:"<svg|20|"; nocase; fast_pattern; content:"xlink"; nocase; pcre:"/xlink\s*?\x3a\s*?href\s*?=\s*?(:[\x22\x27]|\\x2[27])https.+?&quot\s*?\x3b(?:\x7c|&(?:[gl]t|amp)\s*?\x3b)/si"; classtype:web-application-attack; sid:2022790; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b|)"; http.accept; content:"*/*"; bsize:3; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:4; metadata:created_at 2016_05_19, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; threshold: type both, track by_src, count 15, seconds 30; http.referer; content:"/slowhttptest/"; fast_pattern; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:6; metadata:created_at 2012_01_10, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M1"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022848; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M2"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 22 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022849; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Login Phish 2016-06-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; fast_pattern; http.request_body; content:"email="; nocase; depth:6; content:"&passwd="; nocase; distance:0; content:"&Submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032682; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M1"; flow:to_server,established; urilen:5; http.method; content:"GET"; http.uri; content:"/EPWD"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022851; rev:4; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M2"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/PWD"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022852; rev:4; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".pdf/?"; fast_pattern; pcre:"/\.pdf\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023912; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".zip/?"; fast_pattern; pcre:"/\.zip\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023913; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".htm/?"; fast_pattern; pcre:"/\.htm\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023914; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".xml/?"; fast_pattern; pcre:"/\.xml\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023915; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-score.com"; flow:established,to_server; http.host; content:"ip-score.com"; fast_pattern; bsize:12; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2022892; rev:4; metadata:created_at 2016_06_13, former_category POLICY, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header; content:"Range"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022895; rev:4; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRatReporter check-in"; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php?filename="; fast_pattern; http.header; content:"Accept: */*"; http.accept_enc; content:"utf-8"; bsize:5; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022903; rev:4; metadata:created_at 2016_06_15, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Continuum Arbitrary Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/saveInstallation.action"; fast_pattern; http.request_body; content:"&installation.varValue="; content:"|25|60"; classtype:attempted-user; sid:2022912; rev:4; metadata:created_at 2016_06_22, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit Connectivity Check 0 Byte POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"=http"; content:"/?"; pcre:"/\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0D 0A|"; fast_pattern; http.host; content:"google."; within:10; pcre:"/^(?:www\.)?google(?:\.[a-z]{2,3})+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used; classtype:targeted-activity; sid:2021506; rev:6; metadata:created_at 2015_07_22, former_category MALWARE, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SFG Client Information POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".log"; pcre:"/\.log$/"; http.host; content:"nullptr"; fast_pattern; bsize:7; reference:url,sentinelone.com/blogs/sfg-furtims-parent/; classtype:trojan-activity; sid:2022963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, malware_family Futrim, malware_family SFG, signature_severity Major, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server; http.uri; content:!".exe"; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/"; http.user_agent; content:"Microsoft BITS"; startswith; fast_pattern; http.host; content:!".microsoft.com"; endswith; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pm.sh?"; fast_pattern; pcre:"/^\/pm\.sh\?\d+$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023034; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dw.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, malware_family MONSOON, malware_family Tinytyphon, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon Exfiltrating Docs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|MD5|22|"; content:"name=|22|fname|22|"; distance:0; content:"name=|22|compname|22|"; distance:0; content:"name=|22|uploadedfile|22 3b|"; fast_pattern; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern; classtype:social-engineering; sid:2023068; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_10_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker.BR Checkin"; flow:established,to_server; http.uri; content:".asp?m="; fast_pattern; content:"&v="; pcre:"/\.asp\?m=(?:INS|UAC)(?:&p=&a=)?&i=201\d{11}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,bd389eb9cf03e55013eaf07970288f08; classtype:command-and-control; sid:2023081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTA Application Download"; flow:established,to_server; flowbits:set,ET.HTA.Download; http.method; content:"GET"; http.uri; content:".hta"; nocase; fast_pattern; endswith; http.host; content:!"kaspersky.com"; endswith; reference:url,www.trustedsec.com/july-2015/malicious-htas/; classtype:bad-unknown; sid:2022520; rev:6; metadata:created_at 2016_02_15, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Team IPwned Phishing Landing 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"teamipwned"; fast_pattern; content:"data-shortuserid=|22|teamipwned|22|"; nocase; content:"data-userid=|22|teamipwned|22|"; nocase; distance:0; content:"value=|22|IPwned|22|"; nocase; distance:0; classtype:social-engineering; sid:2032693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET MALWARE PNScan.2 Inbound Status Check - set"; flow:established,to_server; urilen:6; flowbits:set,ET.PNScan.2; flowbits:noalert; http.uri; content:"/check"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023087; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+
+alert http $HOME_NET 9000 -> $EXTERNAL_NET any (msg:"ET MALWARE PNScan.2 Inbound Status Check Response"; flow:established,from_server; flowbits:isset,ET.PNScan.2; http.header; content:"Content-Length|3a 20|12|0d 0a|"; file.data; content:"{|22|status|22 3a|1}"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023088; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srv_report?ver="; fast_pattern; pcre:"/\?ver=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023090; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?ver="; fast_pattern; pcre:"/^\/(?:i686|arm|mips(?:el)?)\?ver=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023089; rev:5; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 3"; flow:established,to_server; http.uri; content:"/final111?&nocache="; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023133; rev:5; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:attempted-admin; sid:2030964; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:web-application-attack; sid:2030965; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Google Adwords Conversion not from Google"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pagead/conversion_async.js"; endswith; fast_pattern; http.host; content:!"googleadservices.com"; content:!"doubleclick.net"; content:!"google.com"; classtype:bad-unknown; sid:2030980; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2020_10_06;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Card Skimmer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".tags-manager.com"; endswith; fast_pattern; reference:url,blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-credit-card-form-to-steal-sensitive-data.html; classtype:domain-c2; sid:2031205; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2022_03_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer JavaScript Inbound"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"var SendFlag = []|3b 0a|function Base64Function(e) {|0d|"; startswith; fast_pattern; content:"|0a|function SendData(vals){|0a|"; distance:0; content:"var b = document.createElement|28 22|img|22 29 3b|b.width = |22|1px|22 3b|b.height = |22|1px|22 3b 20|b.id = img_id|3b|b.src = atob|28 22|"; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
+
+alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:13; metadata:created_at 2012_05_04, updated_at 2022_04_18;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:10; metadata:created_at 2012_05_04, updated_at 2020_10_06;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:10; metadata:created_at 2012_05_04, updated_at 2020_10_06;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=z55gc.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Reporting Adfraud Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/data"; fast_pattern; pcre:"/\.php\/data$/"; http.request_body; content:"http|3a 2f 2f|"; offset:20; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cdfb7e5544c9aa49c17217fdfe04e854; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023293; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot URI Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/catalog/"; fast_pattern; pcre:"/\/catalog\/\d{3,}$/"; http.header; content:!"nap.edu|0d 0a|"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:5; metadata:created_at 2014_10_17, updated_at 2020_10_07;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Anuna PHP Backdoor Attempt"; flow:established,to_server; flowbits:set,ET.Anuna.Backdoor; http.uri; content:".php?cookie=1"; fast_pattern; pcre:"/\.php\?cookie=1$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023305; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_10_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Aerial Keylogger DNS Request"; dns.query; content:"aerial-keylogger.com"; nocase; endswith; classtype:trojan-activity; sid:2030983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Checkin"; flow:established,to_server; flowbits:set,et.citadel; http.method; content:"POST"; http.uri; content:"/file.php"; fast_pattern; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/"; http.header; content:"Content-Length|3a 20|128|0d 0a|"; nocase; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; depth:25; http.header_names; content:!"Referer"; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018598; rev:5; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Pdf.exe Observed in Zeus/Luminosity Link"; flow:established,to_server; http.uri; content:"/pdf.exe"; fast_pattern; classtype:trojan-activity; sid:2018080; rev:6; metadata:created_at 2014_02_05, former_category MALWARE, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20 70 6f 73 74 5f 65 78 61 6d 70 6c 65|"; fast_pattern; http.request_body; content:"=0x"; content:"|2c|0x"; distance:2; within:5; content:"|3c 62 72 3e|"; distance:0; reference:md5,ad2c80611ebc7f6d45bd3e46de38b776; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2023397; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_10_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.science) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".science"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023454; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.top) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".top"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023455; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.stream) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".stream"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023456; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.download) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".download"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023457; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.biz) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".biz"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023459; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.accountant) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".accountant"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023460; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.click) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".click"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023461; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.link) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".link"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023462; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.win) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".win"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023463; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Tor Module Download"; flow:established,to_server; http.uri; content:"/tor/"; fast_pattern; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/i"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M1"; flow:to_server,established; urilen:1; content:"PP|3b 20|nhash="; fast_pattern; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|nhash="; distance:0; content:"|3b 20|chash="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023477; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Moose CnC Response"; flow:from_server,established; content:"PP|3b 20|expires="; fast_pattern; http.stat_code; content:"200"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|expires="; distance:0; content:"WL="; content:"PP|3b 20|expires="; distance:0; http.content_type; content:"text/html"; startswith; file.data; content:"<html><body><h1>It works!</h1>"; nocase; depth:30; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023478; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?id="; fast_pattern; pcre:"/\.jpg\?id=\d+$/"; http.header; content:!"tagesschau.de"; http.user_agent; content:!"ClipOrganizer"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2021203; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/APT28/Sofacy Delphocy CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"as_q="; content:"as_ft="; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.welivesecurity.com/post_paper/en-route-with-sednit-part-3-a-mysterious-downloader/; classtype:targeted-activity; sid:2023486; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Sofacy, malware_family Sednit_Delphocy, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/NotifyLog"; fast_pattern; pcre:"/\/NotifyLog$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|ClientId|22 3a|"; depth:12; content:",|22|Date|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Adups Firmware Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"{|22|dc_date|22 3a|"; depth:11; content:",|22|dc_type|22 3a|"; fast_pattern; content:",|22|keyword|22 3a|"; content:",|22|md5|22 3a|"; content:",|22|msg_date|22 3a|"; content:",|22|msg_type|22 3a|"; content:",|22|tell|22 3a|"; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023514; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_10_07;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mida eFramework RCE Attempt Inbound (CVE-2020-15922)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipaddress0|22|"; fast_pattern; content:"|3b|"; within:6; reference:url,www.exploit-db.com/exploits/48835; reference:cve,2020-15922; classtype:attempted-admin; sid:2030989; rev:1; metadata:created_at 2020_10_07, cve CVE_2020_15922, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_07;)
+
+alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; http.request_body; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity check"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/support/main.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,3a128a9e8668c0181d214c20898f4a00; classtype:trojan-activity; sid:2018676; rev:6; metadata:created_at 2014_07_15, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fwlink/?LinkId="; fast_pattern; http.header; content:!"SOAPAction|3a|"; http.user_agent; content:!"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http.host; content:"go.microsoft.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,467b786f7c645c73d5c29347d35cae11; classtype:trojan-activity; sid:2022124; rev:8; metadata:created_at 2015_11_20, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?shinu="; fast_pattern; pcre:"/\.php\?shinu=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023570; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE User-Agent (Visbot)"; flow:to_server,established; http.user_agent; content:"Visbot"; fast_pattern; startswith; reference:url,www.bleepingcomputer.com/news/security/visbot-malware-found-on-6-691-magento-online-stores/; classtype:trojan-activity; sid:2023575; rev:4; metadata:affected_product Magento, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, malware_family Visbot, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin HTTP Pattern"; flow:to_server,established; http.method; content:"POST"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; fast_pattern; content:"www-form-urlencoded|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023577; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Click Fraud Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/link.txt?"; fast_pattern; pcre:"/^\/link\.txt\?[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{1,2}/"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; classtype:command-and-control; sid:2023669; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Braincrypt Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?uuid="; fast_pattern; pcre:"/\.php\?uuid=[a-z0-9]{32}$/i"; http.user_agent; content:"Go-http-client/"; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,6b938ca31a55e743112ab34dc540a076; classtype:command-and-control; sid:2023675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Braincrypt, signature_severity Major, tag Ransomware, updated_at 2020_10_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; http.uri; content:"lm="; content:"/watch/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; http.uri; content:"lm="; content:"/find/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; http.uri; content:"lm="; content:"/results/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; http.uri; content:"lm="; content:"/open/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; http.uri; content:"lm="; content:"/close/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upd.php"; fast_pattern; endswith; http.header; pcre:"/^(?:Referer\x3a[^\r\n]+\r\n)?Host\x3a[^\r\n]+[\r\n]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020503; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI struct Oct 24 2016  (RIG-v)"; flow:established,to_server; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"q="; content:"oq="; fast_pattern; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/"; classtype:exploit-kit; sid:2023401; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_07;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Strongpity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=7ea7494e71e9"; nocase; endswith; reference:md5,989af6e0bb7fa4d62815f4fdc4696b85; classtype:domain-c2; sid:2030982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"<title>DocuSign"; fast_pattern; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; classtype:social-engineering; sid:2030984; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">PASSW0RD <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030985; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">Password   <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; content:">Confirm Password  <span class=|22|form-required|22|>*</span></label>"; distance:0; classtype:social-engineering; sid:2030986; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">P a s s <span class=|22|form-not-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030987; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Second Stage VBS Downloader with URL Padding"; flow:established,to_server; http.uri; content:".exe???????????????"; nocase; fast_pattern; pcre:"/\.exe\?+$/i"; http.user_agent; content:"WinHttp.WinHttpRequest."; reference:md5,57ce6f966c6b441fe82a211647c6e863; classtype:trojan-activity; sid:2023739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SideStep User-Agent"; flow: to_server,established; http.user_agent; content:"SideStep"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; classtype:misc-activity; sid:2002078; rev:32; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt"; flow:to_server,established; http.uri; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:attempted-user; sid:2023756; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; http.header; content:"Font_Update.exe"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/mi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:social-engineering; sid:2023817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Evil Download wsf Double Ext No Referer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".wsf"; nocase; fast_pattern; pcre:"/\/[^\x2f]+\.[^\x2f]+\.wsf$/i"; http.header; content:!"User-Agent|3a 20 2a|"; classtype:trojan-activity; sid:2022271; rev:5; metadata:created_at 2015_12_17, former_category INFO, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x32)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X32.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X64.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?f="; fast_pattern; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tonto_SPM Backdoor CnC Activity"; flow:to_server,established; http.uri; content:"spm=xx{}:>*()_!"; endswith; classtype:trojan-activity; sid:2030990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Variant CnC Beacon via WebDAV"; flow:established,to_server; http.uri; content:"/catalog/outgoing"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV-MiniRedir/"; startswith; reference:md5,f3459924f8b657359cb0bd0984a1d0fa; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"&method="; fast_pattern; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:command-and-control; sid:2023933; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/functions.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"apslst="; depth:7; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH Retrieving Malicious PowerShell"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/pro.bat"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,97454efcab28e64ac5400e63780af764; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/; classtype:trojan-activity; sid:2023948; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - Evil Twitter Callback"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/api/asyncTwitter.php"; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant Fake Request to Google"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/\?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.host; content:"google.com"; bsize:10; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023917; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (tinytools.nu)"; flow:established,to_server; http.uri; content:"/MyIPAddress/"; nocase; http.host; content:"www.tinytools.nu"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2023520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; http.uri; content:"/i_info_proxy.php?cmd="; fast_pattern; content:"&data="; http.uri.raw; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/"; http.header; content:"|3b 20|iPhone|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_09_15, deployment Perimeter, former_category MOBILE_MALWARE, updated_at 2020_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; http.host; content:"check.torproject.org"; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017927; rev:5; metadata:created_at 2014_01_04, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; http.uri; content:".php?cn"; content:"&str="; fast_pattern; content:"&file="; pcre:"/\.php\?cn(ame)?=/"; http.user_agent; content:"WinInetGet/"; depth:11; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016912; rev:7; metadata:created_at 2012_12_12, former_category MALWARE, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mutter Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.aspx?i="; fast_pattern; http.header; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/i"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:command-and-control; sid:2016773; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; http.header; content:"hotfile.com|0d 0a|"; fast_pattern; classtype:policy-violation; sid:2015015; rev:4; metadata:created_at 2012_07_04, former_category POLICY, updated_at 2020_10_08;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/user/login"; http.request_body; content:"username"; content:"SelectQuery"; fast_pattern; http.content_type; content:"application/vnd.php.serialized"; bsize:30; reference:url,www.ambionics.io/blog/drupal-services-module-rce; classtype:web-application-attack; sid:2024039; rev:4; metadata:affected_product Drupal_Server, attack_target Server, created_at 2017_03_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; http.header; content:"Content-Disposition|3a|"; nocase; content:"|43 68 72 ce bf 6d 65|"; nocase; fast_pattern; content:"|66 ce bf 6e 74|"; nocase; content:"|2e 65 78 65|"; nocase; file.data; content:"MZ"; within:2; classtype:social-engineering; sid:2024040; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:exploit-kit; sid:2024055; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family terror_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; fast_pattern; pcre:"/\.php\?file=(?:64|86)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024064; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, malware_family MagikPOS, performance_impact Low, signature_severity Major, tag POS, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/?act=in"; fast_pattern; pcre:"/\/api\/\?act=in$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, signature_severity Major, tag POS, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (slimip .accesscam .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"slimip.accesscam.org"; bsize:20; fast_pattern; reference:url,blog.talosintelligence.com/2020/10/poetrat-update.html; classtype:domain-c2; sid:2030991; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Directory Listting"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; startswith; content:"&usid="; distance:0; fast_pattern; content:"&part="; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; http.uri; content:"/search?hl="; content:"q="; content:"meta="; fast_pattern; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/"; http.host; content:!"sogou.com"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category TROJAN, malware_family HIMAN, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd="; content:"version="; content:"quality="; fast_pattern; content:"av="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2018580; rev:7; metadata:created_at 2014_06_18, former_category MALWARE, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino CC dump"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dumpgrab="; fast_pattern; content:"track_type="; content:"track_data="; content:"process_name="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:5; metadata:created_at 2015_01_05, former_category TROJAN, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; http.uri; content:"/getTask.php?"; fast_pattern; nocase; content:"imei="; content:"balance="; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017587; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mang.bbk"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Moderate, signature_severity Major, updated_at 2020_10_09;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/adinfo?gi="; fast_pattern; content:"&bf="; http.header; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/m"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024172; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download"; flow:established,to_server; http.uri; content:"e=cve"; fast_pattern; pcre:"/[&?]e=cve\d{8}(?:&|$)/"; pcre:"/=[a-f0-9]{32,}(?:&|$)/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2024180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/sdk_api.php?id="; fast_pattern; content:"&type="; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, tag Android, updated_at 2020_10_09, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy Request Outbound"; flow:established,to_server; http.uri; content:"/?"; content:"&ai="; fast_pattern; content:!"&adurl="; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/"; http.user_agent; content:"Windows NT"; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2019545; rev:1238; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; http.content_type; content:"application/hta"; nocase; endswith; fast_pattern; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Betabot Checkin 5"; flow:established,to_server; http.uri; content:"/order.php"; fast_pattern; pcre:"/\.php$/"; http.request_body; pcre:"/(?:^|=)[A-F0-9]{70,}(?:$|&)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Unknown Possibly Ransomware (Dropped by RIG) CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Accept|3a 20|*|0d 0a|"; fast_pattern; http.request_body; content:"|0a|"; offset:64; depth:1; pcre:"/^[A-Za-z0-9+/]{64}\x0a/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:md5,26b21902548e3b821387c90d729bace6; classtype:command-and-control; sid:2024233; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Abnormal HTTP Headers high likelihood of Poweliks infection"; flow:established,to_server; http.method; content:"GET"; http.header; content:"builddate|3a 20|"; fast_pattern; content:"version|3a 20|"; content:"id|3a 20|"; classtype:trojan-activity; sid:2019606; rev:6; metadata:created_at 2014_10_30, former_category TROJAN, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; http.host; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024298; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2020_10_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; reference:url,lucysecurity.com/; classtype:web-application-attack; sid:2030992; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; classtype:web-application-attack; sid:2030993; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; http.host; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2020_10_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest/Vawtrak Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/viewforum.php?f="; fast_pattern; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/"; http.content_type; content:"application/octet-stream"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:5; metadata:created_at 2014_06_07, former_category CURRENT_EVENTS, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:to_server,established; http.uri; content:".php?"; content:"option="; content:"view="; content:"layout="; content:"&list[fullordering]="; fast_pattern; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/i"; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:5; metadata:affected_product Joomla, attack_target Web_Server, created_at 2017_06_01, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017"; flow:established,to_server; http.uri; content:"/d/"; content:"/?q=r4&"; fast_pattern; pcre:"/\&e=(?:cve|flash)/i"; classtype:exploit-kit; sid:2024344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; http.uri; content:".hta"; nocase; fast_pattern; http.user_agent; content:"Microsoft Office"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Madness Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mk="; fast_pattern; content:"&rs="; content:"&rq="; content:"&ver="; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-zA-Z]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,f1ed53c4665d2893fd116a5b0297fc68; classtype:command-and-control; sid:2018028; rev:6; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; http.uri; content:"/inj/injek-1.php?id="; fast_pattern; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:command-and-control; sid:2024426; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup whoer.net"; flow:established,to_server; http.host; content:"whoer.net"; fast_pattern; bsize:9; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021195; rev:5; metadata:created_at 2015_06_08, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M1"; flow:established,to_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.uri; content:".sct"; nocase; fast_pattern; endswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"text/scriptlet"; nocase; fast_pattern; startswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; content:"Content-Disposition|3a 20|"; nocase; content:".sct"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]*\.sct[\x22\x27\s\r\n]/mi"; classtype:trojan-activity; sid:2024552; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_11_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_bkid="; content:"_bkpass="; fast_pattern; content:"_accn="; classtype:credential-theft; sid:2019784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fulln="; fast_pattern; content:"_ccn="; content:"_ccv="; classtype:credential-theft; sid:2019783; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fn="; content:"_ln="; content:"_birthd="; fast_pattern; classtype:credential-theft; sid:2019782; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/HTA Downloader Behavior M3"; flow:to_server,established; http.uri; content:".php?cmd=p&id="; fast_pattern; content:"&rnd="; pcre:"/\.php\?cmd=p&id=\w+.*?&rnd=[\x2e\d]+$/i"; http.header_names; content:!"Referer"; reference:md5,d3abaa6736d7d549eca8644c67e9fcfe; classtype:trojan-activity; sid:2023485; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_07, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba Checkin 4"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|157"; nocase; fast_pattern; http.request_body; content:"|00 80 00 00 00|"; offset:24; depth:5; http.header_names; content:!"Content-Type"; nocase; content:!"Accept"; nocase; content:!"Referer:"; nocase; content:!"User-Agent|0d 0a|"; nocase; reference:md5,ade4d8f0447dac5a8edd14c3d44f410d; classtype:command-and-control; sid:2024659; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family Tinba, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Andromeda File Request"; flow:established,to_server; http.uri; content:"myguy"; fast_pattern; pcre:"/myguy\.(?:xls(?:\.hta)?|exe)$/"; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference:cve,2017-0199; classtype:trojan-activity; sid:2024490; rev:5; metadata:created_at 2017_07_21, former_category TROJAN, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; http.header; content:"User-Agent|3a|Mozilla"; nocase; fast_pattern; content:!"BlackBerry|3b|"; content:!"PlayBook|3b|"; content:!"Konfabulator"; content:!"masterconn.qq.com"; content:!"QQPCMgr"; classtype:trojan-activity; sid:2011800; rev:12; metadata:created_at 2010_10_13, former_category POLICY, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RelevantKnowledge Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&os="; content:"&osmajorver="; distance:0; content:"&osminorver="; distance:0; content:"&osmajorsp="; distance:0; content:"&lang="; distance:0; content:"&country="; distance:0; content:"&ossname="; distance:0; content:"&brand="; distance:0; content:"&bits="; distance:0; http.header; content:"X-OSSProxy|3a|"; fast_pattern; reference:md5,d93b888e08693119a1b0dd3983b8d1ec; classtype:command-and-control; sid:2018174; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_02_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan User-Agent (FileNolja)"; flow:established,to_server; http.user_agent; content:"FileNolja"; nocase; fast_pattern; classtype:trojan-activity; sid:2013376; rev:5; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; http.request_body; content:"=OIMINTERNAL"; fast_pattern; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:4; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, created_at 2017_11_01, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:10; http.uri; content:"/top2.html"; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015478; rev:5; metadata:created_at 2012_07_17, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Book of Eli CnC Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header; content:"CharSet|3a 20|windows-1256|0d 0a|"; http.request_body; content:"id_serial="; depth:10; content:"&id_cpu="; content:"&go_and_fuck_this_life="; content:"&system__="; fast_pattern; content:"&hard_id="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,blog.eset.ie/2016/09/22/malware-in-libya-book-of-eli-african-targeted-attacks/; reference:md5,25e5744979b365dc58cce23d377b3835; reference:md5,d22857cebad4200c3b1e8ec17836b451; reference:url,www.virustotal.com/en/file/faa20341f7a7277114f5c61e5013b9871ab2b0356f383b6798013ce333a30ae5/analysis/; classtype:command-and-control; sid:2023254; rev:6; metadata:created_at 2013_05_17, former_category MALWARE, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Invoice EXE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/invoice"; nocase; fast_pattern; pcre:"/\/invoice[^a-z\/]*?\.(?:exe|zip|7z|rar|com|vbs|ps1)$/i"; reference:md5,bdf12366779ce94178c2d1e495565d2b; classtype:trojan-activity; sid:2019158; rev:7; metadata:created_at 2014_09_11, former_category TROJAN, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024808; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024809; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024810; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024811; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024812; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024813; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/updateserver"; fast_pattern; http.user_agent; content:"MSFX/"; depth:5; http.header_names; content:!"Referer"; classtype:misc-activity; sid:2020475; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_02_19, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_10_09;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"_v="; content:"deleteid="; http.method; content:"POST"; http.uri; content:"/centralbackup.php?"; fast_pattern; classtype:trojan-activity; sid:2017060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_06_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kazy Checkin"; flow:established,to_server; urilen:65; http.uri; content:"AAA=="; endswith; fast_pattern; pcre:"/\/[\x2f\x2bA-Za-z0-9]{59}AAA==$/"; http.host; content:!"mvds1.org"; classtype:command-and-control; sid:2018401; rev:5; metadata:created_at 2014_04_18, former_category MALWARE, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; http.uri; content:"/proxy.cgi?chk&url="; fast_pattern; classtype:attempted-user; sid:2025223; rev:3; metadata:attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; http.uri; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"Enable_DNSFollowing=1"; classtype:attempted-user; sid:2025222; rev:4; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"lm="; content:"/search/?"; fast_pattern; content:!"&clid="; content:!"&banerid="; content:!"&win="; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_09, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Checkin"; flow:to_server,established; http.uri; content:"/create.php?"; fast_pattern; pcre:"/^\/[^\x2f]+?\/create\.php\?[a-z0-9]+\x3d[a-z0-9\x5f\x2d]+?$/i"; http.host; content:!"maplelegends.com"; content:!"violinlab.com"; reference:url,welivesecurity.com/2014/05/20/miniduke-still-duking/; classtype:targeted-activity; sid:2018491; rev:7; metadata:created_at 2014_05_21, former_category MALWARE, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"valor="; depth:6; content:"verde"; content:"branco"; content:"vermelho"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:command-and-control; sid:2018516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Key|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; startswith; nocase; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:command-and-control; sid:2025381; rev:6; metadata:created_at 2015_11_24, former_category MALWARE, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".men"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".webcam"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".yokohama"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".tokyo"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gq) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gq"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:4; metadata:created_at 2018_04_16, former_category HUNTING, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".work"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Download non Jar file"; flow:established,to_server; flowbits:set,ET.JavaNotJar; flowbits:noalert; http.uri; content:!".jar"; nocase; content:!".jnlp"; nocase; content:!".hpi"; nocase; http.user_agent; content:"Java/1."; fast_pattern; content:!"ArduinoIDE/"; classtype:bad-unknown; sid:2016539; rev:9; metadata:created_at 2013_03_06, former_category CURRENT_EVENTS, updated_at 2020_10_10;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MobileIron RCE Attempt Inbound (CVE-2020-15505)"; flow:established,to_server; http.uri; content:"|2f 2e 3b 2f|"; fast_pattern; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2030997; rev:1; metadata:created_at 2020_10_12, cve CVE_2020_15505, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_12;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service nrecom)"; flow:from_server,established; tls.cert_subject; content:"CN=ngn.gg"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2031000; rev:1; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Spy/TVRat Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&stat="; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:command-and-control; sid:2021747; rev:12; metadata:created_at 2015_09_05, former_category MALWARE, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/is-ready"; fast_pattern; nocase; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2013_08_28, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_10_12;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; threshold:type both, track by_dst, count 1, seconds 60; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"new|20|"; nocase; pcre:"/new\s+(java|org|sun)/i"; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035; rev:4; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SA Banker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?role="; fast_pattern; content:"&os="; content:"&bits="; content:"&av="; content:"&host="; content:"&plugins="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d42c4395cb4cfa3cd6c4798b8c5e493a; classtype:command-and-control; sid:2023424; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mera Keylogger POSTing keystrokes"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/log/index.php"; fast_pattern; http.request_body; content:"text="; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,techhelplist.com/index.php/spam-list/695-financial-statement-malware; classtype:trojan-activity; sid:2019965; rev:5; metadata:created_at 2014_12_18, former_category TROJAN, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; http.user_agent; content:"Envolo"; fast_pattern; reference:url,doc.emergingthreats.net/2001706; classtype:pup-activity; sid:2001706; rev:38; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; http.user_agent; content:"SAH Agent"; fast_pattern; reference:url,doc.emergingthreats.net/2001707; classtype:pup-activity; sid:2001707; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Spyware User-Agent (MyWay)"; flow: established,to_server; threshold:type limit, count 1, seconds 360, track by_src; http.user_agent; content:"MyWay"; fast_pattern; reference:url,doc.emergingthreats.net/2001864; classtype:pup-activity; sid:2001864; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; http.user_agent; content:"MyWebSearch"; fast_pattern; reference:url,doc.emergingthreats.net/2001865; classtype:pup-activity; sid:2001865; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; http.header; content:"|20|searchengine|0d 0a|"; fast_pattern; pcre:"/User-Agent\:[^\n]+searchengine/i"; reference:url,doc.emergingthreats.net/2001867; classtype:pup-activity; sid:2001867; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (sureseeker)"; flow: established,to_server; http.user_agent; content:"sureseeker.com"; reference:url,doc.emergingthreats.net/2001868; classtype:pup-activity; sid:2001868; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; http.header; content:"SurferPlugin"; fast_pattern; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference:url,doc.emergingthreats.net/2001870; classtype:pup-activity; sid:2001870; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; http.header; content:"THNALL"; fast_pattern; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; reference:url,doc.emergingthreats.net/2002002; classtype:pup-activity; sid:2002002; rev:33; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; http.header; content:"XupiterToolbar"; fast_pattern; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:pup-activity; sid:2002071; rev:19; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; http.header; content:"spywareaxe"; fast_pattern; pcre:"/User-Agent\:[^\n]+spywareaxe/"; reference:url,doc.emergingthreats.net/2002808; classtype:pup-activity; sid:2002808; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; http.user_agent; content:"ErrorSafe|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003346; classtype:pup-activity; sid:2003346; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; http.user_agent; content:"GAMEHOUSE"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003347; classtype:pup-activity; sid:2003347; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; http.user_agent; content:"FreezeInet"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003355; classtype:pup-activity; sid:2003355; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; threshold: type limit, count 1, seconds 300, track by_src; http.user_agent; content:"SpamBlockerUtility|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003384; classtype:pup-activity; sid:2003384; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; http.user_agent; content:"Morpheus"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003396; classtype:pup-activity; sid:2003396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; threshold:type both, count 1, seconds 300, track by_src; http.user_agent; content:"Seekmo"; fast_pattern; nocase; classtype:pup-activity; sid:2003397; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; http.user_agent; content:"SmartInstaller"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003398; classtype:pup-activity; sid:2003398; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; http.header; content:"iMeshBar"; fast_pattern; pcre:"/User-Agent\:[^\n]+iMeshBar/i"; reference:url,doc.emergingthreats.net/2003406; classtype:pup-activity; sid:2003406; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; http.user_agent; content:"SF Installer"; fast_pattern; reference:url,doc.emergingthreats.net/2003428; classtype:pup-activity; sid:2003428; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; http.user_agent; content:"DSInstall"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003439; classtype:pup-activity; sid:2003439; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; http.header; content:"|20|Oemji"; fast_pattern; pcre:"/User-Agent\:[^\n]+Oemji/i"; reference:url,doc.emergingthreats.net/2003468; classtype:pup-activity; sid:2003468; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; threshold:type limit, count 2, seconds 360, track by_src; http.user_agent; content:"AskSearch"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003493; classtype:pup-activity; sid:2003493; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Win95)"; flow:to_server,established; http.user_agent; content:"Win95"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:pup-activity; sid:2008015; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; http.uri; content:"?action="; content:"&pc_id="; content:"&abbr="; fast_pattern; content:"&err="; reference:url,doc.emergingthreats.net/2008282; classtype:pup-activity; sid:2008282; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Unknown Malware patchlist.xml Request"; flow:established,to_server; http.uri; content:"/update/patchlist.xml"; fast_pattern; classtype:pup-activity; sid:2013200; rev:5; metadata:created_at 2011_07_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; http.uri; content:".php?pi="; fast_pattern; content:"&gu="; content:"&ac="; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 6.0)"; bsize:33; classtype:pup-activity; sid:2013540; rev:8; metadata:created_at 2011_09_06, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; http.uri; content:"/LogProc.php?"; fast_pattern; content:"mac="; content:"mode="; content:"&pCode="; reference:md5,2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:pup-activity; sid:2013797; rev:7; metadata:created_at 2011_10_24, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Ezula Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/download/UVid.asp?"; fast_pattern; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:pup-activity; sid:2016938; rev:6; metadata:created_at 2013_05_29, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; http.uri; content:"/api/success/?s="; fast_pattern; content:"&c="; content:"&cv="; content:"&context="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017880; rev:9; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; http.uri; content:"/downloads/icons.dat"; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017881; rev:6; metadata:created_at 2013_12_18, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GMUnpackerInstaller.A Checkin"; flow:to_server,established; http.uri; content:"/new/rar.xml"; fast_pattern; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:pup-activity; sid:2017892; rev:5; metadata:created_at 2013_12_20, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.PUQD Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/Version/"; fast_pattern; startswith; content:"/trace/"; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:pup-activity; sid:2017945; rev:6; metadata:created_at 2014_01_08, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; http.uri; content:".gif?action="; content:"&browser="; content:"&ver="; content:"&bic="; fast_pattern; content:"&app="; content:"&appver="; content:"&verifier="; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:pup-activity; sid:2018301; rev:6; metadata:created_at 2012_10_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/product-am.php?id="; fast_pattern; content:"&v="; content:"&offer["; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:pup-activity; sid:2018307; rev:7; metadata:created_at 2014_03_19, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server; http.uri; content:"/api/software/?s="; fast_pattern; content:"&os="; content:"&output="; content:"&v="; content:"&l="; content:"&np="; content:"&osv="; content:"&b="; content:"&bv="; content:"&c="; content:"&cv="; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:pup-activity; sid:2018323; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?mode="; fast_pattern; content:"&subid="; content:"&filedescription="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:pup-activity; sid:2018367; rev:10; metadata:created_at 2014_04_07, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/evt/?nexcb="; startswith; fast_pattern; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:pup-activity; sid:2018565; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_06_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?q="; offset:4; depth:8; pcre:"/^\/(?:get|install)\/\?q=/"; http.header; content:"optpro"; fast_pattern; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018744; rev:7; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[a-f0-9]{50,}$/"; http.header; content:"Proxy-Authorization|3a 20|Basic"; http.host; content:"stan|2E|"; fast_pattern; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019145; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[\w-]{50,}$/"; http.host; content:"kyle|2E|"; fast_pattern; startswith; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019156; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; http.method; content:"POST"; http.uri; content:"/?pcrc="; fast_pattern; pcre:"/^\/\?pcrc=[0-9]{7,10}$/"; http.request_body; content:"0A0Czut"; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:pup-activity; sid:2019511; rev:8; metadata:created_at 2014_10_27, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pxl/"; fast_pattern; content:"e=-1"; content:"&c="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:pup-activity; sid:2019622; rev:5; metadata:created_at 2014_10_31, former_category ADWARE_PUP, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?p="; fast_pattern; content:"&v="; content:"&id="; distance:0; http.user_agent; content:"AutoUpdate"; bsize:10; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:pup-activity; sid:2021401; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney User Agent"; flow:established,to_server; http.user_agent; content:"Downloader|20|"; startswith; fast_pattern; pcre:"/^Downloader \d\.\d$/"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024249; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 3"; flow:to_server,established; http.uri; content:"/get_download_xml_"; fast_pattern; content:"?id="; http.user_agent; content:"tiny-dl"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024252; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 6"; flow:to_server,established; http.uri; content:"/get_xml?story="; fast_pattern; content:"&file"; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024254; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 7"; flow:to_server,established; http.uri; content:"/info?story="; fast_pattern; content:"&file="; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024255; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 5"; flow:to_server,established; http.uri; content:"/getspfile.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024256; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 1"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/ppu.php"; fast_pattern; http.request_body; content:"xml_req="; depth:8; content:"system"; distance:0; content:"os+version"; distance:0; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024258; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 3"; flow:established,to_server; http.uri; content:"/get_json?"; fast_pattern; content:"&name="; content:"rnd="; http.user_agent; content:"Downloader|20|"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024261; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Java.Deathbot Requesting Proxies"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Socks"; fast_pattern; content:".txt"; endswith; distance:1; within:4; pcre:"/\/Socks[45]\.txt$/"; http.user_agent; content:"Java/1."; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:pup-activity; sid:2024794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, signature_severity Major, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoetRAT Upload via HTTP"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Max-Downloads|0d 0a|Max-Days|0d 0a|"; fast_pattern; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:command-and-control; sid:2031002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, malware_family PoetRat, performance_impact Moderate, signature_severity Major, updated_at 2020_10_12;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:attempted-admin; sid:2030995; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Minor, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:web-application-attack; sid:2030996; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex DL Pattern Feb 18 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?."; fast_pattern; pcre:"/\.exe\?\.\d+$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022549; rev:6; metadata:created_at 2016_02_19, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; http.method; content:"GET"; http.uri; content:".exe"; endswith; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:5; metadata:created_at 2015_04_17, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock CVE-2014-6271"; flow:established,to_server; http.uri; content:"authLogin.cgi"; http.header; content:"|28 29 20 7b|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:5; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; http.method; content:"GET"; nocase; http.referer; content:"?//"; fast_pattern; pcre:"/\/(?:(?:index|toc)\.html?)?\?\/\//i"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:5; metadata:created_at 2013_06_20, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2012-1533 altjvm (jvm.dll) Requested Over WebDAV"; flow:established,to_server; http.uri; content:"/jvm.dll"; fast_pattern; endswith; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:7; metadata:created_at 2013_06_13, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=devicestatus"; fast_pattern; content:"&app_key="; offset:19; content:"&imei="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_18, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Lanfiltrator Checkin"; flow:established,to_server; http.uri; content:"/ralog.cgi?action="; nocase; fast_pattern; content:"&ip="; nocase; content:"&servertype="; nocase; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:command-and-control; sid:2009078; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish Dec 29 2016"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Chase Online"; fast_pattern; classtype:credential-theft; sid:2031573; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; http.host; content:"myip.kz"; fast_pattern; bsize:7; classtype:external-ip-check; sid:2021533; rev:4; metadata:created_at 2015_07_27, former_category POLICY, updated_at 2020_10_13;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"33db9538.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023231; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"9507c4e8.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023232; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"e5b57288.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023233; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"54dfa1cb.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023234; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"pjl_ready_message="; nocase; fast_pattern; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE indux.php check-in"; flow:established,to_server; http.uri; content:"/indux.php?U="; nocase; fast_pattern; content:"@"; http.referer; content:"http|3a|//www.google.com"; nocase; bsize:21; classtype:trojan-activity; sid:2011387; rev:8; metadata:created_at 2010_09_28, updated_at 2020_10_13;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; depth:32; content:"&dnsserver="; content:"&Save=Save"; fast_pattern; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:5; metadata:created_at 2015_04_08, updated_at 2020_10_13;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; http.header; content:"Range|3a|"; nocase; content:"18446744073709551615"; fast_pattern; distance:0; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/mi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:5; metadata:created_at 2015_04_15, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; http.uri; content:"/level/15/exec/-/"; fast_pattern; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/i"; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/products.php?"; fast_pattern; pcre:"/\.php\?[a-z]{15,}$/"; http.header; content:"Referer|3a|"; content:"/products.php|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024177; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, signature_severity Major, tag Felismus, tag c2, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Citibank Phish M1 2016-08-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/online.citi.com/"; fast_pattern; content:".php"; endswith; classtype:credential-theft; sid:2032691; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Citibank Phish M2 2016-08-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"/online.citi.com/"; fast_pattern; classtype:credential-theft; sid:2032692; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"new.odgarsupport.world"; nocase; endswith; classtype:domain-c2; sid:2028660; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_13;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows-updates.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028662; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows64x.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".firewallsupports.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Adobe_Coldfusion, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".winx64-microsoft.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028665; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:!"Taitus"; content:!"Sling/"; content:!"Updexer/"; http.host; content:!"sophosupd.com"; content:!"sophosupd.net"; http.accept; content:"text/*,|20|application/*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:14; metadata:created_at 2014_07_03, updated_at 2020_10_13;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:22; content:"CN=superlatinradio.com"; fast_pattern; reference:md5,ce879fb552e7740bb2e940c65746aad2; classtype:domain-c2; sid:2028672; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; content:"CN=corpcougar.in"; endswith; fast_pattern; reference:md5,f7a490fcf756f9ddbaedc2441fbc3c0c; classtype:domain-c2; sid:2028673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; http.user_agent; content:"NetInstaller"; nocase; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:pup-activity; sid:2003528; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (double dashes)"; flow:to_server,established; http.user_agent; content:"|2d 2d |"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:pup-activity; sid:2007948; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET MALWARE Downloader.Win32.Small CnC Beacon"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSDN SurfBear"; depth:13; endswith; reference:url,doc.emergingthreats.net/2011269; classtype:command-and-control; sid:2011269; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Moxilla"; flow:established,to_server; http.user_agent; content:"Moxilla"; depth:7; classtype:trojan-activity; sid:2012313; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; http.header; content:"Viper 4.0|29|"; nocase; fast_pattern; distance:2; within:10; http.user_agent; content:"Mozilla|2f|5|2e|0 |28|compatible"; depth:23; reference:url,doc.emergingthreats.net/2008586; classtype:pup-activity; sid:2008586; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (VMozilla)"; flow:to_server,established; http.user_agent; content:"VMozilla"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; classtype:trojan-activity; sid:2012555; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_25, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious User Agent (Lotto)"; flow:to_server,established; http.user_agent; content:"Lotto"; depth:5; classtype:trojan-activity; sid:2012695; rev:4; metadata:created_at 2011_04_20, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskx.txt"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; reference:md5,9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:4; metadata:created_at 2011_04_29, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; http.user_agent; content:"VERTEXNET"; depth:9; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:5; metadata:created_at 2011_03_31, former_category USER_AGENTS, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (mdms)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"mdms"; depth:4; endswith; classtype:trojan-activity; sid:2012761; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (asd)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"asd"; nocase; depth:3; endswith; classtype:trojan-activity; sid:2012762; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013032; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Binget PHP Library User Agent Outbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013050; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013052; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS PyCurl Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; depth:6; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013054; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Peach C++ Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; http.user_agent; content:"DominoHunter"; nocase; depth:12; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:4; metadata:created_at 2011_07_02, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yandexbot Request Outbound"; flow:established,to_server; http.user_agent; content:"YandexBot"; depth:9; classtype:trojan-activity; sid:2013254; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Informational, tag WebCrawler, updated_at 2020_10_13, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-10-13"; flow:established,to_client; content:"|0d 0a 0a|<!doctype|20|"; http.stat_code; content:"200"; file.data; content:".lollol|20|{|0d 0a|"; fast_pattern; content:"|20|chase logo|22|></div>|0d 0a|"; classtype:social-engineering; sid:2031010; rev:1; metadata:created_at 2020_10_13, former_category PHISHING, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (MSDN Query Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&ac="; content:!"&refinement="; content:"/Search/en-US?query="; content:"&pgArea=header"; distance:150; endswith; content:!"."; pcre:"/^\/Search\/en-US\?query=[a-z]{200,400}&pgArea=header$/"; http.header; content:"|0d 0a|Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|"; fast_pattern; http.cookie; content:"MUID="; depth:5; content:"|3b|"; distance:32; within:1; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032747; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)"; flow:to_server,established; http.user_agent; content:"AskPartner"; depth:10; classtype:trojan-activity; sid:2012734; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; http.user_agent; content:"BlackSun"; nocase; depth:8; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Toata Scanner User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Toata dragostea|20|"; depth:16; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; classtype:attempted-recon; sid:2009159; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BSSID Location Lookup via api .mylnikov .org"; flow:established,to_server; http.host; content:"api.mylnikov.org"; fast_pattern; http.uri; content:"/geolocation/wifi?"; content:"&bssid="; distance:0; reference:md5,b666dc5379e31680a5621870210f0619; classtype:bad-unknown; sid:2031008; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"<title>Copyright|20 7c 20|Help Instagram"; fast_pattern; content:"<form method=|22|post|22 20|action=|22|"; distance:0; content:".php|22|"; within:50; classtype:social-engineering; sid:2031003; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"Amazon Sign In</title>"; content:"#zwimel {"; distance:0; fast_pattern; classtype:social-engineering; sid:2031004; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Instagram Phishing Domain"; flow:established,to_server; http.host; content:"lnstagram"; fast_pattern; pcre:"/\.(?:tk|gq|ga|xyz|ml|cf)$/"; classtype:social-engineering; sid:2031005; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"AskInstall"; depth:10; nocase; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Data Exfil via Telegram"; flow:established,to_server; http.host; bsize:16; content:"api.telegram.org"; http.uri; content:"/sendMessage?chat_id="; content:"text=|0a|"; content:"|20 f0 9f|"; distance:0; content:"*|0a|Date|3a 20|"; distance:0; content:"|0a|System|3a 20|"; content:"|20|Bit)|0a|Username|3a 20|"; reference:md5,00171267979ca2e972336e751a5725b7; reference:url,github.com/LimerBoy/StormKitty; classtype:command-and-control; sid:2031009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Login Hosted on Firebasestorage"; flow:established,to_client; http.header; content:"X-GUploader-UploadID|3a 20|"; content:"|0d 0a|x-goog-"; file.data; content:"<title>Sign in to your Microsoft account</title>"; fast_pattern; classtype:social-engineering; sid:2031006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Windows+NT"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; http.uri; content:"/envia.php"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; nocase; http.request_body; content:"praquem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:command-and-control; sid:2008256; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; http.user_agent; content:"Installer Ping"; depth:14; classtype:trojan-activity; sid:2013190; rev:5; metadata:created_at 2011_07_05, updated_at 2020_10_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; http.user_agent; content:"Museon"; depth:6; reference:url,doc.emergingthreats.net/2006418; classtype:pup-activity; sid:2006418; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+
+#alert http $HOME_NET any -> any any (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; http.user_agent; content:"asp2009"; depth:7; endswith; reference:md5,6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (??)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 3f 3f 0d 0a|"; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"|0d 0a|Request|3a 20|"; nocase; content:"run|0d 0a|"; within:5; http.uri; content:"/get?src="; nocase; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest"; nocase; depth:54; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zentom FakeAV Checkin"; flow:established,to_server; http.uri; content:".php?prodclass="; fast_pattern; content:"&coid="; content:"&fff="; content:"&IP="; content:"&lct="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; classtype:command-and-control; sid:2013785; rev:5; metadata:created_at 2011_10_20, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P p2p Related User-Agent (eChanblard)"; flow:to_server,established; http.user_agent; content:"eChanblard"; depth:10; endswith; reference:url,doc.emergingthreats.net/2011232; classtype:trojan-activity; sid:2011232; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; http.user_agent; content:"AutoGetColumn"; depth:13; reference:url,doc.emergingthreats.net/2009154; classtype:attempted-recon; sid:2009154; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B Connectivity check"; flow:from_client,established; http.method; content:"GET"; http.uri; content:"/search?qu="; fast_pattern; http.header; content:"Content-Length|3a 20|4|0D 0A|"; http.user_agent; content:"Firefox/2.0.0.2"; depth:15; endswith; http.host; content:"www.google.com"; distance:0; bsize:14; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; classtype:trojan-activity; sid:2014173; rev:5; metadata:created_at 2012_01_31, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; http.user_agent; content:"asafaweb.com"; depth:12; endswith; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; http.uri; content:".com.exe"; fast_pattern; http.user_agent; content:"GetRight/"; depth:9; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:command-and-control; sid:2014290; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Graybird Checkin"; flow:to_server,established; http.uri; content:"/count.asp?mac="; content:"&os="; content:"&av="; http.user_agent; content:"Post"; depth:4; endswith; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:command-and-control; sid:2014365; rev:5; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2020_10_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (ld)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Banker.PWS POST Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"IDMAQUINA="; reference:url,doc.emergingthreats.net/2009127; classtype:command-and-control; sid:2009127; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos/Banker Info Stealer Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; nocase; http.request_body; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"guid="; nocase; content:"ver="; nocase; content:"stat="; nocase; content:"ie="; nocase; content:"os="; nocase; content:"ut="; nocase; content:"cpu="; nocase; fast_pattern; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; endswith; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; classtype:command-and-control; sid:2009550; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"tipo="; reference:url,doc.emergingthreats.net/2007863; classtype:command-and-control; sid:2007863; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; http.user_agent; content:"clk_jdfhid"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008399; classtype:command-and-control; sid:2008399; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DMSpammer HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat"; content:".php"; pcre:"/\/stat\d+\.php/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; fast_pattern; http.request_body; content:"x|9c|"; reference:url,doc.emergingthreats.net/2008271; classtype:command-and-control; sid:2008271; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (MzApp)"; flow:established,to_server; http.user_agent; content:"MzApp"; depth:5; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2009988; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"mode="; content:"&PartID="; content:"&mac="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2007913; classtype:command-and-control; sid:2007913; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; http.user_agent; content:"MSID ["; nocase; depth:6; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; http.user_agent; content:"IRC-U v"; depth:7; nocase; reference:url,doc.emergingthreats.net/2003647; classtype:trojan-activity; sid:2003647; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&serial="; nocase; content:"ver="; nocase; http.user_agent; content:"WinInetHTTP"; depth:11; endswith; nocase; reference:md5,0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,doc.emergingthreats.net/2009804; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; classtype:trojan-activity; sid:2009804; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV/Security Application Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?url="; nocase; content:"&affid="; fast_pattern; nocase; pcre:"/\?url=[0-9]&affid=[0-9]{5}/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows XP)"; depth:46; endswith; nocase; reference:url,doc.emergingthreats.net/2009554; classtype:command-and-control; sid:2009554; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (uplovd .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.uplovd.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,b666dc5379e31680a5621870210f0619; classtype:policy-violation; sid:2031018; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FraudLoad.aww HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/instlog/?"; nocase; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient"; depth:45; reference:url,doc.emergingthreats.net/2008322; classtype:command-and-control; sid:2008322; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; reference:url,doc.emergingthreats.net/2009455; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fruspam polling for IP likely infected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/automation/n09230945.asp"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|U|3b 20|Linux i686|3b 20|en-US|3b 20|rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0"; depth:85; endswith; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lost Door Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"subject=Lost|20|door|20|"; fast_pattern; content:"by|20|OussamiO"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008340; classtype:command-and-control; sid:2008340; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mac User-Agent Typo INBOUND Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Macintosh|3b|"; depth:23; content:"(KHTML, like Geco,"; distance:0; fast_pattern; reference:url,doc.emergingthreats.net/2008955; classtype:trojan-activity; sid:2008955; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel Downloader Request"; flow: established,to_server; http.uri; content:".php?id="; pcre:"/\.php\?id=[0-9a-f]{8}$/"; http.user_agent; content:"ie"; bsize:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T; reference:url,doc.emergingthreats.net/2010244; classtype:trojan-activity; sid:2010244; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poebot Related User Agent (SPM_ID=)"; flow:established,to_server; http.user_agent; content:"SPM_ID="; depth:7; nocase; reference:url,doc.emergingthreats.net/2006391; classtype:trojan-activity; sid:2006391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3a|"; content:"X-Size|3a|"; content:"X-Sn|3a|"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b|SV1|3b |"; depth:54; endswith; classtype:trojan-activity; sid:2014231; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; http.user_agent; content:"Babylon"; depth:7; fast_pattern; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:9; metadata:created_at 2011_04_28, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; http.uri; content:"/search"; content:"?h1="; fast_pattern; content:"&h2="; distance:0; content:"&h3="; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b|"; depth:24; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014174; rev:6; metadata:created_at 2012_01_31, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; http.user_agent; content:"XXX"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; http.uri; content:"/do/SDM"; nocase; content:"action="; nocase; http.user_agent; content:"AHTTPConnection"; nocase; depth:15; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:7; metadata:created_at 2011_09_28, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fullstuff Initial Checkin"; flow:established,to_server; http.uri; content:"/version.txt?type="; content:"&GUID="; content:"&rfr="; content:"&bgn="; http.user_agent; content:"FULLSTUFF"; depth:9; classtype:command-and-control; sid:2013887; rev:5; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (register machine)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/registraMaquina"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014952; rev:5; metadata:created_at 2012_06_23, former_category MALWARE, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (update machine status)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/updMaqStatus"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014953; rev:5; metadata:created_at 2012_06_23, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 1"; flow:established,to_server; urilen:7; http.uri; content:"/plg3.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015458; rev:4; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 2"; flow:established,to_server; urilen:7; http.uri; content:"/ext1.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015459; rev:4; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Playtech Downloader Online Gaming Checkin"; flow:to_server,established; http.uri; content:"/client_update_urls.php"; http.user_agent; content:"Playtech|20|"; depth:9; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:command-and-control; sid:2008365; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; http.header; content:!"Tree"; within:4; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:6; metadata:created_at 2011_06_17, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; http.uri; content:"/data.asp?mydata="; content:"&uid="; content:"&state="; http.user_agent; content:"you"; depth:3; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:command-and-control; sid:2015632; rev:6; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|7.0|3b 20|Windows|20|NT|20|6"; startswith; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|DNT|0d 0a|Connection|0d 0a|"; startswith; content:"Referer|0d 0a|"; reference:md5,f4b00ffce71b197865071073dec5068d; classtype:trojan-activity; sid:2035077; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_14;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (api .anonfiles .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.anonfiles.com"; bsize:20; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:policy-violation; sid:2031019; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Web.App Hosted Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.host; content:".web.app"; isdataat:!1,relative; fast_pattern; http.request_body; content:"password="; depth:9; nocase; classtype:credential-theft; sid:2031011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; content:"&passid="; distance:0; fast_pattern; content:"&Token="; distance:0; pcre:"/^userid=[^&]*&passid=[^&]*&Token=$/"; classtype:credential-theft; sid:2033007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Exfil via AnonFiles"; flow:established,to_server; http.start; content:"POST /upload?token=43a7df2f0395152e HTTP/1.1|0d 0a|Content-Type|3a 20|multipart/form-data|3b|"; startswith; fast_pattern; http.host; content:"api.anonfiles.com"; bsize:17; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:command-and-control; sid:2031020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; isdataat:!1,relative; http.host; content:".000webhostapp.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2031013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; http.uri; content:"/data.php?action="; nocase; content:"&online="; distance:0; content:"&m="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Dalvik/"; depth:7; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2013_02_05, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_14, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"6."; depth:2; pcre:"/^6\.[0-2]\x20\d\d\x3a\d\d\x20/i"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016433; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"0"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016435; rev:7; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"1"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016436; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"2"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016437; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; http.uri; content:"?rands="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:command-and-control; sid:2016446; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WARP Win32/Barkiofork.A"; flow:established,to_server; http.uri; content:"/s/asp?"; fast_pattern; content:"p=1"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:4; metadata:created_at 2013_02_20, updated_at 2020_10_14;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031014; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031015; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031016; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031017; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-DIV UA"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer Exelon|20|"; depth:35; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:command-and-control; sid:2016454; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; http.user_agent; content:"IPHONE"; depth:6; pcre:"/^IPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/i"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016461; rev:6; metadata:created_at 2011_06_28, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-RAVE UA"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; depth:33; endswith; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:command-and-control; sid:2016458; rev:5; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO)"; flow:established,to_server; http.user_agent; content:"DEMO"; nocase; depth:4; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016886; rev:4; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP)"; flow:established,to_server; http.user_agent; content:"UPHTTP"; nocase; depth:6; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016887; rev:7; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sv="; fast_pattern; content:"&tq="; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/i"; http.user_agent; content:"chrome/9.0"; depth:10; classtype:command-and-control; sid:2013795; rev:11; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Blackbeard Downloader"; flow:established,to_server; http.uri; content:"/load"; content:"p="; content:"&t="; pcre:"/[\?&]p=\d&t=\d(&|$)/"; http.user_agent; content:"IE"; depth:2; endswith; fast_pattern; reference:md5,2f6f13eced7fce495168059530246d77; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018110; rev:7; metadata:created_at 2014_01_23, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Ping"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/history/"; fast_pattern; depth:9; content:".asp"; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot PUT File Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/docs/name="; fast_pattern; depth:11; pcre:"/^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018549; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Command Status Message"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tech/s.asp?m="; fast_pattern; depth:14; pcre:"/^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018548; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Initial Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manage/asp/item.asp?id="; fast_pattern; depth:24; pcre:"/^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018550; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Data Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/article/30441/Review.asp?id="; fast_pattern; depth:29; pcre:"/^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018551; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XPSecurityCenter FakeAV Checkin"; flow:to_server,established; http.uri; content:"/XPSecurityCenter/"; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:md5,1c5eb2ea27210cf19c6ab24b7cc104b9; classtype:command-and-control; sid:2018761; rev:5; metadata:created_at 2012_07_14, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.DF Checkin"; flow:to_server,established; urilen:7; http.uri; content:"/ip.txt"; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:command-and-control; sid:2018762; rev:5; metadata:created_at 2012_07_14, former_category MALWARE, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; threshold: type limit, track by_dst, count 1, seconds 60; http.header; content:"http|3a|//www.grendel-scan.com"; nocase; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Grendel-Scan"; nocase; depth:37; fast_pattern; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; classtype:attempted-recon; sid:2009480; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; http.user_agent; content:"czxt2s"; nocase; depth:6; endswith; reference:url,doc.emergingthreats.net/2011174; classtype:web-application-attack; sid:2011174; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; http.uri; content:"backupdata"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012286; rev:7; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; http.uri; content:"backup_data"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012287; rev:6; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/";  reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:6; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 1.1.2150)"; depth:69; endswith; fast_pattern; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:8; metadata:created_at 2012_05_29, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; http.user_agent; content:"BOT/0.1 (BOT for JCE)"; depth:21; classtype:web-application-attack; sid:2016032; rev:5; metadata:created_at 2012_12_14, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"DownloadNetFile"; depth:15; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Rivest)"; flow:established,to_server; http.user_agent; content:"Rivest"; depth:6; endswith; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:4; metadata:created_at 2015_01_13, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; threshold: type both, count 1, seconds 60, track by_src; http.user_agent; content:"Bittorrent"; depth:10; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:4; metadata:created_at 2015_03_18, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"spShopId="; content:"&spShopPaymentId="; fast_pattern; distance:0; content:"&spCurrency="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"action=showPaymentForm&"; fast_pattern; content:"psAgreement="; distance:0; content:"&paymentSystemId="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xoxofuck.cyou"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"locker_ver="; fast_pattern; content:"&i_firstboot="; distance:0; content:"&harddiskserial="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:command-and-control; sid:2020829; rev:4; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_10_14;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 Fake Mozilla UA"; flow:established,to_server; http.user_agent; content:"Moziea/"; depth:7; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020901; rev:4; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2020_10_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flathommy.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"minishtab.cyou"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031023; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Fake UA CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 |"; depth:69; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020925; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FormerFirstRAT HTTP POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"|3a|443|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322)"; depth:69; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020926; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ldrpeset.casa"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?"; content:"localip="; distance:0; content:"&macaddr="; distance:0; content:"&program="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; fast_pattern; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?program="; content:"&q="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:trojan-activity; sid:2021101; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"smalleryurta.club"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda User-Agent"; flow:established,to_server; http.header; content:!"Host|3a 20|iecvlist.microsoft.com"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|29 |"; depth:158; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020380; rev:5; metadata:created_at 2015_02_06, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS Fake User-Agent"; flow:established,to_server; http.user_agent; content:"UserAgent|3a|Mozilla/5.0(Windows|20|"; depth:30; fast_pattern; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030361; rev:4; metadata:created_at 2016_06_03, former_category MALWARE, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; pcre:"/^\/[A-Za-z0-9-_]{30,}\/$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 |"; depth:46; endswith; http.request_body; content:"RECV"; depth:4; fast_pattern; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:command-and-control; sid:2019841; rev:5; metadata:created_at 2014_12_03, former_category MALWARE, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (USERAGENT)"; flow:to_server,established; http.user_agent; content:"USERAGENT"; nocase; depth:9; endswith; reference:md5,cd0e98508657b208219d435f9ac9d76c; reference:md5,cd100abc8eedf2119c7e6746975d7773; classtype:trojan-activity; sid:2034066; rev:7; metadata:created_at 2011_11_22, former_category USER_AGENTS, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious UA Mozilla / 4.0"; flow:to_server,established; http.host; content:!"captive.apple.com"; endswith; content:!".google.com"; endswith; http.user_agent; content:"Mozilla / 4.0"; nocase; bsize:13; classtype:trojan-activity; sid:2013964; rev:6; metadata:created_at 2011_11_23, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Xmaker)"; flow:to_server,established; http.user_agent; content:"Xmaker"; depth:6; reference:url,www.pcapanalysis.com/tag/trickster-google-drive-malware-trojan-pcap-file-download-traffic-sample/; classtype:trojan-activity; sid:2023746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; http.user_agent; content:"build"; depth:5; pcre:"/^build\d/"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_15;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; http.user_agent; content:"Jcomers Bot"; nocase; depth:11; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011285; rev:8; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_10_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Unknown)"; flow:to_server,established; http.user_agent; content:"Unknown"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; classtype:trojan-activity; sid:2007991; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+/"; depth:31; fast_pattern; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:16; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Metafisher/Goldun User-Agent (z)"; flow:to_server,established; http.user_agent; content:"z"; depth:1; endswith; reference:url,doc.emergingthreats.net/2002874; classtype:trojan-activity; sid:2002874; rev:17; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"WinXP Pro Service Pack"; depth:22; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent outbound (bot)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"bot/"; depth:4; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; http.user_agent; content:"Rescue/9.11"; depth:11; reference:url,doc.emergingthreats.net/2003645; classtype:trojan-activity; sid:2003645; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"PlayStation"; http.user_agent; content:"HTTPTEST"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Snatch-System)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Snatch-System"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Ms)"; flow:established,to_server; http.user_agent; content:"Ms"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; classtype:trojan-activity; sid:2003933; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; http.user_agent; content:"ExampleDL"; depth:9; reference:url,doc.emergingthreats.net/2004440; classtype:trojan-activity; sid:2004440; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"KKTone"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Dialer-967 User-Agent"; flow:to_server,established; http.user_agent; content:"del"; depth:3; endswith; nocase; reference:url,doc.emergingthreats.net/2006364; classtype:trojan-activity; sid:2006364; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MYURL)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MYURL"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Matcash or related downloader User-Agent Detected"; flow:established,to_server; http.user_agent; pcre:"/^x\w\wx\w\w\!x\w\wx\w\wx\w\w/"; content:"x"; startswith; reference:url,doc.emergingthreats.net/2006382; classtype:trojan-activity; sid:2006382; rev:12; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; http.user_agent; content:"Windows Updates Manager|7c|"; depth:24; reference:url,doc.emergingthreats.net/2006387; classtype:trojan-activity; sid:2006387; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (ld)"; flow:established,to_server; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/2006394; classtype:trojan-activity; sid:2006394; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Mz)"; flow:established,to_server; http.user_agent; content:"Mz"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; http.user_agent; content:"Ismazo"; nocase; depth:6; reference:url,doc.emergingthreats.net/2007633; classtype:trojan-activity; sid:2007633; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; http.user_agent; content:"WINDOWS_LOADS"; depth:13; reference:url,doc.emergingthreats.net/2007699; classtype:trojan-activity; sid:2007699; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windoss NT"; depth:45; fast_pattern; reference:url,doc.emergingthreats.net/2007742; classtype:trojan-activity; sid:2007742; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"netcfg"; depth:6; endswith; reference:url,doc.emergingthreats.net/2007758; classtype:trojan-activity; sid:2007758; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Tear Application User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Tear Application"; depth:16; endswith; reference:url,doc.emergingthreats.net/2007770; classtype:trojan-activity; sid:2007770; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Related Trojan User-Agent (kpangupdate)"; flow:established,to_server; http.user_agent; content:"kpangupdate"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007779; classtype:pup-activity; sid:2007779; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neonaby.com Related Trojan User-Agent (neonabyupdate)"; flow:established,to_server; http.user_agent; content:"neonabyupdate"; depth:13; endswith; nocase; reference:url,doc.emergingthreats.net/2007825; classtype:trojan-activity; sid:2007825; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; http.user_agent; content:"WinInet"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007837; classtype:trojan-activity; sid:2007837; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Possible Trojan Downloader Shell"; flow:established,to_server; http.user_agent; content:"Shell"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007840; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2007840; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kpang.com Related Trojan User-Agent (alertup)"; flow:established,to_server; http.user_agent; content:"alertup"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007849; classtype:trojan-activity; sid:2007849; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; http.user_agent; content:"Yhrbg"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007912; classtype:trojan-activity; sid:2007912; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; http.user_agent; content:"Digital"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2007923; classtype:trojan-activity; sid:2007923; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; http.user_agent; content:"downloaded"; depth:10; endswith; nocase; reference:url,doc.emergingthreats.net/2007924; classtype:trojan-activity; sid:2007924; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; http.user_agent; content:"wnames"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2007925; classtype:trojan-activity; sid:2007925; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; http.user_agent; content:"https"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2008019; classtype:trojan-activity; sid:2008019; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (c \windows)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"c|3a 5c|"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Version 1.23)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Version|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla-web"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INSTALLER)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INSTALLER"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IEMGR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IEMGR"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GOOGLE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"GOOGLE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (RBR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"RBR"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Otwycal User-Agent (Downing)"; flow:to_server,established; http.user_agent; content:"Downing"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008159; classtype:trojan-activity; sid:2008159; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"MS Internet Explorer"; depth:20; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (QQ)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|0d 0a|Q-UA|3a 20|"; http.user_agent; content:"QQ"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (TestAgent)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"TestAgent"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SERVER"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinProxy)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WinProxy"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"sickness"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (up2dash updater)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"up2dash"; nocase; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"NSIS_DOWNLOAD"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:pup-activity; sid:2008216; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:"|20|biz|0d 0a|"; within:15; http.user_agent; content:"Mozilla|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP my247eshop .com User-Agent"; flow:established,to_server; http.user_agent; content:"EShopee"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008243; classtype:pup-activity; sid:2008243; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"IE"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Nimo Software HTTP"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:pup-activity; sid:2008257; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm 1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WebForm"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (opera)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"opera"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Zilla)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Zilla"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keypack.co.kr Related Trojan User-Agent Detected"; flow:established,to_server; http.user_agent; content:"keypack"; depth:7; reference:url,doc.emergingthreats.net/2008339; classtype:trojan-activity; sid:2008339; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (123)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"123"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (angel)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"angel"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Accessing)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Accessing"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ISMYIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ISMYIE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (svchost)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"svchost"; depth:7; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ReadFileURL"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"PcPcUpdater"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Inet_read)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Inet_read"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS Agent)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS Agent"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; classtype:trojan-activity; sid:2008423; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS_DOWNLOAD"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"AdiseExplorer"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HTTP Downloader"; depth:15; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HttpDownload)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HttpDownload"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Download App)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Download App"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent (AutoDL\/1.0)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"AutoDL/1.0"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008458; classtype:trojan-activity; sid:2008458; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hacker)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"hacker"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ieguideupdate"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adsntD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"adsntD"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (NULL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"NULL"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieagent)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"ieagent"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (antispyprogram)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"antispyprogram"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; classtype:trojan-activity; sid:2008495; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SUiCiDE"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"|5c|xa2|5c|xa2HttpClient"; depth:18; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (C slash)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|5c|Citrix|5c|"; content:!"|5c|Panda S"; nocase; content:!"|5c|Mapinfo"; nocase; http.user_agent; content:"C|3a 5c|"; depth:3; fast_pattern; classtype:trojan-activity; sid:2008512; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"msIE"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"AVP200"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (winlogon)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"winlogon"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Internet HTTP"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Downloader"; depth:10; pcre:"/^Downloader\d+\.\d/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008643; classtype:trojan-activity; sid:2008643; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Compatible"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; classtype:trojan-activity; sid:2008657; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"GetUrlSize"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; classtype:trojan-activity; sid:2008658; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"aguarovex-loader v"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; classtype:trojan-activity; sid:2008663; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WINS_HTTP_SEND"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; classtype:trojan-activity; sid:2008734; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (checkonline)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"checkonline"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; classtype:trojan-activity; sid:2008749; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Kvadrlson|20|"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; classtype:trojan-activity; sid:2008756; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Kangkio User-Agent (lsosss)"; flow:established,to_server; http.user_agent; content:"lsosss"; depth:6; endswith; reference:url,doc.emergingthreats.net/2008767; classtype:trojan-activity; sid:2008767; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (miip)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"miip"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; classtype:trojan-activity; sid:2008797; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozil1a)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Mozil1a"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; classtype:trojan-activity; sid:2008847; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"min"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; classtype:trojan-activity; sid:2008912; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/1.0 (compatible|3b 20|MSIE 8.0|3b|"; depth:34; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; classtype:trojan-activity; sid:2008913; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"xr"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; classtype:trojan-activity; sid:2008914; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Yandesk)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Yandesk"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; classtype:trojan-activity; sid:2008916; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"sections"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; classtype:trojan-activity; sid:2008919; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HELLO)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HELLO"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; classtype:trojan-activity; sid:2008941; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IE/1.0"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow:established,to_server; http.user_agent; content:"AV1"; depth:3; endswith; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:11; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runUpdater.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runUpdater|2e|html"; depth:15; reference:url,doc.emergingthreats.net/2009355; classtype:trojan-activity; sid:2009355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runPatch.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runPatch|2e|html"; depth:13; reference:url,doc.emergingthreats.net/2009356; classtype:trojan-activity; sid:2009356; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Poker)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Poker"; depth:5; endswith; nocase; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; classtype:trojan-activity; sid:2009534; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"InHold"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2009544; classtype:trojan-activity; sid:2009544; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INet)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INet"; depth:4; endswith; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (STEROID Download)"; flow:established,to_server; http.user_agent; content:"STEROID Download"; nocase; depth:16; endswith; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; classtype:trojan-activity; sid:2009994; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0(compatible|3b 20|TALWinHttpClient)"; depth:41; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2010261; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010261; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32.OnLineGames User-Agent (BigFoot)"; flow:to_server,established; http.user_agent; content:"BigFoot"; nocase; depth:7; reference:url,doc.emergingthreats.net/2010678; classtype:trojan-activity; sid:2010678; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Nine Ball User-Agent Detected (NQX315)"; flow:established,to_server; http.user_agent; content:"NQX315"; depth:6; endswith; reference:url,doc.emergingthreats.net/2011188; classtype:trojan-activity; sid:2011188; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Artro Downloader User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|wget 3.0|3b 20|rv|3a|5.0) Gecko/20100101 Firefox/5.0"; depth:73; fast_pattern; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:pup-activity; sid:2013184; rev:9; metadata:created_at 2011_07_04, former_category USER_AGENTS, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GUIDTracker)"; flow:to_server,established; http.user_agent; content:"GUIDTracker"; depth:11; reference:md5,7a8807f4de0999dba66a8749b2366def; classtype:trojan-activity; sid:2013455; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delphi Trojan Downloader User-Agent (JEDI-VCL)"; flow:established,to_server; http.host; content:!"apexwin.com"; http.user_agent; content:"JEDI-VCL"; depth:8; classtype:trojan-activity; sid:2013559; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (windsoft)"; flow:established,to_server; http.user_agent; content:"WindSoft"; depth:8; endswith; classtype:trojan-activity; sid:2013561; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (NOPE)"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369; reference:url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734; classtype:trojan-activity; sid:2013702; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot)"; flow:to_server,established; http.user_agent; content:"Aldi Bot"; nocase; depth:8; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013747; rev:7; metadata:created_at 2011_09_24, former_category USER_AGENTS, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NateFinder)"; flow:to_server,established; http.user_agent; content:"NateFinder"; depth:10; classtype:trojan-activity; sid:2013881; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (webfile)"; flow:to_server,established; http.user_agent; content:"webfile"; depth:7; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; classtype:trojan-activity; sid:2013883; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DARecover)"; flow:to_server,established; http.user_agent; content:"DARecover"; depth:9; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; classtype:trojan-activity; sid:2013884; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1-|20|"; depth:56; fast_pattern; reference:url,doc.emergingthreats.net/2010868; classtype:bad-unknown; sid:2010868; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer User-Agent (ROGUE)"; flow: to_server,established; http.user_agent; content:"ROGUE"; depth:5; reference:url,www.internet-optimizer.com; reference:url,doc.emergingthreats.net/2002405; classtype:pup-activity; sid:2002405; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User Agent (_)"; flow:to_server,established; http.user_agent; content:"_"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; classtype:trojan-activity; sid:2007942; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manager/html"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; http.user_agent; content:"Agent"; depth:5; pcre:"/^Agent\d{5,6}$/i"; http.host; content:!"cloud.10jqka.com.cn"; content:!".maxthon.com";  classtype:trojan-activity; sid:2013315; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Related User-Agent (mez)"; flow: to_server,established; http.user_agent; content:"mez"; nocase; depth:3; endswith; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:pup-activity; sid:2000586; rev:35; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP YourSiteBar User-Agent (istsvc)"; flow: to_server,established; http.user_agent; content:"istsvc"; nocase; depth:6; endswith; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:pup-activity; sid:2001699; rev:264; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; http.user_agent; content:"Bundle"; depth:6; reference:url,doc.emergingthreats.net/2001702; classtype:pup-activity; sid:2001702; rev:40; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 404Search Spyware User-Agent (404search)"; flow:established,to_server; http.user_agent; content:"404search"; depth:9; reference:url,doc.emergingthreats.net/2001852; classtype:pup-activity; sid:2001852; rev:31; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; http.user_agent; content:"ESB"; depth:3; reference:url,doc.emergingthreats.net/2001853; classtype:pup-activity; sid:2001853; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZULA Spyware User Agent"; flow: established,to_server; http.user_agent; content:"ezula"; depth:5; nocase; reference:url,doc.emergingthreats.net/2001854; classtype:pup-activity; sid:2001854; rev:27; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (Sidesearch)"; flow: established,to_server; http.user_agent; content:"Sidesearch"; depth:10; reference:url,doc.emergingthreats.net/2001869; classtype:pup-activity; sid:2001869; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; http.user_agent; content:"TSA/"; depth:4; reference:url,doc.emergingthreats.net/2001871; classtype:pup-activity; sid:2001871; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (EI)"; flow: to_server,established; http.user_agent; content:"EI"; depth:2; endswith; reference:url,doc.emergingthreats.net/2001996; classtype:pup-activity; sid:2001996; rev:18; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware (Feat)"; flow: to_server,established; http.user_agent; content:"Feat"; nocase; depth:4; pcre:"/^Feat[^\r\n]+(?:Install|Updat)er/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:pup-activity; sid:2002160; rev:21; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Spyware User-Agent (host)"; flow: to_server,established; http.header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; http.user_agent; content:"host"; nocase; depth:4; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:pup-activity; sid:2002164; rev:16; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva User-Agent (TPSystem)"; flow: to_server,established; http.user_agent; content:"TPSystem"; nocase; depth:8; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:pup-activity; sid:2002395; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; http.user_agent; content:"Travel Update"; depth:13; endswith; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:pup-activity; sid:2002396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus User-Agent (PTS)"; flow: to_server,established; http.user_agent; content:"PTS"; depth:3; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:pup-activity; sid:2002403; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install)"; flow: to_server,established; http.uri; content:"/checkhttp.htm"; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:pup-activity; sid:2002840; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; http.uri; content:"/ping/?shortname="; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:pup-activity; sid:2002841; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; http.uri; content:"/checkin.php?"; nocase; content:"unq="; nocase; content:"version="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:pup-activity; sid:2003209; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Install"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"&pais="; nocase; content:"unq="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:pup-activity; sid:2003210; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; http.user_agent; content:"Download Agent"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:pup-activity; sid:2003243; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; http.user_agent; content:"YourScreen"; depth:10; reference:url,doc.emergingthreats.net/2003405; classtype:pup-activity; sid:2003405; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; http.user_agent; content:"RX Bar"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003407; classtype:pup-activity; sid:2003407; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; http.user_agent; content:"Updater"; depth:7; endswith; reference:url,doc.emergingthreats.net/2003470; classtype:pup-activity; sid:2003470; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; http.user_agent; content:"ad-protect"; nocase; depth:10; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:pup-activity; sid:2003476; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; http.user_agent; content:"DInstaller"; nocase; depth:10; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:pup-activity; sid:2003477; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; http.user_agent; content:"ERRORNUKER"; nocase; depth:10; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:pup-activity; sid:2003478; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; http.user_agent; content:"MalwareWipe"; nocase; depth:11; endswith; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:pup-activity; sid:2003489; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; http.user_agent; content:"Mirar_KeywordContent"; nocase; depth:20; endswith; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:pup-activity; sid:2003490; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ms)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"ms"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:pup-activity; sid:2003497; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; http.user_agent; content:"Sprout Game"; nocase; depth:11; endswith; reference:url,doc.emergingthreats.net/2003498; classtype:pup-activity; sid:2003498; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; http.user_agent; content:"SpyDawn"; nocase; depth:7; endswith; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:pup-activity; sid:2003499; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; http.user_agent; content:"STBHOGet"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/2003500; classtype:pup-activity; sid:2003500; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_18;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; http.user_agent; content:"Alawar Toolbar"; nocase; depth:14; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:pup-activity; sid:2003506; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; http.user_agent; content:"CommonName"; nocase; depth:10; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:pup-activity; sid:2003532; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; http.user_agent; content:"WinFixMaster"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003544; classtype:pup-activity; sid:2003544; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (DIALER)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"DIALER"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003566; classtype:pup-activity; sid:2003566; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; http.user_agent; content:"iefeatsl"; nocase; depth:8; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:pup-activity; sid:2003570; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; http.user_agent; content:"MalwareWiped"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003582; classtype:pup-activity; sid:2003582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (update)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"update"; depth:6; endswith; reference:url,doc.emergingthreats.net/2003583; classtype:pup-activity; sid:2003583; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; http.user_agent; content:"EELoader"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003613; classtype:pup-activity; sid:2003613; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; http.user_agent; content:"KRSystem"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003625; classtype:pup-activity; sid:2003625; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; http.user_agent; content:"ProxyDown"; nocase; depth:9; reference:url,doc.emergingthreats.net/2003639; classtype:pup-activity; sid:2003639; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; http.user_agent; content:"91cast"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003640; classtype:pup-activity; sid:2003640; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; http.user_agent; content:"GTBank"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003654; classtype:pup-activity; sid:2003654; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; http.user_agent; content:"Internet 1."; nocase; depth:11; reference:url,doc.emergingthreats.net/2003655; classtype:pup-activity; sid:2003655; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; http.user_agent; content:"PWMI/"; nocase; depth:5; reference:url,doc.emergingthreats.net/2003926; classtype:pup-activity; sid:2003926; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; http.user_agent; content:"Mbar"; nocase; depth:4; endswith; reference:url,doc.emergingthreats.net/2003928; classtype:pup-activity; sid:2003928; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; http.user_agent; content:"Mirar_Toolbar"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003929; classtype:pup-activity; sid:2003929; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; http.user_agent; content:"fetcher"; nocase; depth:7; endswith; reference:url,doc.emergingthreats.net/2005318; classtype:pup-activity; sid:2005318; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; http.user_agent; content:"NavHelper"; nocase; depth:9; reference:url,doc.emergingthreats.net/2005321; classtype:pup-activity; sid:2005321; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:pup-activity; sid:2006361; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; http.user_agent; content:"IBSBand-"; depth:8; reference:url,doc.emergingthreats.net/2006362; classtype:pup-activity; sid:2006362; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031026; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031027; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031029; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; http.user_agent; content:"atsu"; depth:4; endswith; reference:url,doc.emergingthreats.net/2006370; classtype:pup-activity; sid:2006370; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (006)"; flow:established,to_server; http.user_agent; content:"00"; depth:2; pcre:"/00\d+$/";  reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:pup-activity; sid:2006388; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; http.user_agent; content:"WTRecover"; depth:9; reference:url,doc.emergingthreats.net/2006392; classtype:pup-activity; sid:2006392; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; http.user_agent; content:"WTInstaller"; depth:11; reference:url,doc.emergingthreats.net/2006393; classtype:pup-activity; sid:2006393; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; http.user_agent; content:"pint_agency"; depth:11; reference:url,doc.emergingthreats.net/2006413; classtype:pup-activity; sid:2006413; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; http.user_agent; content:"anycleaner"; depth:10; reference:url,doc.emergingthreats.net/2006419; classtype:pup-activity; sid:2006419; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; http.user_agent; content:"DoctorVaccine"; depth:13; reference:url,doc.emergingthreats.net/2006421; classtype:pup-activity; sid:2006421; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; http.user_agent; content:"WT_GET_COMM"; depth:11; reference:url,doc.emergingthreats.net/2006422; classtype:pup-activity; sid:2006422; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; http.user_agent; content:"doctorpro"; depth:9; reference:url,doc.emergingthreats.net/2006423; classtype:pup-activity; sid:2006423; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; http.user_agent; content:"Access down"; depth:11; endswith; reference:url,doc.emergingthreats.net/2006430; classtype:pup-activity; sid:2006430; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; http.user_agent; content:"CPUSH_"; depth:6; reference:url,doc.emergingthreats.net/2006553; classtype:pup-activity; sid:2006553; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; http.user_agent; content:"blahrx"; depth:6; reference:url,doc.emergingthreats.net/2006778; classtype:pup-activity; sid:2006778; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; http.user_agent; content:"ZC-Bridgev"; depth:10; reference:url,doc.emergingthreats.net/2006780; classtype:pup-activity; sid:2006780; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; http.user_agent; content:"ZC XML-RPC"; depth:10; reference:url,doc.emergingthreats.net/2006781; classtype:pup-activity; sid:2006781; rev:42; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; http.user_agent; content:"szNotifyIdent"; depth:13; reference:url,doc.emergingthreats.net/2006782; classtype:pup-activity; sid:2006782; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; http.user_agent; content:"vikiller ctrl"; nocase; depth:13; reference:url,doc.emergingthreats.net/2007582; classtype:pup-activity; sid:2007582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; http.user_agent; content:"B Register"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007597; classtype:pup-activity; sid:2007597; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; http.user_agent; content:"updatesodui"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007598; classtype:pup-activity; sid:2007598; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; http.user_agent; content:"aaaabbb"; nocase; depth:7; reference:url,doc.emergingthreats.net/2007599; classtype:pup-activity; sid:2007599; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; http.user_agent; content:"TryMedia_DM_"; nocase; depth:12; reference:url,doc.emergingthreats.net/2007600; classtype:pup-activity; sid:2007600; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; http.user_agent; content:"VirusProtectPro"; depth:15; reference:url,doc.emergingthreats.net/2007617; classtype:pup-activity; sid:2007617; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; http.user_agent; content:"viruscheck"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007643; classtype:pup-activity; sid:2007643; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; http.user_agent; content:"Ultimate Fixer"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007645; classtype:pup-activity; sid:2007645; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (XXX)"; flow:established,to_server; http.user_agent; content:"XXX"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:pup-activity; sid:2007648; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; http.user_agent; content:"QdrBi Starter"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:pup-activity; sid:2007659; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Browser"; nocase; depth:26; endswith; reference:url,doc.emergingthreats.net/2007660; classtype:pup-activity; sid:2007660; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (install_s)"; flow:established,to_server; http.user_agent; content:"install_"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:pup-activity; sid:2007666; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (count)"; flow:established,to_server; http.user_agent; content:"count"; nocase; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:pup-activity; sid:2007667; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; http.user_agent; content:"BndDriveLoader"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007693; classtype:pup-activity; sid:2007693; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; http.user_agent; content:"LmaokaazLdr"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007694; classtype:pup-activity; sid:2007694; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; http.user_agent; content:"ie"; depth:2; endswith; reference:url,doc.emergingthreats.net/2007827; classtype:pup-activity; sid:2007827; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; http.user_agent; content:"DrPCClean"; depth:9; reference:url,doc.emergingthreats.net/2007839; classtype:pup-activity; sid:2007839; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"microsoft"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:pup-activity; sid:2007859; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Firefox"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:pup-activity; sid:2007868; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; http.user_agent; content:"Vomba"; depth:5; reference:url,doc.emergingthreats.net/2007869; classtype:pup-activity; sid:2007869; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; http.user_agent; content:"HTTP_GET_COMM"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007881; classtype:pup-activity; sid:2007881; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; http.user_agent; content:"SHINI"; depth:5; endswith; reference:url,doc.emergingthreats.net/2007882; classtype:pup-activity; sid:2007882; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; http.user_agent; content:"VirusHeat"; depth:9; reference:url,doc.emergingthreats.net/2007883; classtype:pup-activity; sid:2007883; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Example)"; flow:to_server,established; http.user_agent; content:"Example"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:pup-activity; sid:2007884; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; http.user_agent; content:"auctionplusup"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007900; classtype:pup-activity; sid:2007900; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; http.user_agent; content:"HTTPGETDATA"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007908; classtype:pup-activity; sid:2007908; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTPFILEDOWN"; depth:12; endswith; reference:url,doc.emergingthreats.net/2007909; classtype:pup-activity; sid:2007909; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTP_FILEDOWN"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007910; classtype:pup-activity; sid:2007910; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; http.user_agent; content:"UDonkey"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007927; classtype:pup-activity; sid:2007927; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; http.user_agent; content:"InvokeAd"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007928; classtype:pup-activity; sid:2007928; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet)"; flow:to_server,established; http.user_agent; content:"Internet"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:pup-activity; sid:2008013; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; http.user_agent; content:"Ssol NetInstaller"; depth:17; reference:url,doc.emergingthreats.net/2008040; classtype:pup-activity; sid:2008040; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; http.user_agent; content:"WinTouch"; depth:8; reference:url,doc.emergingthreats.net/2008141; classtype:pup-activity; sid:2008141; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; http.user_agent; content:"Sidebar"; depth:7; reference:url,doc.emergingthreats.net/2008201; classtype:pup-activity; sid:2008201; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZenoSearch Spyware User-Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|["; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/i"; reference:url,doc.emergingthreats.net/2008279; classtype:pup-activity; sid:2008279; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; http.user_agent; content:"AsmUpdater"; depth:10; reference:url,doc.emergingthreats.net/2008294; classtype:pup-activity; sid:2008294; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; http.user_agent; content:"Connector v"; depth:11; reference:url,doc.emergingthreats.net/2008372; classtype:pup-activity; sid:2008372; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; http.user_agent; content:"FavUpdate"; depth:9; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:pup-activity; sid:2008457; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (FTP)"; flow: to_server,established; http.user_agent; content:"Ftp"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:pup-activity; sid:2008735; rev:11; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Matcash Trojan Related Spyware Code Download"; flow:established,to_server; http.user_agent; content:"Windows 5.1 (2600)|3b 20|DMCP"; depth:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:pup-activity; sid:2008759; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; http.user_agent; content:"Smileware"; depth:9; reference:url,doc.emergingthreats.net/2008892; classtype:pup-activity; sid:2008892; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (FileDownloader)"; flow:to_server,established; http.user_agent; content:"FileDownloader"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:pup-activity; sid:2009027; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake AV User-Agent (N1)"; flow:to_server,established; http.user_agent; content:"N1"; depth:2; endswith; reference:url,doc.emergingthreats.net/2009157; classtype:pup-activity; sid:2009157; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; http.user_agent; content:"Lobo Lunar"; depth:10; reference:url,doc.emergingthreats.net/2009222; classtype:pup-activity; sid:2009222; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow:established,to_server; http.user_agent; content:"CTT"; depth:3; reference:url,doc.emergingthreats.net/2009236; classtype:pup-activity; sid:2009236; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch Browser Optimizer"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?aff="; nocase; content:"&act="; nocase; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; nocase; depth:20; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:pup-activity; sid:2009524; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Microgaming Install Program"; nocase; depth:27; endswith; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:pup-activity; sid:2009783; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"ERRN200"; depth:7; reference:url,doc.emergingthreats.net/2009861; classtype:pup-activity; sid:2009861; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"User Agent"; depth:10; reference:url,doc.emergingthreats.net/2009930; classtype:pup-activity; sid:2009930; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; http.user_agent; content:"VaccineKiller"; depth:13; reference:url,doc.emergingthreats.net/2009993; classtype:pup-activity; sid:2009993; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (Sme32)"; flow: established, to_server; http.user_agent; content:"Sme32"; depth:5; endswith; reference:url,doc.emergingthreats.net/2010137; classtype:pup-activity; sid:2010137; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; http.user_agent; content:"SogouExplorerMiniSetup"; nocase; depth:22; reference:url,doc.emergingthreats.net/2010675; classtype:pup-activity; sid:2010675; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Fast Browser Search)"; flow:to_server,established; http.user_agent; content:"Fast Browser Search"; nocase; depth:19; reference:url,doc.emergingthreats.net/2010676; classtype:pup-activity; sid:2010676; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; http.user_agent; content:"General Antivirus"; nocase; depth:17; reference:url,doc.emergingthreats.net/2010679; classtype:pup-activity; sid:2010679; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; http.user_agent; content:"Update1.0"; depth:9; reference:url,doc.emergingthreats.net/2010680; classtype:pup-activity; sid:2010680; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FaceCooker)"; flow:to_server,established; http.user_agent; content:"FaceCooker"; nocase; depth:10; reference:url,doc.emergingthreats.net/2010717; classtype:pup-activity; sid:2010717; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Live Enterprise Suite)"; flow:to_server,established; http.user_agent; content:"Live Enterprise Suite"; nocase; depth:21; reference:url,doc.emergingthreats.net/2010727; classtype:pup-activity; sid:2010727; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; http.user_agent; content:"InfoBox"; depth:7; reference:url,doc.emergingthreats.net/2010934; classtype:pup-activity; sid:2010934; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (lineguide)"; flow:to_server,established; http.user_agent; content:"lineguide"; nocase; depth:9; reference:url,doc.emergingthreats.net/2011106; classtype:pup-activity; sid:2011106; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Save)"; flow:to_server,established; http.user_agent; content:"Save"; depth:4; endswith; reference:url,poweredbysave.com; classtype:pup-activity; sid:2011120; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; http.user_agent; content:"|5f|InTeRNeT"; depth:9; reference:url,doc.emergingthreats.net/2011127; classtype:pup-activity; sid:2011127; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Download Master"; depth:15; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:pup-activity; sid:2011146; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (webcount)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"webcount"; depth:8; reference:url,doc.emergingthreats.net/2011149; classtype:pup-activity; sid:2011149; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou Toolbar Checkin"; flow:to_server,established; http.uri; content:"/seversion.txt"; http.user_agent; content:"SeFastSetup"; depth:11; reference:url,doc.emergingthreats.net/2011225; classtype:pup-activity; sid:2011226; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0 |28|SP3 WINLD|29 |"; depth:23; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2011238; classtype:pup-activity; sid:2011238; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; http.user_agent; content:"Forthgoer"; depth:9; reference:url,doc.emergingthreats.net/2011247; classtype:pup-activity; sid:2011247; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"XieHongWei"; depth:10; reference:url,doc.emergingthreats.net/2011248; classtype:pup-activity; sid:2011248; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CustomSpy)"; flow:to_server,established; http.user_agent; content:"|28|CustomSpy|29 |"; depth:11; endswith; reference:url,doc.emergingthreats.net/2011271; classtype:pup-activity; sid:2011271; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; http.user_agent; content:"C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; depth:32; classtype:pup-activity; sid:2011334; rev:9; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"http-get-demo"; depth:13; endswith; classtype:pup-activity; sid:2011392; rev:7; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer 6.0"; depth:31; endswith; classtype:pup-activity; sid:2011393; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; http.uri; content:"/registerSession.py?"; nocase; content:"proj="; nocase; content:"&country="; nocase; content:"&lang="; nocase; content:"&channel="; nocase; content:"source="; nocase; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:url,doc.emergingthreats.net/2011677; reference:md5,af0bbdf6097233e8688c5429aa97bbed; classtype:pup-activity; sid:2011677; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_Query)"; flow:to_server,established; http.user_agent; content:"HTTP_Query"; nocase; depth:10; endswith; reference:url,doc.emergingthreats.net/2011678; classtype:pup-activity; sid:2011678; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Gbot)"; flow:established,to_server; http.user_agent; content:"gbot"; depth:4; classtype:pup-activity; sid:2011872; rev:6; metadata:created_at 2010_10_29, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; http.user_agent; content:"Search Toolbar"; depth:14; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:pup-activity; sid:2013333; rev:7; metadata:created_at 2011_07_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SWInformer.B Checkin"; flow:to_server,established; http.uri; content:"log.php?"; http.user_agent; content:"FDMuiless"; depth:9; endswith; reference:md5,0f90568d86557d62f7d4e1c0f7167431; classtype:pup-activity; sid:2014004; rev:7; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; http.uri; content:"/inst.php?"; http.user_agent; content:"psi"; depth:3; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:pup-activity; sid:2014262; rev:7; metadata:created_at 2012_01_21, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; http.user_agent; content:"WmpHostInternetConnection"; depth:25; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Steal0r"; flow:established,to_server; http.uri; content:"info=Steam|20|Steal0r|20|"; fast_pattern; content:"&acc="; content:"&pw="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008360; classtype:trojan-activity; sid:2008360; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virusremover2008.com Checkin"; flow:to_server,established; http.method; content:"GET"; depth:3; nocase; http.uri; content:"?action="; nocase; content:"pc_id="; nocase; content:"abbr="; http.user_agent; content:"Statistican"; depth:11; reference:url,doc.emergingthreats.net/2008527; classtype:command-and-control; sid:2008527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock User-Agent Detected"; flow:established,to_server; http.user_agent; content:"xSock Config"; depth:12; nocase; reference:url,doc.emergingthreats.net/2007609; classtype:trojan-activity; sid:2007609; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.pt User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Machaon"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007663; classtype:trojan-activity; sid:2007663; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/9.28 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009474; classtype:trojan-activity; sid:2009474; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/8.81 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009525; classtype:trojan-activity; sid:2009525; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; http.user_agent; content:"YOK Agent"; depth:9; endswith; reference:url,doc.emergingthreats.net/2008752; classtype:pup-activity; sid:2008752; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"curl"; nocase; startswith; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus Dropper Infection - /loads.php"; flow:established,to_server; http.uri; content:"/loads.php"; content:"?r="; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; http.host; content:"knocker"; startswith; reference:url,doc.emergingthreats.net/2009213; classtype:trojan-activity; sid:2009213; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; http.user_agent; content:"VIP20"; depth:5; nocase; reference:url,doc.emergingthreats.net/2008156; classtype:trojan-activity; sid:2008156; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSIE 5.5"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007833; classtype:trojan-activity; sid:2007833; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_19;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; http.user_agent; content:"get-minimal"; depth:11; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; http.uri; content:"/install/banner/"; nocase; pcre:"/\d/\d+.jpg/i"; http.user_agent; content:"NSISDL"; nocase; depth:6; http.host; content:"www.winpcap.org"; startswith; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; http.user_agent; content:"WinFix Master"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003545; classtype:pup-activity; sid:2003545; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Related msndown"; flow:established,to_server; http.user_agent; content:"msndown"; depth:7; endswith; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; classtype:trojan-activity; sid:2012221; rev:5; metadata:created_at 2011_01_22, former_category USER_AGENTS, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; http.header; content:"|0d 0a|Host|3a 20|idisk.mac.com|0d 0a|"; nocase; http.user_agent; content:"DotMacKit-like, File-Sync-Direct"; depth:32; nocase; classtype:policy-violation; sid:2012331; rev:6; metadata:created_at 2011_02_22, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; http.user_agent; content:"w3af.sourceforge.net"; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Hostname"; dns.query; bsize:>30; content:"61643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}6164(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){5,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Number of Queries"; dns.query; bsize:>30; content:"63643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6364(?:3[0-9]){4}\d{1,3}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Initial Hello Beacon"; dns.query; bsize:>30; content:"64643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6464(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Finished Sending Results"; dns.query; bsize:>30; content:"66643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6664(?:3[0-9]){4}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Getting CnC Data"; dns.query; bsize:>30; content:"68643"; offset:5; depth:5; content:"31303"; distance:7; within:5; content:"|2e|"; distance:1; within:1; pcre:"/^[a-zA-Z0-9]{5}6864(?:3[0-9]){4}31303[0-9]\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Command Results"; dns.query; bsize:>30; content:"72643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}7264(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){10,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028671; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent WebUpdate"; flow:established,to_server; http.user_agent; content:"WebUpdate"; bsize:9; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; http.user_agent; content:"Ares"; startswith; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GMServer/GMServlet"; nocase; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Request Command Beacon"; dns.query; bsize:>30; content:"71643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}7164(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028674; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; http.user_agent; content:"MxAgent"; nocase; depth:7; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent (securityinternet)"; flow:established,to_server; http.user_agent; content:"securityinternet"; depth:16; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (Winlogon)"; flow:established,to_server; http.user_agent; content:"Winlogon"; depth:8; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; http.user_agent; content:"internetsecurity"; depth:16; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; http.user_agent; content:"SexTrackerWSI"; depth:13; nocase; reference:url,doc.emergingthreats.net/2003627; classtype:pup-activity; sid:2003627; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (???)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|???"; http.user_agent; content:!"|20|Sparkle|2f|"; reference:url,doc.emergingthreats.net/2010595; classtype:pup-activity; sid:2010595; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; http.user_agent; content:"Azureus"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; classtype:policy-violation; sid:2007799; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; http.user_agent; content:"BTSP/"; depth:5; reference:url,doc.emergingthreats.net/2011713; classtype:policy-violation; sid:2011713; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; http.user_agent; content:"BitComet/"; depth:9; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; http.user_agent; content:"BitTornado/"; depth:11; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; classtype:policy-violation; sid:2011702; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; http.user_agent; content:"Bittorrent"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; classtype:trojan-activity; sid:2006372; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; http.user_agent; content:"KTorrent/3"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; classtype:policy-violation; sid:2011700; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; http.user_agent; content:"ktorrent/2"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; classtype:policy-violation; sid:2011711; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Client User-Agent (Shareaza 2.x)"; flow:to_server,established; http.user_agent; content:"Shareaza 2."; depth:11; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; classtype:policy-violation; sid:2011707; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; http.user_agent; content:"DAV.pm/v"; depth:8; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; http.user_agent; content:"Grabber"; depth:7; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; classtype:attempted-recon; sid:2009483; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Mini MySqlatOr SQL Injection Scanner"; flow:to_server,established; http.user_agent; content:"prog.CustomCrawler"; depth:18; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; classtype:attempted-recon; sid:2008729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; http.user_agent; content:"SQL Power Injector"; depth:18; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA)"; flow:established,to_server; http.user_agent; content:"webcollage/"; depth:11; nocase; reference:url,stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:8; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; http.user_agent; content:"revolt"; depth:6; reference:url,www.Whitehatsecurityresponse.blogspot.com; reference:url,doc.emergingthreats.net/2009288; classtype:web-application-attack; sid:2009288; rev:59; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; http.user_agent; content:"BearShare"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; classtype:trojan-activity; sid:2006371; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; http.user_agent; content:"DataCha0s"; nocase; depth:9; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; classtype:web-application-activity; sid:2003616; rev:41; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; http.user_agent; content:"ScrapeBox"; depth:9; classtype:trojan-activity; sid:2011282; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"4.75 [en] (Windows NT 5.0"; http.protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"REKOM"; nocase; depth:5; classtype:trojan-activity; sid:2012295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_07, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; http.user_agent; content:"VCTestClient"; depth:12; nocase; classtype:trojan-activity; sid:2012386; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; http.user_agent; content:"PrivacyInfoUpdate"; depth:17; nocase; classtype:trojan-activity; sid:2012387; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Goolbot.E Checkin UA Detected iamx"; flow:established,to_server; http.user_agent; content:"iamx/"; depth:5; classtype:trojan-activity; sid:2012246; rev:7; metadata:created_at 2011_01_27, former_category USER_AGENTS, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JEUSD CnC Domain Observed in DNS Query"; dns.query; content:"beastgoc.com"; nocase; endswith; classtype:domain-c2; sid:2031622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"stopsms.biz"; nocase; endswith; classtype:domain-c2; sid:2028817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"infospress.com"; nocase; endswith; classtype:domain-c2; sid:2028818; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"hmizat.co"; nocase; endswith; classtype:domain-c2; sid:2028819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"revolution-news.co"; nocase; endswith; classtype:domain-c2; sid:2028820; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"videos-download.co"; nocase; endswith; classtype:domain-c2; sid:2028821; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"business-today.info"; nocase; endswith; classtype:domain-c2; sid:2028822; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda Payload - CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?wd="; pcre:"/^[a-f0-9]{8}$/Ri"; http.header_names; content:"x-debug"; content:"x-request"; content:"x-content"; content:"x-storage"; reference:url,www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations; classtype:command-and-control; sid:2028823; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_10_19;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT MustangPanda CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Adobe Reader"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=Adobe Reader"; tls.cert_serial; content:"62:CA:BE:68"; classtype:domain-c2; sid:2028824; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MustangPanda, updated_at 2020_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"xp101.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"svn-dns.ahnlabinc.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028839; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"dns1-1.7release.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028840; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"ssl.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028841; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)"; depth:50; endswith; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:"Cache-Control|0d 0a 0d 0a|"; distance:0; classtype:trojan-activity; sid:2012384; rev:5; metadata:created_at 2011_02_27, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_line; content:"/log HTTP/1."; distance:0; fast_pattern; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:command-and-control; sid:2016014; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/b.php?id="; fast_pattern; pcre:"/^\d{1,3}$/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:command-and-control; sid:2013947; rev:6; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2020_10_19;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP NULL Pointer Dereference Attempt Inbound (CVE-2020-25858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; pcre:"/^[^=]{1,}$/RUi"; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-25858; classtype:attempted-admin; sid:2031058; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_25858, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=carlossaldanhacertificado"; bsize:28; fast_pattern; tls.cert_issuer; content:"CN=carlossaldanhacertificado"; bsize:28; classtype:domain-c2; sid:2031059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=PatataDorito"; bsize:15; fast_pattern; tls.cert_issuer; content:"CN=PatataDorito"; bsize:15; classtype:domain-c2; sid:2031060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (bollywoods .co .in in DNS Lookup)"; dns.query; content:"bollywoods.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chat2hire .net in DNS Lookup)"; dns.query; content:"chat2hire.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chuki .mozillaupdates .us in DNS Lookup)"; dns.query; content:"chuki.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (click2chat .org in DNS Lookup)"; dns.query; content:"click2chat.org"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (cvstyler .co .in in DNS Lookup)"; dns.query; content:"cvstyler.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (daily .windowsupdates .eu in DNS Lookup)"; dns.query; content:"daily.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (dailybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"dailybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (enigma .net .in in DNS Lookup)"; dns.query; content:"enigma.net.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gozap .co .in in DNS Lookup)"; dns.query; content:"gozap.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gyzu .mozillaupdates .us in DNS Lookup)"; dns.query; content:"gyzu.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (melodymate .co .in in DNS Lookup)"; dns.query; content:"melodymate.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nortonupdates .online in DNS Lookup)"; dns.query; content:".nortonupdates.online"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightly .windowsupdates .eu in DNS Lookup)"; dns.query; content:"nightly.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightlybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"nightlybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (orangevault .net in DNS Lookup)"; dns.query; content:"orangevault.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sake .mozillaupdates .us in DNS Lookup)"; dns.query; content:"sake.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (savitabhabi .co .in in DNS Lookup)"; dns.query; content:"savitabhabi.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sharify .co .in in DNS Lookup)"; dns.query; content:"sharify.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (strongbox .in in DNS Lookup)"; dns.query; content:"strongbox.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (teraspace .co .in in DNS Lookup)"; dns.query; content:"teraspace.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (titaniumx .co .in in DNS Lookup)"; dns.query; content:"titaniumx.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (msoftserver .eu in DNS Lookup)"; dns.query; content:".msoftserver.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (microsoftupdate .in in DNS Lookup)"; dns.query; content:".microsoftupdate.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (wesharex .net in DNS Lookup)"; dns.query; content:"wesharex.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (x-trust .net in DNS Lookup)"; dns.query; content:"x-trust.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (zen .mozillaupdates .us in DNS Lookup)"; dns.query; content:"zen.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GravityRAT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"signatureHash="; fast_pattern; content:"signatureString="; content:"userName="; content:"pcName="; content:"macId="; content:"cpuId="; content:"agent="; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:command-and-control; sid:2031061; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, signature_severity Major, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enosch.A gtalk connectivity check"; flow:to_server; http.uri; content:"/index.html"; http.user_agent; content:"gtalk"; fast_pattern; bsize:5; http.host; content:"www.google.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,b13db8b21289971b3c88866d202fad49; classtype:trojan-activity; sid:2018508; rev:5; metadata:created_at 2014_05_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Dojos Downloader Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"|3a 3a|"; content:"|3a 3a 2f 2e|"; distance:0; fast_pattern; reference:md5,be75ac1d9f26bee3cfdc7bdd977c0cdd; classtype:trojan-activity; sid:2035025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Fire-Cloud)"; flow:established,to_server; http.user_agent; content:"Fire-Cloud"; bsize:10; reference:md5,804c8f7d3b10b421ab5c09d675644212; classtype:trojan-activity; sid:2031065; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toplist.cz Related Spyware Checkin"; flow:to_server,established; http.user_agent; content:"BWL"; depth:3; pcre:"/^BWL(?:\sToplist|\d_UPDATE)/"; classtype:pup-activity; sid:2003505; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/php.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; http.user_agent; content:"Mozilla/4.0 (compatible)"; depth:24; reference:md5,cb53a6e8d65d86076fc0c94dac62aa77; classtype:command-and-control; sid:2019946; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suntrust Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<!-- Inserted by miarroba"; content:"<title>SunTrust</title>"; fast_pattern; nocase; content:">For your protection"; distance:0; content:"additional security step"; distance:0; content:"name=|22|captcha|22|"; distance:0; classtype:social-engineering; sid:2031062; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=jspri.co"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028835; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cssjs.co"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028836; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"acciaio.com.br"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:domain-c2; sid:2028843; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"ceycarb.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028844; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"coachandcook.at"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028845; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"fisioterapiabb.it"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"lorriratzlaff.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"mavin21c.dothome.co.kr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028848; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"motherlodebulldogclub.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"powerpolymerindustry.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"publiccouncil.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"rulourialuminiu.co.uk"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"sistemikan.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"varuhusmc.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028854; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"ecolesndmessines.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"salesappliances.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"busseylawoffice.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"fairfieldsch.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"ministernetwork.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"skagenyoga.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028860; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"westmedicalgroup.net"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028861; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LiteDuke Domain Observed"; dns.query; content:"bandabonga.fr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028862; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"encryptit.qc.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecure.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"privatehd.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028874; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"sex17.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|0B 87 06 53 DF 3A|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028876; rev:2; metadata:created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|5C 99 13 6F F2 52|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028877; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/10.0."; reference:url,www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html; classtype:bad-unknown; sid:2025518; rev:5; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 12.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/12.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html; classtype:bad-unknown; sid:2028868; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2021_12_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkRAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"request=YUhkcFpEM"; depth:17; fast_pattern; pcre:"/^[A-Za-z0-9\/\+\=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:command-and-control; sid:2027886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_20;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031063; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=.extrafeature.xyz"; nocase; endswith; reference:md5,9d479cec86ea919694dab765bba9abbd; classtype:domain-c2; sid:2028893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_06, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework"; flow:established,to_server; http.uri; pcre:"/\.(?:txt|gif|exe|bmp)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32|29|"; depth:41; http.header_names; content:!"Referer"; content:!"Accept"; content:"|0d 0a|User-Agent|0d 0a|HOST|0d 0a|"; depth:20; fast_pattern; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020897; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"SteamHTTPClient"; depth:15; endswith; classtype:policy-violation; sid:2028650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_10_20;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)"; flow:established,to_server; http.uri; content:"|25|OA"; nocase; content:"=/bin/sh+-c+'"; nocase; distance:0; fast_pattern; reference:url,github.com/neex/phuip-fpizdam; reference:url,github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043; reference:cve,2019-11043; classtype:web-application-attack; sid:2028895; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2019_10_23, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE R980/CRYPBEE.A Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/assets/timepicker/x.php?"; fast_pattern; http.user_agent; content:"cpp"; depth:3; reference:md5,a38e156b5c7b337ffbde6cc1ddab1004; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/; classtype:trojan-activity; sid:2023085; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_10_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackTech Plead Encrypted Payload Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|91 00 13 87 33 00 90 06 19|"; fast_pattern; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:trojan-activity; sid:2027364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_10_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn.redirectme.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028898; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"czinfo.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028899; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"pegasusco.net"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028900; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"smilekeepers.co"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028901; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"crabbedly.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"indagator.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"craypot.live"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"microsofte-update.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"pasta58.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"study---hard.medianewsonline.com"; nocase; endswith; classtype:domain-c2; sid:2028921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"sportsgame.mypressonline.com"; nocase; endswith; classtype:domain-c2; sid:2028922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"cdnpps.us"; nocase; endswith; classtype:domain-c2; sid:2028924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"thisadsfor.us"; nocase; endswith; classtype:domain-c2; sid:2028925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?token="; fast_pattern; content:"&computername="; distance:0; content:"&username="; distance:0; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031072; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?api=40"; fast_pattern; endswith; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031073; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, tag RedDelta, updated_at 2020_10_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; reference:url,twitter.com/malwrhunterteam/status/1318904041590718469; reference:md5,45ed8898bead32070cf1eb25640b414c; classtype:domain-c2; sid:2031069; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"0E:4D:5A:5C:F8:C9"; classtype:domain-c2; sid:2028926; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity CnC Domain Observed in DNS Query"; dns.query; content:"upd32-secure-serv4.com"; nocase; endswith; classtype:trojan-activity; sid:2028927; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer IP Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=getIP"; fast_pattern; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Screenshot Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|screenshot_"; content:".jpeg|22|"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Systeminfo Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|system.info|22|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptInject.BE!MTB Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logs=ey"; startswith; fast_pattern; isdataat:10000,relative; http.header_names; content:!"Referer"; reference:md5,644b45001c0e0af1c0a208ffad79e316; classtype:command-and-control; sid:2028932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Connectivity Check"; flow:established,to_server; urilen:15; http.method; content:"HEAD"; http.uri; content:"/view/index.php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view/index.php?id="; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo.NG Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"versiya="; fast_pattern; content:"comp="; content:"id="; http.header_names; content:!"Referer"; reference:md5,a7183477c46a767a72caebee066dce39; classtype:command-and-control; sid:2034344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_29, deployment Perimeter, former_category MALWARE, malware_family Stealer, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Capesand EK Visitor Tracking"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add_visitor.php?referrer=http"; depth:30; fast_pattern; http.header; content:"/landing.php|0d 0a|"; classtype:exploit-kit; sid:2028939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P FFTorrent P2P Client User-Agent (FFTorrent/x.x.x)"; flow:to_server,established; http.user_agent; content:"FFTorrent/"; depth:10; classtype:policy-violation; sid:2028942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsme.info"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028944; rev:2; metadata:attack_target Client_and_Server, created_at 2019_11_05, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-11-06"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&ps="; nocase; distance:0; content:"&psRNGCDefaultType="; nocase; distance:0; fast_pattern; content:"&FoundMSAs="; nocase; distance:0; content:"&i19="; nocase; distance:0; classtype:credential-theft; sid:2029681; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028945; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028946; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"|3b 20|Win64|3b 20|x64|3b 20|rv|3a|42.0"; http.header; content:"AcceptanceID|3a|"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag PLATINUM, updated_at 2020_10_21;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-set.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028961; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-office.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028962; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; fast_pattern; http.request_body; content:"<?xml"; depth:5; content:"<PCName>"; distance:0; content:"<|2f|PCName>"; distance:0; content:!"<SiteID>"; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:command-and-control; sid:2027353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Extraction"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=exe"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_11_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=run"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028965; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_10_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible APT33 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dyn-intl.world-careers.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT33, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"office-crash.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028969; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Internet Security Damaged !!! Call Help Desk"; nocase; classtype:social-engineering; sid:2028970; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Official Windows Notification"; nocase; fast_pattern; content:"Call Windows Technical Support"; nocase; distance:0; classtype:social-engineering; sid:2028971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Landing Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.htm$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028979; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Flash Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.swf$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028980; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"[Byte[]]$image = 0x4d, 0x5a,|20|"; depth:29; fast_pattern; pcre:"/^(?:0x[a-f0-9]{1,2}, ){500}/R"; classtype:exploit-kit; sid:2028982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:".xyz"; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|x-flash-version|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; depth:110; endswith; fast_pattern; classtype:exploit-kit; sid:2028973; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"__cfduid="; http.content_type; content:"image/jpeg"; bsize:10; file.data; content:"|20 2e 20|$Env|3a|comSPEC["; depth:16; nocase; fast_pattern; content:"]-joIN|27 27|)( -JoiN(|20 27|"; nocase; within:30; classtype:exploit-kit; sid:2028976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash HEAD Request"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; classtype:exploit-kit; sid:2028977; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash GET Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:"|0d 0a|x-flash-version|0d 0a|"; distance:0; classtype:exploit-kit; sid:2028978; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; content:"|0d 0a 0d 0a 20 28 20 27|"; fast_pattern; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"|20 28 20 27|"; depth:4; pcre:"/^[0-9_,{AbZwP&-]{2000}/R"; classtype:exploit-kit; sid:2028981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls.cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_10_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asd.stylesheet.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029004; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd%20/tmp|3b|wget%20"; depth:24; fast_pattern; http.header.raw; content:"Mozilla/5.0%20(Windows|3b|%20U|3b|%20Windows%20NT"; reference:md5,a26f67a1d0a50af72c5fd9c94e9f5a1c; classtype:web-application-attack; sid:2029008; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_11_20, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; http.uri; content:!"/CallParrotWebClient/"; http.header.raw; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http.user_agent; content:"Mozilla/4.0"; fast_pattern; nocase; bsize:11; http.host; content:!"www.google.com"; content:!"secure.logmein.com"; content:!"weixin.qq.com"; content:!"slickdeals.net"; content:!"cloudera.com"; content:!"secure.digitalalchemy.net.au"; content:!".ksmobile.com"; content:!"gstatic.com"; content:!".cmcm.com"; content:!".deckedbuilder.com"; content:!".mobolize.com"; content:!"wq.cloud.duba.net"; content:!"infoc2.duba.net"; content:!".bitdefender.net"; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:34; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (lol)"; flow:established,to_client; tls.cert_subject; content:", O=lol, "; fast_pattern; tls.cert_issuer; content:", O=lol, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031133; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarSys CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /login.php "; startswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"; bsize:114; fast_pattern; http.request_body; content:"id="; nocase; startswith; pcre:"/^[A-F0-9]{128}$/R"; reference:url,blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/; classtype:command-and-control; sid:2031070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Authentication Bypass Attempt Inbound (CVE-2020-8193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&sid=loginchallenge"; content:"&username=nsroot"; distance:0; fast_pattern; http.request_body; content:"<appfwprofile"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8193; classtype:attempted-admin; sid:2031067; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8193, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Information Disclosure Attempt Inbound (CVE-2020-8195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?filter=path|3a 25|2F"; fast_pattern; http.request_body; content:"<clipermission"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8195; classtype:attempted-admin; sid:2031068; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8195, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity"; flow:established,to_client; dsize:41; content:"|00 27 00 00 00 01 00 00 00 15 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 65 73 6b 74 6f 70 00 00 00 05 2a 2e 74 78 74 05|"; fast_pattern; reference:url,twitter.com/executemalware/status/1318689700882821120; reference:md5,aac706fe42b4a03cac17330bfcd8d9ea; classtype:trojan-activity; sid:2031074; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible T-RAT Encrypted Zip Request"; flow:established,to_server; http.uri; content:".jpg"; offset:7; depth:4; http.accept; content:"*/*"; bsize:3; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20 2e|NET4.0C|3b 20 2e|NET4.0E|3b 20 2e|NET CLR 2.0.50727|3b 20 2e|NET CLR 3.0.30729|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.3)"; bsize:162; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1304006897729761280; reference:url,www.gdatasoftware.com/blog/trat-control-via-smartphone; classtype:command-and-control; sid:2031081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ID|22 3a 22|"; startswith; content:"|22 2c 22|User|22 3a 22|"; content:"|22 2c 22|Country|22 3a 22|"; content:"|22 2c 22|Date|22 3a 22|"; content:"|22 2c 22|Image|22 3a|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030878; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/pause"; bsize:10; http.header; content:"Update|3a 20|/act/pause|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,1c3dde885aa3cc2d7c24b7e13cccc941; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031084; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/resume"; bsize:11; http.header; content:"Update|3a 20|/act/resume|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031085; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic File Upload Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic File Upload Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FLV/Youtube Downloader Install Activity"; flow:established,to_server; http.request_line; content:"GET /images/downloader/pixel.gif?action=install&"; startswith; content:"&lngid="; content:"cid="; content:"&kt=flvd"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,3af4b637e16922fdceaff00d64e98f53; classtype:pup-activity; sid:2031082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_22;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"backup.php"; http.header; content:"Content-Length|3a 20|"; depth:20; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; http.user_agent; content:"Apache-HttpClient"; depth:17; http.request_body; content:"type="; depth:5; fast_pattern; content:"data="; content:"hash="; reference:url,www.fortinet.com/blog/threat-research/android-bondpath--a-mature-spyware.html; classtype:trojan-activity; sid:2026039; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BondPath, signature_severity Major, updated_at 2020_10_22;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=generalmusician.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"76:DC:D7:09:68:53:16:74:BB:A8:7B:CC:DE:C4:9D:66:77:43:34:DC"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:4F:8B:2C:65:0A"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible Godlua CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fullmeshnet.eu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029050; rev:3; metadata:attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family Godlua, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DoH Service)"; flow:from_server,established; tls.cert_subject; content:"CN=www.rubyfish.cn"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2029051; rev:3; metadata:created_at 2019_11_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag DNS_over_HTTPS, updated_at 2020_10_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (ph0ne)"; flow:established,to_server; http.user_agent; content:"ph0ne"; startswith; classtype:trojan-activity; sid:2028989; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_10_22;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029015; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_22;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:attempted-admin; sid:2029016; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:attempted-admin; sid:2029017; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:attempted-admin; sid:2029018; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:attempted-admin; sid:2029019; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:attempted-admin; sid:2029020; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:attempted-admin; sid:2029021; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:attempted-admin; sid:2029024; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Kayla"; startswith; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/"; classtype:attempted-admin; sid:2029023; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Phishing Landing 2020-10-23"; flow:established,to_client; file.data; content:"var str =  'Sign in to Outlook'|3b|"; content:"$(|22|#add_pass|22|).show()|3b|"; content:"$('#email').val('')|3b|"; content:"function set_brand("; content:"function true_email("; fast_pattern; classtype:social-engineering; sid:2031086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029026; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029027; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:web-application-attack; sid:2029028; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:web-application-attack; sid:2029029; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:web-application-attack; sid:2029030; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:web-application-attack; sid:2029031; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:web-application-attack; sid:2029032; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:web-application-attack; sid:2029033; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Kayla"; fast_pattern; startswith; classtype:web-application-attack; sid:2029035; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:web-application-attack; sid:2029036; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029038; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (lessie)"; flow:established,to_server; http.user_agent; content:"lessie"; nocase; depth:6; pcre:"/^lessie(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027130; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Cakle)"; flow:established,to_server; http.user_agent; content:"Cakle"; nocase; depth:5; pcre:"/^Cakle(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027132; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Damien)"; flow:established,to_server; http.user_agent; content:"Damien"; nocase; depth:6; pcre:"/^Damien(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027134; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Solar)"; flow:established,to_server; http.user_agent; content:"Solar"; nocase; depth:5; pcre:"/^Solar(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027136; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (muhstik)"; flow:established,to_server; http.user_agent; content:"muhstik"; nocase; depth:7; pcre:"/^muhstik(?:-scan)?(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027138; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Shaolin)"; flow:established,to_server; http.user_agent; content:"Shaolin"; nocase; depth:7; pcre:"/^Shaolin(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027140; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Rift)"; flow:established,to_server; http.user_agent; content:"Rift"; nocase; depth:4; pcre:"/^Rift(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Tsunami)"; flow:established,to_server; http.user_agent; content:"Tsunami"; nocase; depth:7; pcre:"/^Tsunami(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027122; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yowai)"; flow:established,to_server; http.user_agent; content:"Yowai"; nocase; depth:5; pcre:"/^Yowai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027124; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yakuza)"; flow:established,to_server; http.user_agent; content:"Yakuza"; nocase; depth:6; pcre:"/^Yakuza(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027126; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027128; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/"; depth:8; http.host; content:!"login.live.com"; endswith; content:!"google.com"; endswith; content:!"www.bing.com"; endswith; content:!"yandex.ru"; endswith; content:!"linkedin.com"; endswith; http.connection; content:"close"; nocase; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:25; metadata:created_at 2010_10_02, updated_at 2020_10_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Various Crimeware)"; flow:established,to_client; tls.cert_subject; content:"CN=uloab.com"; endswith; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; classtype:trojan-activity; sid:2029053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; depth:21; endswith; classtype:network-scan; sid:2029054; rev:2; metadata:created_at 2019_11_26, former_category SCAN, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Mylegion666)"; flow:established,to_server; http.user_agent; content:"Mylegion666"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (salmonella-symptome)"; flow:established,to_server; http.user_agent; content:"salmonella-symptome"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (suspira)"; flow:established,to_server; http.user_agent; content:"suspiria"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (lilith)"; flow:established,to_server; http.user_agent; content:"lilith"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (legion)"; flow:established,to_server; http.user_agent; content:"legion"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (the devil)"; flow:established,to_server; http.user_agent; content:"The devil come to me"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"fuck u"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Amen)"; flow:established,to_server; http.user_agent; content:"Amen"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (satan)"; flow:established,to_server; http.user_agent; content:"satan"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (neva-project)"; flow:established,to_server; http.user_agent; content:"neva-project"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter Download Observed"; flow:established,to_server; http.user_agent; content:"PCHunter"; depth:8; reference:url,www.bleepingcomputer.com/download/pc-hunter/; classtype:misc-activity; sid:2031087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_10_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Magecart)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=marketplace-magento.com"; fast_pattern; tls.cert_issuer; content:"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"; classtype:trojan-activity; sid:2029072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Pavica.FH Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?t=1&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT)"; reference:md5,704f7e92de304744ad8b3a839550084c; reference:url,app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/; reference:url,twitter.com/jstrosch/status/1319704698031640577; classtype:command-and-control; sid:2031096; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Magecart Credit Card Information JS Script"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; depth:22; endswith; file.data; content:"|20|Sxml_cc_cid"; nocase; content:"Sxml_cc_number"; nocase; distance:0; content:"Sxml_expiration_yr"; nocase; distance:0; content:"ccnum+|22 3b 22|+exp_m+|22 3b 22|+exp_y+|22 3b 22|+cvv"; distance:0; fast_pattern; nocase; classtype:credential-theft; sid:2029073; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"marketplace-magento.com"; nocase; endswith; classtype:domain-c2; sid:2029074; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .XYZ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".xyz"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TOP Domain with Minimal Headers"; flow:established,to_server; http.host; content:".top"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to 000webhostapp Domain with Minimal Headers"; flow:established,to_server; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .ML Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .CF Domain with Minimal Headers"; flow:established,to_server; http.host; content:".cf"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GQ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TK Domain with Minimal Headers"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GA Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:".php|22 20|method=|22|post|22|"; content:"src=|22|https://logo.clearbit.com/"; distance:0; content:"$.get(|22|https://logo.clearbit.com/"; distance:0; content:"$(|22|#logoimg|22|).attr(|22|src|22|,|20 22|https://logo.clearbit.com/"; distance:0; classtype:social-engineering; sid:2031097; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr('src', 'https://logo.clearbit.com/' + my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031098; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr(|22|src|22|,|20 22|https://logo.clearbit.com/|22|+my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup BROLER.F CnC Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?"; content:!"&"; distance:0; content:"=google"; endswith; fast_pattern; http.request_body; pcre:"/^[a-zA-Z/+=]$/"; http.content_len; content:"72"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,285e25e31b498dd1c0827286e9b44cfe; classtype:command-and-control; sid:2029092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup ABK Backdoor CnC Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?uid="; fast_pattern; content:"&pid="; distance:0; pcre:"/\?uid=[A-F0-9]{15,}&pid=\d+$/i"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,ed363efd32984ed21e67cf618758b635; classtype:command-and-control; sid:2029093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Snack CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"WinHTTP AutoProxy Sample/1.0"; depth:28; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:34; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010555; classtype:web-application-attack; sid:2010555; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Coolbee/Avenger CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id="; content:"&group="; distance:0; content:"&class="; distance:0; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,507daf07c6f8f0080b5c4f818cfe77cb; classtype:command-and-control; sid:2029095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010556; classtype:web-application-attack; sid:2010556; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Casper CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|"; depth:38; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010557; classtype:web-application-attack; sid:2010557; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:established,from_server; tls.cert_serial; content:"00:B3:4B:42:19:50:7A:3B:55:78:3D:6D:FD:12:54:C8:88"; classtype:domain-c2; sid:2029102; rev:2; metadata:attack_target Client_and_Server, created_at 2019_12_09, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010558; classtype:web-application-attack; sid:2010558; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-statistics.com"; nocase; endswith; classtype:domain-c2; sid:2029100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010559; classtype:web-application-attack; sid:2010559; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"strds.ru"; nocase; bsize:8; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028639; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_kkcontent"; nocase; content:"catID="; nocase; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; reference:url,doc.emergingthreats.net/2010606; classtype:web-application-attack; sid:2010606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=upgrade-ms-home.com"; classtype:trojan-activity; sid:2029108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; reference:url,doc.emergingthreats.net/2010620; classtype:web-application-attack; sid:2010620; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish Oct 07 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; http.method; content:"POST"; http.request_line; content:".php HTTP/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; classtype:credential-theft; sid:2031570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010636; classtype:web-application-attack; sid:2010636; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updateinfos.com"; nocase; endswith; classtype:domain-c2; sid:2029114; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010637; classtype:web-application-attack; sid:2010637; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updatemain.com"; nocase; endswith; classtype:domain-c2; sid:2029115; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010638; classtype:web-application-attack; sid:2010638; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check JS"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"hasFlash=0x1"; content:"flashVersion=parseInt(VSwf"; distance:0; fast_pattern; content:"new RegExp('MSIE|5c|x20(|5c|x5cd+|5c|x5c.|5c|x5cd+)|3b|')|3b|"; distance:0; content:"))|3b|if(user==''){setCookie("; distance:0; content:"'data':{'data1':chk,'data2':is64,'data3':fls"; distance:0; classtype:exploit-kit; sid:2029123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010639; classtype:web-application-attack; sid:2010639; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?callback=?&data1="; fast_pattern; content:"&data2="; distance:0; content:"&data3="; distance:0; content:"&callback=JSONP_"; distance:0; http.cookie; content:"username="; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2029124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010640; classtype:web-application-attack; sid:2010640; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious VBS Encoding Observed in BottleEK"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; classtype:bad-unknown; sid:2029125; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-comments-post.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010659; classtype:web-application-attack; sid:2010659; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?ge="; depth:13; fast_pattern; http.cookie; content:"username="; http.header_names; content:!"Referer"; classtype:exploit-kit; sid:2029126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-trackback.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010660; classtype:web-application-attack; sid:2010660; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-12-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029127; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010710; classtype:web-application-attack; sid:2010710; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-statistics.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029128; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010711; classtype:web-application-attack; sid:2010711; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029116; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010712; classtype:web-application-attack; sid:2010712; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029117; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010713; classtype:web-application-attack; sid:2010713; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=potronisl.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029118; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010714; classtype:web-application-attack; sid:2010714; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontromosals.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010750; classtype:web-application-attack; sid:2010750; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontrolimon.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010751; classtype:web-application-attack; sid:2010751; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motylino.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029130; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010752; classtype:web-application-attack; sid:2010752; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motorlafd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029131; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010753; classtype:web-application-attack; sid:2010753; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantoropols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010754; classtype:web-application-attack; sid:2010754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=janfioooslls.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_mediaslide/viewer.php?"; nocase; content:"path="; nocase; reference:bugtraq,37440; reference:url,doc.emergingthreats.net/2010780; classtype:web-application-attack; sid:2010780; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=golitrops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029133; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010805; classtype:web-application-attack; sid:2010805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=giltipolsfols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029134; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010806; classtype:web-application-attack; sid:2010806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=finogorosod.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010807; classtype:web-application-attack; sid:2010807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010808; classtype:web-application-attack; sid:2010808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010809; classtype:web-application-attack; sid:2010809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_intuit/models/intuit.php?"; nocase; content:"approval="; nocase; reference:url,www.exploit-db.com/exploits/10730; reference:url,doc.emergingthreats.net/2010833; classtype:web-application-attack; sid:2010833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010843; classtype:web-application-attack; sid:2010843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029156; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010844; classtype:web-application-attack; sid:2010844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029157; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010845; classtype:web-application-attack; sid:2010845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010846; classtype:web-application-attack; sid:2010846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010842; classtype:web-application-attack; sid:2010842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029160; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_morfeoshow/morfeoshow.html.php?"; nocase; content:"user_id="; nocase; pcre:"/user_id\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,secdb.4sec.org/?s1=exp&sid=18773; reference:url,doc.emergingthreats.net/2010848; classtype:web-application-attack; sid:2010848; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029161; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010853; classtype:web-application-attack; sid:2010853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010854; classtype:web-application-attack; sid:2010854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010855; classtype:web-application-attack; sid:2010855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; http.host; content:!"smartcom.com"; endswith; content:!"iscoresports.com"; endswith; content:!"popslotscasino.com"; endswith; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:pup-activity; sid:2007854; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010856; classtype:web-application-attack; sid:2010856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010857; classtype:web-application-attack; sid:2010857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010924; classtype:web-application-attack; sid:2010924; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029168; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010925; classtype:web-application-attack; sid:2010925; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029169; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010926; classtype:web-application-attack; sid:2010926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029170; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010927; classtype:web-application-attack; sid:2010927; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029171; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010928; classtype:web-application-attack; sid:2010928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010947; classtype:web-application-attack; sid:2010947; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010948; classtype:web-application-attack; sid:2010948; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029174; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010949; classtype:web-application-attack; sid:2010949; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029175; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010950; classtype:web-application-attack; sid:2010950; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for APT40 Possible DADSTACHE CnC Domain"; dns.query; content:"nethosting.viewdns.net"; nocase; bsize:22; reference:md5,2e8d758b9bce51d25ea500d7b4ce4774; classtype:domain-c2; sid:2029151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, malware_family APT40, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010951; classtype:web-application-attack; sid:2010951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029162; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jcollection&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11088; reference:url,doc.emergingthreats.net/2010942; classtype:web-application-attack; sid:2010942; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029163; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?option=com_ccnewsletter&"; nocase; content:"controller="; nocase; reference:bugtraq,37987; reference:url,doc.emergingthreats.net/2010989; classtype:web-application-attack; sid:2010989; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon HEAD Request for .dot file on ddns.net"; http.method; content:"HEAD"; http.uri; content:".dot"; endswith; http.user_agent; content:"Microsoft Office"; fast_pattern; http.host; content:".ddns.net"; endswith; reference:md5,dbf4f92852cdae17aa3f2b1234f0140e; reference:md5,b221647d110bd2be2c6e9c5d727ca8db; classtype:command-and-control; sid:2028967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010990; classtype:web-application-attack; sid:2010990; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2019-12-18"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Emailapp="; depth:9; content:"|25|40"; distance:0; content:"&passwordapp="; distance:0; fast_pattern; classtype:credential-theft; sid:2029682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010991; classtype:web-application-attack; sid:2010991; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.BrowSecX.AB Install Log Sent"; flow:established,to_server; http.request_line; content:"GET http://"; startswith; content:"/installLog.php?scheme="; fast_pattern; content:"&user="; content:"&cpuid="; content:"&execid="; content:"&chromeLog="; content:"&winVer="; reference:md5,336867c6cfe7aacc6aaa3107300f93b6; classtype:pup-activity; sid:2031116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010992; classtype:web-application-attack; sid:2010992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TinyNuke CnC Checkin"; flow:established,to_server; flowbits:set,ET.TinyNuke; http.method; content:"POST"; http.uri; content:!"&"; content:".php?"; pcre:"/\.php\?[A-F0-9]{15,25}$/i"; http.header; content:"|0d 0a|Content-Length|3a 20|9|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,917124e4d53057324aa129520fca73fb; classtype:command-and-control; sid:2024991; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010993; classtype:web-application-attack; sid:2010993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amarula IRC Botnet Connection Request"; flow:established,to_server; content:"|55 53 45 52 20|"; startswith; content:"|20 3a 5a 75 4d 62 49 0a|"; endswith; fast_pattern; reference:md5,603841f6a7036311fa5bbc44d7435f83; reference:url,github.com/hackerama/Amarula-Python-Botnet/; classtype:command-and-control; sid:2031117; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010994; classtype:web-application-attack; sid:2010994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"arcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010981; classtype:web-application-attack; sid:2010981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"aucdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031102; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010982; classtype:web-application-attack; sid:2010982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"frcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031103; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010983; classtype:web-application-attack; sid:2010983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010984; classtype:web-application-attack; sid:2010984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtag.site"; nocase; endswith; classtype:trojan-activity; sid:2031105; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010985; classtype:web-application-attack; sid:2010985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtage.site"; nocase; endswith; classtype:trojan-activity; sid:2031106; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_communitypolls&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11511; reference:url,doc.emergingthreats.net/2010996; classtype:web-application-attack; sid:2010996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtamanag.site"; nocase; endswith; classtype:trojan-activity; sid:2031107; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011001; classtype:web-application-attack; sid:2011001; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011002; classtype:web-application-attack; sid:2011002; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtgcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011003; classtype:web-application-attack; sid:2011003; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtmcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031110; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011004; classtype:web-application-attack; sid:2011004; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"usacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011005; classtype:web-application-attack; sid:2011005; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"uscdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011022; classtype:web-application-attack; sid:2011022; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011023; classtype:web-application-attack; sid:2011023; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Authentication Bypass Attempt Inbound (CVE-2020-26879)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|OlDkR+oocZg="; fast_pattern; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26879; classtype:attempted-admin; sid:2031115; rev:1; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26879, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011024; classtype:web-application-attack; sid:2011024; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse Upload to Free Image Hosting Provider (uploads .im) - Likely Malware"; flow:established,to_server; http.request_line; content:"POST /api?upload"; startswith; http.host; content:"uploads.im"; bsize:10; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,897a5b60d609501e0feb06ff8e54d424; classtype:command-and-control; sid:2031118; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011025; classtype:web-application-attack; sid:2011025; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Root"; flow:established,to_server; tls.sni; content:"Root"; depth:4; endswith; nocase; classtype:bad-unknown; sid:2029191; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011026; classtype:web-application-attack; sid:2011026; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious ToTok Mobile Application DNS Request"; dns.query; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_jcalpro/cal_popup.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt; reference:url,doc.emergingthreats.net/2011017; classtype:web-application-attack; sid:2011017; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious ToTok Mobile Application TLS Request"; tls.sni; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_wgpicasa&"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/39467; reference:url,exploit-db.com/exploits/12230; reference:url,doc.emergingthreats.net/2011067; classtype:web-application-attack; sid:2011067; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magesource.su"; nocase; endswith; classtype:trojan-activity; sid:2029203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011077; classtype:web-application-attack; sid:2011077; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"magesource.su"; classtype:trojan-activity; sid:2029204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011078; classtype:web-application-attack; sid:2011078; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magesource.su"; nocase; fast_pattern; classtype:domain-c2; sid:2029205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011079; classtype:web-application-attack; sid:2011079; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011080; classtype:web-application-attack; sid:2011080; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Dark Nexus IoT Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:attempted-admin; sid:2029208; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011081; classtype:web-application-attack; sid:2011081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Nexus IoT Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:web-application-attack; sid:2029209; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11845; reference:url,doc.emergingthreats.net/2011131; classtype:web-application-attack; sid:2011131; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_universal/includes/config/config.html.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11865; reference:bugtraq,38949; reference:url,doc.emergingthreats.net/2011132; classtype:web-application-attack; sid:2011132; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009383; classtype:web-application-attack; sid:2009383; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Inbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:10; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//i"; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009384; classtype:web-application-attack; sid:2009384; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_ongumatimesheet20/lib/onguma.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,32095; reference:cve,CVE-2008-6347; reference:url,www.exploit-db.com/exploits/6976/; reference:url,doc.emergingthreats.net/2009391; classtype:web-application-attack; sid:2009391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:15; metadata:created_at 2014_04_22, former_category TROJAN, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006760; classtype:web-application-attack; sid:2006760; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"fuck u"; nocase; bsize:6; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2028991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006761; classtype:web-application-attack; sid:2006761; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"autizm"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,0a73a5bf772fde4868283ce7d5228901; classtype:command-and-control; sid:2029101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006762; classtype:web-application-attack; sid:2006762; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20 63 6f 63 6b 0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,5a4384f5e18cfbd993a135301141243e; classtype:command-and-control; sid:2029176; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006763; classtype:web-application-attack; sid:2006763; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"get_you"; nocase; fast_pattern; bsize:7; http.header_names; content:!"Referer"; reference:md5,6d6a438b1687645b48cea729f235963e; classtype:command-and-control; sid:2029220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006764; classtype:web-application-attack; sid:2006764; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (carlos_castaneda)"; flow:established,to_server; http.user_agent; content:"carlos_castaneda"; nocase; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,35d17e42e314a5ebf6ddd4a3d0b47712; classtype:command-and-control; sid:2029223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006765; classtype:web-application-attack; sid:2006765; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlo-analytics.com"; nocase; endswith; classtype:domain-c2; sid:2029224; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006766; classtype:web-application-attack; sid:2006766; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlo-analytics.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029226; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006767; classtype:web-application-attack; sid:2006767; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlc-analytics.net"; nocase; endswith; classtype:domain-c2; sid:2029227; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006768; classtype:web-application-attack; sid:2006768; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlc-analytics.net"; nocase; fast_pattern; classtype:domain-c2; sid:2029229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006769; classtype:web-application-attack; sid:2006769; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bestbuy.zapto.org"; nocase; endswith; classtype:domain-c2; sid:2029230; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006770; classtype:web-application-attack; sid:2006770; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain Observed in DNS Query"; dns.query; content:"comodo.world"; nocase; endswith; classtype:domain-c2; sid:2029239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006771; classtype:web-application-attack; sid:2006771; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"pussy"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029238; rev:2; metadata:created_at 2020_01_08, former_category MALWARE, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006772; classtype:web-application-attack; sid:2006772; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] PS/PowDesk Checkin (APT34)"; flow:to_server,established; http.uri; content:".php?devicename="; fast_pattern; content:"&result="; pcre:"/^(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$/R"; reference:url,www.clearskysec.com/powdesk-apt34/; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:targeted-activity; sid:2029253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006773; classtype:web-application-attack; sid:2006773; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"mimestyle.xyz"; nocase; endswith; classtype:domain-c2; sid:2029254; rev:3; metadata:created_at 2020_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006774; classtype:web-application-attack; sid:2006774; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig APT PowDesk Powershell Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reclaimlandesk.php?devicename="; fast_pattern; content:"&result="; distance:0; http.uri.raw; content:!"Missing%20LANDESK"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:url,twitter.com/ClearskySec/status/1209055280090288131; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:command-and-control; sid:2029189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006775; classtype:web-application-attack; sid:2006775; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Lets Encrypt Certificate for Suspicious TLD (.top)"; flow:established,to_client; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029257; rev:3; metadata:created_at 2020_01_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006776; classtype:web-application-attack; sid:2006776; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".sslproviders.net"; nocase; endswith; classtype:trojan-activity; sid:2029268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006777; classtype:web-application-attack; sid:2006777; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns.query; content:"gg.gg"; nocase; bsize:5; classtype:policy-violation; sid:2029258; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/adm/krgourl.php?"; nocase; content:"DOCUMENT_ROOT="; nocase; pcre:"/DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt; reference:url,doc.emergingthreats.net/2010475; classtype:web-application-attack; sid:2010475; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,1400,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\shttp\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.0\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:64; classtype:command-and-control; sid:2029279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/customer.forumtopic.php?"; nocase; content:"forum_topic_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,2008-5590; reference:bugtraq,32672; reference:url,www.exploit-db.com/exploits/7368/; reference:url,doc.emergingthreats.net/2009198; classtype:web-application-attack; sid:2009198; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMS-Bomber Activity"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&v="; depth:3; http.referer; content:"SMS-Bomber"; fast_pattern; startswith; reference:md5,65ee077b7917f85234061082806f0352; classtype:trojan-activity; sid:2029281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/linking.page.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,29205; reference:url,milw0rm.com/exploits/5611; reference:url,doc.emergingthreats.net/2009658; classtype:web-application-attack; sid:2009658; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Group 21 CnC Domain Observed in DNS Query"; dns.query; content:"quwa-paf.servehttp.com"; nocase; endswith; classtype:domain-c2; sid:2029289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Group21, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004641; classtype:web-application-attack; sid:2004641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl.cccccsssss.com"; nocase; endswith; reference:md5,0224334fbec16d74b4101c270a3566bf; classtype:domain-c2; sid:2031119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004642; classtype:web-application-attack; sid:2004642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns.query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029297; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004643; classtype:web-application-attack; sid:2004643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ELF/Rekoobe CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kooktijd.acc.dynapps.be"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029307; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004644; classtype:web-application-attack; sid:2004644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Website Hosting Service Observed in DNS Query"; dns.query; content:"dynapps.be"; nocase; endswith; classtype:policy-violation; sid:2029308; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004645; classtype:web-application-attack; sid:2004645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Rekoobe CnC Observed in DNS Query"; dns.query; content:"huawel.site"; nocase; endswith; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029309; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004646; classtype:web-application-attack; sid:2004646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextplugin.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/engine/content/elements/menu.php?"; nocase; content:"CONFIG[AdminPath]="; nocase; pcre:"/CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57688; reference:url,doc.emergingthreats.net/2010197; classtype:web-application-attack; sid:2010197; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"jquerysmartstack.com"; nocase; endswith; classtype:domain-c2; sid:2029303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004979; classtype:web-application-attack; sid:2004979; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request"; flow:established,to_server; http.request_line; content:"GET /getrandombase64.php?get="; fast_pattern; content:"|20|HTTP/1.1"; distance:32; within:9; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031127; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004980; classtype:web-application-attack; sid:2004980; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DTLoader Encoded Binary - Server Response"; flow:established,to_client; http.response_body; content:"<html><head></head><body><p>Code|3a 20|"; startswith; fast_pattern; content:"</p><p>@@@"; distance:32; within:10; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004981; classtype:web-application-attack; sid:2004981; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Domain (ahgwqrq .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"ahgwqrq.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:domain-c2; sid:2031129; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004982; classtype:web-application-attack; sid:2004982; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Improperly Spaced Accept Header in User-Agent"; flow:established,to_server; http.user_agent; content:"Accept|3a|*/*"; classtype:misc-activity; sid:2031120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004983; classtype:web-application-attack; sid:2004983; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerysmartstack.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004984; classtype:web-application-attack; sid:2004984; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Observed in DNS Query"; dns.query; content:"masseffect.space"; nocase; endswith; classtype:domain-c2; sid:2029310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Gamaredon, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005796; classtype:web-application-attack; sid:2005796; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=askkkkkkassaa.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029311; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005797; classtype:web-application-attack; sid:2005797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantropoliops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029312; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005798; classtype:web-application-attack; sid:2005798; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=prontosloshop.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029313; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005799; classtype:web-application-attack; sid:2005799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=miiiiisdkkkksd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029314; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005800; classtype:web-application-attack; sid:2005800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=faniposlskd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029315; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005801; classtype:web-application-attack; sid:2005801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ferilppdslos.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029316; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005069; classtype:web-application-attack; sid:2005069; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031121; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005070; classtype:web-application-attack; sid:2005070; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031122; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005071; classtype:web-application-attack; sid:2005071; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031123; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005072; classtype:web-application-attack; sid:2005072; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031124; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005073; classtype:web-application-attack; sid:2005073; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031125; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005074; classtype:web-application-attack; sid:2005074; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031126; rev:2; metadata:attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005973; classtype:web-application-attack; sid:2005973; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-01-27"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029684; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005974; classtype:web-application-attack; sid:2005974; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Telegram API Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=api.telegram.org"; fast_pattern; nocase; endswith; classtype:misc-activity; sid:2029322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005975; classtype:web-application-attack; sid:2005975; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Generic RAT over Telegram API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"Microsoft"; nocase; content:"Windows"; nocase; content:"Pass"; nocase; http.header; content:"|0d 0a|Host|3a 20|api.telegram.org|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2029323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005976; classtype:web-application-attack; sid:2005976; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".portmap."; nocase; pcre:"/^(?:com|io|host)/Ri"; classtype:policy-violation; sid:2027941; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005977; classtype:web-application-attack; sid:2005977; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Unk.PowerShell Loader CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"internationalrule.com"; bsize:21; reference:url,app.any.run/tasks/9b18c721-13b2-4151-9a1d-22b5c8478ad4; classtype:domain-c2; sid:2029325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005978; classtype:web-application-attack; sid:2005978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"6google.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006315; classtype:web-application-attack; sid:2006315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M4"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"userid="; nocase; depth:7; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006316; classtype:web-application-attack; sid:2006316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2029656; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006317; classtype:web-application-attack; sid:2006317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M7"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"user="; nocase; depth:5; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031579; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006318; classtype:web-application-attack; sid:2006318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".dnslookup.services"; nocase; endswith; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029347; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006319; classtype:web-application-attack; sid:2006319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrongPity Host Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|name=v"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name=v"; depth:6; content:"_kt"; within:5; content:"p"; within:3; content:"_"; distance:1; within:1; pcre:"/^name=v[0-9]{1,2}_kt[0-9]{1,2}p[0-9]{1}_[0-9]{8,10}$/i"; reference:md5,e4758783b146b506e0ec42e98ad9e65c; reference:md5,98cca7f2f6ad00771f50e97f97b5b38e; reference:url,twitter.com/HONKONE_K/status/1505920551503626242; classtype:targeted-activity; sid:2035541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006320; classtype:web-application-attack; sid:2006320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"mangasiso.top"; nocase; endswith; classtype:trojan-activity; sid:2029348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004523; classtype:web-application-attack; sid:2004523; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 2"; flow:established,to_server; content:"|01 02 01 01|"; fast_pattern; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".htm HTTP/1.1"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"Host|0d 0a|"; content:"Content-Length|0d 0a|"; classtype:command-and-control; sid:2012139; rev:10; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004524; classtype:web-application-attack; sid:2004524; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lici Initial Checkin"; flow:established,to_server; http.uri; content:".php?email="; content:"&lici="; content:"&ver="; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:command-and-control; sid:2014119; rev:5; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004525; classtype:web-application-attack; sid:2004525; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos/Hlux GET jucheck.exe from CnC"; flow:established,to_server; http.uri; content:"/jucheck.exe"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.abuse.ch/?p=3658; classtype:command-and-control; sid:2014330; rev:5; metadata:created_at 2012_03_07, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004526; classtype:web-application-attack; sid:2004526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32.Autorun HTTP Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"cbID="; content:"cbVer="; distance:0; content:"cbTit="; distance:0; http.request_body; content:"cbBody="; depth:7; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; reference:url,doc.emergingthreats.net/2009516; classtype:trojan-activity; sid:2009516; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004527; classtype:web-application-attack; sid:2004527; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:1; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004528; classtype:web-application-attack; sid:2004528; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonBot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.protocol; content:"HTTP/1.0"; reference:url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/; classtype:command-and-control; sid:2013047; rev:6; metadata:created_at 2011_06_16, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/include/unverified.inc.php?"; nocase; content:"template="; nocase; reference:bugtraq,27964; reference:url,juniper.net/security/auto/vulnerabilities/vuln27964.html; reference:url,www.exploit-db.com/exploits/5179/; reference:url,doc.emergingthreats.net/2009761; classtype:web-application-attack; sid:2009761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.request_body; content:"botver="; content:"&build="; content:"&profile="; reference:md5,be3aed34928cb826030b462279a1c453; classtype:command-and-control; sid:2013168; rev:7; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007294; classtype:web-application-attack; sid:2007294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Bing checking Internet connectivity"; flow:established,to_server; http.header; content:"|3a 20|no-cache"; http.host; content:"www.bing.com"; depth:12; endswith; http.start; content:"GET / HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|"; depth:60; http.header_names; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013488; rev:5; metadata:created_at 2011_08_30, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007295; classtype:web-application-attack; sid:2007295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.MUD Variant Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/total_visitas.php"; fast_pattern; http.start; content:".php HTTP/1.1|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:6; metadata:created_at 2012_01_11, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007296; classtype:web-application-attack; sid:2007296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3b 20|name=|22|bot_id|22 0d 0a 0d 0a|"; fast_pattern; content:"|3b 20|name=|22|os_version|22 0d 0a 0d 0a|"; distance:0; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:command-and-control; sid:2014269; rev:7; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007297; classtype:web-application-attack; sid:2007297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014542; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007298; classtype:web-application-attack; sid:2007298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014548; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007299; classtype:web-application-attack; sid:2007299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014547; rev:7; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007300; classtype:web-application-attack; sid:2007300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; depth:49; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:5; metadata:created_at 2011_08_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007301; classtype:web-application-attack; sid:2007301; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:".php"; pcre:"/^\/[a-z]\.php/"; http.user_agent; content:"Indy Library"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015504; rev:6; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007302; classtype:web-application-attack; sid:2007302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/news/?s="; fast_pattern; pcre:"/^\d{1,6}$/R"; http.header_names; content:!"Referer"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:trojan-activity; sid:2011825; rev:11; metadata:created_at 2010_10_18, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007303; classtype:web-application-attack; sid:2007303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/security.jsp"; nocase; fast_pattern; http.request_body; content:"f0="; depth:3; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:command-and-control; sid:2013327; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007304; classtype:web-application-attack; sid:2007304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses"; flow:established,to_server; http.uri; content:"/distrib_serv/ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013536; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007305; classtype:web-application-attack; sid:2007305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M2"; flow:established,to_client; dsize:1051; content:"|04 19 00 00 00 1a 00 00 00 17 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 6f 63 75 6d 65 6e 74 73 00 00 00 08 55 54 43 2d 2d|"; depth:42; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031131; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007306; classtype:web-application-attack; sid:2007306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M3"; flow:established,to_server; dsize:8; content:"|0c 00 0f 0a 0b 0a 0b 0a|"; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031132; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007307; classtype:web-application-attack; sid:2007307; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server"; flow:established,to_server; http.uri; content:"/search=ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013537; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007308; classtype:web-application-attack; sid:2007308; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server"; flow:established,to_server; http.uri; content:"/search="; fast_pattern; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013538; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007309; classtype:web-application-attack; sid:2007309; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; http.uri; content:"knock.php?ver="; fast_pattern; content:"&sid="; distance:0; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013539; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007310; classtype:web-application-attack; sid:2007310; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (listdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/listdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013668; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007311; classtype:web-application-attack; sid:2007311; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (mkdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mkdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013669; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007312; classtype:web-application-attack; sid:2007312; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; http.request_line; content:"GET @"; depth:5; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013791; rev:4; metadata:created_at 2011_10_24, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007313; classtype:web-application-attack; sid:2007313; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT34 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=manygoodnews.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029385; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family APT34, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007314; classtype:web-application-attack; sid:2007314; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fiffaslslslld.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029386; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007315; classtype:web-application-attack; sid:2007315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=loppappsas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029387; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007316; classtype:web-application-attack; sid:2007316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conversia91.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029388; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007317; classtype:web-application-attack; sid:2007317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=123faster.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029389; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007318; classtype:web-application-attack; sid:2007318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fatoftheland.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029390; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007319; classtype:web-application-attack; sid:2007319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=creatorz123.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029391; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007320; classtype:web-application-attack; sid:2007320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=compilator333.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029392; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007321; classtype:web-application-attack; sid:2007321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014544; rev:6; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007322; classtype:web-application-attack; sid:2007322; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; http.uri; content:"/Default.asp"; http.header; content:"Accept: image/gif,image/x-xbitmap"; content:"|20|MSIE|20|"; http.cookie; content:"PREF=86845632017245"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:targeted-activity; sid:2016452; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007323; classtype:web-application-attack; sid:2007323; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"VBTagEdit"; depth:9; nocase; http.protocol; content:"HTTP/1.0"; reference:url,doc.emergingthreats.net/2010439; classtype:command-and-control; sid:2010439; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007324; classtype:web-application-attack; sid:2007324; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; http.content_type; content:"audio|2F|"; startswith; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:11; metadata:created_at 2011_08_22, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007325; classtype:web-application-attack; sid:2007325; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; http.request_body; content:"dbhost="; content:"dbuser="; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:4; metadata:created_at 2013_07_02, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007326; classtype:web-application-attack; sid:2007326; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=get&applicationID="; nocase; depth:25; fast_pattern; content:"&developerId="; nocase; distance:0; content:"&deviceId="; nocase; distance:0; content:"android.permission"; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:6; metadata:created_at 2011_06_16, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007327; classtype:web-application-attack; sid:2007327; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; http.uri; content:"/search?query="; depth:14; content:"&sort=relevance"; within:15; pcre:"/^[A-Z0-9]{8}/R"; http.host; content:"groups.yahoo.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:4; metadata:created_at 2013_08_22, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007328; classtype:web-application-attack; sid:2007328; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; http.uri; content:"/1"; depth:2; fast_pattern; pcre:"/^[a-z0-9]{13}\.[a-z]{3}$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:exploit-kit; sid:2017731; rev:5; metadata:created_at 2013_11_20, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007329; classtype:web-application-attack; sid:2007329; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/getLastVersion"; depth:15; http.header; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2017999; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007330; classtype:web-application-attack; sid:2007330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.MyDNS DNSChanger - HTTP POST"; flow:established,to_server; content:"|0d 0a 0d 0a|r="; fast_pattern; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.request_body; content:"r="; depth:2; nocase; content:"&f="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&u="; nocase; distance:0; content:"&i="; nocase; distance:0; content:"&g="; nocase; distance:0; reference:url,doc.emergingthreats.net/2009813; classtype:trojan-activity; sid:2009813; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007331; classtype:web-application-attack; sid:2007331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE possible OneLouder header structure"; flow:to_server,established; flowbits:set,ET.OneLouder.Header; flowbits:noalert; http.header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b|)|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018463; rev:11; metadata:created_at 2014_05_13, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007332; classtype:web-application-attack; sid:2007332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_src; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:5; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id DELETE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007333; classtype:web-application-attack; sid:2007333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_dst; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:4; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007334; classtype:web-application-attack; sid:2007334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|k="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"k="; depth:2; pcre:"/^\d{15}/R"; http.protocol; content:"HTTP/1.0"; reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:command-and-control; sid:2013439; rev:12; metadata:created_at 2011_08_03, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007335; classtype:web-application-attack; sid:2007335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HB_Banker16 Get"; flow:to_server,established; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|text/html|0d 0a|Host|3a|"; depth:30; fast_pattern; content:!"Indy Library"; http.user_agent; content:"Firefox/12.0"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:44; endswith; classtype:trojan-activity; sid:2019608; rev:6; metadata:created_at 2014_10_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010023; classtype:web-application-attack; sid:2010023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fb 28 39 fc 28 39 fb 4c 2f fb 3f 4f 8b 28 38 8c 28 39 fe|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; pcre:"/cwd=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010024; classtype:web-application-attack; sid:2010024; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3e 2f fb 39 2f fb 3e 4b ed 3e 38 8d 4e 2f fa 49 2f fb 3b|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006657; classtype:web-application-attack; sid:2006657; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 39 ed 3e 3e ed 3e 39 89 28 39 fa 48 49 ed 3f 4e ed 3e 3c|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006658; classtype:web-application-attack; sid:2006658; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sem/"; nocase; content:".php"; nocase; content:"uniqueid="; nocase; content:"|3B|"; pcre:"/\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\;/i"; reference:url,www.securityfocus.com/bid/37375/info; reference:url,doc.emergingthreats.net/2010510; classtype:web-application-attack; sid:2010510; rev:6; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006659; classtype:web-application-attack; sid:2006659; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Thumbnail.php?"; nocase; content:"base_path="; nocase; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,securityvulns.com/Odocument913.html; reference:url,doc.emergingthreats.net/2009053; classtype:web-application-attack; sid:2009053; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006660; classtype:web-application-attack; sid:2006660; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat upload from external source"; flow:to_server,established; flowbits:isset,ET.Tomcat.login.attempt; http.method; content:"POST"; http.uri; content:"/manager/html/upload"; nocase; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009220; classtype:successful-admin; sid:2009220; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006661; classtype:web-application-attack; sid:2006661; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/statuswml.cgi?"; nocase; content:"ping"; nocase; pcre:"/^\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ri"; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; classtype:web-application-attack; sid:2009670; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/unathenticated/"; http.uri.raw; content:"/unauthenticated//..%01/..%01/..%01/"; reference:url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin; reference:url,doc.emergingthreats.net/2010009; classtype:web-application-attack; sid:2010009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006663; classtype:web-application-attack; sid:2006663; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; http.method; content:"POST"; http.uri; content:"/jmx-console/HtmlAdaptor"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; classtype:web-application-attack; sid:2010379; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006664; classtype:web-application-attack; sid:2006664; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{25,40}$/"; http.user_agent; content:"UpdaterResponse"; fast_pattern; depth:15; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018025; rev:6; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006665; classtype:web-application-attack; sid:2006665; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/?8080"; fast_pattern; http.request_body; content:"name=|22|action|22 0d 0a 0d 0a|"; pcre:"/^(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/R"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; pcre:"/^(?:winload(?:32)?|cmms)\x0d\x0a/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018257; rev:6; metadata:created_at 2014_03_12, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006666; classtype:web-application-attack; sid:2006666; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; content:"DeploymentScanner"; nocase; content:"methodName=addURL"; nocase; content:"=http"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; classtype:web-application-attack; sid:2010380; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ASCII"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006667; classtype:web-application-attack; sid:2006667; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/send_sim_no.php"; fast_pattern; endswith; http.request_body; content:"_no="; depth:16; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017787; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006668; classtype:web-application-attack; sid:2006668; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; http.uri; content:"/Check.ashx?"; depth:12; content:"&e="; content:"&n="; content:"&mv="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018026; rev:5; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007362; classtype:web-application-attack; sid:2007362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FortDisco Reporting Status"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cmd.php"; fast_pattern; endswith; http.user_agent; content:"|3b 20|Synapse"; http.request_body; content:"status="; depth:7; pcre:"/^\d$/R"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:6; metadata:created_at 2013_08_12, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007364; classtype:web-application-attack; sid:2007364; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin"; flow:established,to_server; flowbits:set,ETGamut; http.uri; content:"file=SenderClient.conf"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018245; rev:6; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007363; classtype:web-application-attack; sid:2007363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007365; classtype:web-application-attack; sid:2007365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Almanahe.B Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"ClientUpdate"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:command-and-control; sid:2018123; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007366; classtype:web-application-attack; sid:2007366; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan with Fake Java User-Agent"; flow:established,to_server; http.user_agent; content:"Java/"; depth:5; http.request_line; content:"GET /1.php HTTP/1.1"; fast_pattern; http.accept; content:"text/html, image/gif, image/jpeg, *|3b 20|q=.2, */*|3b 20|q=.2"; depth:52; endswith; http.connection; content:"keep-alive"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2018640; rev:7; metadata:created_at 2014_07_04, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007367; classtype:web-application-attack; sid:2007367; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; content:"&so="; nocase; content:"&user"; nocase; content:"&versao"; nocase; content:"&pcname="; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018650; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007368; classtype:web-application-attack; sid:2007368; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Fake Server Header"; flow:established,to_client; http.protocol; content:"HTTP/1."; http.server; content:"Stalin"; fast_pattern; startswith; reference:md5,7e3e28320d209a586917668e3b8eac40; classtype:trojan-activity; sid:2018775; rev:6; metadata:created_at 2014_07_25, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007369; classtype:web-application-attack; sid:2007369; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Initial Macro Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?u="; content:"&h="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007370; classtype:web-application-attack; sid:2007370; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (9)"; flow:established,to_server; http.uri; content:".txt?f="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016976; rev:12; metadata:created_at 2013_06_06, former_category EXPLOIT_KIT, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007371; classtype:web-application-attack; sid:2007371; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage"; flow:established,to_server; http.host; pcre:"/^[^\r\n]+\x20[a-z]/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"POST / HTTP/1.1"; fast_pattern; reference:md5,6948d4f22e8d57369988be219ab70335; classtype:trojan-activity; sid:2020470; rev:8; metadata:created_at 2015_02_18, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007372; classtype:web-application-attack; sid:2007372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"username="; content:"memory_total="; content:"os_caption="; content:"os_serialnumber="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021133; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007373; classtype:web-application-attack; sid:2007373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Errorcontent CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ip="; fast_pattern; content:"&referer="; distance:0; content:"&ua="; pcre:"/^\/[a-z]+\/\?ip=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/diary/Possible+Wordpress+Botnet+C&C:+errorcontent.com/19733; classtype:command-and-control; sid:2021153; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_05_27, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Wordpress, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/smallaxe-0.3.1/inc/linkbar.php?"; nocase; content:"cfile="; nocase; pcre:"/cfile\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10676; reference:url,doc.emergingthreats.net/2011000; classtype:web-application-attack; sid:2011000; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M1 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"accountname="; depth:12; nocase; fast_pattern; content:"&pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032717; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lito Lite CMS cate.php cid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cate.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/7294/; reference:url,secunia.com/advisories/32910/; reference:url,doc.emergingthreats.net/2008927; classtype:web-application-attack; sid:2008927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; fast_pattern; content:"&cvv"; nocase; distance:0; content:"&exp"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006473; classtype:web-application-attack; sid:2006473; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish M2 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.cookie; content:"PHPSESSID="; http.request_body; content:"donnee3="; depth:8; nocase; fast_pattern; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032711; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006474; classtype:web-application-attack; sid:2006474; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&psw="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032712; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006475; classtype:web-application-attack; sid:2006475; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M3 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"donnee"; distance:0; nocase; content:"donnee"; distance:0; nocase; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032718; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006476; classtype:web-application-attack; sid:2006476; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-folder)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-fa"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017520; rev:6; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006477; classtype:web-application-attack; sid:2006477; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Initial Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern; depth:67; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021051; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006478; classtype:web-application-attack; sid:2006478; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Command Status CnC"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/"; fast_pattern; depth:45; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021052; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005829; classtype:web-application-attack; sid:2005829; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/6."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020944; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005830; classtype:web-application-attack; sid:2005830; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/7."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020946; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005831; classtype:web-application-attack; sid:2005831; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type="; fast_pattern; pcre:"/^(?:update_hash|js|key|arsiv_(?:hash|link))$/R"; http.user_agent; content:!"Mozilla|2f|"; http.host; content:!"threatseeker.com"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:command-and-control; sid:2021030; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005832; classtype:web-application-attack; sid:2005832; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Scanbox Sending Host Data"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\/(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})\.jpg$/"; http.cookie; content:"recordid="; fast_pattern; depth:9; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2021229; rev:5; metadata:created_at 2015_06_10, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005833; classtype:web-application-attack; sid:2005833; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|28|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-z0-9]{11}=\d{16}$/"; http.header_names; content:!"Accept"; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:command-and-control; sid:2020345; rev:5; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt"; flow:established,to_server; http.uri; content:"pathToIndex="; nocase; content:".php?"; nocase; pcre:"/\.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\?/i"; reference:url,www.exploit-db.com/exploits/9729/; reference:url,doc.emergingthreats.net/2010530; classtype:web-application-attack; sid:2010530; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potao CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22|?>"; depth:21; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; fast_pattern; http.content_type; content:"application/xml"; classtype:command-and-control; sid:2021554; rev:4; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006321; classtype:web-application-attack; sid:2006321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC"; flow:established,to_server; flowbits:set,ET.centerpos; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&osname="; nocase; distance:0; content:"&compname="; nocase; distance:0; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022469; rev:4; metadata:created_at 2016_01_29, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006322; classtype:web-application-attack; sid:2006322; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC 2"; flow:established,to_server; flowbits:set,ET.centerpos; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&comid="; nocase; fast_pattern; distance:0; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022472; rev:4; metadata:created_at 2016_01_29, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006323; classtype:web-application-attack; sid:2006323; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no accept headers"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Accept"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022985; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006324; classtype:web-application-attack; sid:2006324; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; flowbits:set,ET.Sage.Primer; flowbits:noalert; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006325; classtype:web-application-attack; sid:2006325; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//admin/imagens/icones/new/get.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,d34912a19473fe41abdd4764e7bec5f9; classtype:command-and-control; sid:2024028; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag Banking_Trojan, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006326; classtype:web-application-attack; sid:2006326; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PNC Bank Phish 2016-01-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; fast_pattern; http.header; content:".php?LOB="; http.request_body; content:"user"; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032671; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/profiles/html/simpleSearch.do?name="; nocase; pcre:"/name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload)/i"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022945.html; reference:url,doc.emergingthreats.net/2009990; classtype:web-application-attack; sid:2009990; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-01-08"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.header; content:".php?"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032670; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004961; classtype:web-application-attack; sid:2004961; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-02-23"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"username="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032674; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004962; classtype:web-application-attack; sid:2004962; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&email="; nocase; content:"&pass"; nocase; classtype:credential-theft; sid:2029655; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004963; classtype:web-application-attack; sid:2004963; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-10-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"fnumber="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&userid="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032708; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004964; classtype:web-application-attack; sid:2004964; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing Oct 06 2016"; flow:to_server,established; content:"|0d 0a 0d 0a|form"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"form"; depth:4; nocase; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2031569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004965; classtype:web-application-attack; sid:2004965; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-08-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CardNumber="; nocase; fast_pattern; content:"&Exp"; nocase; content:"CVV="; nocase; classtype:credential-theft; sid:2029676; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004966; classtype:web-application-attack; sid:2004966; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ldrctl.php"; endswith; http.request_body; content:"os="; depth:3; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; nocase; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:command-and-control; sid:2010217; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004967; classtype:web-application-attack; sid:2004967; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; http.start; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; classtype:exploit-kit; sid:2022990; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004968; classtype:web-application-attack; sid:2004968; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (123faster .top)"; dns.query; content:"123faster.top"; nocase; bsize:13; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004969; classtype:web-application-attack; sid:2004969; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&transport=websocket&sid="; fast_pattern; http.header; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; content:"Sec-WebSocket-Key|3a 20|"; content:"Upgrade|3a 20|websocket"; content:"origin|3a 20|"; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"; http.cookie; content:"connect.sid="; content:"io="; classtype:credential-theft; sid:2025001; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004970; classtype:web-application-attack; sid:2004970; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)"; dns.query; content:"conversia91.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004971; classtype:web-application-attack; sid:2004971; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top)"; dns.query; content:"fatoftheland.top"; nocase; bsize:16; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004972; classtype:web-application-attack; sid:2004972; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)"; dns.query; content:"creatorz123.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005511; classtype:web-application-attack; sid:2005511; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (compilator333 .top)"; dns.query; content:"compilator333.top"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005512; classtype:web-application-attack; sid:2005512; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f0 28 39 fe 4e 2f fb 3e 4e 8e 4e 2f fa 49 2f fb 3a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029436; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005514; classtype:web-application-attack; sid:2005514; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 35 2f fb 3b 49 ed 3e 39 8c 4b 49 ed 3f 4e ed 3e 3d|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005515; classtype:web-application-attack; sid:2005515; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 32 ed 3e 3c 8b 28 39 fb 49 4c 8b 28 38 8c 28 39 ff|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005516; classtype:web-application-attack; sid:2005516; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (Texsa)"; flow:established,to_client; tls.cert_subject; content:", L=Texsa, "; fast_pattern; tls.cert_issuer; content:", L=Texsa, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005517; classtype:web-application-attack; sid:2005517; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Mountainvew)"; flow:established,to_client; tls.cert_subject; content:", L=Mountainvew, "; nocase; fast_pattern; tls.cert_issuer; content:", L=Mountainvew, "; nocase; reference:md5,5c1fce8fa3e228b8f2641bb1f7a29c3f; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; classtype:targeted-activity; sid:2031136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006225; classtype:web-application-attack; sid:2006225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 ff 28 39 fa 49 2f fb 3b 2f fb 3a 2f fb 34 48 ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006226; classtype:web-application-attack; sid:2006226; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3a 2f fb 3f 4e ed 3e 3c ed 3e 3d ed 3e 33 8a 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006227; classtype:web-application-attack; sid:2006227; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 3d ed 3e 38 8c 28 39 fe 28 39 ff 28 39 f1 4f 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006228; classtype:web-application-attack; sid:2006228; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE POWERTON CnC Domain in DNS Lookup"; dns.query; content:"dailystudy.org"; nocase; bsize:14; reference:url,blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/; classtype:domain-c2; sid:2029448; rev:2; metadata:created_at 2020_02_13, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006229; classtype:web-application-attack; sid:2006229; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multibank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<title>Document</title>"; distance:0; content:"href=|22|run/images/"; distance:0; content:"<img src=|22|run/captcha.php?rand="; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|captcha|22|>"; distance:0; fast_pattern; classtype:social-engineering; sid:2031100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006230; classtype:web-application-attack; sid:2006230; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Grimagent CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Keep-Alive|3a 20|"; content:"|0d 0a|Connection|3a 20|keep-alive|0d 0a|Referer|3a 20|https|3a 2f 2f|www."; distance:3; within:50; pcre:"/^(?:(?:youtub|googl)e|microsoft|amazon|ebay).com\x0d\x0a/Rsi"; http.request_body; content:!"&"; pcre:"/^[A-Za-z0-9]{3,25}=[a-f0-9]{28,}$/s"; reference:md5,d0ef174669abc7d6358531002e458df1; classtype:trojan-activity; sid:2034179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006231; classtype:web-application-attack; sid:2006231; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi Backdoor Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cname="; depth:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"&av="; within:40; content:"&osversion="; within:50; content:"&aname="; within:50; fast_pattern; content:"&ver="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:targeted-activity; sid:2029431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006232; classtype:web-application-attack; sid:2006232; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-01-29 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"|0d 0a 0d 0a|user"; fast_pattern; http.method; content:"POST"; http.request_body; content:"user"; depth:4; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2029338; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006233; classtype:web-application-attack; sid:2006233; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:attempted-admin; sid:2029022; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006234; classtype:web-application-attack; sid:2006234; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:web-application-attack; sid:2029034; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006235; classtype:web-application-attack; sid:2006235; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-06-22"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:ebay\.co\.uk|singtel\.com|blockchain\.com)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032684; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006236; classtype:web-application-attack; sid:2006236; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware.Hidden-Tear Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,5ae92b52b0a6df8a64a5f98700bc290f; classtype:command-and-control; sid:2034675; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-08-19"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:s(?:ocietegenerale\.com|parkasse\.at|ina\.com\.cn|wisscom\.ch|ec\.gov)|b(?:bva(?:compass\.com|\.com\.co)|anque-accord\.fr|mo\.com)|g(?:o(?:(?:ogle\.co|v)\.uk|daddy\.com)|mail\.com)|(?:z(?:illow|oosk)|images\.kw|office365)\.com|t(?:el(?:stra\.com\.au|ekom\.com)|-online\.de)|c(?:reditmutuel\.fr|panel\.net|iti\.com)|(?:(?:realestate|nab)\.com\.a|unc\.ed)u|d(?:esjardins\.c(?:om|a)|iscover\.com)|e(?:arthlink\.net|ftel\.com\.au|bay\.de)|a(?:bl\.com\.pk|liyun\.com|nz\.co\.nz)|w(?:estpac\.com\.au|ikimedia\.org)|v(?:isaeurope\.ch|erizon\.net)|h(?:blibank\.com\.pk|sbc\.com)|paypal\.co\.uk)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032689; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012066; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-11-28"; flow:to_server,established; content:"|0d 0a 0d 0a|id="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032719; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auktion/auktion_text.php?"; nocase; content:"id_auk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12005/; classtype:web-application-attack; sid:2012068; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M1 2016-12-02"; flow:to_server,established; content:"|0d 0a 0d 0a|handle="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"handle="; depth:7; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032722; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; reference:url,exploit-db.com/exploits/15736/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012069; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M2 2016-12-02"; flow:to_server,established; content:"|0d 0a 0d 0a|userid="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032723; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; pcre:"/db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/15735/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012070; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 2f fb 38 2f fb 39 2f fb 39 48 ed 3e 3f ed 3e 3d ed 3f 4e ed 3e 3e|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/session.cgi?"; nocase; content:"sid="; nocase; content:"app=urchin.cgi"; nocase; content:"action=prop"; nocase; content:"rid="; nocase; content:"n="; nocase; content:"vid="; nocase; content:"dtc="; nocase; content:"cmd="; nocase; content:"gfid="; nocase; reference:url,exploit-db.com/exploits/15737/; classtype:web-application-attack; sid:2012071; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f ed 3e 3f ed 3e 3e ed 3e 3e 8a 28 39 fd 28 39 ff 28 38 8c 28 39 fc|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029458; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?"; nocase; content:"v1="; nocase; pcre:"/v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42544; classtype:web-application-attack; sid:2012072; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8d 28 39 fd 28 39 fc 28 39 fc 4f 2f fb 38 2f fb 3a 2f fa 49 2f fb 39|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006237; classtype:web-application-attack; sid:2006237; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f1 28 39 fc 28 39 f9 28 39 fc 28 39 f1 28 39 f8 28 39 ff 28 38 8c 4c|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006238; classtype:web-application-attack; sid:2006238; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 34 2f fb 39 2f fb 3c 2f fb 39 2f fb 34 2f fb 3d 2f fb 3a 2f fa 49 4b|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006239; classtype:web-application-attack; sid:2006239; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029465; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006240; classtype:web-application-attack; sid:2006240; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&handle=java."; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031144; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006241; classtype:web-application-attack; sid:2006241; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"%252e%252e%252f"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031145; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006242; classtype:web-application-attack; sid:2006242; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-12-19"; flow:to_server,established; content:"|0d 0a 0d 0a|t1="; fast_pattern; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"|25|40"; distance:0; content:"&t2="; nocase; distance:0; http.start; pcre:"/^POST\x20(?<var>[^\x20]+).+Referer\x3a\x20[^\r\n]+(?P=var)[\r\n]+/si"; classtype:credential-theft; sid:2032727; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006243; classtype:web-application-attack; sid:2006243; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing M1 2016-09-26"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.request_body; content:"email="; nocase; content:"&pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032699; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006244; classtype:web-application-attack; sid:2006244; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (vighik .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"vighik.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031150; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006245; classtype:web-application-attack; sid:2006245; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (cntrhum .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cntrhum.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031151; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006246; classtype:web-application-attack; sid:2006246; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (doldig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"doldig.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006247; classtype:web-application-attack; sid:2006247; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (sh78bug .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"sh78bug.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031153; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006248; classtype:web-application-attack; sid:2006248; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (dghns .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"dghns.xyz"; bsize:9; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008897; classtype:web-application-attack; sid:2008897; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (bigjamg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigjamg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031155; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008898; classtype:web-application-attack; sid:2008898; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (numklo .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"numklo.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/getid3.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011062; classtype:web-application-attack; sid:2011062; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (gut45bg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gut45bg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/module.archive.gzip.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011063; classtype:web-application-attack; sid:2011063; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (moig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"moig.xyz"; bsize:8; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004427; classtype:web-application-attack; sid:2004427; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA67 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?v="; content:"&g="; distance:0; http.user_agent; content:"Mozilla/5.0 Gecko/41.0 Firefox/41.0"; bsize:35; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3e5d4de6c6e2c18da8c1f75b10ca9cac; classtype:trojan-activity; sid:2031146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004428; classtype:web-application-attack; sid:2004428; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-09-12"; flow:to_server,established; content:"|0d 0a 0d 0a|login="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"login="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032698; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004429; classtype:web-application-attack; sid:2004429; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-10-07"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^s?\x3a\/\/[^\/]*(?:goo(?:gle(?:\.(?:c(?:om\.[en]g|a)|r[ou])|apps\.com)|\.gl)|c(?:iovaccocapital\.com|entrin\.net\.id|artasi\.it)|s(?:(?:antander\.com\.b|fr\.f)r|tandardbank\.co\.za)|(?:aliexpress|vanguard|tdbank|ibm)\.com|e(?:xperienceasb\.co\.nz|im\.ae)|n(?:(?:avy)?fcu\.org|wolb\.com)|unicredit\.it|mbna\.co\.uk|oney\.fr|zkb\.ch)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032706; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004430; classtype:web-application-attack; sid:2004430; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Parallax RAT CnC Domain Observed in DNS Query"; dns.query; content:"vahlallha.duckdns.org"; nocase; bsize:21; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:domain-c2; sid:2029454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004431; classtype:web-application-attack; sid:2004431; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/13.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html; classtype:bad-unknown; sid:2028869; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004432; classtype:web-application-attack; sid:2004432; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4e 2f fb 3c 4b 8e 49 48 ed 3e 3a ed 3f 4e 89|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029479; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004433; classtype:web-application-attack; sid:2004433; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|49 ed 3e 3b 89 4b 4e 8a 28 39 f8 28 38 8c 4c|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029480; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004434; classtype:web-application-attack; sid:2004434; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8b 28 39 f9 4c 4c 8c 4f 2f fb 3d 2f fa 49 4b|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004435; classtype:web-application-attack; sid:2004435; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f 4e ed 3e 3a ed 3e 32 ed 3e 3e ed 3e 3e ed 3e 3c ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004436; classtype:web-application-attack; sid:2004436; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 8c 28 39 f8 28 39 f0 28 39 fc 28 39 fc 28 39 fe 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004437; classtype:web-application-attack; sid:2004437; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8a 49 2f fb 3d 2f fb 35 2f fb 39 2f fb 39 2f fb 3b 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004438; classtype:web-application-attack; sid:2004438; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Flowbit set for POST to Quicken Updater"; flow:established,to_server; flowbits:set,ET.QuickenUpdater; flowbits:noalert; http.method; content:"POST"; http.header; content:"quicken.com|0d 0a|"; content:"Date|3a|"; http.user_agent; content:"InetClntApp"; fast_pattern; depth:11; classtype:misc-activity; sid:2022803; rev:4; metadata:created_at 2016_05_11, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004766; classtype:web-application-attack; sid:2004766; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ReactorBot .bin Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi/"; content:".bin"; fast_pattern; endswith; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"kankan.com"; endswith; content:!"aocdn.net"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:5; metadata:created_at 2016_05_27, former_category CURRENT_EVENTS, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004767; classtype:web-application-attack; sid:2004767; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_dispatch.php"; fast_pattern; endswith; http.header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/si"; http.content_type; content:"www-form-urlencoded"; endswith; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:command-and-control; sid:2022952; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004768; classtype:web-application-attack; sid:2004768; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar V2 CnC Beacon"; flow:established,to_server; http.header; content:"=12&"; content:"=2"; distance:1; within:8; content:"=="; distance:12; within:6; content:"=="; distance:18; within:10; http.request_line; content:".php? HTTP/1."; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023966; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, signature_severity Major, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004769; classtype:web-application-attack; sid:2004769; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; http.method; content:"POST"; http.uri; content:"/signin"; endswith; http.header; content:"/signin|0d 0a|"; fast_pattern; http.request_body; content:"_token="; depth:7; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024015; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004770; classtype:web-application-attack; sid:2004770; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; http.method; content:"GET"; http.host; content:"orhangazitur.com"; fast_pattern; bsize:16; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024338; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004771; classtype:web-application-attack; sid:2004771; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"comboratiogferrdto.com"; fast_pattern; bsize:22; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:command-and-control; sid:2024340; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_10_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt"; flow:established,to_server; http.uri; content:"/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?"; nocase; content:"Command=FileUpload"; nocase; content:"/configuration.php"; nocase; content:"CurrentFolder="; nocase; reference:url,www.securityfocus.com/bid/27472/info; reference:url,doc.emergingthreats.net/2009937; classtype:web-application-attack; sid:2009937; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; distance:0; fast_pattern; pcre:"/\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024306; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_viewfulllisting"; nocase; content:"listing_id="; nocase; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; reference:url,doc.emergingthreats.net/2010605; classtype:web-application-attack; sid:2010605; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Posting Host Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?id="; content:"&act="; fast_pattern; distance:0; pcre:"/\?id=\d+&act=\d$/"; http.host; content:!".money-media.com"; http.request_body; content:"rprt="; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024307; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011091; classtype:web-application-attack; sid:2011091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cpuproc.com"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:domain-c2; sid:2025892; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011092; classtype:web-application-attack; sid:2011092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:domain-c2; sid:2025918; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_27, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011093; classtype:web-application-attack; sid:2011093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BadPatch CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; depth:16; http.request_body; content:"="; pcre:"/^(?:[A-F0-9]{2}%3A){5}[A-F0-9]{2}&/R"; content:"=Py+version+"; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html; classtype:command-and-control; sid:2028913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, malware_family BadPatch, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011094; classtype:web-application-attack; sid:2011094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Various Malicious AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; http.uri; content:!"="; content:!"&"; content:!"?"; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022503; rev:5; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011095; classtype:web-application-attack; sid:2011095; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Powershell Download Command Observed within Flash File - Probable EK Activity"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/x-shockwave-flash"; file.data; content:"cmd.exe /c powershell"; fast_pattern; content:"DownloadFile("; nocase; within:100; classtype:exploit-kit; sid:2028941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prodshow.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/optout/set/lt?jsonp="; fast_pattern; content:"key="; distance:16; within:27; content:"cv="; distance:18; within:27; content:"t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027427; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005141; classtype:web-application-attack; sid:2005141; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr5.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027425; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005142; classtype:web-application-attack; sid:2005142; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr30_nt.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027426; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005143; classtype:web-application-attack; sid:2005143; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Wolfteam HileYapak Server Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; file.data; content:"Temizleme Yapildi HileYapak"; depth:27; fast_pattern; reference:md5,85cf4df17fcf04286fcbbdf9fbe11077; classtype:policy-violation; sid:2027417; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005144; classtype:web-application-attack; sid:2005144; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xwo CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Charset|3a 20|ISO-8859-1"; http.request_body; content:"wanip="; depth:6; fast_pattern; content:"&username="; distance:0; content:"&password="; distance:0; content:"&lanip="; distance:0; content:"&port="; distance:0; reference:url,www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner; reference:md5,fd67a98599b08832cf8570a641712301; classtype:command-and-control; sid:2027144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Xwo, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005145; classtype:web-application-attack; sid:2005145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M5"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/code?id="; fast_pattern; content:"subid="; distance:3; within:19; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027429; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005146; classtype:web-application-attack; sid:2005146; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spark Backdoor CnC Domain Query"; dns.query; content:"nysura.com"; nocase; bsize:10; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one; classtype:domain-c2; sid:2029492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9350/; reference:url,vupen.com/english/advisories/2009/2136; reference:url,doc.emergingthreats.net/2011259; classtype:web-application-attack; sid:2011259; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdnlib.at"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029501; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) "; flow:established,to_server; http.uri; content:"/includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009888; classtype:web-application-attack; sid:2009888; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=storefrontcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029502; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) "; flow:established,to_server; http.uri; content:"/classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009889; classtype:web-application-attack; sid:2009889; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=e4.ms"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029503; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) "; flow:established,to_server; http.uri; content:"/classes/class.thcsm_user.php?is_path=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009890; classtype:web-application-attack; sid:2009890; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029504; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) "; flow:established,to_server; http.uri; content:"/modul/mod.users.php?thCMS_root=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009891; classtype:web-application-attack; sid:2009891; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=opendoorcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"queueMsgType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011082; classtype:web-application-attack; sid:2011082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=wappallyzer.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029506; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"QtnType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011083; classtype:web-application-attack; sid:2011083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdn.su"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029507; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004265; classtype:web-application-attack; sid:2004265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=toplevelstatic.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029508; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004266; classtype:web-application-attack; sid:2004266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware Keywords Download"; flow: to_server,established; http.method; content:"GET"; http.uri; content:"keywords/kyf"; nocase; content:"partner_id="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:pup-activity; sid:2002001; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004267; classtype:web-application-attack; sid:2004267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; threshold: type limit, count 1, track by_src, seconds 360; http.header; content:"UtilMind HTTPGet"; fast_pattern; http.host; content:!"www.blueocean.com"; content:!"www.backupmaker.com"; content:!"promo.ascomp.de"; content:!"www.synchredible.com"; content:!"support.numarasoftware.com"; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:pup-activity; sid:2002402; rev:25; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004268; classtype:web-application-attack; sid:2004268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query"; dns.query; content:"accounts.protonvpn.store"; nocase; bsize:24; reference:url,securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/; classtype:command-and-control; sid:2029523; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004269; classtype:web-application-attack; sid:2004269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns.query; content:".management"; nocase; endswith; classtype:policy-violation; sid:2029509; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004270; classtype:web-application-attack; sid:2004270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns any any -> $HOME_NET any (msg:"ET PHISHING Suspected Appspot Hosted Phishing Domain"; dns.query; content:!"www."; content:"-dot-"; content:".appspot.com"; fast_pattern; isdataat:!1,relative; pcre:"/^[a-z]{36,38}\-dot\-[a-z]+\-[a-z]+\-\d{6}\.[a-z]{2}\.[a-z]\.appspot\.com$/"; classtype:social-engineering; sid:2031149; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004271; classtype:web-application-attack; sid:2004271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession(";  fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-user; sid:2031147; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004272; classtype:web-application-attack; sid:2004272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python/PBot Browser Hijacker Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?streamId="; fast_pattern; content:"&isAdvpp="; distance:0; content:".js?streamId="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&isAdvpp=(?:true|false)$/Rsi"; http.header; content:"|0d 0a|Origin|3a 20|http"; reference:md5,f741a2febf0630407ba17945362f3bce; classtype:trojan-activity; sid:2031148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004273; classtype:web-application-attack; sid:2004273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=stat-group.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.goggleheadedhacker.com/blog/post/16; classtype:domain-c2; sid:2029524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004274; classtype:web-application-attack; sid:2004274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apkv6.endurecif.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031162; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004275; classtype:web-application-attack; sid:2004275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fif0.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031163; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004276; classtype:web-application-attack; sid:2004276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=seahome.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031164; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004277; classtype:web-application-attack; sid:2004277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=inapturst.top"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2031165; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004278; classtype:web-application-attack; sid:2004278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; urilen:10; content:"/hello.php"; fast_pattern; http.method; content:"GET"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020339; rev:5; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004279; classtype:web-application-attack; sid:2004279; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; endswith; http.header; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/si"; http.host; content:!"www.carrona.org"; classtype:exploit-kit; sid:2021293; rev:6; metadata:created_at 2015_06_18, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004280; classtype:web-application-attack; sid:2004280; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; http.uri; content:!"/"; offset:1; content:".asp"; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/"; pcre:"/[a-z].*?[a-z]/"; pcre:"/[A-Z].*?[A-Z]/"; pcre:"/\d.*?\d/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2021407; rev:6; metadata:created_at 2015_07_13, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004281; classtype:web-application-attack; sid:2004281; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Duqu 2.0 Request"; flow:established,to_server; http.start; content:"Cookie|3a 20|COUNTRY="; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat; classtype:trojan-activity; sid:2021247; rev:5; metadata:created_at 2015_06_11, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004282; classtype:web-application-attack; sid:2004282; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/apply.cgi"; endswith; http.request_body; content:"submit_button=index"; depth:19; content:"&action=Apply"; distance:0; nocase; content:"&lan_dns0="; distance:0; fast_pattern; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:4; metadata:created_at 2015_04_08, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004283; classtype:web-application-attack; sid:2004283; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Autoupdate)"; flow:to_server,established; http.header; content:!" Creative AutoUpdate v"; http.user_agent; content:"Autoupdate"; nocase; depth:10; content:!"McAfeeAutoUpdate"; nocase; http.host; content:!"update.nai.com"; content:!"nokia.com"; content:!"sophosupd.com"; content:!"sophosupd.net"; content:!"wholetomato.com"; content:!".acclivitysoftware.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:pup-activity; sid:2003337; rev:22; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004284; classtype:web-application-attack; sid:2004284; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; fast_pattern; content:"style="; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; classtype:web-application-attack; sid:2004023; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004285; classtype:web-application-attack; sid:2004285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGk"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2c727910738e0a381acf00fd0e1d636d; classtype:trojan-activity; sid:2030139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004286; classtype:web-application-attack; sid:2004286; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Elite Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.jsp"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021626; rev:9; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004287; classtype:web-application-attack; sid:2004287; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Scout Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021627; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004288; classtype:web-application-attack; sid:2004288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Android Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Android"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021628; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004289; classtype:web-application-attack; sid:2004289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021629; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004290; classtype:web-application-attack; sid:2004290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 3"; flow:to_server,established; urilen:4; http.header; content:"Empty|0d 0a|"; http.request_line; content:"GET /cl1"; depth:8; fast_pattern; http.referer; content:"1|3a|"; depth:2; pcre:"/^\d\.\d_(?:64|32)_\d\x3a/R"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021259; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004291; classtype:web-application-attack; sid:2004291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; http.uri; content:".php?sid="; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022070; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004292; classtype:web-application-attack; sid:2004292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; http.uri; content:".php?id=4"; fast_pattern; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/"; http.host; content:!".hostingcatalog.com"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022071; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004293; classtype:web-application-attack; sid:2004293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; fast_pattern; content:"gid="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; classtype:web-application-attack; sid:2005850; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004294; classtype:web-application-attack; sid:2004294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; fast_pattern; content:"passwordNew="; nocase; distance:0; content:"UNION"; nocase; distance:0; pcre:"/^\s+SELECT/Ri"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006022; classtype:web-application-attack; sid:2006022; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004295; classtype:web-application-attack; sid:2004295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; fast_pattern; content:"sent="; nocase; distance:0; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; classtype:web-application-attack; sid:2006116; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; fast_pattern; content:"ID="; nocase; distance:0; content:"ASCII("; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006145; classtype:web-application-attack; sid:2006145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004297; classtype:web-application-attack; sid:2004297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful My ADP Phish (set) 2017-02-16"; flow:to_server,established; flowbits:set,ET.adpphish; flowbits:noalert; http.method; content:"POST"; http.host; content:!".adp.com"; endswith; http.request_body; content:"target="; depth:7; nocase; fast_pattern; content:"user"; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2027957; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004298; classtype:web-application-attack; sid:2004298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE jFect HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping"; http.user_agent; content:"Java/"; depth:5; http.request_body; content:"uid="; depth:4; content:"&group="; content:"&lan="; content:"&nameAtPc="; fast_pattern; nocase; content:"&os="; content:"&country="; content:"&uptime="; content:"&installDate="; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d19261cf449afc52532028cca110eb36; classtype:command-and-control; sid:2022582; rev:4; metadata:created_at 2016_03_02, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004299; classtype:web-application-attack; sid:2004299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible WinHttpRequest (no .exe)"; flow:to_server,established; flowbits:set,et.MS.WinHttpRequest.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022652; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004300; classtype:web-application-attack; sid:2004300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; http.user_agent; content:"TEST"; fast_pattern; bsize:4; http.host; content:!"messagecenter.comodo.com"; content:!"symantec.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:pup-activity; sid:2006357; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004301; classtype:web-application-attack; sid:2004301; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; content:"SELECT"; nocase; distance:0; http.uri; content:"/kullanicilistesi.asp?"; nocase; fast_pattern; content:"ak="; nocase; distance:0; content:"ASCII("; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; classtype:web-application-attack; sid:2006829; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004302; classtype:web-application-attack; sid:2004302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; content:"FROM"; nocase; distance:0; http.uri; content:"/aramayap.asp?"; nocase; fast_pattern; content:"kelimeler="; nocase; distance:0; content:"DELETE"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; classtype:web-application-attack; sid:2006834; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004303; classtype:web-application-attack; sid:2004303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; fast_pattern; content:"mesajno="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; classtype:web-application-attack; sid:2006846; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004304; classtype:web-application-attack; sid:2004304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"INSERT"; nocase; distance:0; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006935; classtype:web-application-attack; sid:2006935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004305; classtype:web-application-attack; sid:2004305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/update.logmein.com/"; nocase; fast_pattern; http.header_names; content:!"Host|0d 0a|"; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004306; classtype:web-application-attack; sid:2004306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; http.request_body; content:"vit="; nocase; distance:0; content:"&bk="; nocase; distance:0; content:"&dados="; fast_pattern; nocase; distance:0; reference:url,doc.emergingthreats.net/2007999; classtype:command-and-control; sid:2007999; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/centre.php?"; nocase; content:"padmin="; nocase; reference:url,vupen.com/english/advisories/2008/2938; reference:url,www.exploit-db.com/exploits/6846/; reference:url,doc.emergingthreats.net/2009330; classtype:web-application-attack; sid:2009330; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/OvCgi/"; nocase; content:"/OpenView5.exe?"; nocase; distance:0; fast_pattern; content:"Action=../../"; nocase; distance:0; http.protocol; content:"HTTP/1."; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; classtype:web-application-attack; sid:2008171; rev:12; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; content:"settings[locale]="; nocase; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.exploit-db.com/exploits/9018/; reference:url,doc.emergingthreats.net/2010631; classtype:web-application-attack; sid:2010631; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; http.user_agent; content:"Mozila"; nocase; fast_pattern; bsize:6; http.host; content:!"rd.jword.jp"; endswith; content:!".lge.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:pup-activity; sid:2008210; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyioSoft EasyBookMarker Parent parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmarker_backend.php?"; nocase; content:"Parent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32636/; reference:url,www.exploit-db.com/exploits/7053/; reference:url,doc.emergingthreats.net/2008835; classtype:web-application-attack; sid:2008835; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KLog Nick Keylogger Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy|20|Library)"; depth:38; http.request_body; content:"Nick+Key+Ativado"; fast_pattern; reference:url,doc.emergingthreats.net/2008338; classtype:command-and-control; sid:2008338; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My PHP Dating id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/success_story.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,secunia.com/advisories/32268; reference:url,www.exploit-db.com/exploits/6754/; reference:url,doc.emergingthreats.net/2008672; classtype:web-application-attack; sid:2008672; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; reference:url,doc.emergingthreats.net/2009000; classtype:web-application-attack; sid:2009000; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006627; classtype:web-application-attack; sid:2006627; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/scripts/export.php?"; nocase; fast_pattern; content:"ftype="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; reference:url,doc.emergingthreats.net/2009009; classtype:web-application-attack; sid:2009009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006628; classtype:web-application-attack; sid:2006628; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/books/getConfig.php?"; nocase; fast_pattern; content:"book_id="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/7543; reference:bugtraq,32966; reference:url,doc.emergingthreats.net/2009010; classtype:web-application-attack; sid:2009010; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006629; classtype:web-application-attack; sid:2006629; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-admin login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4=|0d 0a|"; fast_pattern; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006630; classtype:web-application-attack; sid:2006630; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?action=add&a="; fast_pattern; content:"&c="; distance:0; content:"&u="; distance:0; content:"&l="; distance:0; content:"&p="; distance:0; http.host; content:!"whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:command-and-control; sid:2009458; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006631; classtype:web-application-attack; sid:2006631; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"15438.xyz"; nocase; endswith; pcre:"/(?:^|\.)15438\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029534; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006632; classtype:web-application-attack; sid:2006632; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"12724.xyz"; nocase; endswith; pcre:"/(?:^|\.)12724\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029535; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004612; classtype:web-application-attack; sid:2004612; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"21736.xyz"; nocase; endswith; pcre:"/(?:^|\.)21736\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029536; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004613; classtype:web-application-attack; sid:2004613; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; flow:established,to_server; http.method; content:"GeT"; http.protocol; content:"HttP"; http.header_names; content:"HoST|0d 0a|"; content:"UsER-AgENt|0d 0a|"; fast_pattern; reference:url,doc.emergingthreats.net/2010129; classtype:trojan-activity; sid:2010129; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004614; classtype:web-application-attack; sid:2004614; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/html"; depth:9; nocase; content:!"application"; nocase; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004615; classtype:web-application-attack; sid:2004615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/css"; depth:8; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:12; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004616; classtype:web-application-attack; sid:2004616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004617; classtype:web-application-attack; sid:2004617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004095; classtype:web-application-attack; sid:2004095; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OvCgi/Toolbar.exe"; nocase; fast_pattern; http.header; content:"Accept-Language|3a 20|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3a|"; distance:0; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004096; classtype:web-application-attack; sid:2004096; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Agent.PMS Variant CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|command="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"command="; depth:8; content:"&result="; within:12; classtype:pup-activity; sid:2011391; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004097; classtype:web-application-attack; sid:2004097; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; pcre:"/^[a-f0-9]+\x08\x00$/Rs"; reference:md5,3690c361f7f2bdb1d1aed67c142bb90b; classtype:trojan-activity; sid:2031159; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, malware_family Anchor, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004098; classtype:web-application-attack; sid:2004098; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LolliCrypt Ransomware Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"key="; depth:4; fast_pattern; content:"&id="; distance:100; content:"&date="; distance:0; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rs"; http.header_names; content:!"Referer"; reference:md5,8e23b560b66134dcc4e21c461ed1a399; classtype:trojan-activity; sid:2031160; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004099; classtype:web-application-attack; sid:2004099; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE D1onis Stealer Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&p1="; content:"&p2="; content:"&region="; fast_pattern; content:"&ip="; content:"&p3="; content:"&p4="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,6cf4f85e3907d4f0a0c1e653d6c6943f; classtype:trojan-activity; sid:2031161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family D1onis, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004100; classtype:web-application-attack; sid:2004100; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cloud/pushdata"; endswith; fast_pattern; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"data="; depth:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025134; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UNION"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004743; classtype:web-application-attack; sid:2004743; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] MSIL/Biskvit.A Check-in"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/api/auth/token"; http.header; content:"Authorization|3a 20 0d 0a|"; depth:18; fast_pattern; content:"Expect|3a 20|100-continue"; http.request_body; content:"{|22|ApiKey|22 3a 22|"; depth:11; isdataat:!100,relative; http.connection; content:"Keep-Alive"; depth:10; http.content_type; content:"application/json"; depth:16; http.header_names; content:"|0d 0a|Authorization|0d 0a|"; depth:17; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_22, deployment Perimeter, former_category MALWARE, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004742; classtype:web-application-attack; sid:2004742; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"&php"; nocase; distance:0; content:"&wphp"; nocase; distance:0; content:"&abdullkarem="; nocase; fast_pattern; distance:0; http.protocol; content:"HTTP/1.0"; depth:8; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:web-application-attack; sid:2021949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_10_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004744; classtype:web-application-attack; sid:2004744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; fast_pattern; content:"&utm_source="; distance:0; pcre:"/^\/blog\/\?[a-z]{3,20}+\&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:command-and-control; sid:2022260; rev:4; metadata:created_at 2015_12_14, former_category WEB_SERVER, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004745; classtype:web-application-attack; sid:2004745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; threshold:type threshold, track by_src, count 20, seconds 120; http.method; content:"POST"; http.cookie; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/"; http.accept_enc; content:"gzip"; depth:4; http.content_type; content:"application/octet-stream"; fast_pattern; nocase; bsize:24; http.header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:6; metadata:created_at 2016_03_28, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004746; classtype:web-application-attack; sid:2004746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M1"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022197; rev:6; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004747; classtype:web-application-attack; sid:2004747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022198; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006880; classtype:web-application-attack; sid:2006880; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M3"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022199; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006881; classtype:web-application-attack; sid:2006881; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M4"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022200; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006882; classtype:web-application-attack; sid:2006882; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M5"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022201; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006883; classtype:web-application-attack; sid:2006883; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M6"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022202; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006884; classtype:web-application-attack; sid:2006884; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M7"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022203; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006885; classtype:web-application-attack; sid:2006885; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M8"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022204; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006736; classtype:web-application-attack; sid:2006736; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M9"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022205; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006737; classtype:web-application-attack; sid:2006737; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006738; classtype:web-application-attack; sid:2006738; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"fkksjobnn43.org"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,942c6a039724ed5326c3c247bfce3461; classtype:command-and-control; sid:2024288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006739; classtype:web-application-attack; sid:2006739; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enigma Locker Checkin"; flow:to_server,established; urilen:8; http.method; content:"GET"; http.uri; content:"/get.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/i"; http.connection; content:"close"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:command-and-control; sid:2023334; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Enigma, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006740; classtype:web-application-attack; sid:2006740; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|0d 0a 0d 0a 0d 0a 2f 2f 2f 2f 2f 2f 2f|"; content:"System Infomation"; within:30; content:"|0d 0a 0d 0a|Boot Device|3a 20 5c|"; fast_pattern; content:"|0d 0a|Build Number|3a 20|"; distance:0; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006741; classtype:web-application-attack; sid:2006741; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"up.php?id="; pcre:"/^[A-Z]+$/R"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:"01234567890"; fast_pattern; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006742; classtype:web-application-attack; sid:2006742; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned IRS Page - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<!-- saved from url=("; within:500; content:".irs.gov/"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2031166; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006743; classtype:web-application-attack; sid:2006743; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor Secondary Payload Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=news&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0."; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006744; classtype:web-application-attack; sid:2006744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious HttpSocket User-Agent Observed"; flow:established,to_server; http.user_agent; content:"HttpSocket By Xswallow"; depth:22; classtype:misc-activity; sid:2031167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006745; classtype:web-application-attack; sid:2006745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky CSPY Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"dwn.php?van="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006746; classtype:web-application-attack; sid:2006746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; content:"&ver=x"; distance:3; within:6; fast_pattern; pcre:"/^(?:64|86)$/R"; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006747; classtype:web-application-attack; sid:2006747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M2"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"|3b 20|nhash="; distance:0; content:"|3b 20|chash="; fast_pattern; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a 0d 0a|"; depth:76; endswith; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023479; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012122; classtype:web-application-attack; sid:2012122; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"info"; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/"; http.request_line; content:"/get.php|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:10; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_04_18, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Hqwar, tag Android, updated_at 2020_11_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012123; classtype:web-application-attack; sid:2012123; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WS/JS Downloader Mar 07 2017 M2"; flow:established,to_server; http.uri; content:"/counter/?"; fast_pattern; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2024036; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-06"; flow:established,to_server; http.uri; content:".vbn"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2023875; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family Nemucod, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012125; classtype:web-application-attack; sid:2012125; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Xtunnel Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; pcre:"/^\/(?:\w+\/){1,5}\?[a-z]{1,6}=[a-z0-9]{2,40}(?:&[a-z]{1,6}=(?:[a-z0-9]){1,40}(%3D){0,2}){1,4}$/i"; http.header; content:"deflate,sdch|0d 0a|Accept|3a 20|text|2f|html,application|2f|xhtml"; fast_pattern; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|MSIE|20|7.0"; http.connection; content:"Close"; http.header_names; content:!"Referer"; content:!"Cache"; classtype:targeted-activity; sid:2027405; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family XTunnel, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012126; classtype:web-application-attack; sid:2012126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Onliner Receiving Commands from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|id|3a|"; depth:4; pcre:"/^\d{5,10}\x7d/R"; content:"|7b|ok|3a 5b|task|5d|"; distance:0; fast_pattern; content:"|7b|urls|7d|"; distance:0; content:"|7b|tasks|7d|"; distance:0; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027808; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012127; classtype:web-application-attack; sid:2012127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Check-in Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 60; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|10.0) like Gecko"; fast_pattern; depth:61; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.connection; content:"Close"; depth:5; endswith; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"Connection|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:md5,ac6ea1e500de772341a2075a7d916d63; classtype:trojan-activity; sid:2020064; rev:5; metadata:created_at 2014_12_23, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012128; classtype:web-application-attack; sid:2012128; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".html"; nocase; endswith; pcre:"/\/\d{8,10}\.html$/i"; http.cookie; content:"BX="; http.start; content:"Cookie|3a 20|XX="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021278; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012129; classtype:web-application-attack; sid:2012129; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"webscriptly.com"; nocase; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029566; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pingsvr.php?"; nocase; content:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt; reference:url,doc.emergingthreats.net/2012130; classtype:web-application-attack; sid:2012130; rev:6; metadata:created_at 2010_12_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=huivaritaslloa.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_seyret"; nocase; content:"task=videodirectlink"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14172/; reference:url,doc.emergingthreats.net/2012131; classtype:web-application-attack; sid:2012131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=infinitydevelooperspes.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unverifiedintigoosjai.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012161; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"app.dynamicrosoft.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029559; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012162; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"home.mwbsys.org"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029560; rev:3; metadata:affected_product Web_Browsers, affected_product Linux, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012163; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; http.method; content:"POST"; nocase; http.request_body; content:"&z"; pcre:"/^\d{1,3}=/Ri"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:5; metadata:created_at 2013_08_12, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/accept-signups/accept-signups_submit.php?"; nocase; content:"email="; nocase; pcre:"/email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt; classtype:web-application-attack; sid:2012164; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot POST Request to C2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla"; depth:32; fast_pattern; pcre:"/(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:44; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:command-and-control; sid:2019141; rev:5; metadata:created_at 2014_09_09, former_category MALWARE, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/blocks/file/controller.php?"; nocase; content:"DIR_FILES_BLOCK_TYPES_CORE="; nocase; pcre:"/DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,45669; classtype:web-application-attack; sid:2012165; rev:6; metadata:created_at 2011_01_07, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; http.method; content:"POST"; http.content_len; byte_test:0,>,99,0,string,dec; http.start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:command-and-control; sid:2019168; rev:7; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/com_xmovie/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt; classtype:web-application-attack; sid:2012166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:35; depth:10; http.header; content:"HOST|3a 20|www.google.com|0d 0a|"; depth:22; fast_pattern; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; classtype:trojan-activity; sid:2019129; rev:12; metadata:created_at 2012_06_12, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/express_edit/editor.aspx?"; nocase; content:"index="; nocase; content:"AND"; nocase; content:"IF"; nocase; pcre:"/AND.*IF\(/i"; reference:url,exploit-db.com/exploits/15124/; classtype:web-application-attack; sid:2012167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|MSIE|20|"; nocase; fast_pattern; content:!"Mozilla/4.0 (compatible|3b 20|MSIE|20|6.0|3b 20|DynGate)"; content:!"Windows Live Messenger"; content:!"MS Web Services Client Protocol"; http.host; content:!"groove.microsoft.com"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.request_body; content:!"grooveDNS|3a|//"; http.header_names; content:!"X-Requested-With"; nocase; content:!"Accept-Encoding"; content:!"Referer"; classtype:bad-unknown; sid:2018358; rev:10; metadata:created_at 2014_04_04, former_category INFO, updated_at 2020_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hst="; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:md5,dfd424684f3a5c44ff425c7fe425ca8b; classtype:command-and-control; sid:2030853; rev:1; metadata:created_at 2020_09_11, former_category MALWARE, performance_impact Low, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http.method; content:"POST"; http.connection; content:"close"; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019749; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/tiki-jsplugin.php?"; nocase; content:"plugin="; nocase; content:"language="; nocase; reference:url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46; classtype:web-application-attack; sid:2012168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING APT SWC PluginDetect Landing Cookie 2015-10-15"; flow:established,from_server; http.start; content:"Cookie|3a 20|PNPSESSID="; fast_pattern; file.data; content:"SharePoint.OpenDocuments.5"; classtype:targeted-activity; sid:2031893; rev:5; metadata:created_at 2015_10_15, former_category PHISHING, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006748; classtype:web-application-attack; sid:2006748; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=sucuritester.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029571; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006749; classtype:web-application-attack; sid:2006749; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=reportgns.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006751; classtype:web-application-attack; sid:2006751; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?n="; fast_pattern; content:"&m="; distance:0; content:"&i="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,ed9e14a932b28f1ebdc4cd5b549af9da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023951; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006752; classtype:web-application-attack; sid:2006752; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:!"google.com"; endswith; http.start; content:".1|0d 0a|User-Agent|3a 20|Mozi"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023916; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006753; classtype:web-application-attack; sid:2006753; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:".php?wShell="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.2)"; endswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006754; classtype:web-application-attack; sid:2006754; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil M3"; flow:established,to_server; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Content-Type|0d 0a|"; reference:md5,1e14ded758c5dd7b41fe20297935eeef; classtype:targeted-activity; sid:2035444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spora Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"=XDATABASE64ENCRYPTED"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_11_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006756; classtype:web-application-attack; sid:2006756; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen:>65; http.uri; content:"/counter/?"; fast_pattern; depth:10; content:"a="; content:"i="; pcre:"/[&?]i=[A-Za-z0-9_-]{50,}(?:&|$)/"; pcre:"/[&?]a=(?:[a-zA-Z0-9_-]{25,}|(?:0\.)?\d+)(?:&|$)/"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,852cbd70766feb96923a79b210e94646; classtype:trojan-activity; sid:2023816; rev:4; metadata:created_at 2017_01_31, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006757; classtype:web-application-attack; sid:2006757; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Redirect to Joom AG Hosted Document - Potential Phishing"; flow:to_client,established; http.stat_code; content:"302"; http.location; content:"https://view.joomag.com/"; fast_pattern; startswith; classtype:misc-activity; sid:2031173; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag Phishing, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006758; classtype:web-application-attack; sid:2006758; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031174; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006759; classtype:web-application-attack; sid:2006759; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031175; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007288; classtype:web-application-attack; sid:2007288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kimsuky Sending Encrypted System Information to CnC"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"WebKitFormBoundarywhpFxMBe19cSjFnG"; endswith; fast_pattern; reference:md5,92001e9cebec0f0f0ac2b7c7e04f017d; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007289; classtype:web-application-attack; sid:2007289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky WildCommand CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"4cef22e90f"; endswith; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031180; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007290; classtype:web-application-attack; sid:2007290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; content:">MAILER INBOX SENDING"; distance:0; fast_pattern; classtype:web-application-attack; sid:2031176; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007291; classtype:web-application-attack; sid:2007291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; fast_pattern; content:">MAILER INBOX SENDING"; distance:0; classtype:web-application-attack; sid:2031177; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007292; classtype:web-application-attack; sid:2007292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024048; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007293; classtype:web-application-attack; sid:2007293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"QMvXcJ"; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012181; rev:5; metadata:created_at 2011_01_14, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony Payload DL"; flow:established,to_server; http.uri; content:"/inst.exe"; fast_pattern; endswith; http.host; content:!"360safe.com"; endswith; content:!"qhcdn.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept-"; content:"User-Agent|0d 0a|"; content:"Accept|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2023740; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, former_category TROJAN, malware_family Pony, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/media.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:6; metadata:created_at 2011_01_14, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; flowbits:set,et.IE7.NoRef.NoCookie; flowbits:noalert; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:bad-unknown; sid:2023670; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/xmlrpc/server.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin Dec 5 M1"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/checkupdate"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/s"; classtype:command-and-control; sid:2023576; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/libs/PLUGINADMIN.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012185; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"type="; depth:5; content:"&version="; content:"&lid="; content:"&c="; content:"&i="; http.request_line; content:"/stat/locker|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:command-and-control; sid:2024123; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/profile/user.php?"; nocase; content:"aXconf[default_language]="; nocase; reference:url,exploit-db.com/exploits/15938/; classtype:web-application-attack; sid:2012186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kwampirs Outbound GET request"; flow:to_server,established; urilen:>21; http.method; content:"GET"; http.uri; content:"?q=KT"; fast_pattern; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/"; http.user_agent; content:"Mozilla/"; depth:8; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/bizdir/bizdir.cgi?"; nocase; content:"f_srch="; nocase; pcre:"/f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt; classtype:web-application-attack; sid:2012187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029011; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, signature_severity Minor, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/English_manual_version_2.php?"; nocase; content:"client="; nocase; pcre:"/client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012190; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029009; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/zimplit.php?"; nocase; content:"action=load"; nocase; content:"file="; nocase; pcre:"/file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012191; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Loading ...<|2f|title>"; content:"|3b|base64,"; distance:0; content:"ZnVuY3Rpb24gTWFrZShDcmVkZW50aWF"; distance:0; fast_pattern; content:"ZG5zU2Vjb25kYXJ5OiAn"; distance:0; classtype:exploit-kit; sid:2027380; rev:3; metadata:created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scan"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"varhttp|3A|/"; nocase; content:"wwwhttp|3A|/"; nocase; content:"htmlhttp|3A|/"; nocase; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:7; metadata:created_at 2010_10_12, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baldr Stealer Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Encrypted.zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; fast_pattern; content:!"PK"; within:25; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family BALDR, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Post-Compromise Data Dump"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/?"; depth:2; http.request_body; content:"|06 00 00 00 01 00 00 00|"; depth:8; content:"|00 00 02 00 00 00|"; offset:8; depth:16; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2027075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External IP Lookup SSL Cert"; flow:from_server,established; tls.cert_subject; content:".iplocation.com"; nocase; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:external-ip-check; sid:2026882; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/imageload.cgi"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/s"; reference:md5,40ebefdec6870263827ce6425702e785; classtype:command-and-control; sid:2026517; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"client?mac_address="; content:"&agent_id="; distance:0; content:"agent_file_version"; http.user_agent; content:"cpprestsdk/"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026435; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; content:!"|00 00|"; depth:30; content:"|00 00|"; offset:34; depth:2; content:"|00 00|"; distance:2; within:2; content:"|00 00|"; distance:2; within:2; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be312fdb94f3a3c783332ea91ef00ebd; classtype:trojan-activity; sid:2026002; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud.swf?"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitList Argument Injection"; flow:established,to_server; http.request_body; content:"query=--open-files-in-pager"; fast_pattern; content:"php%20"; content:"%22eval"; content:"base64_decode"; reference:url,exploit-db.com/exploits/44993/; classtype:attempted-user; sid:2025820; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_07_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/op/op.Login.php?"; nocase; content:"login="; nocase; content:"sesstheme="; nocase; content:"lang="; nocase; reference:bugtraq,37828; classtype:web-application-attack; sid:2012217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?page=pie-invitation-codes&orderby="; nocase; content:"&order="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44867/; classtype:web-application-attack; sid:2025747; rev:4; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2018_06_26, cve cve_2018_10969, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud-ru.swf"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012220; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016"; flow:to_client,established; flowbits:isset,ET.wpphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"|0d 0a|location|3a 20|"; nocase; pcre:"/^[a-f0-9]{32}(?:\/index\.php)?\x0d\x0a/R"; classtype:social-engineering; sid:2025671; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_11_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; http.uri; content:"/proc/self/environ"; nocase; classtype:web-application-attack; sid:2012230; rev:6; metadata:created_at 2011_01_25, updated_at 2020_09_11;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; http.cookie; content:"DNNPersonalization="; fast_pattern; content:"ObjectStateFormatter"; content:"ObjectDataProvider"; reference:cve,2017-9822; reference:url,f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks?sf176487178; classtype:attempted-admin; sid:2025545; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/send.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:".css"; endswith; http.user_agent; content:"curl/"; http.cookie; content:"m_pixel_ratio="; fast_pattern; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/R"; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025465; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Opera 8.11 UA related to Trojan Activity"; flow:established,to_server; http.header; content:"|20|HTTP/1.0|0d 0a|"; content:"|0d 0a|User-Agent|3a 20|opera/8.11|0d 0a|"; classtype:trojan-activity; sid:2012315; rev:4; metadata:created_at 2011_02_17, former_category USER_AGENTS, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2018_04_03, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/customer_ftp.php?"; nocase; content:"id="; nocase; pcre:"/id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/16051/; classtype:web-application-attack; sid:2012334; rev:5; metadata:created_at 2011_02_24, updated_at 2020_09_11;)
+alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; http.method; content:"PUT"; http.uri; content:"/_users/"; http.request_body; content:"_admin"; fast_pattern; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:4; metadata:attack_target Server, created_at 2018_03_19, deployment Datacenter, former_category EXPLOIT, malware_family CoinMiner, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=viewbus"; nocase; content:"bus="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16034/; classtype:web-application-attack; sid:2012335; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen:26; http.method; content:"PUT"; http.uri; content:"/_config/query_servers/cmd"; http.header; content:"Authorization|3a 20|Basic"; http.request_body; pcre:"/^\s*[\x22\x27]/"; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:4; metadata:created_at 2018_03_13, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012336; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Delf Checkin"; flow:established,to_server; http.uri; content:"/autoupdate/versaoatual.txt"; fast_pattern; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:command-and-control; sid:2025283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category MALWARE, malware_family Dropper, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012337; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; http.host; content:"rl.ammyy.com"; depth:12; endswith; fast_pattern; classtype:policy-violation; sid:2025149; rev:5; metadata:created_at 2017_12_13, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012338; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent when remote host claims to send an image"; flow:established,from_server; http.content_type; content:"image/jpeg"; startswith; file.data; content:"New-Object"; nocase; content:"System.Net.WebClient"; nocase; content:"Start-Process"; fast_pattern; classtype:trojan-activity; sid:2025007; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category MALWARE, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012339; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; http.content_type; content:"multipart/related"; fast_pattern; startswith; file.data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:6; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012340; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Payload Request"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/i"; http.start; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012341; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"|3b 20|Android|20|"; http.request_line; content:"/gt|20|HTTP/1."; fast_pattern; http.connection; content:"keep-alive"; depth:10; endswith; http.content_type; content:"application/json"; depth:16; endswith; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|"; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:command-and-control; sid:2024765; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_RedAlert, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012342; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/active_auctions.php?"; nocase; content:"lan="; nocase; reference:url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63; classtype:web-application-attack; sid:2012343; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; http.uri; content:"/s.php?id="; depth:10; pcre:"/^\/s\.php\?id=[a-z0-9]{2,6}$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,5285f1adfc0013fa86218a7d76c0016d; classtype:trojan-activity; sid:2024600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib/addressbook.php?"; nocase; content:"basedir="; nocase; pcre:"/basedir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12369/; classtype:web-application-attack; sid:2012344; rev:5; metadata:created_at 2011_02_24, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hancitor/Tordal Document Request"; flow:established,to_server; flowbits:set,ET.Hancitor; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?d="; fast_pattern; pcre:"/\.php\?d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie"; classtype:trojan-activity; sid:2024604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_frontenduseraccess"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/43137/; reference:url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909; classtype:web-application-attack; sid:2012345; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; http.header_names; content:!"Cookie|0d 0a|"; file.data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*<iframe src\s*=\s*[\x22\x27]http\:\/\/[^\x22\x27]+\.php[\x22\x27]\s*style\s*=\s*[\x22\x27]display\x3a\s*none\x3b\s*[\x22\x27]>\s*<\/iframe\>\s*$/Rsi"; classtype:trojan-activity; sid:2024678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012346; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?root="; fast_pattern; pcre:"/^[a-f0-9]{16}$/Ri"; http.accept; content:"text/plain"; depth:10; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:command-and-control; sid:2024489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_21, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Bitshifter, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012347; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; content:"&il="; distance:0; nocase; content:"&vr="; distance:0; nocase; content:"&bt="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012348; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMoney Adware Activity"; flow:to_server,established; flowbits:set,ETPTadmoney; http.method; content:"POST"; http.uri; content:".htm?v="; fast_pattern; content:"&eh="; distance:0; content:"&ts="; distance:0; content:"&u2="; distance:0; http.cookie; content:"a=h+"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:pup-activity; sid:2024693; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category ADWARE_PUP, malware_family Neshta, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012349; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; http.uri; content:"/demonsgate.php"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,74a3c324a8565d7f567763bee960bcca; classtype:trojan-activity; sid:2024719; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, malware_family Lucifer_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012350; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; http.uri; content:".hta"; nocase; fast_pattern; pcre:"/\.hta(?:[?&]|$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; depth:34; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/SearchCenter/Pages/AllResults.aspx?"; nocase; content:"k="; nocase; pcre:"/k\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98029/enp-xss.txt; classtype:web-application-attack; sid:2012351; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/javascript|0d 0a|Server|3a 20|Apache/2.2.3 (CentOS)|0d 0a|Pragma|3a|"; fast_pattern; depth:69; content:"|0d 0a|Expires|3a 20|0|0d 0a|"; http.header_names; content:!"Set-Cookie|0d 0a|"; content:!"X-Powered-By|0d 0a|"; classtype:attempted-user; sid:2024421; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/browsecats.php?"; nocase; content:"cid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16062/; classtype:web-application-attack; sid:2012352; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"=x"; fast_pattern; distance:0; pcre:"/^[HX3][^&]Q[cdM][^&]{3}[ab]R/R"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024381; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/audio/getid3/demos/demo.browse.php?"; nocase; content:"showfile="; nocase; pcre:"/showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt; classtype:web-application-attack; sid:2012353; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader June 12 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Firefox/51.0"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, performance_impact Low, signature_severity Major, tag WS_JS_Downloader, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/gradebook/open_document.php?"; nocase; content:"file="; reference:bugtraq,46173; classtype:web-application-attack; sid:2012354; rev:5; metadata:created_at 2011_02_24, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bingo EK Payload Download"; flow:established,to_server; urilen:116; http.uri; content:"/?"; depth:2; pcre:"/^\/\?[a-f0-9]{114}$/"; http.user_agent; content:"WinHttp.WinHttpRequest.5"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024367; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Bingo, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?"; nocase; content:"PHPCOVERAGE_HOME"; nocase; pcre:"/PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt; classtype:web-application-attack; sid:2012355; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; http.request_line; content:"GET /a5/ HTTP/1."; depth:16; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:command-and-control; sid:2024290; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/js/modalbox/tests/functional/_ajax_method_get.php?"; nocase; content:"param="; nocase; pcre:"/param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt; classtype:web-application-attack; sid:2012356; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Webbug Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"_utm.gif?utmac="; fast_pattern; content:"&utmcn="; distance:0; content:"&utmcs="; distance:0; content:"&utmsr="; distance:0; content:"&utmsc="; distance:0; content:"&utmul="; distance:0; http.host; content:!"www.google-analytics.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc65cbf12622eb55f0fd382e0fe250c5; classtype:command-and-control; sid:2032748; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_xgallery/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt; classtype:web-application-attack; sid:2012357; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.cookie; content:"skin=noskin"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc65cbf12622eb55f0fd382e0fe250c5; classtype:command-and-control; sid:2032749; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flash_upload.php?"; nocase; content:"modelid="; nocase; content:"ORDER"; nocase; content:"BY"; nocase; pcre:"/ORDER.+BY/i"; reference:bugtraq,45933; classtype:web-application-attack; sid:2012358; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?key="; fast_pattern; content:"&value="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8c6d686249fc3c6df3dc88ea2cddf02; classtype:command-and-control; sid:2024276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family OzazaLocker, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"enfiniql2buev6o.m.pipedream.net"; bsize:31; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:domain-c2; sid:2030851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32|3b 20|Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reimageplus Ransomware Checkin"; flow:established,to_server; http.request_line; content:"GET /?computer_name="; startswith; content:"&userName="; content:"&allow=ransom HTTP/1.1"; endswith; fast_pattern; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:command-and-control; sid:2030852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 1"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443] (msg:"ET MALWARE W32.Geodo/Emotet Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host"; fast_pattern; http.cookie; pcre:"/[a-z0-9]{3,4}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; depth:10; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2024272; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?name="; content:"&key=ENC"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,70c27926e54732a579b0004ede566fc6; reference:url,github.com/ShaneNolan/Runsome; classtype:command-and-control; sid:2024223; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Runsome, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012361; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".boyput.site"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012362; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".byteson.space"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029581; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012363; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Turla Carbon Paper CnC Beacon (Fake User-Agent)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"."; distance:1; within:2; content:".0|3b 20|Windows NT|20|"; distance:0; content:"Trident/"; distance:0; http.user_agent; pcre:"/^Mozilla\/4\.0\x20\(compatible\x3b\x20MSIE\x20\d{1,2}\.0\.\d+\.\d+\.0\x3b\x20Windows\x20NT\x20/"; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; startswith; http.start; content:"Cookie|3a 20|PHPSESSID="; fast_pattern; http.header_names; content:"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/; classtype:command-and-control; sid:2024183; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves HTTP CnC Beacon (APT10 implant)"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/index.php"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,28}[^\x20-\x7e\r\n]/s"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Keep-Alive"; depth:10; endswith; http.start; content:"dex.php|20|HTTP/1.1|0d 0a|Co"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024175; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, signature_severity Major, tag APT, tag APT10, tag RedLeaves, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012365; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/support.aspx"; endswith; http.header; content:"SessionId1|3a 20|"; content:"SessionId2|3a 20|"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024171; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012366; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:6; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012367; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; http.method; content:"GET"; http.uri; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/"; http.user_agent; content:"Firefox"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category TROJAN, malware_family Downloader, malware_family Locky_JS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012368; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/index.php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023203; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/com_swmenupro/ImageManager/Classes/ImageManager.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt; classtype:web-application-attack; sid:2012369; rev:5; metadata:created_at 2011_02_24, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; http.uri; content:"/distr/Proxifier"; nocase; depth:16; fast_pattern; http.host; content:"proxifier.com"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; content:!"Accept-"; content:!"Cookie|0d 0a|"; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/explanation.php?"; nocase; content:"explain"; nocase; pcre:"/explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012370; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/index"; http.start; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:attempted-admin; sid:2023075; rev:4; metadata:affected_product Fortigate, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/modules/boonex/custom_rss/post_mod_crss.php?"; nocase; content:"relocate"; nocase; pcre:"/relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012371; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pottieq.A Check-in"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20 7b|"; fast_pattern; http.user_agent; pcre:"/^\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}$/i"; http.request_body; content:"pc="; content:"mail="; content:"guid="; nocase; pcre:"/(?:^|&)id=\d+(?:$|&)/"; http.header_names; content:!"Accept"; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, malware_family Pottieq, performance_impact Low, signature_severity Major, tag Pottieq, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.cfm?"; nocase; content:"actcfug=LibraryView"; nocase; content:"LibraryID="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14935/; classtype:web-application-attack; sid:2012372; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dll"; http.header; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; fast_pattern; http.user_agent; content:"MSIE 7"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/util/barcode.php?"; nocase; content:"type="; nocase; reference:url,packetstormsecurity.org/files/view/98424/horde-lfi.txt; classtype:web-application-attack; sid:2012373; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_24, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; http.uri; content:"/~"; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/i"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012374; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony DLL Download"; flow:established,to_server; http.uri; content:"/pm"; pcre:"/^\d?\.dll$/R"; http.request_line; content:".dll HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:6; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012375; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; http.uri; content:!".swf"; nocase; content:!".flv"; nocase; content:!"/crossdomain.xml"; http.header; content:"x-flash-version|3a|"; fast_pattern; content:!"/crossdomain.xml"; content:!".swf"; nocase; content:!".flv"; nocase; content:!"[DYNAMIC]"; content:!"sync-eu.exe.bid"; http.host; pcre:"/^[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)/i"; http.header_names; content:!"|0d 0a|Cookie|0d 0a|"; classtype:trojan-activity; sid:2022894; rev:8; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012376; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; http.request_body; content:"a="; depth:2; content:"&c="; distance:0; content:"&r="; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/"; http.request_line; content:"POST /u/"; depth:8; fast_pattern; http.connection; content:"Close"; nocase; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; nocase; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:pup-activity; sid:2022723; rev:5; metadata:created_at 2016_04_11, former_category ADWARE_PUP, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012377; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:social-engineering; sid:2022697; rev:6; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012378; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Downloading .old"; flow:established,to_server; http.start; content:".old|20|HTTP/1.1|0d 0a|Host"; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022657; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allauctions.php?"; nocase; content:"aid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt; classtype:web-application-attack; sid:2012379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; http.uri.raw; content:"%"; content:"temp%"; nocase; fast_pattern; within:7; pcre:"/\%(?:25)?temp\%/i"; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:5; metadata:created_at 2016_02_22, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/core/themes.php?"; nocase; content:"L_failedopentheme="; nocase; pcre:"/L_failedopentheme\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt; classtype:web-application-attack; sid:2012380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Keitaro TDS Redirect"; flow:established,from_server; http.stat_code; content:"302"; http.header; content:"LOCATION|3a 20|http"; nocase; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; fast_pattern; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/s"; http.content_type; content:"text/html|3b 20|charset=utf-8"; depth:24; endswith; classtype:exploit-kit; sid:2022466; rev:7; metadata:created_at 2016_01_28, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itechd.php?"; nocase; content:"productid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Downloading Binary"; flow:established,to_server; urilen:8; http.uri; content:"/crond"; fast_pattern; pcre:"/^(?:32|64)$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|18.0) Gecko/20100101 Firefox/18.0"; endswith; depth:72; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:trojan-activity; sid:2022357; rev:5; metadata:created_at 2016_01_13, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; http.uri; content:"awstats.cgi"; nocase; content:"config="; nocase; content:"pluginmode=rawlog"; nocase; content:"configdir=|5C 5C|"; nocase; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:4; metadata:created_at 2011_02_28, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; http.method; content:"GET"; http.cookie; content:"cm="; content:"cn=M-cookie|3b|"; fast_pattern; content:"cp="; reference:url,panagioto.com/webacoo-backdoor-detection; classtype:web-application-activity; sid:2022295; rev:5; metadata:created_at 2015_12_22, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf/WebMessage"; nocase; content:"OpenView"; nocase; content:"messageString="; nocase; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; http.method; content:"GET"; http.uri; content:!"."; content:"/en-us/"; depth:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/R"; content:!"/im/"; http.start; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:10; metadata:created_at 2015_03_25, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf"; nocase; content:"unescape"; nocase; fast_pattern; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"|0d 0a 0d 0a|"; byte_jump:4,1,relative,little,post_offset -6; isdataat:!2,relative; http.method; content:"POST"; http.header; content:"|20 28|compatible|3b 20|MSIE 6.0|3b 20|Win32|29 0d 0a|HOST|3a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020898; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Cewolf?"; nocase; pcre:"/\&(width|height)\=([2-9][0-9][0-9][0-9]*)/i"; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html; classtype:web-application-attack; sid:2012406; rev:5; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:6; content:"/"; distance:1; within:2; content:"/"; distance:1; within:1; content:"/"; distance:1; within:1; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/"; http.host.raw; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}$/i"; http.start; content:"|20|HTTP/1.1|0d 0a|User-Agent"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020369; rev:6; metadata:created_at 2015_02_05, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; pcre:"/post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012411; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; http.cookie; content:"onion2web_confirmed="; fast_pattern; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; classtype:policy-violation; sid:2020324; rev:5; metadata:created_at 2015_01_28, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012412; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"|0d 0a 0d 0a|env="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^env=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:4; metadata:created_at 2015_12_18, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012413; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:45; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012414; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; http.uri; content:"/pict."; fast_pattern; content:"?id="; distance:0; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:6; metadata:created_at 2015_10_28, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012415; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/admin/get.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http.cookie; pcre:"/^SESSIONID=[A-Z0-9]{16}/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.powershellempire.com; classtype:command-and-control; sid:2021616; rev:5; metadata:created_at 2015_08_12, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012416; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|text/css|0d 0a|Accept|3a 20|image/**|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020301; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012417; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019748; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1"; flow:established,to_server; http.uri; content:"/shipping/methods/fedex_v7/label_mgr/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012418; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cohhoc RAT CnC Response"; flow:established,from_server; http.header; content:"Content-Length|3a 20|64|0d 0a|"; file.data; content:"gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; offset:1; depth:63; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019626; rev:7; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; http.uri; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_03, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ursnif Checkin"; flow:established,to_server; content:"no-cache|0d 0a 0d 0a 0d 0a|"; endswith; http.method; content:"POST"; http.uri; pcre:"/^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019377; rev:8; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ScriptResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6; metadata:created_at 2010_10_12, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stobox Connectivity Check"; flow:established,to_server; threshold: type both, count 5, seconds 300, track by_src; http.uri; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; fast_pattern; http.host; content:"update.microsoft.com"; depth:20; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:7; metadata:created_at 2014_09_11, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/i"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake rootkit usermode-centric client request"; flow:to_server,established; http.uri; content:"/1/6b-558694705129b01c0"; fast_pattern; http.connection; content:"Keep-Alive"; depth:10; endswith; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018247; rev:5; metadata:created_at 2014_03_11, former_category TROJAN, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banking Trojan HTTP Cookie"; flow:established,to_server; http.cookie; content:"tcpopunder"; fast_pattern; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/updates-to-the-citadel-trojan/; classtype:trojan-activity; sid:2018119; rev:5; metadata:created_at 2014_02_12, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; http.method; content:"GET"; http.uri; content:"/launch/?c="; fast_pattern; content:"&m="; content:"&l="; content:"&b="; content:"&sid="; content:"&os="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:pup-activity; sid:2018095; rev:9; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup"; dns.query; content:"imprintcenter.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029597; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?dn"; nocase; content:"&flrdr="; fast_pattern; nocase; content:"&nxte="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008639; classtype:trojan-activity; sid:2008639; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"cybermon.fortigatecloud.com"; nocase; depth:27; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029587; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; http.user_agent; content:"Win98"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=mikkymax.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3A|"; content:"X-Size|3A|"; content:"X-Sn|3A|"; fast_pattern; classtype:trojan-activity; sid:2014232; rev:5; metadata:created_at 2012_02_16, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=linkojager.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029595; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Web_Client_Attacks, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/EJBInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017574; rev:6; metadata:created_at 2013_10_10, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/entman/index.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:7; metadata:created_at 2010_09_28, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017573; rev:6; metadata:created_at 2013_10_10, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.user_agent; content:"|20|Netsparker)"; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeLoader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; nocase; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^\d+$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; classtype:command-and-control; sid:2017261; rev:7; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_pro_desk"; nocase; content:"include_file="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; http.uri; content:"/vid.aspx?id="; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]+$/Ri"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:7; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alina Server Response Code"; flow: established,from_server; http.response_line; content:"|20|666 OK"; fast_pattern; endswith; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:7; metadata:created_at 2013_06_08, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Kazy.174106 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?T="; http.user_agent; content:"Tesla"; fast_pattern; startswith; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:command-and-control; sid:2016939; rev:5; metadata:created_at 2013_05_29, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; http.user_agent; content:"FDM 3."; depth:6; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Post Exploit Payload Download"; flow:to_server,established; urilen:17; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]{16}$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.connection; content:"close"; depth:5; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; depth:38; endswith; classtype:exploit-kit; sid:2016869; rev:6; metadata:created_at 2013_05_21, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; flow:established,to_server; http.user_agent; content:"python-requests/"; classtype:attempted-recon; sid:2017515; rev:6; metadata:created_at 2013_09_25, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GrandSoft PDF Payload Download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.user_agent; content:"http|3a|//"; fast_pattern; startswith; http.start; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; classtype:exploit-kit; sid:2016764; rev:19; metadata:created_at 2013_04_17, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Redyms.A Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; offset:6; depth:7; http.header; content:".net|0d 0a|Content-Length|3a 20|128|0d 0a|"; fast_pattern; http.start; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; classtype:command-and-control; sid:2016759; rev:4; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt"; flow:to_server,established; http.uri; content:"/pics/"; content:".asp?id="; distance:0; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SP Q"; depth:55; http.header_names; content:"|0d 0a|Cookies|0d 0a|"; fast_pattern; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016573; rev:5; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; http.start; content:"|0a|Cookie|3a 20|CAQGBgoFD1Y"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016434; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"symbol"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]symbol[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:6; metadata:created_at 2013_01_09, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"yaml"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]yaml[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:6; metadata:created_at 2013_01_09, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/api/xmlrpc"; http.request_body; content:"file|3a 2f 2f 2f|"; fast_pattern; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:4; metadata:created_at 2012_08_15, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet Empty CnC Beacon"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; depth:111; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; reference:md5,627f3572e9c37de307b3511925934fb9; classtype:command-and-control; sid:2035046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:1; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer Requesting Config"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config"; endswith; content:!"."; http.header; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|id|22 3b 0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP STOPzilla Download Accelerator Activity"; flow:established,to_server; http.user_agent; content:"STOPzilla Download Accelerator"; depth:30; reference:md5,6748824b325cbc1be57394469e361d63; classtype:pup-activity; sid:2031182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|spamerhash|22 3b 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2031181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SilverSpeedup Generic PUA Software UA"; flow:established,to_server; http.user_agent; content:"SilverSpeedup"; depth:13; reference:md5,b6640c915f827013c4cbfece4d5fb7c0; classtype:pup-activity; sid:2031183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_edir"; nocase; fast_pattern; distance:0; content:"view="; nocase; distance:0; content:"controller="; nocase; distance:0; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kuarela.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029602; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.user_agent; content:"Windows 3.1"; fast_pattern; content:!"Cisco AnyConnect VPN Agent"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=gabardina.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029603; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017603; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=almagel.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029604; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; http.uri; content:"/timthumb.php?"; content:!"webshot=1"; distance:0; content:"src="; distance:0; content:"http"; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/i"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:exploit-kit; sid:2014846; rev:14; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsnnguyrygfu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029605; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode"; flow:established,to_server; http.uri; content:"/svn/"; nocase; content:".exe"; distance:0; nocase; fast_pattern; http.host; content:".googlecode.com"; endswith; classtype:trojan-activity; sid:2018191; rev:4; metadata:created_at 2014_02_26, former_category CURRENT_EVENTS, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ofiughfuu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029610; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Custom Contact Forms DB Upload/Download Auth Bypass"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-post.php?"; nocase; content:"page=ccf_settings"; nocase; fast_pattern; http.request_body; pcre:"/ccf_(?:(?:clear|merge)_im|ex)port/i"; reference:url,blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html; classtype:web-application-attack; sid:2018975; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_08_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kiparis.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029611; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; threshold:type limit, count 10, seconds 60, track by_src; http.user_agent; content:"Mozilla/5.0 SF"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dfsgu747hugr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029612; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; http.user_agent; content:"bsqlbf"; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sgahugu4ijgji.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029613; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WebShag Web Application Scan Detected"; flow:to_server,established; http.user_agent; content:"webshag"; reference:url,www.scrt.ch/pages_en/outils.html; classtype:attempted-recon; sid:2009158; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asggh554tgahhr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029614; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; http.method; content:"GET"; http.header; content:"C|3a|/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; depth:2; classtype:trojan-activity; sid:2015050; rev:6; metadata:created_at 2012_07_12, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.uni.cc domain"; flow:to_server,established; http.host; content:".uni.cc"; endswith; classtype:bad-unknown; sid:2013438; rev:5; metadata:created_at 2011_08_19, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex Post to CnC"; flow:established,to_server; content:"|0d 0a 0d 0a de ad be ef|"; fast_pattern; http.method; content:"POST"; http.uri; content:!"."; http.host; content:!"hbi-ingest.net"; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:command-and-control; sid:2015028; rev:8; metadata:created_at 2012_07_06, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; http.uri; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; classtype:web-application-attack; sid:2006447; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie is set RULEZ"; flow:established,to_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014612; rev:5; metadata:created_at 2012_04_18, updated_at 2020_11_05;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; urilen:22; http.method; content:"POST"; http.uri; content:"/cgi-bin/setup_dns.exe"; http.request_body; content:"getpage=|2e 2e|/html/setup/dns.htm"; depth:29; fast_pattern; content:"resolver|3a|settings/nameserver1="; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:6; metadata:created_at 2015_04_07, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set RULEZ"; flow:established,from_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014611; rev:5; metadata:created_at 2012_04_18, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Aribitrary File Upload Vulnerability in WP Mobile Detector"; flow:from_client,established; http.uri; content:"/wp-content/plugins/wp-mobile-detector/"; content:"resize.php?src=http"; fast_pattern; reference:url,pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/; classtype:attempted-user; sid:2022860; rev:4; metadata:created_at 2016_06_03, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; fast_pattern; http.accept_enc; content:"*|3b|q=0"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2014562; rev:5; metadata:created_at 2012_04_13, updated_at 2020_11_05;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; flowbits:set,ET.GOOTKIT; http.method; content:"GET"; http.uri; content:"/ftp"; nocase; http.header; content:!"www.trendmicro.com"; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest"; nocase; startswith; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; http.host; content:!"pandora.com"; content:!"wordpress.com"; http.start; content:"= HTTP/1.1|0D 0A|Host|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:command-and-control; sid:2014409; rev:8; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (3)"; flow:established,to_server; http.uri; content:"/?id"; nocase; content:"&rnd="; pcre:"/\/\?id(\d+)?&rnd=\d+$/"; http.header; content:!"Windows NT"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.threatexpert.com/report.aspx?md5=438bcb3c4a304b65419674ce8775d8a3; classtype:trojan-activity; sid:2011338; rev:6; metadata:created_at 2010_09_28, updated_at 2020_09_13;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M1 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"console.portal?"; content:".sh.ShellSession|28|"; distance:0; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-admin; sid:2031143; rev:3; metadata:created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".FileSystemXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031184; rev:2; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?V="; fast_pattern; content:"&U="; distance:0; http.header; content:"Windows NT"; content:"Referer|3a|"; content:".php|0d 0a|"; distance:0; http.header_names; content:!"Accept-"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024176; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, performance_impact Low, signature_severity Major, tag Felismus, updated_at 2020_09_13;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M4 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.header; content:"|0d 0a|cmd|3a 20|"; fast_pattern; http.request_body; content:"_nfpb=true"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031186; rev:1; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery_photo.php?"; nocase; content:"photo_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008831; classtype:web-application-attack; sid:2008831; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M5 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal?"; http.request_body; content:".ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031187; rev:1; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mainx_a.php?"; nocase; content:"x="; nocase; content:"xid="; nocase; content:"bid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/15999/; classtype:web-application-attack; sid:2012219; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 60"; flow:established,to_server; content:"|30 d0 52 71 74 3c 46 41 ac f3 4e|"; depth:11; fast_pattern; content:"|4e 3b|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026500; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Verified by Visa Phish Jan 30 2014"; flow:established,to_server; http.uri; content:"/vbv.php"; fast_pattern; http.request_body; content:"password="; classtype:credential-theft; sid:2018044; rev:6; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 28"; flow:established,to_server; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:command-and-control; sid:2026018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; flowbits:set,ET.PROPFIND; flowbits:noalert; http.method; content:"PROPFIND"; nocase; classtype:misc-activity; sid:2011456; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 63"; flow:established,to_server; content:"|d1 ef 79 30 f1 d3 16 52 6d e9 f3|"; depth:11; fast_pattern; content:"|25 fc|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026503; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; http.stat_code; content:"404"; http.stat_msg; content:"Not Found"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 67"; flow:established,to_server; content:"|0b 7e 42 80 62 68 98 84 a8 66 28|"; depth:11; fast_pattern; content:"|39 f3|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BTWebClient UA uTorrent in use"; flow:established,to_server; http.user_agent; content:"BTWebClient"; classtype:policy-violation; sid:2012247; rev:6; metadata:created_at 2011_01_27, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos RAT Checkin 23"; flow:established,to_server; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:command-and-control; sid:2025637; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; http.user_agent; content:"rtorrent/"; depth:9; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; classtype:policy-violation; sid:2011705; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 58"; flow:established,to_server; content:"|05 3b 09 6a f6 9e f9 65 e5 38 b3|"; depth:11; fast_pattern; content:"|4d 70|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/hnmain.inc.php3?"; nocase; content:"config[incdir]="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,inj3ct0r.com/exploits/11731; reference:url,exploit-db.com/exploits/12160; reference:url,doc.emergingthreats.net/2011161; classtype:web-application-attack; sid:2011161; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 62"; flow:established,to_server; content:"|46 4f 3e 16 69 12 4c e2 9a c2 28|"; depth:11; fast_pattern; content:"|a3 09|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz"; flow:established,to_client; http.cookie; content:"snkz="; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/R"; classtype:trojan-activity; sid:2018141; rev:5; metadata:created_at 2014_02_14, former_category TROJAN, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 30"; flow:established,to_server; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026020; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Libtorrent User-Agent"; flow:to_server,established; http.user_agent; content:"libtorrent"; nocase; classtype:policy-violation; sid:2012390; rev:6; metadata:created_at 2011_02_27, former_category P2P, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:command-and-control; sid:2025984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_09, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2020_11_06;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell GIF"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027738; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 55"; flow:established,to_server; content:"|2f 81 e4 ab 65 ab 1c 0d b9 8c e8|"; depth:11; fast_pattern; content:"|b6 13|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026495; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell JPEG"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027739; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 109"; flow:established,to_server; content:"|5b bc 1f 13 45 60 61 fd 0d 43 7f|"; depth:11; fast_pattern; content:"|3e 41|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client HTTP Request "; flow:to_server,established; http.uri; content:"/trackerphp/announce.php?"; nocase; content:"?port="; nocase; content:"&peer_id="; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; classtype:trojan-activity; sid:2006375; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 29"; flow:established,to_server; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026019; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install"; flow: to_server,established; http.uri; content:"/morpheus/morpheus.exe"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; classtype:policy-violation; sid:2001035; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 56"; flow:established,to_server; content:"|7d b5 14 83 61 23 20 d9 44 8a a7|"; depth:11; fast_pattern; content:"|2c da|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; http.uri; content:"/morpheus/morpheus_sm.ini"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; classtype:policy-violation; sid:2001036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 27"; flow:established,to_server; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026017; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; http.uri; content:"/gwebcache/gcache.asg?hostfile="; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; classtype:policy-violation; sid:2001037; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,98202283d7752779abd092665e80af71; classtype:command-and-control; sid:2025921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, former_category MALWARE, malware_family Remcos, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; http.uri; content:"/ycontent/stats.php?version="; nocase; content:"EVENT=InstallBegin"; nocase; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 59"; flow:established,to_server; content:"|ed d1 72 f7 67 72 6f 57 ec 23 3c|"; depth:11; fast_pattern; content:"|59 73|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 2, seconds 5; http.uri; content:"/acunetix-wvs-test-for-some-inexistent-file"; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 61"; flow:established,to_server; content:"|f3 85 1c e5 6c 10 d9 78 fa 64 de|"; depth:11; fast_pattern; content:"|78 49|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026501; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.uri; content:"/Netsparker-"; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 54"; flow:established,to_server; content:"|bc f5 5e 86 40 fa 48 95 a8 9e 28|"; depth:11; fast_pattern; content:"|ba 38|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; classtype:web-application-attack; sid:2004546; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 57"; flow:established,to_server; content:"|56 1e 2c fa 6e cc e4 74 40 48 df|"; depth:11; fast_pattern; content:"|22 30|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/imc/login.jsf"; nocase; content:"loginForm"; nocase; content:"javax.faces.ViewState="; nocase; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; classtype:web-application-attack; sid:2011145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 26"; flow:established,to_server; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026016; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; content:"email|3D|"; nocase; content:"hostname|3D|"; nocase; content:"default|5F|domain|3D|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; classtype:web-application-attack; sid:2010462; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 64"; flow:established,to_server; content:"|d7 9e f0 38 3f f1 9a ab d6 74 00|"; depth:11; fast_pattern; content:"|15 46|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"onmouseover="; nocase; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; classtype:web-application-attack; sid:2009715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 84"; flow:established,to_server; content:"|d5 c2 f9 4e 0a 7b 1c 62  a1 49 05|"; depth:11; fast_pattern; content:"|5d fe|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,12346b292b752af5ad924239eac02a09; classtype:command-and-control; sid:2026901; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; classtype:attempted-user; sid:2010460; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 66"; flow:established,to_server; content:"|12 37 57 b2 1e 20 12 3d f1 8a 24|"; depth:11; fast_pattern; content:"|d3 86|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon; sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 68"; flow:established,to_server; content:"|62 8d 57 43 81 41 32 36 55 5e 26|"; depth:11; fast_pattern; content:"|ec 50|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/support_param.html/config"; nocase; content:"Admin_Name=&Admin_Phone="; nocase; content:"Product_URL="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/i"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; classtype:web-application-attack; sid:2010919; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 65"; flow:established,to_server; content:"|ba e7 11 d6 b7 9f b5 c9 1d 10 58|"; depth:11; fast_pattern; content:"|4f 3a|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; http.uri; content:".aspx|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; threshold: type both, track by_src, count 225, seconds 60; http.header.raw; content:"User-Agent|3a 20 20|"; fast_pattern; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:8; metadata:created_at 2012_01_28, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_cmdshell"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; fast_pattern; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_servicecontrol"; nocase; pcre:"/(start|stop|continue|pause|querystate)/i"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; reference:url,doc.emergingthreats.net/2009816; classtype:web-application-attack; sid:2009816; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php  SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; fast_pattern; content:"only_hostid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"sp_adduser"; nocase; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; classtype:web-application-attack; sid:2009817; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_content"; distance:0; content:"sflDir="; nocase; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,exploit-db.com/exploits/17736; classtype:web-application-attack; sid:2013870; rev:5; metadata:created_at 2011_11_08, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_reg"; nocase; pcre:"/xp_reg(read|write|delete)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; classtype:web-application-attack; sid:2009818; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; http.uri; content:"|3a|@"; http.request_line; content:"GET|20 3a|@"; depth:6; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013792; rev:6; metadata:created_at 2011_10_24, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_fileexist"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; classtype:web-application-attack; sid:2009819; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; http.uri; content:"/ibrowser/scripts/random.php?"; nocase; fast_pattern; content:"dir="; nocase; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_enumerrorlogs"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; classtype:web-application-attack; sid:2009820; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; threshold:type threshold, track by_dst, count 10, seconds 20; http.header; content:"TE|3a 20|deflate,gzip|3b|q=0.3|0d 0a|Connection|3a 20|TE, close|0d 0a|Host|3a 20|"; depth:53; content:"User-Agent|3a 20|"; within:100; http.user_agent; content:!"libwww-perl/"; http.request_line; content:"GET //"; fast_pattern; depth:6; http.header_names; content:"|0d 0a|TE|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:26; endswith; classtype:attempted-recon; sid:2013416; rev:11; metadata:created_at 2011_08_17, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_readerrorlogs"; nocase; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; reference:url,doc.emergingthreats.net/2009822; classtype:web-application-attack; sid:2009822; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download (Security)"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"security"; fast_pattern; nocase; within:50; content:!"ALLOW-FROM www.onecallnow.com"; pcre:"/filename\x3D\x22[^\r\n]*security[^\n]+\.exe/i"; http.content_type; content:!"text/xml"; depth:8; classtype:trojan-activity; sid:2012981; rev:7; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_"; nocase; content:"_enum"; nocase; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; classtype:web-application-attack; sid:2009823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/accounts/ValidateAnswers?methodToCall=validateAll"; nocase; fast_pattern; http.request_body; content:"&Hide_Captcha=0"; nocase; content:"&LOGIN_NAME="; nocase; distance:0; content:"&quesList="; nocase; distance:0; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3272; classtype:web-application-attack; sid:2012979; rev:4; metadata:created_at 2011_06_09, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; classtype:attempted-recon; sid:2011142; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php?"; nocase; fast_pattern; content:"sleep="; nocase; distance:0; content:"file="; nocase; distance:0; http.uri.raw; content:"..%2f"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012657; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; classtype:attempted-recon; sid:2011143; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (myip .com)"; flow:established,to_server; http.host; content:"api.myip.com"; depth:12; isdataat:!1,relative; classtype:policy-violation; sid:2031188; rev:1; metadata:created_at 2020_11_06, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; classtype:attempted-recon; sid:2011144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-runnow-iframe.php?wpabs=/"; nocase; content:"%00&"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012407; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=https|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009152; classtype:web-application-attack; sid:2009152; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-view_log-iframe.php?wpabs=/"; nocase; content:"%00&logfile=/"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftp|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009153; classtype:web-application-attack; sid:2009153; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_banners/banners.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt; classtype:web-application-attack; sid:2011929; rev:5; metadata:created_at 2010_11_19, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftps\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009155; classtype:web-application-attack; sid:2009155; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; distance:0; content:"mailform_send="; nocase; distance:0; content:"confirm_value="; nocase; distance:0; content:"mailform_1="; nocase; distance:0; fast_pattern; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt; classtype:web-application-attack; sid:2011927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; http.uri; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; classtype:web-application-attack; sid:2006443; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; fast_pattern; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011839; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; classtype:web-application-attack; sid:2006444; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve 2020_8518, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; http.uri; content:"varchar("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"feb.kkooppt.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; http.uri; content:"exec("; nocase; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"compdate.my03.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029627; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; http.uri; content:"DECLARE|20|"; nocase; content:"CHAR("; nocase; content:"CAST("; nocase; reference:url,doc.emergingthreats.net/2008467; classtype:attempted-admin; sid:2008467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"jocoly.esvnpe.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; http.uri; content:"ALTER"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; classtype:web-application-attack; sid:2010084; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SET"; nocase; distance:0; http.uri; content:"SHOW"; nocase; content:"CHARACTER"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; classtype:web-application-attack; sid:2010964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; http.uri; content:"DROP"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; classtype:web-application-attack; sid:2010085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bmy.hqoohoa.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; http.uri; content:"CREATE"; nocase; pcre:"/^\s+(database|procedure|table|column|directory)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; classtype:web-application-attack; sid:2010086; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bur.vueleslie.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"wind.windmilldrops.com"; bsize:22; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"CUR"; nocase; distance:0; pcre:"/^(?:DATE|TIME)/Ri"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; classtype:web-application-attack; sid:2010966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"TABLES"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; classtype:web-application-attack; sid:2010967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; nocase; content:"page="; nocase; distance:0; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(?:\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/i"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"VALUES"; nocase; distance:0; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; classtype:web-application-attack; sid:2011039; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/OvCgi/ovalarm.exe"; nocase; fast_pattern; content:"OVABverbose="; nocase; distance:0; pcre:"/^(1|on|true)/Ri"; http.accept_lang; isdataat:100,relative; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; classtype:web-application-attack; sid:2010704; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MassLogger Domain in TLS SNI (ecigroup-tw .com)"; flow:established,to_server; tls.sni; content:"ecigroup-tw.com"; bsize:15; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030879; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow:established,to_server; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; distance:0; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010673; classtype:web-application-attack; sid:2010673; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (enoyq5xy70oq .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"enoyq5xy70oq.x.pipedream.net"; bsize:28; reference:md5,033abc4e8a618e545e4e84e0504f853d; classtype:coin-mining; sid:2030872; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010672; classtype:web-application-attack; sid:2010672; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; http.uri; content:"BENCHMARK("; nocase; content:")"; pcre:"/BENCHMARK\x28[0-9].+\x29/i"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; classtype:web-application-attack; sid:2011041; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010670; classtype:web-application-attack; sid:2010670; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"INTO"; nocase; content:"OUTFILE"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010669; classtype:web-application-attack; sid:2010669; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; http.uri; content:"REVERSE"; nocase; pcre:"/[^\w]REVERSE[^\w]?\(/i"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; classtype:web-application-attack; sid:2011122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; http.uri; content:"+CSCOE+/files/browse.html"; nocase; fast_pattern; content:"code=init"; nocase; distance:0; content:"path=ftp"; nocase; distance:0; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; classtype:attempted-user; sid:2010457; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_layouts/help.aspx"; nocase; content:"cid0="; nocase; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; classtype:web-application-attack; sid:2011073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; classtype:web-application-attack; sid:2010134; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; http.uri; content:"/utility.cgi?testType="; nocase; content:"IP="; nocase; content:"|7C 7C|"; pcre:"/\x7C\x7C.+[a-z]/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; classtype:attempted-admin; sid:2010159; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; classtype:web-application-attack; sid:2010133; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004386; classtype:web-application-attack; sid:2004386; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS *.dyn-ip24 .de Domain"; dns.query; content:".dyn-ip24.de"; nocase; endswith; classtype:policy-violation; sid:2029638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"INSTR"; nocase; pcre:"/SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; classtype:web-application-attack; sid:2010284; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Joia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ABCDIMQ"; depth:7; fast_pattern; http.start; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,7e10e615edd111a5b77266c862aca78a; classtype:command-and-control; sid:2029641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SUBSTR"; nocase; pcre:"/SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; classtype:web-application-attack; sid:2010285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Sogou.H Variant Request"; flow:established,to_server; http.request_line; content:"GET /appinfo?num="; startswith; fast_pattern; pcre:"/^\d+\sHTTP/1.1$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.user_agent; content:"HttpDownload"; bsize:12; reference:md5,29db559062d82a56c53c70c68dc160ec; classtype:pup-activity; sid:2031191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; http.uri; content:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:pup-activity; sid:2003060; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MZRevenge Ransomware CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.request_body; content:"filename|3d 22|TVpS"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=--------"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029647; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; http.uri; content:"/prxjdg.cgi"; nocase; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; classtype:credential-theft; sid:2029652; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/etc/passwd?format="; content:"><script>alert('xss')"; content:"traversal="; reference:url,www.computec.ch/projekte/httprecon/; reference:url,doc.emergingthreats.net/2008627; classtype:attempted-recon; sid:2008627; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<title>Microsoft Office"; fast_pattern; nocase; content:"Login below to access file"; nocase; distance:0; classtype:social-engineering; sid:2029658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/.adSensePostNotThereNoNobook"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"|0d 0a 0d 0a|fullname="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&postcode="; nocase; distance:0; classtype:credential-theft; sid:2029653; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Backend Data Miner Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/actSensePostNotThereNoNotive"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008629; classtype:attempted-recon; sid:2008629; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<meta name=|22|publisher|22 20|content=|22|DHL"; fast_pattern; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; classtype:credential-theft; sid:2029659; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|0D 0A|Location|3A|"; nocase; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; classtype:web-application-attack; sid:2011763; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2019-10-18"; flow:established,to_server; content:"|0d 0a 0d 0a|epass="; fast_pattern; http.method; content:"POST"; http.uri; content:"/Logon.php"; nocase; endswith; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2029679; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; classtype:attempted-recon; sid:2009479; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; endswith; fast_pattern; http.request_body; content:"pass"; nocase; classtype:misc-activity; sid:2031189; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms M2"; flow:established,from_server; http.stat_code; content:"404"; http.header; content:"Content-Length|3a 20|148|0d 0a|"; fast_pattern; http.content_type; content:"text/html"; depth:9; file.data; content:!"<html"; nocase; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".pl~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:attempted-admin; sid:2029025; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:web-application-attack; sid:2029037; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".conf~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert tcp-pkt $HOME_NET any -> any any (msg:"ET MALWARE Pay2Key Ransomware - Sending RSA Key"; flow:established,to_server; dsize:286; content:"|10 10 00 00 00 00 14 01 00 00 06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00|"; startswith; reference:url,research.checkpoint.com/2020/ransomware-alert-pay2key/; classtype:command-and-control; sid:2031192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; classtype:web-application-attack; sid:2009952; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"546874.tk"; nocase; endswith; classtype:domain-c2; sid:2029715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".aspx~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; classtype:web-application-attack; sid:2009953; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a54cf56.tk"; nocase; endswith; classtype:domain-c2; sid:2029716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".cgi~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; classtype:web-application-attack; sid:2010820; rev:9; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0x4fc271.tk"; nocase; endswith; classtype:domain-c2; sid:2029717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 1"; flow:established,to_client; http.cookie; content:"ci_session="; file.data; content:"ne_unik"; fast_pattern; within:7; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:4; metadata:created_at 2013_05_31, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"change-password.ml"; nocase; endswith; classtype:domain-c2; sid:2029718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M10"; flow:established,to_server; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:"Referer|0d 0a|"; distance:0; reference:md5,ba2e4a231652f8a492feb937b1e96e71; classtype:trojan-activity; sid:2030868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id24556.tk"; nocase; endswith; classtype:domain-c2; sid:2029719; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=peernew.com"; nocase; endswith; reference:md5,f3ead1eef8ee0d3b4aceaef10b7b4a9c; classtype:domain-c2; sid:2030867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id451295.com"; nocase; endswith; classtype:domain-c2; sid:2029720; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Zimbra Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Zimbra Web Client Sign In"; fast_pattern; classtype:social-engineering; sid:2030869; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"yahoo-change-password.com"; endswith; classtype:domain-c2; sid:2029721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoLang Dropper Domain (en7dftkjiipor .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en7dftkjiipor.x.pipedream.net"; bsize:29; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:md5,a1de4ff7292f4557a7b133d90e2ec538; classtype:domain-c2; sid:2030873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a5.tk"; nocase; endswith; classtype:domain-c2; sid:2029722; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (endpsbn1u6m8f .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"endpsbn1u6m8f.x.pipedream.net"; bsize:29; reference:md5,0789fc10c0b2e34b4d780b147ae98759; classtype:coin-mining; sid:2030874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id6589.com"; nocase; endswith; classtype:domain-c2; sid:2029723; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (en24zuggh3ywlj .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en24zuggh3ywlj.x.pipedream.net"; bsize:30; reference:md5,785a7a47010d58638b874f29c4a1f0ad; classtype:coin-mining; sid:2030875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Location|3a 20|"; nocase; pcre:"/^[^\r\n]+\.edu/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; classtype:credential-theft; sid:2025114; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030876; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; nocase; pcre:"/^[A-F0-9]{30}$/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025164; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Inbound"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".i.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030877; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?cx="; nocase; fast_pattern; content:"&b="; nocase; distance:0; content:"&gt="; nocase; distance:0; content:"&tx="; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/i"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025163; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-#alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Zerologon NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|04 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|00 00 00 00 00 00 00 00|"; endswith; fast_pattern; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Initial Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?t="; depth:4; content:"&&s="; distance:0; content:"&&p="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:65; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027439; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sage Ransomware Checkin"; flow:established,from_server; flowbits:isset,ET.Sage.Primer; http.header; content:"Content-Length|3a 20|1|0d 0a|"; file.data; content:"k"; within:1; endswith; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027440; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; http.content_type; content:"application/x-msdownload"; bsize:24; file.data; content:"|3d 28 28|"; within:3; endswith; classtype:exploit-kit; sid:2023768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo VBS Payload Downloaded"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&00000111&11"; fast_pattern; endswith; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; depth:49; classtype:exploit-kit; sid:2028865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Spelevo_EK, signature_severity Major, tag Spelevo_EK, updated_at 2020_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/foo-autenticazione.php"; fast_pattern; endswith; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2024370; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConstructorWin32/Agent.V"; flow:to_server,established; http.header; content:"|0d 0a|Pragma|3a 20|no-catch|0d 0a|"; http.request_line; content:"GET http://"; depth:11; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"X-HOST|0d 0a|"; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:10; metadata:created_at 2012_04_26, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Broken/Filtered Payload Download Jun 19 2017"; flow:established,from_server; http.header; content:"Content-Length|3a 20|8|0d 0a|"; fast_pattern; file.data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; endswith; classtype:exploit-kit; sid:2024414; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"System Idle Process"; fast_pattern; content:"|49 6d 61 67 65 20 4e 61 6d 65|"; content:"|50 49 44 20 53 65 73 73 69 6f 6e 20 4e 61 6d 65|"; distance:0; content:"|53 65 73 73 69 6f 6e 23|"; distance:0; content:"|4d 65 6d 20 55 73 61 67 65|"; distance:0; content:"svchost.exe"; content:"winlogon.exe"; classtype:trojan-activity; sid:2018886; rev:4; metadata:created_at 2014_08_04, updated_at 2020_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FF-RAT Stage 1 CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?hdr_ctx="; fast_pattern; pcre:"/\.php\?hdr_ctx=[0-9]{1,5}_[0-9]{1,5}$/"; http.user_agent; content:"Mozilla/5.0"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html; classtype:command-and-control; sid:2024419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.header; content:"|0d 0a|NSC_USER|3a 20|"; nocase; content:"|0d 0a|NSC_NONCE|3a 20|"; nocase; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_01_13, deployment Perimeter, signature_severity Critical, updated_at 2020_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LockPOS CnC"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"lock"; fast_pattern; endswith; http.request_body; content:"|00 00 00|"; offset:1; depth:3; reference:md5,0ad35a566cfb60959576835ede75983b; reference:url,www.arbornetworks.com/blog/asert/lockpos-joins-flock/; classtype:command-and-control; sid:2024461; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, malware_family PoS, signature_severity Major, tag POS, tag LockPOS, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"usuario="; startswith; content:"|20|-|20|"; distance:0; content:"|20|-|20|"; distance:0; content:"&llave1="; distance:0; content:"&llave2="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:command-and-control; sid:2029736; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)"; dns.query; content:"formyip.com"; endswith; classtype:external-ip-check; sid:2024830; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; flowbits:set,ET.ge.tt.download; http.method; content:"GET"; http.uri; content:"/gett/"; fast_pattern; depth:6; content:"?index="; distance:0; content:"&user="; distance:0; content:"&referrer="; distance:0; content:"&download="; distance:0; http.host; content:"ge.tt"; endswith; classtype:misc-activity; sid:2029745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dragonfly APT Activity HTTP URI OPTIONS"; flow:established,to_server; http.method; content:"OPTIONS"; http.uri; content:"/ame_icon.png"; fast_pattern; endswith; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024899; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"/upload/"; depth:8; http.method; content:"POST"; http.host; content:"ge.tt"; fast_pattern; http.request_body; content:"|22 3b 20|filename=|22|"; classtype:misc-activity; sid:2029746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_11_10;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in DNS Lookup)"; dns.query; content:"handbrakestore.com"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024890; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; http.uri; pcre:"/^\/ucD[A-Za-z0-9_\/\-+]{171}$/"; http.request_line; content:"GET|20|/ucD"; fast_pattern; content:"|20|HTTP/1.1"; distance:171; within:9; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/meterpreter.profile; classtype:command-and-control; sid:2029742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in DNS Lookup)"; dns.query; content:"eltima.in"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024888; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; http.user_agent; content:"Shockwave Flash"; bsize:15; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.request_line; content:"GET|20|/idle/1376547834/1|20|HTTP/1.1"; fast_pattern; bsize:31; http.content_type; content:"application/x-fcs"; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/rtmp.profile; classtype:command-and-control; sid:2029744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in DNS Lookup)"; dns.query; content:"handbrake.cc"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024892; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert smb any any -> $HOME_NET any (msg:"ET POLICY Possible winexe over SMB - Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|5c 00|a|00|h|00|e|00|x|00|e|00|c|00 00 00|"; fast_pattern; endswith; nocase; reference:url,attack.mitre.org/software/S0191/; classtype:bad-unknown; sid:2026879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Informational, updated_at 2020_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M5 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/server.armel"; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024928; rev:4; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Upaste Paste Site"; dns.query; content:"upaste.me"; nocase; endswith; classtype:trojan-activity; sid:2031195; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, signature_severity Informational, updated_at 2020_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic 000webhostapp.com Phish 2017-10-27"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:credential-theft; sid:2029664; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Upaste)"; flow:established,to_client; tls.cert_subject; content:"CN=upaste.me"; classtype:misc-activity; sid:2031196; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017"; flow:to_server, established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"pasuma"; nocase; depth:100; fast_pattern; content:"name"; nocase; classtype:credential-theft; sid:2024942; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"covid"; nocase; classtype:credential-theft; sid:2029757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M4"; dns.query; content:"cbk99.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024933; rev:5; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"corona"; nocase; classtype:credential-theft; sid:2029758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M5"; dns.query; content:"bbk80.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024934; rev:5; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Telerik.Web.UI.WebResource.axd"; fast_pattern; content:"type=rau"; nocase; distance:0; http.request_body; content:"rauPostData"; nocase; reference:url,github.com/noperator/CVE-2019-18935; reference:cve,2019-18935; classtype:web-application-attack; sid:2029761; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1 .com in DNS Lookup)"; dns.query; content:"cba4a6e5d3c956548a337c52388473f1.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024956; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; http.method; content:"GET"; http.uri; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; reference:url,www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid:2029762; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (0a0074066c49886a39b5a3072582f5d6 .net in DNS Lookup)"; dns.query; content:"0a0074066c49886a39b5a3072582f5d6.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024957; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Plurox Backdoor CnC Checkin"; flow:established,to_server; content:"|aa 95 82 71|"; depth:4; content:"|01 00 00 00 00 00 00 00|"; distance:4; within:8; content:"|95 82 71 aa 95 82 71|"; endswith; fast_pattern; reference:md5,c5b42399a6636de5014e2934ef08278f; reference:url,securelist.com/plurox-modular-backdoor/91213/; classtype:command-and-control; sid:2027506; rev:4; metadata:created_at 2019_06_21, former_category MALWARE, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (73780fbd309561e201a4aee9914d882d .org in DNS Lookup)"; dns.query; content:"73780fbd309561e201a4aee9914d882d.org"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024958; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Check Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK>"; endswith; fast_pattern; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>$/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027707; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (dcb5684707f6c66492aaa9f7d9bfb5a6 .biz in DNS Lookup)"; dns.query; content:"dcb5684707f6c66492aaa9f7d9bfb5a6.biz"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024959; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"system0_update04driver_roots.dynamic-dns.net"; bsize:44; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (322ffbbc7c1b312c2f9d942f20422f8d .com in DNS Lookup)"; dns.query; content:"322ffbbc7c1b312c2f9d942f20422f8d.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024960; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"sys_andriod20_designer.dynamic-dns.net"; bsize:38; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (18bca7c5fd709ac468ba148c590ef6bf .net in DNS Lookup)"; dns.query; content:"18bca7c5fd709ac468ba148c590ef6bf.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024961; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (jquery Profile)"; flow:established,to_server; http.cookie; bsize:179; content:"session-"; depth:8; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/R"; http.start; content:"GET|20|/jquery.min.js|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|session-"; startswith; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (aaafc94b3a37b75ae9cb60afc42e86fe .org in DNS Lookup)"; dns.query; content:"aaafc94b3a37b75ae9cb60afc42e86fe.org"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024962; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2"; http.method; content:"POST"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029714; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (c13a856f4a879a89e9a638207efd6c94 .biz in DNS Lookup)"; dns.query; content:"c13a856f4a879a89e9a638207efd6c94.biz"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024963; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M1"; http.method; content:"POST"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M6"; dns.query; content:"bbk86.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024935; rev:4; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2"; http.method; content:"GET"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M7"; dns.query; content:"ha859.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024936; rev:4; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1"; http.method; content:"GET"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (2fa3c2fa16c47d9b9bff8986a42b048f .com in DNS Lookup)"; dns.query; content:"2fa3c2fa16c47d9b9bff8986a42b048f.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024964; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M2"; http.method; content:"POST"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029756; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (3ec9b600789b3bacf2c72ebae142a9c3 .net in DNS Lookup)"; dns.query; content:"3ec9b600789b3bacf2c72ebae142a9c3.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024965; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M1"; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029755; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (tashdqdxp .com in DNS Lookup)"; dns.query; content:"tashdqdxp.com"; endswith; classtype:trojan-activity; sid:2024986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2"; http.method; content:"GET"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029754; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (weryhstui .com in DNS Lookup)"; dns.query; content:"weryhstui.com"; endswith; classtype:trojan-activity; sid:2024987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1"; http.method; content:"GET"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029753; rev:3; metadata:created_at 2020_03_28, former_category HUNTING, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (fyoutside .com in DNS Lookup)"; dns.query; content:"fyoutside.com"; endswith; classtype:trojan-activity; sid:2024988; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67"; content:"|00 01 00 01|"; content:"|00 04 23 cd 3d 43|"; distance:4; within:6; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; reference:url,travisgreen.net/2019/08/13/anubis-sinhole.html; classtype:trojan-activity; sid:2031197; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (olinaodi .com in DNS Lookup)"; dns.query; content:"olinaodi.com"; endswith; classtype:trojan-activity; sid:2024989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil"; flow:established,to_server; content:"|50 4b 03 04 14 00|"; depth:6; content:"Desktop.png"; distance:0; fast_pattern; reference:md5,20f025a45247cc0289e666057149c28e; reference:md5,7f053ba33d6e4bf07a15ee65dd2b0d92; reference:url,twitter.com/3xp0rtblog/status/1455134317710090248; reference:md5,490f0cff27a1cff0aead0ca3864e15d6; classtype:command-and-control; sid:2031198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, malware_family HunterStealer, malware_family AlfonsoStealer, malware_family PhoenixStealer, signature_severity Major, updated_at 2020_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".tk"; endswith; fast_pattern; classtype:credential-theft; sid:2023137; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-standard.com"; bsize:22; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030966; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; dns.query; content:"loaderclientarea24.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=bing-analytics.com"; bsize:21; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030967; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; dns.query; content:"loaderclientarea22.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-money.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030968; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; dns.query; content:"loaderclientarea20.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-assist.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030970; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; dns.query; content:"loaderclientarea15.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-debit.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030971; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Shiz.fxm/Agent-TBT Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 2.0|3b|"; depth:34; fast_pattern; http.referer; content:"http://www.google.com"; depth:21; endswith; classtype:command-and-control; sid:2013435; rev:6; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=connect-facebook.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030972; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> any any (msg:"ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wpad.dat"; fast_pattern; endswith; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022913; rev:5; metadata:created_at 2016_06_23, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn-jquery.com"; bsize:17; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030973; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; dns.query; content:".su"; nocase; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:4; metadata:created_at 2012_01_31, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-assistant.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030974; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; dns.query; content:".3322.org"; nocase; endswith; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:9; metadata:created_at 2011_01_12, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypalapiobjects.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030975; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vflooder.C Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"google.com"; fast_pattern; depth:10; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2021337; rev:5; metadata:created_at 2015_06_24, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-tasks.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030976; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup"; dns.query; content:"ilo.brenz.pl"; nocase; endswith; classtype:trojan-activity; sid:2012730; rev:7; metadata:created_at 2011_04_26, former_category TROJAN, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=jquery-insert.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030977; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)"; flow:established,to_server; threshold:type both,track by_src,count 2,seconds 10; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; depth:36; endswith; classtype:bad-unknown; sid:2018430; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=googleapimanager.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; http.host; content:".pw"; fast_pattern; endswith; content:!"u.pw"; depth:4; endswith; classtype:bad-unknown; sid:2016777; rev:14; metadata:created_at 2013_04_19, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize:<50; content:"info|7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; distance:0; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xtrat.A Checkin"; flow:established,to_server; http.uri; content:".functions"; fast_pattern; endswith; pcre:"/^\/\d+\.functions$/"; http.host; content:!"microsoft.com"; http.header_names; content:!"Referer"; reference:url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2016275; rev:12; metadata:created_at 2011_12_12, former_category MALWARE, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize:<50; content:"aw|7c 7c 7c|"; fast_pattern; nocase; depth:5; content:"|7c|"; isdataat:!1,relative;  reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 2"; flow:established,to_server; urilen:>1; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; http.method; content:"POST"; http.uri; content:"/"; endswith; http.content_len; byte_test:0,>,99,0,string,dec; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; content:!"User-Agent"; content:!"Accept"; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:command-and-control; sid:2020418; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF Linux/Dnsamp.AB Variant CnC"; flow:established,to_server; dsize:84; content:"|54|"; depth:1; content:"|11|"; distance:6; within:1; content:"|95 08 00 00 01 00 00 00|"; distance:68; within:8; fast_pattern; isdataat:!1,relative; reference:md5,b1fcab441a1221b33206924f12af64a0; reference:url,intezer.com/blog/ddos/chinaz-updates-toolkit-by-introducing-new-undetected-malware/; classtype:command-and-control; sid:2029839; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; http.host; content:"checkip.dyndns.org"; fast_pattern; depth:18; endswith; classtype:external-ip-check; sid:2021378; rev:5; metadata:created_at 2015_07_02, former_category POLICY, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE M3RAT CnC Checkin Outbound"; flow:established,to_server; content:"infoHacKed*"; depth:11; fast_pattern; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*Beta"; isdataat:!1,relative; reference:md5,5627e7aba7168aefe878e9251392542e; classtype:command-and-control; sid:2030144; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family M3RAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".exe"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2016141; rev:7; metadata:created_at 2013_01_03, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (aw)"; flow:established,to_server; dsize:<50; content:"aw|7c 7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Session"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2009512; classtype:trojan-activity; sid:2009512; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (in)"; flow:established,from_server; dsize:<50; content:"in|7c 7c|Screen_Numbers|7c 7c|"; nocase; depth:20; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2030141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.Rean Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; pcre:"/\/\d{10}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; fast_pattern; endswith; http.protocol; content:"HTTP/1.0"; reference:url,www.threatexpert.com/report.aspx?md5=0a998a070beb287524f9be6dd650c959; classtype:command-and-control; sid:2013339; rev:8; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (ds)"; flow:established,to_server; dsize:<50; content:"ds|7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c 7c|"; distance:0; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check"; flow:established,to_server; urilen:1; http.user_agent; content:"|3b 20|MSIE|20|"; fast_pattern; http.host; content:"www.google.com"; depth:14; endswith; http.accept; content:"*/*"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:59; endswith; classtype:trojan-activity; sid:2018242; rev:7; metadata:created_at 2014_03_10, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Screenshot Outbound"; flow:established,to_server; content:"|40 7c 7c|"; depth:3; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01|"; within:100; content:"|7c|Boss2019|7c|"; fast_pattern; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030143; rev:3; metadata:affected_product Windows_DNS_server, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.host; content:"api.wipmania.com"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; classtype:trojan-activity; sid:2015800; rev:10; metadata:created_at 2012_10_12, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer Init Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"guid="; depth:5; content:"&crederror="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installer)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Installer"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Download URI Struct with no referer"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\d+\/\d+\.exe$/"; http.user_agent; content:!"LogitechUpdate"; depth:14; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2021245; rev:9; metadata:created_at 2015_06_10, updated_at 2020_11_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; dns.query; content:".flnet.org"; nocase; endswith; classtype:bad-unknown; sid:2014500; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - MAL_REFERER"; flow:established,to_server; http.method; content:"GET"; http.header; content:"&bvm=bv.81"; fast_pattern; content:"|2c|d."; distance:6; within:3; content:"|0d 0a|"; distance:3; within:2; content:"Referer|3a 20|https|3a|//www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd="; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R"; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}\r\n/R"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2024004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P possible torrent download"; flow:established,to_server; http.uri; content:".torrent"; nocase; endswith; http.host; content:!"mapfactor.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:10; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
+#alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; flow:established,to_server; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; reference:url,doc.emergingthreats.net/2009286; classtype:bad-unknown; sid:2009286; rev:4; metadata:created_at 2010_07_30, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious double Server Header"; flow:from_server,established; http.header_names; content:"|0d 0a|Server|0d 0a|"; content:"Server|0d 0a|"; distance:0; http.response_line; content:"HTTP/1.1 200"; depth:12; endswith; classtype:trojan-activity; sid:2012707; rev:7; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_09_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:established,to_client; http.response_line; content:"HTTP/1.1 405 Method Not Allowed"; depth:31; endswith; nocase; file.data; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010520; classtype:web-application-attack; sid:2010520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031200; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent Containing .exe"; flow:established,to_server; http.uri; content:!"CTX_"; http.header; content:!"lnssatt.exe"; http.user_agent; content:".exe"; nocase; endswith; fast_pattern; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; content:!"vsee.exe"; nocase; http.host; content:!"gfi.com"; content:!"pandasoftware.com"; classtype:trojan-activity; sid:2013224; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag User_Agent, updated_at 2020_09_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031201; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; http.host; content:".3322.net"; endswith; classtype:misc-activity; sid:2014788; rev:9; metadata:created_at 2012_05_18, updated_at 2020_09_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031202; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; dns.query; content:"networksecurityx.hopto.org"; endswith; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:6; metadata:created_at 2014_01_24, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031203; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; dns.query; content:".dtdns.net"; nocase; endswith; classtype:bad-unknown; sid:2014492; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031204; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2013684; rev:6; metadata:created_at 2011_09_21, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-05-26"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:t(?:dcanadatrust|escobank|radekey)|r(?:ealtyexecutive|bcd)s|x(?:finity|oom)|ourtime)\.com|a(?:s(?:perasoft\.com|b\.co\.nz)|(?:ccesbankplc|nz)\.com|mazon\.co\.uk|ruba\.it)|m(?:(?:icrosoftstore|organstanley|sn)\.com|a(?:de-in-china\.com|il\.ru))|s(?:(?:eniorpeoplemeet|cotiabank)\.com|antander\.co\.uk|uddenlink\.net)|c(?:o(?:(?:ldwellbankerpreviews|x)\.com|mpresso\.co\.th)|fapubs\.org)|w(?:e(?:althmanagement\.com|bmail\.sfr\.fr)|ww-01\.ibm\.com)|l(?:(?:endingtree|loydsbank)\.com|abanquepostale\.mobi)|v(?:(?:aluewalk|ideotron)\.com|erifyemailaddress\.org)|n(?:a(?:tionwide\.co\.uk|vyfederal\.org)|etsuite\.com)|b(?:a(?:nquepopulaire\.fr|9hus\.in)|iztree\.com)|i(?:nternetbanking\.caixa\.gov\.br|cloud\.com)|d(?:iscoverbank\.com|hl\.co\.uk)|k(?:iwibank\.co\.nz|eybank\.com)|fidelitybank\.ng|paypal\.fr|ebay\.it)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032681; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2014493; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Postcode.php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"postcode="; depth:9; content:!"&"; distance:0; classtype:credential-theft; sid:2029849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kelihos.F EXE Download Common Structure"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:12; metadata:created_at 2013_10_15, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|7c 20|Processor|3a 20|"; content:"|7c 20|Cores|3a 20|"; distance:0; content:"|7c 20|Videocard|3a 20|"; distance:0; content:"|7c 20|SmartScreen|3a 20|"; distance:0; content:"|7c 20|Defender|3a 20|"; distance:0; content:"|7c 20|Antivirus|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer; classtype:command-and-control; sid:2029813; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.me"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030881; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/Adobe/Excel Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"function script()"; nocase; content:"#email_field"; nocase; distance:0; fast_pattern; content:"#password_field"; nocase; distance:0; content:"click_to_download()"; nocase; distance:0; content:"Wrong Email Format"; nocase; distance:0; content:"make_the_delay()"; nocase; distance:0; classtype:social-engineering; sid:2032669; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.net"; bsize:9; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030882; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ModPipe CnC Activity (POST)"; flow:established,to_server; http.start; content:"POST /robots.txt HTTP/1."; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 8.0|3b 20|Windows|20|NT|20|6.1|3b 20|Trident/4.0)"; depth:63; isdataat:!1,relative; http.header_names; content:"Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/; classtype:command-and-control; sid:2031208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Exfil Domain (imags .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"imags.pw"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030883; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; http.uri; content:".jar"; fast_pattern; http.header; content:"|20|Java/1"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2015483; rev:6; metadata:created_at 2012_07_18, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:!"driftmania"; http.user_agent; content:"Mozilla"; depth:7; http.host; content:!"coreftp.com"; http.request_body; content:"data="; depth:5; fast_pattern; pcre:"/^[A-F0-9]{100,}$/R"; http.header_names; content:!"Referer"; reference:md5,a3440b6117f3783989683753c9f394dd; classtype:command-and-control; sid:2022504; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_10, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alphacrypt, malware_family TeslaCrypt, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot downloader Installing Zeus"; flow:to_server,established; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.uri; content:".exe"; fast_pattern; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; depth:30; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 29 0d 0a|Host|3a 20|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; endswith; classtype:trojan-activity; sid:2018421; rev:5; metadata:created_at 2014_04_25, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; dns.query; content:".myftp.biz"; nocase; endswith; classtype:bad-unknown; sid:2013823; rev:5; metadata:created_at 2011_11_04, former_category HUNTING, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to .burpcollector .net Domain"; dns.query; content:".burpcollector.net"; nocase; endswith; classtype:policy-violation; sid:2029826; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Headers - Likely CnC Beacon"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Connection|0d 0a|"; depth:28; content:!"Referer"; content:!"Accept-"; content:"User-Agent|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2019755; rev:6; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Lazarus Nukesped Downloader"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.header; content:"Accept-Language|3a 20|ko-KR|3b|q="; http.request_body; content:"fn="; depth:3; nocase; content:".gif&code="; nocase; distance:0; fast_pattern; pcre:"/^fn=[^&]*\.gif&code=\d+$/i"; reference:url,www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/; classtype:command-and-control; sid:2031207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_articles"; depth:13; fast_pattern; content:"/"; endswith; http.header_names; content:"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:md5,9a705a2c25a8b30de80e59dbb9adab83; classtype:command-and-control; sid:2018644; rev:6; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2020_09_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns_query; content:".authentication.directory"; nocase; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029834; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Checkin 2"; flow:to_server,established; urilen:20; http.method; content:"POST"; http.uri; content:"/forum/viewtopic.php"; endswith; http.user_agent; content:"Windows 98)"; endswith; fast_pattern; http.content_type; content:"application/octet-stream"; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:command-and-control; sid:2016550; rev:8; metadata:created_at 2013_01_11, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/util.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,5aa703c714e3fa012289bb521687cb0f; classtype:command-and-control; sid:2029837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, malware_family KPOT_Stealer, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - www.ip.cn"; flow:established,to_server; http.host; content:"www.ip.cn"; depth:9; endswith; classtype:external-ip-check; sid:2021600; rev:5; metadata:created_at 2015_08_06, former_category POLICY, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; http.user_agent; content:"AnyDesk"; depth:7; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027762; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 3"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; content:"Windows 98)"; fast_pattern; distance:0; endswith; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:command-and-control; sid:2014234; rev:13; metadata:created_at 2012_02_17, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Server Reporting)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"log=save&session_id="; depth:20; fast_pattern; content:"&value="; distance:0; pcre:"/^log=save&session_id=[^&]+&value=[^&]+$/"; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".8800.org"; endswith; classtype:misc-activity; sid:2014784; rev:8; metadata:created_at 2012_05_18, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.AAIB Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.user_agent; content:"WinHttpClient"; bsize:13; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; reference:md5,0e3b41da52382744e5b2c1c38be00f04; reference:url,www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf; classtype:command-and-control; sid:2029893; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain .ntkrnlpa.info Lookup"; dns.query; content:".ntkrnlpa.info"; nocase; endswith; classtype:trojan-activity; sid:2012729; rev:6; metadata:created_at 2011_04_26, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Redkeeper Ransomware Domain"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwex.com"; nocase; endswith; classtype:domain-c2; sid:2029898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VBKrypt.cugq/Umbra Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bot.php"; nocase; fast_pattern; endswith; http.request_body; content:"mode="; nocase; pcre:"/^\d/Ri"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:command-and-control; sid:2018518; rev:10; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2020_09_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/JSSLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=domenuscdm.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029920; rev:2; metadata:attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin"; flow:established,to_server; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z-_]+?\.(php|html)$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016553; rev:6; metadata:created_at 2013_03_07, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command"; flow: established,to_client; http.stat_code; content:"200"; file.data; content:"<?xml"; depth:5; content:"|22|JScript|22|><![CDATA[ eval("; within:500; fast_pattern; pcre:"/%comSpec%\s\/c\s(?:(?:\\x50)|(?:\\x70)|[Pp])\^?(?:(?:\\x4f)|(?:\\x5f)|[Oo])\^?(?:(?:\\x57)|(?:\\x77)|[Ww])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x52)|(?:\\x72)|[Rr])\^?(?:(?:\\x53)|(?:\\x73)|[Ss])\^?(?:(?:\\x48)|(?:\\x68)|[Hh])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x2e)|\.)\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x58)|(?:\\x78)|[Xx])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?\s/R"; classtype:trojan-activity; sid:2025558; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; http.host; content:".mooo.com"; endswith; classtype:bad-unknown; sid:2015634; rev:6; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ModPipe CnC Activity (Response)"; flow:established,to_client; http.stat_code; content:"405"; file.data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d|"; fast_pattern; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector; classtype:command-and-control; sid:2031209; rev:1; metadata:created_at 2020_11_16, former_category MALWARE, performance_impact Moderate, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Simda.C Checkin"; flow:established,to_server; http.uri; content:"/?"; nocase; http.uri.raw; content:"=%96%"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Trident/4.0|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 3.0.04506.590|3b 20|.NET CLR 3.0.04506.648|3b 20|.NET CLR 3.5.21022|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:command-and-control; sid:2016300; rev:7; metadata:created_at 2012_07_19, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.host; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_len; byte_test:0,>,4000,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:command-and-control; sid:2025455; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; threshold: type limit, track by_dst, count 3, seconds 60; http.method; content:"HEAD"; http.user_agent; content:"Mozilla/5.0 Jorgee"; depth:18; endswith; fast_pattern; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:6; metadata:created_at 2015_06_26, former_category WEB_SERVER, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"Accept-Language|3a 20|"; distance:0; content:"auth255|3a 20|login"; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; content:"Accept-Encoding|3a 20|gzip, deflate"; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{2}){23,60}$/R"; classtype:command-and-control; sid:2025530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query Domain .bit"; dns.query; content:".bit"; nocase; endswith; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:5; metadata:created_at 2013_10_30, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>200; content:"/q/?q="; startswith; pcre:"/^[a-zA-Z0-9_-]+/R"; http.user_agent; content:"User-Agent|3a 20|"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:pup-activity; sid:2029055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.top domain - Likely Hostile"; threshold:type limit, track by_src, count 1, seconds 30; dns.query; content:".top"; nocase; endswith; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check"; flow:established,to_server; http.method; content:"GET"; urilen:1; http.header; content:"User-Agent|3a 20|WinHTTP loader/"; fast_pattern; http.host; bsize:21; content:"checkip.amazonaws.com"; http.header_names; content:!"Referer"; reference:md5,730b66cd89c8b4751dbe2c5158701a0b; classtype:trojan-activity; sid:2032216; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, malware_family AnchorTrickBot, signature_severity Major, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; dns.query; content:".8866.org"; endswith; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:8; metadata:created_at 2011_04_28, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.parody)"; dns.query; content:".parody"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029954; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak HTTP CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"PHPSESSID="; depth:10; fast_pattern; pcre:"/^[A-F0-9]{32}$/R"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; depth:24; endswith; http.header_names; content:!"IBM-PROXY-WTE"; nocase; classtype:command-and-control; sid:2022225; rev:10; metadata:created_at 2015_12_07, former_category MALWARE, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)"; dns.query; content:".libre"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029958; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppift.net"; dns.query; content:"ppift.net"; nocase; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015460; rev:6; metadata:created_at 2012_07_12, former_category MALWARE, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.bbs)"; dns.query; content:".bbs"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029960; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup fasternation"; dns.query; content:"fasternation.net"; nocase; endswith; classtype:trojan-activity; sid:2019695; rev:4; metadata:created_at 2014_11_11, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.null)"; dns.query; content:".null"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029963; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice11.ru)"; dns.query; content:"ddnservice11.ru"; nocase; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020065; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)"; dns.query; content:".pirate"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029964; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 29|"; fast_pattern; endswith; http.header_names; content:!"BlueCoat"; nocase; classtype:trojan-activity; sid:2014002; rev:11; metadata:created_at 2011_12_08, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oss)"; dns.query; content:".oss"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029966; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; dns.query; content:".3d-game.com"; nocase; endswith; classtype:bad-unknown; sid:2014478; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.epic)"; dns.query; content:".epic"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029967; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork DNS Tunneling (nsn1.winodwsupdates .me)"; dns.query; content:".nsn1.winodwsupdates.me"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.indy)"; dns.query; content:".indy"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029968; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (randreports .org in DNS Lookup)"; dns.query; content:"randreports.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025073; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.gopher)"; dns.query; content:".gopher"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029969; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (rannd .org in DNS Lookup)"; dns.query; content:"rannd.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)"; dns.query; content:".coin"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029971; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cz.cc Domain"; dns.query; content:".cz.cc"; endswith; nocase; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:6; metadata:created_at 2010_09_27, former_category HUNTING, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.emc)"; dns.query; content:".emc"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029972; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow:established,to_server; http.host; content:".co.cc"; endswith; classtype:bad-unknown; sid:2011374; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.bazar)"; dns.query; content:".bazar"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029973; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; http.host; content:".hopto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:5; metadata:created_at 2014_03_04, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for FurNIC TLD (.fur)"; dns.query; content:".fur"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029974; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, signature_severity Informational, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.cu.cc domain"; dns.query; content:".cu.cc"; nocase; endswith; classtype:bad-unknown; sid:2013172; rev:5; metadata:created_at 2011_07_02, former_category HUNTING, updated_at 2020_09_15;)
+alert http $HOME_NET any -> [92.63.0.0/16,91.218.114.0/24,149.56.245.196] any (msg:"ET MALWARE Maze/ID Ransomware Activity"; flow:established,to_server; urilen:>1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv|3a|11.0) like Gecko"; depth:72; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,f83fb9ce6a83da58b20685c1d7e1e546; reference:md5,9823800f063a1d4ee7a749961db7540f; classtype:trojan-activity; sid:2027392; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, tag Maze, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; http.host; content:".osa.pl"; endswith; classtype:bad-unknown; sid:2014037; rev:6; metadata:created_at 2011_12_22, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"clipbutton.com.br"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029991; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to Free Hosting Domain (freevnn . com)"; dns.query; content:".freevnn.com"; nocase; endswith; reference:md5,18c1c99412549815bdb89c36316243a7; classtype:bad-unknown; sid:2024235; rev:5; metadata:created_at 2017_04_21, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"tivents.de"; nocase; bsize:10; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029992; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic .bin download from Dotted Quad"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; endswith; http.user_agent; content:!"McAfee Agent"; content:!"NetClient/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; classtype:trojan-activity; sid:2018752; rev:12; metadata:created_at 2014_07_22, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader - HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"mac="; fast_pattern; nocase; content:"key="; content:"ver="; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,doc.emergingthreats.net/2009549; classtype:trojan-activity; sid:2009549; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; http.uri; content:"/image/"; depth:7; content:".exe"; distance:0; endswith; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/i"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:5; metadata:created_at 2016_03_16, former_category CURRENT_EVENTS, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Set"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/count.php?m=c&n="; content:"_"; distance:0; content:"@"; distance:0; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:trojan-activity; sid:2014803; rev:9; metadata:created_at 2011_11_05, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (blacklister .nl in DNS Lookup)"; dns.query; content:"blacklister.nl"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025079; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Malvertising Related Domain"; dns.query; content:"gdprcountryrestriction.com"; nocase; bsize:26; reference:url,duo.com/labs/research/crxcavator-malvertising-2020; classtype:pup-activity; sid:2030014; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (bigboatreps .pw in DNS Lookup)"; dns.query; content:"bigboatreps.pw"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025078; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.2access.xyz"; nocase; bsize:15; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030023; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs Common POST Header Structure"; flow:established,to_server; urilen:10<>20; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:!"NSIS|5f|Inetc |28|Mozilla|29|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:62; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,d11a453d4de6e6fd991967d67947c0d7; classtype:trojan-activity; sid:2021995; rev:5; metadata:created_at 2015_10_23, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.nsogroup.com"; nocase; bsize:16; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030024; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; http.user_agent; content:"API-Guide test program"; depth:22; nocase; endswith; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.qtechnologies.com"; nocase; bsize:21; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030025; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS .scr file download"; flow:established,to_server; http.uri; content:".scr"; endswith; fast_pattern; http.host; content:!"kaspersky.com"; classtype:trojan-activity; sid:2018231; rev:7; metadata:created_at 2014_03_07, former_category INFO, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"oldgoldcities.com"; nocase; bsize:17; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030026; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection "; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.google.com"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|Host|0d 0a|Pragma|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:command-and-control; sid:2012645; rev:7; metadata:created_at 2011_04_06, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_22, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake AV Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; endswith; http.request_body; content:"data="; fast_pattern; depth:5; pcre:"/^data=[a-zA-Z0-9+\/]{64}/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2011912; rev:9; metadata:created_at 2010_11_09, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Win32/Cridex Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z0-9+]+?\/){3}$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Host|3a 20|"; depth:19; content:"Cache-Control|3a 20|no-cache"; distance:0; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080$/"; http.connection; content:"Keep-Alive"; bsize:10; http.content_len; byte_test:0,>,99,0,string,dec; byte_test:0,<,1000,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:command-and-control; sid:2017305; rev:5; metadata:created_at 2013_08_09, former_category MALWARE, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; depth:30; http.request_body; content:"data="; depth:5; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|Host|0d 0a|"; depth:30; content:"User-Agent|0d 0a|"; distance:0; content:"Content-Length|0d 0a|"; distance:0; classtype:trojan-activity; sid:2012627; rev:5; metadata:created_at 2011_04_04, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK Related Domain in DNS Lookup"; dns.query; content:"sophosfirewallupdate.com"; nocase; bsize:24; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030031; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; dns.query; content:".xxx"; nocase; endswith; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:4; metadata:created_at 2011_03_21, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK CnC Domain in DNS Lookup"; dns.query; content:"sophosproductupdate.com"; nocase; bsize:23; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030033; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jadtree Downloader rar"; flow:established,to_server; http.uri; content:".rar"; nocase; endswith; http.user_agent; bsize:4; pcre:"/^\d{4}$/"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:5; metadata:created_at 2014_01_30, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"forgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030041; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (GeneralDownloadApplication)"; flow:to_server,established; http.user_agent; content:"GeneralDownloadApplication"; depth:26; endswith; classtype:pup-activity; sid:2025092; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"bestgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030042; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; http.host; content:".vv.cc"; endswith; classtype:bad-unknown; sid:2012827; rev:8; metadata:created_at 2011_05_19, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"thegame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030043; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; http.uri; content:"/ip.txt"; nocase; endswith; fast_pattern; http.header; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http.user_agent; content:!"Mozilla"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:6; metadata:created_at 2013_05_31, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"newgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030044; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; http.host; content:".suroot.com"; endswith; classtype:bad-unknown; sid:2014511; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"portgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030045; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; http.host; content:".xxx"; endswith; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:6; metadata:created_at 2011_04_20, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns.query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026486; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ho"; content:"ping/mod_"; within:10; fast_pattern; content:"/"; distance:0; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:7; metadata:created_at 2014_11_20, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; flow:established,to_server; tls.sni; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026487; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2web)"; dns.query; content:".tor2web"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2015576; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"mine.remaariegarcia.com"; nocase; bsize:23; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030089; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Myvnc.com"; flow:established,to_server; http.host; content:".myvnc.com"; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018213; rev:5; metadata:created_at 2014_03_04, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"egg.stralisemariegar.com"; nocase; bsize:24; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030090; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?v"; content:"&tq="; pcre:"/\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq=/"; http.user_agent; content:"mozilla/2.0"; fast_pattern; depth:11; endswith; classtype:command-and-control; sid:2012939; rev:10; metadata:created_at 2011_06_07, former_category MALWARE, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"api.anaehler.com"; nocase; bsize:16; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030091; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config"; fast_pattern; content:".jpg"; distance:0; endswith; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/"; http.header; content:"Cache-Control|3a 20|no-cache"; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:7; metadata:created_at 2015_07_23, former_category TROJAN, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.dev"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; http.uri; content:"od"; offset:2; depth:2; nocase; content:".exe"; nocase; endswith; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/i"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:7; metadata:created_at 2014_04_16, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.xyz"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup intohave"; dns.query; content:"intohave.com"; nocase; endswith; classtype:trojan-activity; sid:2019694; rev:4; metadata:created_at 2014_11_11, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IXWARE Stealer CnC Activity"; flow:established,to_server; http.request_body; content:"checkAcc="; startswith; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.start; content:"POST /stubCheck HTTP/"; depth:21; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:command-and-control; sid:2030098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"post="; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022280; rev:5; metadata:created_at 2015_12_18, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud DNS Lookup (count.trackstatisticsss .com)"; dns.query; content:"count.trackstatisticsss.com"; nocase; bsize:27; classtype:bad-unknown; sid:2030099; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi Remote File Injector Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/ggu.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; depth:11; endswith; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:command-and-control; sid:2016967; rev:5; metadata:created_at 2013_06_03, former_category MALWARE, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE WEBMONITOR RAT CnC Domain in DNS Lookup (dabmaster.wm01 .to)"; dns.query; content:"dabmaster.wm01.to"; nocase; bsize:17; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/webmonitor-rat-bundled-with-zoom-installer/?web_view=true; classtype:command-and-control; sid:2030100; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; dns.query; content:".bbsindex.com"; nocase; endswith; classtype:bad-unknown; sid:2014484; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (1 space)"; flow:to_server,established; http.header; content:"User-Agent|3a 20 0d 0a|"; http.host; content:!"connectivitycheck.gstatic.com"; endswith; content:!".mcafee.com"; content:!"deezer.com"; endswith; content:!"googlezip.net"; content:!"metrics.tbliab.net"; endswith; content:!"dajax.com"; endswith; content:!"update.eset.com"; endswith; content:!".sketchup.com"; endswith; content:!".yieldmo.com"; endswith; content:!"ping-start.com"; endswith; content:!".bluekai.com"; content:!".stockstracker.com"; content:!".doubleclick.net"; content:!".pingstart.com"; content:!".colis-logistique.com"; content:!"android-lrcresource.wps.com"; content:!"track.package-buddy.com"; content:!"talkgadget.google.com"; endswith; content:!".visualstudio.com"; endswith; content:!".slack-edge.com"; endswith; content:!".slack.com"; endswith; content:!".lifesizecloud.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:24; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category INFO, signature_severity Major, tag User_Agent, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".mooo.com"; nocase; endswith; classtype:misc-activity; sid:2015633; rev:5; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud Domain in DNS Lookup (stat.trackstatisticsss .com)"; dns.query; content:"stat.trackstatisticsss.com"; nocase; bsize:26; reference:url,www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/; classtype:bad-unknown; sid:2030118; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.co.tv domain"; dns.query; content:".co.tv"; nocase; endswith; classtype:bad-unknown; sid:2012956; rev:6; metadata:created_at 2011_06_08, former_category HUNTING, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY moanmyip .com DNS Lookup"; dns.query; content:"moanmyip.com"; nocase; endswith; classtype:policy-violation; sid:2030127; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Mozilla/3.0"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0"; fast_pattern; depth:11; endswith; classtype:trojan-activity; sid:2012619; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_01, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EVILNUM CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register.php"; http.request_body; content:"av="; depth:3; content:"&cpu-name="; fast_pattern; distance:0; content:"&ref="; distance:0; content:"&user="; distance:0; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030125; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"RLMultySocket"; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal CnC Checkin"; flow:established,to_server; http.uri; content:".txt"; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:command-and-control; sid:2025922; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (forkinvestpay.com)"; dns.query; content:"forkinvestpay.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022045; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain in DNS Lookup"; dns.query; content:"aoacugmutagkwctu.onion"; nocase; bsize:22; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030133; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.to)"; dns.query; content:".onion.to"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020116; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain DNS Lookup"; dns.query; content:"mazedecrypt.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030134; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; endswith; classtype:coin-mining; sid:2024828; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (mazenews .top)"; dns.query; content:"mazenews.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030135; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; pcre:"/\/[0-9]{2}\.exe$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:5; metadata:created_at 2016_02_02, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (newsmaze .top)"; dns.query; content:"newsmaze.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030136; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; http.host; content:".3322.org"; endswith; classtype:misc-activity; sid:2013213; rev:8; metadata:created_at 2011_07_06, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY ipchicken .com DNS Lookup"; dns.query; content:"ipchicken.com"; nocase; endswith; classtype:policy-violation; sid:2030138; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
 
-alert dns any any -> any any (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; dns.query; content:"api.account.xiaomi.com"; nocase; endswith; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:4; metadata:created_at 2014_08_11, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=VwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcg"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f1864d53ba7512471182cd100fb96c4b; classtype:trojan-activity; sid:2030148; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.connection; content:"Close"; endswith; http.content_type; content:"octet/binary"; endswith; http.header_names; content:!"Referer"; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:command-and-control; sid:2019891; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, malware_family Dridex, performance_impact Moderate, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (corpleaks .net)"; dns.query; content:"corpleaks.net"; nocase; bsize:13; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030161; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 4"; dns.query; content:"bigdata.advmob.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (hxt254aygrsziejn .onion) DNS Lookup"; dns.query; content:"hxt254aygrsziejn.onion"; nocase; bsize:22; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030162; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; http.host; content:".sytes.net"; endswith; classtype:bad-unknown; sid:2018219; rev:9; metadata:created_at 2012_03_05, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/download.php?listfiles="; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,cd74438c04b09baa5c32ad0e5a0306e7; classtype:command-and-control; sid:2020157; rev:4; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Intial Check-in"; flow:established,to_server; http.user_agent; content:"Windows NT 5.1|3b 20|ru|3b|"; content:"Gecko/20100722 Firefox/3.6.12"; distance:0; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2016748; rev:5; metadata:created_at 2013_04_10, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header CERT.PL"; flow:established,from_server; http.content_len; byte_test:0,=,24,0,string,dec; file.data; content:"Sinkholed by CERT.PL"; within:24; fast_pattern; classtype:trojan-activity; sid:2020172; rev:4; metadata:created_at 2015_01_13, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; dns.query; content:"client-lb.dropbox.com"; nocase; endswith; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:4; metadata:created_at 2015_02_24, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (irc.eleethub .com)"; dns.query; content:"irc.eleethub.com"; nocase; bsize:16; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030195; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 42"; dns.query; content:"www.37513.cn"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022452; rev:4; metadata:created_at 2016_01_27, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (ghost.eleethub .com)"; dns.query; content:"ghost.eleethub.com"; nocase; bsize:18; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030196; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 4."; fast_pattern; nocase; http.host; content:!".weatherbug.com"; endswith; content:!".wxbug.com"; endswith; classtype:policy-violation; sid:2016871; rev:7; metadata:created_at 2013_05_20, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com)"; dns.query; content:"eleethub.com"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:trojan-activity; sid:2030197; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 3"; dns.query; content:"bigdata.adfuture.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jsp?view="; fast_pattern; content:"&os="; distance:0; content:"&address="; distance:0; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 2"; dns.query; content:"bigdata.adsunflower.com"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023516; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Avaddon Ransomware Payment Domain"; dns.query; content:"avaddonbotrxmuyl.onion.pet"; bsize:26; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Avaddon, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup)"; dns.query; content:"check.torproject.org"; nocase; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017926; rev:6; metadata:created_at 2014_01_03, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"yourcontents.xyz"; nocase; endswith; classtype:domain-c2; sid:2030333; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; content:!".tcl.tk"; content:!"tcl.tk"; depth:6; endswith; classtype:bad-unknown; sid:2012810; rev:12; metadata:created_at 2011_05_15, former_category POLICY, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"filepage.icu"; nocase; endswith; classtype:domain-c2; sid:2030332; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ipinfo.io"; flow:established,to_server; http.host; content:"ipinfo.io"; depth:9; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:external-ip-check; sid:2020716; rev:6; metadata:created_at 2015_03_19, former_category POLICY, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"datasecure.icu"; nocase; endswith; classtype:domain-c2; sid:2030331; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; http.user_agent; content:"Twisted PageGetter"; depth:18; endswith; http.host; content:"swupdate.openvpn.net"; fast_pattern; depth:20; endswith; classtype:policy-violation; sid:2014799; rev:5; metadata:created_at 2012_05_22, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"x-flash-version|3a 20|"; content:!"32.0.0.387|0d 0a|"; within:12; content:!"32,0,0,387|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:127; metadata:affected_product Adobe_Flash, created_at 2012_05_09, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"; dns.query; content:"myip.opendns.com"; nocase; endswith; classtype:external-ip-check; sid:2023472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,200,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; dns.query; content:"ipapi.co"; nocase; endswith; classtype:external-ip-check; sid:2024527; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.accept; content:"text/html, */*"; depth:14; endswith; http.accept_enc; content:"identity"; depth:8; endswith; http.content_len; byte_test:0,>,50000,0,string,dec; byte_test:0,<,120000,0,string,dec; http.start; content:".php HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Length|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5b2eca6abe1903955d1dfd41e301e0af; classtype:targeted-activity; sid:2030122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/userinfo.php"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022769; rev:5; metadata:created_at 2016_04_27, former_category MALWARE, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (urlpush .net)"; dns.query; content:".urlpush.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030379; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tc domain"; flow:established,to_server; http.host; content:".tc"; endswith; classtype:bad-unknown; sid:2013535; rev:7; metadata:created_at 2011_09_06, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (free247downloads .com)"; dns.query; content:"free247downloads.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030380; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ipecho.net"; flow:established,to_server; http.host; content:"ipecho.net"; depth:10; endswith; classtype:external-ip-check; sid:2022351; rev:5; metadata:created_at 2016_01_11, former_category POLICY, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Staging Domain in DNS Query"; dns.query; content:"dnsresolve.live"; nocase; endswith; classtype:domain-c2; sid:2030378; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Patchwork, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; http.user_agent; content:"HTTPGET"; depth:7; http.host; content:!"autodesk.com"; endswith; content:!"rsa.com"; endswith; content:!"consumersentinel.gov"; endswith; content:!"technet.microsoft.com"; endswith; content:!"metropolis.com"; endswith; content:!"www.catalog.update.microsoft.com"; endswith; classtype:trojan-activity; sid:2013508; rev:14; metadata:created_at 2011_08_31, former_category TROJAN, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil Google Drive Download"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; http.host; content:"drive.google.com"; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030438; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)"; dns.query; content:"l2.io"; endswith; classtype:external-ip-check; sid:2024831; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms6-upload-serv3.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030418; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart JS Retrieval"; flow:established,to_server; http.uri; content:"/122002/assets/js/widget.js"; bsize:27; fast_pattern; http.host; content:"mcdnn"; startswith; pcre:"/\.(?:me|net)$/WR"; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030884; rev:1; metadata:created_at 2020_09_15, former_category MALWARE, performance_impact Low, updated_at 2020_11_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"updt-servc-app2.com"; bsize:19; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030419; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; http.user_agent; content:"SOGOU_UPDATER"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cdn2-system3-secrv.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030420; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)"; dns.query; content:"onion.plus"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025095; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"file3-netwk-system.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030421; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com)"; dns.query; content:"wh47f2as19.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020869; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category POLICY, malware_family TeslaCrypt, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"service-net2-file.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030422; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup)"; dns.query; content:"onion.casa"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025096; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-access-sec43.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030423; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request"; flow:established,to_server; http.uri; content:"/genericons/example.html"; endswith; fast_pattern; reference:url,blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html; classtype:web-application-attack; sid:2021062; rev:5; metadata:created_at 2015_05_06, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"network-msx-system33.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030424; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com)"; dns.query; content:"7hwr34n18.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020844; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_06, deployment Perimeter, former_category POLICY, malware_family TeslaCrypt, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mx3-rewc-state.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030425; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 9d 26 66 9a 26 66 9d 42 70 9d 31 10 ed 26 66 98 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd3-srv-system-app.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030426; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart Exfil URI"; flow:established,to_server; http.uri; content:"/502.jsp"; fast_pattern; http.host; content:"imags.pw"; endswith; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030885; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"syse-update-app4.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030427; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-cdn5-mx8.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030428; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 66 8b 30 61 8b 30 66 ef 26 66 9c 46 16 8b 30 63 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"secure-upd21-app2.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030429; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 96 26 66 98 40 70 9d 30 11 e8 40 70 9d 34 70 9c 47|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms21-app3-upload.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030430; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3b 70 9d 35 16 8b 30 66 ea 45 16 8b 30 62 8b 31 11|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"apt5-secure3-state.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030431; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6d 8b 30 63 ed 26 66 9d 47 13 ed 26 66 99 26 67 ea|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd8-sys2-apt.com"; bsize:17; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030432; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 99 26 66 9c 47 70 9d 35 70 9d 34 70 9d 3a 17 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"update5-sec3-system.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030433; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 34 70 9d 31 11 8b 30 63 8b 30 62 8b 30 6c ec 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"state-awe3-apt.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030434; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 62 8b 30 67 ea 26 66 98 26 66 99 26 66 97 41 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"advertstv.com"; bsize:13; classtype:domain-c2; sid:2030459; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 46 70 9d 36 70 9d 37 70 9d 37 17 8b 30 60 8b 30 62 8b 30 61 8b 31 11|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"amazingdonutco.com"; bsize:18; classtype:domain-c2; sid:2030461; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 10 8b 30 60 8b 30 61 8b 30 61 ec 26 66 9b 26 66 99 26 66 9a 26 67 ea|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mwebsoft.com"; bsize:12; classtype:domain-c2; sid:2030463; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 eb 26 66 9b 26 66 9a 26 66 9a 41 70 9d 36 70 9d 34 70 9d 37 70 9c 47|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"rostraffic.com"; bsize:14; classtype:domain-c2; sid:2030465; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"typiconsult.com"; bsize:15; classtype:domain-c2; sid:2030467; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cddn .site)"; dns.query; content:"cddn.site"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030480; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cxizi .net)"; dns.query; content:"cxizi.net"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030481; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 40 70 9d 32 14 e8 47 17 8b 30 65 ef 26 67 ea|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (yzxi .net)"; dns.query; content:"yzxi.net"; nocase; bsize:8; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030482; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 16 8b 30 64 ef 45 11 ec 26 66 9e 42 70 9c 47|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TaurusStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"zyvcin.xyz"; bsize:10; classtype:domain-c2; sid:2030477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ed 26 66 9f 42 13 ea 41 70 9d 33 14 8b 31 11|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 6 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|YOU|20|BETTER|20|READ|20|THIS|0d|"; fast_pattern; content:"COLLECTED|20|ALL|20|YOUR|20|FILES"; content:"in|20|Bitcoin"; nocase; content:"receiving|20|the|20|Bitcoin"; nocase; threshold: type limit, count 1, seconds 30, track by_src; classtype:command-and-control; sid:2031210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_11_17, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 41 11 8b 30 65 8b 30 6d 8b 30 61 8b 30 61 8b 30 63 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi (Outbound)"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2030503; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 17 ea 26 66 9e 26 66 96 26 66 9a 26 66 9a 26 66 98 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ml Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ml"; endswith; fast_pattern; classtype:credential-theft; sid:2026532; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ec 47 70 9d 33 70 9d 3b 70 9d 37 70 9d 37 70 9d 35 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .cf Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".cf"; endswith; fast_pattern; classtype:credential-theft; sid:2026533; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeXPA Checkin URL"; flow:established,to_server; http.uri; content:"/firstrun.php?product="; nocase; fast_pattern; content:"&aff="; nocase; distance:0; content:"&update="; nocase; distance:0; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/2008152; classtype:command-and-control; sid:2008152; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ga Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ga"; endswith; fast_pattern; classtype:credential-theft; sid:2026534; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/Feebs.kw Worm User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/4.7 [en] (WinNT"; depth:23; fast_pattern; reference:url,doc.emergingthreats.net/2007767; classtype:trojan-activity; sid:2007767; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gq Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gq"; endswith; fast_pattern; classtype:credential-theft; sid:2026535; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installed OK)"; flow:established,to_server; http.user_agent; content:"Installed OK"; startswith; nocase; reference:md5,16035440878ec6e93d82c2aeea508630; classtype:bad-unknown; sid:2030880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gqn Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gqn"; endswith; fast_pattern; classtype:credential-theft; sid:2026536; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M4"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__gads="; fast_pattern; http.cookie; content:"__gads="; startswith; content:"|3b 20|_gat="; distance:0; content:"|3b 20|_ga="; distance:0; content:"|3b 20|_u="; distance:0; content:"|3b 20|__io="; distance:0; content:"|3b 20|_gid="; isdataat:!13,relative; pcre:"/^__gads=\d{9,10}:[01]:\d+:\d+:\d{2,4}\x3b\s_gat=(?:10|6)\.[0-3]\.\d{4,6}.(?:32|64)\x3b\s_ga=\d\.\d{6}\.\d+\.\d+\x3b\s_u=[0-9A-F]+:[0-9A-F]+\x3b\s__io=\d{2}_\d{9,10}_\d{9,10}_\d{9,10}\x3b\s_gid=[0-9A-F]{12}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; classtype:command-and-control; sid:2030053; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .icu Domain 2019-02-06"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".icu"; endswith; fast_pattern; classtype:credential-theft; sid:2026886; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/3.0 (compatible)"; depth:24; endswith; http.host; content:!".hddstatus.com"; endswith; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Suspicious Outbound SIG DNS Query"; content:"|00 00 18 00 01|"; fast_pattern; dns.query; pcre:"/^\d/"; classtype:bad-unknown; sid:2030547; rev:2; metadata:created_at 2020_07_16, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; http.uri; content:"/"; content:".exe"; distance:1; within:8; fast_pattern; endswith; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/"; http.header; content:!"koggames"; http.host; content:!"download.bitdefender.com"; endswith; content:!".appspot.com"; endswith; content:!"kaspersky.com"; endswith; content:!".sophosxl.net"; endswith; http.header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:12; metadata:created_at 2014_11_14, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M1"; flow:established,to_server; http.uri; content:"/+CSCOT+/translation-table?type=mst&textdomain=/|2b|CSCOE|2b|/"; fast_pattern; content:"&default-language&lang="; distance:0; http.uri.raw; content:"&default-language&lang=../"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030581; rev:3; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gdn Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gdn"; fast_pattern; endswith; classtype:bad-unknown; sid:2025097; rev:4; metadata:created_at 2017_12_02, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M2"; flow:established,to_server; http.uri; content:"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform="; fast_pattern; content:"&name=|2b|CSCOE|2b 2f|"; distance:0; http.uri.raw; content:"&platform=..&resource-type=.."; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030582; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gq domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2025100; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-06-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id1="; depth:4; nocase; content:"&id2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ga Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2025101; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ThiefQuest CnC Domain in DNS Lookup"; dns.query; content:"andrewka6.pythonanywhere.com"; nocase; bsize:28; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/updates-on-thiefquest-the-quickly-evolving-macos-malware/; classtype:command-and-control; sid:2030613; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ml Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2025102; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com)"; dns.query; content:"cloud-sources.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030636; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.cf Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; fast_pattern; endswith; classtype:bad-unknown; sid:2025103; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com)"; dns.query; content:"cdn-filestorm.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030637; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ga"; nocase; endswith; classtype:bad-unknown; sid:2025105; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com)"; dns.query; content:"chretiendaujoudhui.com"; nocase; bsize:22; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ml Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ml"; nocase; endswith; classtype:bad-unknown; sid:2025106; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com)"; dns.query; content:"leprotestant.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030639; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cf Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".cf"; nocase; endswith; classtype:bad-unknown; sid:2025107; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com)"; dns.query; content:"vie-en-islam.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030640; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gq Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".gq"; nocase; endswith; classtype:bad-unknown; sid:2025104; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org)"; dns.query; content:"viedechretien.org"; nocase; bsize:17; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030641; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ga) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ga"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025109; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com)"; dns.query; content:"www.cnaweb.mrslove.com"; nocase; bsize:22; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030642; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gq) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gq"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025108; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net)"; dns.query; content:"www.infonew.dubya.net"; nocase; bsize:21; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030643; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ml) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ml"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025110; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://www.dropbox.com/"; file.data; content:"<title>Dropbox Business</title>"; nocase; classtype:social-engineering; sid:2024403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.cf) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".cf"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025111; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gdn) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gdn"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025112; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"your PayPal account"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:log\s*in|sign\s*in)/i"; classtype:social-engineering; sid:2024391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Connection Setup Attempt"; flow:established,to_server; http.host; content:"localtunnel.me"; fast_pattern; endswith; http.header_names; content:"|0d 0a|host|0d 0a|accept"; depth:14; content:!"User-Agent"; content:!"Host"; content:!"Referer"; content:!"Accept"; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025116; rev:4; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"|20|-|20|paypal"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:s(?:e(?:nd money, pay online or set up a merchant|cure) account|uspicious (?:transaction |activities))|con(?:firm card security information|to limitato)|(?:profile updat|mot de pass)e|login)\s*-\s*paypal\s*<\/title>/i"; classtype:social-engineering; sid:2024970; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SluttyPutty Maldoc User-Agent"; flow:established,to_server; http.user_agent; content:"come-tome"; depth:9; endswith; classtype:trojan-activity; sid:2025118; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag MalDoc, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iCloud Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-Request-UUID|3a|"; file.data; content:"<title>iCloud</title>"; nocase; classtype:social-engineering; sid:2024385; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPSEL File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mipsel"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025122; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>Welcome to Facebook</title>"; nocase; classtype:social-engineering; sid:2024402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPS File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mips"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025123; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>"; nocase; content:"facebook email security"; within:40; nocase; fast_pattern; classtype:social-engineering; sid:2024451; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025124; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"Log in to Facebook"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2024807; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM7 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm7"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025125; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"About Copyright|20 7c 20|Facebook Help Center"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025137; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO x86 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025126; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Wells Fargo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"wellsfargo.com/"; file.data; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; classtype:social-engineering; sid:2025360; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO m68k File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".m68k"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025127; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M4"; flow:established,to_client; http.header; content:!".wellsfargo.com/"; file.data; content:"antiClickjack.parentNode.removeChild"; within:1000; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025295; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SPARC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".sparc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025128; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; http.header; content:"!*.paypal.com"; file.data; content:"<title></title>"; nocase; fast_pattern; content:"<meta name=|22|application-name|22 20|content=|22|PayPal"; distance:0; classtype:social-engineering; sid:2024019; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, tag Phishing, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POWERPC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".powerpc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025129; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"cdnapis.com"; nocase; endswith; depth:11; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO X86_64 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86_64"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025130; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Mobile Phish 2017-08-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUPERH File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".superh"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025131; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-01-26"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&prefill_source="; nocase; distance:0; content:"&prefill_type="; nocase; distance:0; content:"&first_prefill_source="; nocase; distance:0; content:"&first_prefill_type="; nocase; distance:0; content:"&had_cp_prefilled="; nocase; distance:0; content:"&had_password_prefilled="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029665; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup)"; dns.query; content:".localtunnel.me"; endswith; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025138; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-26"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&jazoest="; nocase; distance:0; fast_pattern; content:"&m_ts="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029673; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in TLS SNI)"; flow:established,to_server; tls.sni; content:".localtunnel.me"; endswith; nocase; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025139; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY possible OnePlus phone data leakage DNS"; dns.query; content:"open.oneplus.net"; nocase; endswith; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025133; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2020-01-10"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Injected WP Keylogger/Coinminer Domain Detected (cloudflare .solutions in DNS Lookup)"; dns.query; content:"cloudflare.solutions"; endswith; reference:url,blog.sucuri.net/2017/12/cloudflare-solutions-keylogger-on-thousands-of-infected-wordpress-sites.html; classtype:coin-mining; sid:2025141; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2017_12_07, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.host; content:!"amazon.com"; endswith; content:!".amazon.co.jp"; endswith; http.request_body; content:"appActionToken="; nocase; content:"&appAction=SIGNIN"; nocase; distance:0; fast_pattern; content:"|25|40"; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032713; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:command-and-control; sid:2025142; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing Aug 19 2015"; flow:to_client,established; http.header; content:!"X-BOA-RequestID|3a|"; file.data; content:"boaVIPAAuseGzippedBundles"; fast_pattern; content:"boaVIPAAjawrEnabled"; distance:0; classtype:social-engineering; sid:2025666; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup)"; dns.query; content:"0cf5ff34.ngrok.io"; endswith; reference:url,twitter.com/struppigel/status/940239612324319232; classtype:command-and-control; sid:2025143; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineid="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032696; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=Te"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith;  reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:command-and-control; sid:2025147; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Downloader_Small_BIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".craigslist.org"; endswith; http.request_body; content:"inputEmailHandle="; nocase; content:"|25|40"; distance:0; content:"&inputPassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032686; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; depth:1; content:"/"; distance:0; endswith; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025119; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-I-Request-ID|3a|"; file.data; content:"<title>Manage your Apple ID</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024707; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; dns.query; content:"curlmyip.net"; nocase; endswith; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:external-ip-check; sid:2025154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible CIBC Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|ServerNoWhere"; file.data; content:"<title>CIBC</title>"; nocase; classtype:social-engineering; sid:2024797; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns.query; content:".gr.com"; endswith; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:5; metadata:created_at 2017_12_12, former_category HUNTING, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.1; content:"Accept|3a 20 2a 2f 2a 0d 0a 0d 0a|"; fast_pattern; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/"; http.method; content:"GET"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.host; content:!".imodules.com"; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; depth:30; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020027; rev:7; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zeus Panda CnC Domain (in DNS Lookup)"; dns.query; content:"pprulispikosqcsiwef.info"; nocase; endswith; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:command-and-control; sid:2025177; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ave Maria RAT CnC Domain in DNS Lookup (uknwn.linkpc .net)"; dns.query; content:"uknwn.linkpc.net"; nocase; bsize:16; reference:url,twitter.com/James_inthe_box/status/1293267162258272256?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email; reference:url,app.any.run/tasks/49ba0acb-fd7a-47ec-9998-cacc6eb875d5/; classtype:command-and-control; sid:2030679; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qasar Variant Domain (datapeople-cn .com in DNS Lookup)"; dns.query; content:"datapeople-cn.com"; endswith; reference:url,twitter.com/blu3_team/status/947858470816112640; classtype:trojan-activity; sid:2025179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category TROJAN, malware_family Qasar_Rat, performance_impact Moderate, signature_severity Major, tag Patchwork, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-12"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; content:!".messenger.com"; endswith; http.request_body; content:"jazoest="; depth:8; nocase; fast_pattern; content:"&lsd="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029672; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jul 2017"; dns.query; content:"ab1abad1d0c2a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GratefulPOS Covert DNS CnC Initial Checkin"; dns.query; content:".grp"; within:12; content:"ping.adm."; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:command-and-control; sid:2025144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Grateful_POS, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Aug 2017"; dns.query; content:"ab8cee60c2d.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Base64 Obfuscated Phishing Landing 2015-11-30"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv=|22|Refresh|22|"; within:100; fast_pattern; nocase; content:"content=|22|0|3b 20|URL="; nocase; distance:1; content:"data|3a|text/html|3b|base64,"; nocase; within:25; classtype:social-engineering; sid:2031906; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Sep 2017"; dns.query; content:"ab1145b758c30.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; pcre:"/^\/v0\/b\/(?:send|hit|few|lik|mtn|eli|rfda)\d.*\.appspot\.com\//i"; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031211; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Oct 2017"; dns.query; content:"ab890e964c34.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; depth:5; content:"&pt="; within:20; fast_pattern; http.user_agent; pcre:"/^[a-f0-9]{32}$/i"; http.request_body; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:command-and-control; sid:2025598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, malware_family Autoit_NU, performance_impact Low, signature_severity Major, tag Dropper, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Nov 2017"; dns.query; content:"ab3d685a0c37.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake 404 With Hidden Login Form"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>404 Not Found</title>"; fast_pattern; depth:28; content:"background-color|3a 23|fff|3b|"; distance:0; content:"<form method=post>"; distance:0; content:"input type=password"; within:50; classtype:trojan-activity; sid:2025872; rev:3; metadata:attack_target Client_and_Server, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Dec 2017"; dns.query; content:"ab70a139cc3a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024718; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:command-and-control; sid:2026113; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_14, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jan 2018"; dns.query; content:"ab3c2b0d28ba6.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"on|20|error|20|resume|20|next"; nocase; content:".regwrite|20 22|"; distance:0; content:"|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"; within:80; fast_pattern; reference:md5,cac1aedbcb417dcba511db5caae4b8c0; classtype:trojan-activity; sid:2026427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_28, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Persistence, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Feb 2018"; dns.query; content:"ab99c24c0ba9.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pvtchat.live"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031215; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Mar 2018"; dns.query; content:"ab2e1b782bad.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"email="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031212; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Apr 2018"; dns.query; content:"ab253af862bb0.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024819; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"#"; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031213; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 2018"; dns.query; content:"ab2d02b02bb3.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024820; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"login="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2018"; dns.query; content:"ab1b0eaa24bb6.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024821; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String"; nocase; content:"-Path|20|C|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; content:"start-process|20|c|3a 5c|windows|5c|system32|5c|wscript.exe|20|-ArgumentList|20 22|c|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; fast_pattern; content:".vbe|22|"; within:20; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026677; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jul 2018"; dns.query; content:"abf09fc5abba.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024822; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/LamePyre Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?uid="; pcre:"/^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$/Ri"; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|scr|22 3b 20|filename=|22|"; fast_pattern; content:".png|22 0d 0a|"; within:30; http.header_names; content:!"Referer"; reference:md5,1dc949fbb35b816b3046731d8db98a3d; reference:url,objective-see.com/blog/blog_0x3C.html; classtype:trojan-activity; sid:2026823; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family LamePyre, performance_impact Moderate, signature_severity Major, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Aug 2018"; dns.query; content:"abce85a51bbd.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024823; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"REDIR|3b|"; depth:15; content:"|7c 2d 7c|http"; within:50; fast_pattern; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Sep 2018"; dns.query; content:"abccc097dbc0.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024824; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apply.cgi"; depth:10; http.request_body; content:"submit_button="; depth:14; content:"&submit_type=start_ping"; distance:0; fast_pattern; content:"&ping_size="; distance:0; content:"|3b|"; within:30; reference:url,www.exploit-db.com/exploits/24936; classtype:attempted-user; sid:2027099; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Oct 2018"; dns.query; content:"ab33b8aa69bc4.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024825; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027104; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Nov 2018"; dns.query; content:"ab693f4c0bc7.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024826; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"passwords.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027106; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Dec 2018"; dns.query; content:"ab23660730bca.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"wallet.dat"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027115; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Feb 2017"; dns.query; content:"ab6d54340c1a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027108; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Mar 2017"; dns.query; content:"aba9a949bc1d.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024709; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookie.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Apr 2017"; dns.query; content:"ab2da3d400c20.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024710; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"ccdata.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027272; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 2017"; dns.query; content:"ab3520430c23.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024711; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"google_chrome_default_"; distance:26; within:100; nocase; fast_pattern; pcre:"/^(?:logins|c(?:cdata|ookie))/Ri"; classtype:trojan-activity; sid:2027277; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2017"; dns.query; content:"ab1c403220c27.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024712; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027279; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python Monero Miner CnC DNS Query"; dns.query; content:".zsw8.cc"; endswith; pcre:"/^[a-z]\./"; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:command-and-control; sid:2025183; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Cryptominer, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wide HTA with PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/hta"; file.data; content:"W|00|s|00|c|00|r|00|i|00|p|00|t"; nocase; content:"S|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; content:"p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; fast_pattern; content:"h|00|i|00|d|00|d|00|e|00|n"; within:200; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ml)"; flow:established,to_client; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"=|20|ReadSmbResponse|28|"; content:"|20|==|20|0x72|20|&&|20|"; within:400; fast_pattern; content:"|20|==|20|00"; within:400; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027336; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gdn)"; flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025190; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|=|20|new|20|byte|5b 5d|"; content:"0xff,0x53,0x4d,0x42"; within:300; fast_pattern; content:"0x01,0x28"; distance:0; content:"0x02,0x4c,0x41,0x4e"; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gq)"; flow:established,to_client; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025191; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Inbound PowerShell Capable of Enumerating Internal Network via WMI"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|Win32_NetworkAdapterConfiguration"; nocase; content:"_.IPEnabled|20|-ne|20|$null"; within:200; nocase; content:"_.DefaultIPGateway|20|-ne|20|$null"; within:200; nocase; content:"select|20|IPAddress"; within:200; nocase; fast_pattern; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ga)"; flow:established,to_client; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025192; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<%@|20|Page|20|Language=|22|Jscript|22|%><eval|28|Request.Item|5b|"; fast_pattern; content:"|22 29 3b|%>"; within:50; classtype:trojan-activity; sid:2027341; rev:4; metadata:created_at 2019_05_09, former_category WEB_SERVER, performance_impact Low, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.cf)"; flow:established,to_client; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025193; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"powershell"; nocase; content:"-e"; within:40; nocase; content:".Get|28 22|Win32_ProcessStartup|22 29|"; distance:0; nocase; fast_pattern; content:"Process.Create|28|"; distance:0; nocase; reference:md5,f17e15a9d28a85bd41d74233859d4df4; classtype:trojan-activity; sid:2027374; rev:4; metadata:created_at 2019_05_23, former_category CURRENT_EVENTS, tag Loader, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)"; flow:established,to_client; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025194; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER BlackSquid JSP Webshell Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<|25 25|java.io.InputStream|20|"; depth:25; content:"Runtime.getRunetime|28 29|.exec|28|request"; within:50; content:".getInputStream|28 29 3b|int|20|"; distance:0; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/; classtype:attempted-admin; sid:2027433; rev:3; metadata:attack_target Web_Server, created_at 2019_06_04, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mami CnC Checkin"; flow:established,to_server; http.header; content:"User-Agent|3a 20 0d 0a|"; fast_pattern; http.request_body; content:"r="; depth:2; content:"&rc="; distance:0; http.request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; endswith; http.header_names; content:!"Referer"; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:command-and-control; sid:2025199; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_14, deployment Perimeter, former_category MALWARE, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M1 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script language=|22|"; content:"VBScript"; within:8; nocase; content:"|2e|scrollLeft"; distance:0; content:"|26|h4003|09 27 20|VT_BYREF|20 7c 20|VT_I4"; distance:0; fast_pattern; content:"|28 28 28 28 5c 2e 2e 5c|"; distance:0; content:"Powershell"; within:10; nocase; content:"|26|h40|2c 20 22 23 3e 24|"; within:400; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use; reference:url,www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer; reference:cve,CVE-2019-0752; classtype:attempted-admin; sid:2027721; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FFSniff Inject Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:".type|20|==|20 22|password|22 29|"; nocase; content:"=|20 22|Subject|3a 20 22 20|+|20|"; distance:0; nocase; content:"|20 22 5c|r|5c|n|5c|r|5c|n|22 20|+|20|window.top.content.document.location|20|"; within:150; nocase; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027814; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Chrome Extension Domain Request (change-request .info in DNS Lookup)"; dns.query; content:"change-request.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025216; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"|27 5c|x61|5c|x57|5c|x35|5c|x75|5c|x5a|5c|x58|5c|x4a|5c|x49|5c|x5a"; within:150; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027815; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)"; dns.query; content:"nyoogle.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025217; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"location.href.search|28|atob|28 27|Y"; pcre:"/^[2'][2h'+][2hl'+][2hlY'+][2hlY2'+][2hlY2t'+][2hlY2tv'+][2hlY2tvd'+][2hlY2tvdX'+][2hlY2tvdXQ'+](?:[2hlY2tvdXQ='+]){1,10}/R"; content:"|20|=|20|atob|28 27|aHR0cHM6L"; within:300; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027816; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (lite-bookmarks .info in DNS Lookup)"; dns.query; content:"lite-bookmarks.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025219; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Inbound JS with Possible 1px-1px Exfiltration Image"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"document.createElement|28 22|"; content:".width=|22|1px|22|"; within:30; content:".height=|22|1px|22|"; within:30; content:"atob|28 22|aHR0cHM6Ly9"; within:100; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027817; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in DNS Lookup)"; dns.query; content:"projectevrial.ru"; nocase; endswith; classtype:trojan-activity; sid:2025228; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/AD Injector"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mvr="; within:5; pcre:"/[a-fA-F0-9]{8}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{12}/"; http.user_agent; content:"Python-urllib/"; depth:14; fast_pattern; reference:url,objective-see.com/blog/blog_0x3F.html; classtype:pup-activity; sid:2027319; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns.query; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:4; metadata:created_at 2018_01_29, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M1"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/optout/set/"; depth:12; fast_pattern; content:"?jsonp="; within:20; content:"&key="; distance:16; within:23; content:"&cv="; distance:18; within:23; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027419; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"projectevrial.ru"; endswith; nocase; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:4; metadata:created_at 2018_01_29, former_category TROJAN, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M3"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/metric/?mid="; depth:13; fast_pattern; content:"&wid="; within:20; content:"&sid="; within:20; content:"&tid="; within:20; content:"&rid="; within:20; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027421; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; dns.query; content:"sagdzusghcsh.top"; nocase; endswith; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_01_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/DealPly Configuration File Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<Data|20|"; depth:6; content:"|20|step1=|22|"; within:100; content:"|20|step2=|22|"; within:30; content:"|20|step3=|22|"; within:30; content:"<|2f|FName><FHash>"; distance:0; fast_pattern; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027829; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M1"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"superasdc.pw"; depth:12; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025287; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M1 2019-04-15"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"alert|28 22|Windows|20|Firewall|20|has|20|detected|20|that|20|your|20|Windows"; fast_pattern; content:"system|20|files|20|are|20|automatically|20|deleted"; within:200; content:"Please|20|follow|20|the|20|instructions"; within:200; classtype:social-engineering; sid:2027197; rev:4; metadata:created_at 2019_04_15, former_category WEB_CLIENT, tag Tech_Support_Scam, tag Malvertising, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M2"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"caforyn.pw"; depth:10; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScriptCompile"; distance:0; content:"value=|40|GrabConfig"; distance:0; content:"|40|GrabResolver|28|"; distance:0; content:"|27|http"; within:60; content:"|27 29 0a 40|Grab|28|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027349; rev:5; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/"; http.cookie; content:"=|3b 20|"; content:"=|3b 20|"; distance:0; content:"=|3b|"; distance:0; endswith; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:command-and-control; sid:2025291; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category MALWARE, malware_family elise, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"eval|28|function|28|p,a,c,k,e,r|29|"; depth:26; content:"|20|TASKID|3d|"; distance:0; content:"|20|MAGICNUM|3d|"; within:25; content:"|20|EXECNUM|3d|"; within:25; content:"|20|FEEDBACKADDR|3d|"; within:25; content:"|28 2f|chrome|5c 5c 2f 28 5b 5c 5c 64 5d 2b 29 2f|gi"; distance:0; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027961; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns.query; content:"getfreshnews.com"; nocase; endswith; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a"; depth:6; content:"|27 2c|_b"; within:120; content:"|27 2c|_c"; within:120; content:"|2c|TASKID|3d|"; distance:0; content:"|2c|MAGICNUM|3d|"; within:25; content:"|2c|EXECNUM|3d|"; within:25; content:"|2c|FEEDBACKADDR|3d|"; within:25; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:27; within:11; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027962; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu"; endswith; classtype:credential-theft; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 27|"; depth:8; content:"|27 2c|_b|3d 27|"; within:120; content:"|27 2c|_c|3d 27|"; within:120; content:"|27 2c|e|3d|"; within:120; content:"|2c|t|3d|"; within:10; content:"|2c|n|3d|"; within:15; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:26; within:12; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027963; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report -|20|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:19; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:command-and-control; sid:2025375; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 22|"; depth:8; content:"|22 2c|_b|3d 22|"; within:120; content:"|22 2c|_c|3d 22|"; within:120; content:"|22 3b|eval|28|function|28 5f 2c|"; within:120; content:"|29 7b|if|28|n|3d|function|28 5f 29 7b|return|28 5f|"; distance:9; within:27; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027964; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for .bin with BITS/ User-Agent"; flow:established,to_server; http.uri; content:".bin"; endswith; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"microsoft.com"; content:!"pdfcomplete.com"; content:!"mymitchell.com"; content:!"azureedge.net"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2024420; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending LAN Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; depth:12; fast_pattern; content:"|22 7d|"; within:3; endswith; http.header_names; content:!"Referer"; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Princess Ransomware Payment Domain (royal25fphqilqft in DNS Lookup)"; dns.query; content:"royal25fphqilqft"; nocase; endswith; classtype:trojan-activity; sid:2025404; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_02, deployment Perimeter, former_category TROJAN, malware_family Princess_Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scarsi Variant CnC Activity"; flow:to_server,established; http.uri; content:"/WP"; content:".php"; within:50; endswith; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/i"; http.header; content:"Content-Length|3a 20|"; byte_test:1,>,0x30,0,relative; http.request_body; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/si"; http.content_type; content:"application/x-www-form-urlencoded|3b 20|Charset=UTF-8"; fast_pattern; bsize:48; http.header_names; content:!"Referer|0d 0a|"; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:command-and-control; sid:2024758; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (politiaromana .bit in DNS Lookup)"; dns.query; content:"politiaromana.bit"; nocase; endswith; classtype:command-and-control; sid:2025405; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"name=|22|kerna|22 3b 20|filename"; fast_pattern; content:".his|22 0d 0a|"; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; distance:0; content:"JFIF"; within:15; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (gdcb .bit in DNS Lookup)"; dns.query; content:"gdcb.bit"; nocase; endswith; classtype:command-and-control; sid:2025407; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.request_body; content:"pingstr="; depth:8; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:5; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (malwarehunterteam .bit in DNS Lookup)"; dns.query; content:"malwarehunterteam.bit"; nocase; endswith; classtype:command-and-control; sid:2025406; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000"; flow:established,to_server; http.method; content:"POST"; depth:4; endswith; http.uri; content:"config.xml"; endswith; http.request_body; content:"|3c|script|3e 0a|"; content:"import|20|org|2e|buildobjects|2e|process|2e|ProcBuilder"; distance:0; fast_pattern; content:"|40|Grab|28 27|org|2e|buildobjects|3a|jproc|3a|"; distance:0; content:"|27 29 0a|"; within:12; content:"print|20|new|20|ProcBuilder|28 22 2f|"; distance:0; content:"|22 29 2e|run|28 29|"; within:200; content:"|2e|getOutputString|28|"; within:18; content:"|3c 2f|script|3e|"; within:30; reference:url,github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; classtype:web-application-attack; sid:2027346; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2019_1003000, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; endswith; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:command-and-control; sid:2025433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_14, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Moderate, signature_severity Major, tag Banking_Trojan, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027454; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; dns.query; content:"stickies.pro"; nocase; endswith; reference:url,www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025218; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027455; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)"; dns.query; content:".000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026657; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; fast_pattern; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026658; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Sofacy CnC Domain (ndpmedia24 .com in DNS Lookup)"; dns.query; content:"ndpmedia24.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency; classtype:targeted-activity; sid:2025434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category MALWARE, malware_family Sofacy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. sx)"; dns.query; content:".onion.sx"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025446; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. pw)"; dns.query; content:".onion.pw"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Godlua Backdoor Downloading Encrypted Lua"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; http.user_agent; content:"Mozilla|2f|5.0|20 28|"; pcre:"/^(?:i686|x86_64|arm|mipsel)\-(?:static-linux|w64|iamsatan)\-(?:mingw32|uclibc(?:gnueabi)?)/R"; content:"|29 20|Chrome|2f|20"; within:11; http.referer; content:"https://www.google.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Referer|0d 0a 0d 0a|"; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027677; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"xmr.pool.minergate.com"; nocase; endswith; classtype:trojan-activity; sid:2025451; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Coinminer, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR Possible Response for LNKR js file"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"lnkr_redirecting"; fast_pattern; content:"_lnkr"; content:"excludeDomains"; within:40; content:"document.createElement|28 22|script|22|"; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027424; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns.query; content:"chlenaverasiskihe.sex"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; depth:42; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:5; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ninjagames .top)"; dns.query; content:"ninjagames.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NetSupport Remote Admin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/x-www-form-urlencoded"; http.server; content:"NetSupport Gateway"; fast_pattern; startswith; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035895; rev:5; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2022_04_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ajdhsfhiudsfhsi .top)"; dns.query; content:"ajdhsfhiudsfhsi.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; threshold: type both, track by_src, count 2, seconds 60; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&group="; fast_pattern; content:"&os="; content:"&cpu="; http.header_names; content:!"Referer|0d 0a|"; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:command-and-control; sid:2025253; rev:6; metadata:created_at 2018_01_26, former_category MALWARE, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".js"; endswith; http.user_agent; content:"curl/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025464; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.4."; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:14; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (ssl .arkouthrie .com)"; dns.query; content:"ssl.arkouthrie.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025466; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024228; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (s3 .hiahornber .com)"; dns.query; content:"s3.hiahornber.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025467; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls.cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (widget .shoreoa .com)"; dns.query; content:"widget.shoreoa.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025468; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls.cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&bit="; content:"&info=Windows|3a 20|"; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Google)"; tls.cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Task Status"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&taskId="; distance:0; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025471; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls.cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; tls.cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP APN/Ask Toolbar PUA/PUP User-Agent"; flow:established,to_server; http.user_agent; content:"TBNotifier"; depth:10; fast_pattern; endswith; classtype:pup-activity; sid:2025400; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer IP Lookup"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; http.host; content:"ip-api.com"; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; http.stat_code; content:"404"; file.data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; endswith; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_10, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer Config Download Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/grubConfig"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?confirmation"; fast_pattern; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&pass_input="; nocase; distance:0; classtype:credential-theft; sid:2025505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:5; metadata:created_at 2015_07_20, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Observed Coin-Hive In Browser Mining Domain (coin-hive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"coin-hive.com"; endswith; classtype:trojan-activity; sid:2025535; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2020_11_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.coin-hive.com"; nocase; endswith; classtype:coin-mining; sid:2025536; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; http.uri; content:"/_users/org.couchdb.user|3a|"; http.request_body; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; fast_pattern; content:"password"; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:4; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .com in DNS Lookup)"; dns.query; content:"msoftupdates.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025542; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .eu in DNS Lookup)"; dns.query; content:"msoftupdates.eu"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (mylogisoft .com in DNS Lookup)"; dns.query; content:"mylogisoft.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; http.uri; content:"/handle_iscsi.php"; http.request_body; content:"act=discover&address="; fast_pattern; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M1"; http.host; content:".bit"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category TROJAN, malware_family GandCrab, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; http.user_agent; content:"|20|MySearch"; reference:url,doc.emergingthreats.net/2002080; classtype:pup-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M2"; http.host; content:".coin"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category TROJAN, malware_family GandCrab, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Win32/EoRezo Reporting"; flow:established,to_server; http.uri; content:"/advert/get"; nocase; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/i"; reference:md5,b5708efc8b478274df4b03d8b7dbbb26; classtype:pup-activity; sid:2013983; rev:9; metadata:created_at 2011_12_02, former_category ADWARE_PUP, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"ransomware.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; fast_pattern; http.request_body; content:"from="; depth:5; content:"&type="; distance:0; content:"&pubid="; distance:0; content:"&BundleVersionID="; distance:0; classtype:pup-activity; sid:2018148; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"zonealarm.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; fast_pattern; nocase; bsize:15; classtype:trojan-activity; sid:2024197; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"carder.bit"; endswith; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category TROJAN, malware_family GandCrab, signature_severity Major, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; http.uri.raw; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_31, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; classtype:targeted-activity; sid:2025557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT10, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nvserver"; http.request_body; content:"cmd="; content:"&params="; content:"Netviewer Proxy Test"; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; dns.query; content:".myq-see.com"; nocase; endswith; classtype:policy-violation; sid:2025560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/settings.php"; http.header; content:"facebook.com|0d 0a|"; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns.query; content:"y5mogzal2w25p6bn.ml"; endswith; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category TROJAN, malware_family Ransomware, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) 2016-02-27"; flow:to_server,established; flowbits:set,ET.bofaphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formID="; depth:7; nocase; classtype:credential-theft; sid:2027958; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/hours/data/get_hours.php?"; nocase; content:"take="; nocase; content:"skip="; nocase; content:"pageSize="; nocase; content:"id="; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/i"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:6; metadata:created_at 2012_04_28, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending Machine Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"infobot"; depth:7; endswith; http.request_body; content:"|7b 22|bits|22 3a 20 22|"; depth:10; content:"|22|cpun|22 3a 20 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Checkin via POST"; flow: to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"f="; content:"&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:command-and-control; sid:2009156; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check.php"; endswith; fast_pattern; http.request_body; content:"m="; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/si"; http.header_names; content:!"Referer"; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:command-and-control; sid:2025580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_20, updated_at 2020_11_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coinhive URL Shortener)"; flow:established,to_client; tls.cert_subject; content:"CN=cnhv.co"; nocase; endswith; reference:url,blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html; classtype:coin-mining; sid:2025582; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_22, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; http.method; content:"GET"; http.uri; content:"/cfg.bin"; nocase; fast_pattern; endswith; http.header; content:"no-cache|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:15; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:social-engineering; sid:2022486; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:7; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"POST"; http.header; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:credential-theft; sid:2022487; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns.query; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2025098; rev:5; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header INetSim"; flow:established,from_server; http.content_type; content:"x-msdos-program"; file.data; content:"MZ|0a|Sinkholed|0a|"; depth:13; fast_pattern; endswith; classtype:trojan-activity; sid:2025585; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update.php"; endswith; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rsi"; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025171; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!"nvidia.com"; endswith; content:!"dc.services.visualstudio.com"; endswith; content:!".avg.com"; endswith; content:!"bitdefender.net"; endswith; content:!"svc.iolo.com"; endswith; content:!".lavasoft.com"; endswith; content:!"canonicalizer.ucsuri.tcs"; http.request_body; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; classtype:trojan-activity; sid:2011341; rev:17; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"xyz="; depth:4; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2025187; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031412; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, malware_family Formbook, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot User-Agent"; flow:established,to_server; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category TROJAN, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Donut Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.request_body; content:"pc_id="; depth:6; content:"pc_key="; distance:0; content:"win_ver="; fast_pattern; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; classtype:command-and-control; sid:2025595; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_19, deployment Perimeter, former_category MALWARE, malware_family Donut, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Cobalt Strike Beacon"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025635; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in DNS Lookup)"; dns.query; content:"debasuin.nl"; endswith; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025596; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE [PT MALWARE] Hacked Mikrotik C2 Request"; flow:established, to_server; threshold:type threshold, track by_src, count 1, seconds 35; http.method; content:"GET"; http.uri; content:"/mikrotik.php"; endswith; http.user_agent; content:"Mikrotik/6.x Fetch"; depth:18; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,forum.mikrotik.com/viewtopic.php?t=137217; classtype:command-and-control; sid:2026027; rev:5; metadata:created_at 2018_08_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in TLS SNI)"; flow:established,to_server; tls.sni; content:"debasuin.nl"; endswith; nocase; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025597; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"ESET Installer"; depth:14; endswith; classtype:policy-violation; sid:2027219; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag PUA, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".gif"; fast_pattern; endswith; content:!"__utm.gif"; endswith; http.host; content:!".tealiumiq.com"; content:!"snackly.co"; content:!"otf.msn.com"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:17; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.center"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027576; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in DNS Lookup)"; dns.query; content:"tpddata.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025599; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027577; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"tpddata.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encryptedmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027578; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in DNS Lookup)"; dns.query; content:"www.anlway.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025601; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027579; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.anlway.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025602; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveypro.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027580; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in DNS Lookup)"; dns.query; content:"www.ap8898.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025603; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveyservice.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027581; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ap8898.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ifileupload.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027582; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in DNS Lookup)"; dns.query; content:"www.apshenyihl.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025605; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.apshenyihl.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-secure.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027584; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php1"; endswith; fast_pattern; pcre:"/\/[0-9]{10}.php1$/"; http.user_agent; content:"Microsoft BITS/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027585; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN"; fast_pattern; content:"IEEE11iAuthenticationMode"; content:"IEEE11iEncryptionModes"; content:"X_TP_PreSharedKey="; content:"X_TP_GroupKeyUpdateInterval"; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"internal-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027586; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"DMZ_HOST_CFG"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"itunesrewardscode.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027587; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; http.uri; content:"/cgi?3"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"IP_CONN_PORTTRIGGERING"; content:"openProtocol"; content:"openPort="; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafeeonlinescanner.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027588; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blind Server-Side Request Forgery"; flow:established,to_server; http.uri; content:"/xmlrpc/pingback"; endswith; http.request_body; content:"<methodCall>"; content:"<methodName>pingback.ping</methodName>"; fast_pattern; content:"<value>http://"; content:"<value>http://"; distance:0; reference:url,exploit-db.com/raw/44945/; classtype:attempted-user; sid:2025759; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafee-scan.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027589; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN HP Enterprise VAN SDN Controller"; flow:established,to_server; http.uri; content:"/sdn/ui/app/rs/hpws/config"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-recon; sid:2025760; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"online-microsoft-update.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"!<arch>|0a|debian-binary"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"outlook-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"searscorporategiftcard.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; http.uri; content:"/admin/moduleinterface.php"; fast_pattern; endswith; http.request_body; content:"<?php system($_GET["; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-corp.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027593; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Trade - Information Disclosure"; flow:established,to_server; http.uri; content:"/dashboard/deposit"; fast_pattern; endswith; reference:cve,2018-12905; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-recon; sid:2025783; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027594; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopNx - Arbitrary File Upload"; flow:established,to_server; http.uri; content:"/api/media"; fast_pattern; endswith; http.request_body; content:"<script"; reference:cve,2018-12519; reference:url,exploit-db.com/exploits/44978/; classtype:web-application-attack; sid:2025784; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-online.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027595; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1"; dns.query; content:"goldncup.com"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025639; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2"; dns.query; content:"glancelove.com"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025640; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secmail-us.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027597; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3"; dns.query; content:"autoandroidup.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025641; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secureimailonline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027598; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4"; dns.query; content:"mobilestoreupdat.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025642; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-data.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027599; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5"; dns.query; content:"updatemobapp.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025643; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027600; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PolarisOffice Insecure Library Loading"; flow:to_server; http.method; content:"GET"; http.uri; content:"puiframeworkproresenu.dll"; endswith; reference:cve,2018-12589; classtype:attempted-user; sid:2025792; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category WEB_CLIENT, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027601; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rostpay Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"Rostpay Downloader"; nocase; depth:18; endswith; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-ssl.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027602; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:".dtd|22|>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securessl-vpn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027603; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE html PUBLIC |22|-//W3C//DTD XHTML 1.0 Transitional//EN|22|"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-vpn.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027604; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*ftp\x3a\x2f\x2f/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-account.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; content:"<data>&send|3b|</data>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-login.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup"; dns.query; content:"ios-certificate-update.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025727; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-secure.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027607; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2"; dns.query; content:"al-enayah.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025728; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-upgrade.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027608; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3"; dns.query; content:"voguextra.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025729; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssofiles.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027609; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4"; dns.query; content:"techwach.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025730; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027610; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5"; dns.query; content:"wpitcher.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025731; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Gemini/2.0)"; flow:established,to_server; http.user_agent; content:"Gemini/2.0"; depth:10; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025889; rev:3; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vpn-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027612; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Hakai/2.0)"; flow:established,to_server; http.user_agent; content:"Hakai/2.0"; depth:9; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025890; rev:4; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vsecuremail.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027613; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"www.cpuproc.com"; endswith; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:command-and-control; sid:2025891; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-cloud.net"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027614; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"application/json"; file.data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; distance:0; endswith; fast_pattern; classtype:credential-theft; sid:2025893; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027615; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6"; dns.query; content:"ios-certificate-whatsapp.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025896; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"wu-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7"; dns.query; content:"hytechmart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025897; rev:4; metadata:created_at 2018_07_25, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027617; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8"; dns.query; content:"appswonder.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025898; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027618; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9"; dns.query; content:"referfile.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025899; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (downloader)"; flow:to_server,established; http.user_agent; content:"downloader"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:pup-activity; sid:2007885; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10"; dns.query; content:"hiltrox.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025900; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey CnC Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; nocase; content:"&vs="; nocase; content:"&ar="; nocase; content:"&bi="; nocase; content:"&lv="; nocase; content:"&os="; nocase; content:"&av="; nocase; fast_pattern; reference:md5,a83a58cbcd200461b1a80de45e436d9c; classtype:command-and-control; sid:2027700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Amadey, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11"; dns.query; content:"scrollayer.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025901; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi MVEL Eval RCE Inbound M1 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"|22|script|3a 3a|"; distance:0; fast_pattern; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031219; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12"; dns.query; content:"twitck.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025902; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Usteal.B Checkin"; flow:to_server,established; http.uri; content:"/ufr.php"; fast_pattern; http.request_body; content:"name="; content:"filename="; content:"UFR|21|"; reference:md5,3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:command-and-control; sid:2014616; rev:8; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14"; dns.query; content:"nfinx.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025904; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; http.uri; content:"/kspp/do?imei="; fast_pattern; content:"&wid="; content:"&type="; content:"&step="; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; classtype:trojan-activity; sid:2016318; rev:9; metadata:affected_product Android, attack_target Mobile_Client, created_at 2012_12_12, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_11_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15"; dns.query; content:"metclix.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025905; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi OGNL Eval RCE Inbound M2 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"getClass|28|"; distance:0; nocase; content:".runtime"; distance:0; nocase; content:"getDeclaredMethods|28|"; distance:0; fast_pattern; content:".invoke|28|"; distance:0; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031220; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; dns.query; content:"capsnit.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:established,to_server; urilen:<13; http.method; content:"GET"; http.uri; content:".htm"; fast_pattern; pcre:"/^\/[^\x2f]+?\.htm$/"; http.header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; http.user_agent; content:!"BridgitAgent"; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:command-and-control; sid:2017191; rev:6; metadata:created_at 2013_07_24, former_category MALWARE, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising EK Redirect to EK M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?id="; isdataat:!5,relative; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.referer; content:".php?JBOSSESSION="; fast_pattern; classtype:exploit-kit; sid:2025913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK PDF URI Struct"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; content:"/1"; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/"; http.header; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2017636; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; urilen:<100; http.method; content:"POST"; http.request_body; content:"|81 b2 a8 97 7e a3 1b 91|"; depth:8; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:command-and-control; sid:2025923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK URI Struct"; flow:established,to_server; http.uri; content:"/3/"; fast_pattern; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/"; classtype:exploit-kit; sid:2018534; rev:6; metadata:created_at 2014_06_05, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 4"; dns.query; content:"euiro8966.organiccrap.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; http.user_agent; content:"Zollard"; nocase; fast_pattern; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:6; metadata:created_at 2013_12_10, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 3"; dns.query; content:"kted56erhg.dynssl.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/replace/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018749; rev:9; metadata:created_at 2014_07_21, former_category MALWARE, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 2"; dns.query; content:"www.hosting.tempors.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_25, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 1"; dns.query; content:"jennifer998.lookin.at"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Checkin"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/random.php"; fast_pattern; http.user_agent; content:"Mozilla/5."; pcre:"/^\d{2,7}$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:command-and-control; sid:2019353; rev:6; metadata:created_at 2014_10_03, former_category MALWARE, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 5"; dns.query; content:"games.my-homeip.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 1"; dns.query; content:"banca-movil.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025933; rev:4; metadata:affected_product Android, affected_product iOS, attack_target Mobile_Client, created_at 2018_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Citrix XenMobile Server Directory Traversal Attempt Inbound (CVE-2020-8209)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sbFileName=../"; fast_pattern; reference:url,github.com/B1anda0/CVE-2020-8209/blob/main/CVE-2020-8209.py; reference:cve,2020-8209; classtype:attempted-admin; sid:2031221; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_8209, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 2"; dns.query; content:"pine-sales.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025934; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action="; fast_pattern; content:"&sent_all="; content:"&sent_success="; distance:0; content:"&active_connections="; distance:0; content:"&queue_connections="; distance:0; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020329; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 3"; dns.query; content:"ecommerce-ads.org"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025935; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Bayrob Keepalive"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/isup.php"; fast_pattern; http.header.raw; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:6; metadata:created_at 2015_03_05, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 4"; dns.query; content:"bytlo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025936; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.asp?search="; fast_pattern; http.header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/mi"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:command-and-control; sid:2020913; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 5"; dns.query; content:"ticket-selections.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025937; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 6"; dns.query; content:"onlineshopzm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025938; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; pcre:"/\.php$/"; http.header; content:"HOST|3a|"; depth:5; content:"User-Agent|3a|"; distance:0; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/mi"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021584; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 7"; dns.query; content:"zednewszm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025939; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; http.header; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; content:"Next|2d|Polling"; fast_pattern; content:"Content|2d|Salt|3a 20|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/i"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:13; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 8"; dns.query; content:"zm-banks.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025940; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern; pcre:"/^\{\x22(?:os|type)\x22\x3a/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_12_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_11_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 9"; dns.query; content:"zm-weather.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025941; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; http.uri; content:"&downlink="; content:"&uplink="; content:"&id="; content:"&statpass="; fast_pattern; content:"&version="; content:"&features="; content:"&guid="; content:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:command-and-control; sid:2013293; rev:7; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 10"; dns.query; content:"znothernkivu.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025942; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; http.user_agent; content:"(Charon|3b 20|Inferno)"; fast_pattern; classtype:trojan-activity; sid:2021641; rev:9; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 11"; dns.query; content:"afriquenouvelle.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025943; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.header; content:"WinHttp.WinHttpRequest."; http.host; content:!"download.nai.com"; classtype:trojan-activity; sid:2022658; rev:8; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 12"; dns.query; content:"allafricaninfo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025944; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"application/x-httpd-php"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|"; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 13"; dns.query; content:"centrasia-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025945; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; flowbits:set,ET.iTunes.vuln; flowbits:noalert; http.header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/m"; http.user_agent; content:"iTunes/10.6."; depth:12; classtype:policy-violation; sid:2014954; rev:12; metadata:created_at 2012_06_25, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 14"; dns.query; content:"mystulchik.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025946; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 15"; dns.query; content:"odnoklass-profile.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025947; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin Dec 29 2014"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_body; content:"EPF#"; depth:4; fast_pattern; http.connection; content:"close"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:command-and-control; sid:2020076; rev:5; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 16"; dns.query; content:"sputnik-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025948; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; http.request_line; content:"POST / 1.1"; depth:10; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; depth:28; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021632; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 17"; dns.query; content:"tengrinews.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025949; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"l=dj0"; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/Rs"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 18"; dns.query; content:"sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025950; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; http.user_agent; content:!"OuijaBoardWigi"; content:"Ouija"; startswith; classtype:trojan-activity; sid:2028990; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 19"; dns.query; content:"egov-sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025951; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)"; dns.query; content:"tryanotherhorse.com"; endswith; reference:md5,cf71ba878434605a3506203829c63b9d; classtype:domain-c2; sid:2030822; rev:3; metadata:attack_target Mobile_Client, created_at 2020_09_02, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ahmyth, signature_severity Critical, tag Android, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 20"; dns.query; content:"egov-segek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025952; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Microsoft Update GET)"; flow:established,to_server; urilen:220; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; startswith; fast_pattern; content:".cab"; distance:171; endswith; http.user_agent; content:"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"; bsize:58; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/microsoftupdate_getonly.profile; classtype:command-and-control; sid:2032752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 21"; dns.query; content:"mykaspi.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025953; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.hostareas.com"; nocase; bsize:17; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030891; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 22"; dns.query; content:"kaspi-payment.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025954; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.jsquerys.net"; nocase; bsize:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 24"; dns.query; content:"e-sveiciens.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025955; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"web.miscrosaft.com"; nocase; bsize:18; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 25"; dns.query; content:"klientuserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025956; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"cnc.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 26"; dns.query; content:"kurjerserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025957; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"back.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 27"; dns.query; content:"reklamas.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025958; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"q9uvveypiB.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 28"; dns.query; content:"legyelvodas.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025959; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint Update CnC Domain in DNS Query"; dns.query; content:"uhyg8v.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 29"; dns.query; content:"theastafrican.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025960; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Checkin CnC in DNS Query"; dns.query; content:"log.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 30"; dns.query; content:"ajelnews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025961; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Staging CnC in DNS Query"; dns.query; content:"box.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 31"; dns.query; content:"akhbara-aalawsat.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025962; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service nrecom in DNS Query"; dns.query; content:"paste.nrecom.net"; nocase; endswith; classtype:policy-violation; sid:2031001; rev:3; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 32"; dns.query; content:"akhbar-arabia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025963; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-11-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&ps="; nocase; distance:0; pcre:"/^em=[^&]*&ps=[^&]*$/i"; classtype:credential-theft; sid:2031218; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 33"; dns.query; content:"gulf-news.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025964; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoetRAT CnC Domain in DNS Lookup"; dns.query; content:"volt220.kozow.com"; nocase; bsize:17; reference:url,twitter.com/ShadowChasing1/status/1314847032155074562; classtype:domain-c2; sid:2031007; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, malware_family PoetRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 34"; dns.query; content:"eltiempo-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025965; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (office)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; fast_pattern; tls.cert_issuer; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; reference:md5,880a45ff31bc540e80ecf2cf93134c12; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031134; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 35"; dns.query; content:"arabnews365.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025966; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"duke6.tk"; nocase; bsize:8; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 36"; dns.query; content:"arabworldnews.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025967; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"wekanda.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031138; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 37"; dns.query; content:"breaking-extranews.online"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025968; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"sanitar.ml"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 38"; dns.query; content:"breaking-news.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025969; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"branter.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 39"; dns.query; content:"breakingnewsasia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025970; rev:4; metadata:created_at 2018_08_03, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"bronerg.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 40"; dns.query; content:"breakthenews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025971; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"crusider.tk"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/collectdata-new.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|a|22 3a|"; depth:5; content:"|22|b|22 3a|[{|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025987; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, signature_severity Major, tag Android, updated_at 2020_09_16;)
+#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/setup.htm"; nocase; http.request_body; content:"wan_proto=dhcp"; nocase; content:"dhcps_dns_1="; nocase; fast_pattern; content:"dhcps_mode=enabled"; nocase; content:"lan_proto=enable"; nocase; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; classtype:attempted-admin; sid:2023468; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/newuser.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|imei|22 3a|"; depth:8; content:"|22|tag|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:command-and-control; sid:2025988; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain in DNS Lookup"; dns.query; content:"ab1de19d80ae6.com"; nocase; bsize:17; reference:md5,ef694b89ad7addb9a16bb6f26f1efaf7; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2031206; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/fcollectdata.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|category|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b603017bbcee17a76f5b0ee478d2d935; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025989; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DonotGroup CnC in DNS Query"; dns.query; content:"pvtchat.live"; nocase; endswith; classtype:domain-c2; sid:2031216; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker C2)"; flow:established,to_client; tls.cert_subject; content:"CN=uiaoduiiej.chimkent.su"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2"; dns.query; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!"services.corona.be"; isdataat:!1,relative; classtype:bad-unknown; sid:2029710; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_11_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker Injects)"; flow:established,to_client; tls.cert_subject; content:"CN=urimchi3dt4.website"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2025996; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (TrevorForget Profile)"; flow:established,to_server; http.request_line; content:"GET /us/ky/louisville/312-s-fourth-st.html HTTP/1.1"; bsize:51; fast_pattern; http.cookie; bsize:171; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/"; http.referer; content:"https://locations.smashburger.com/us/ky/louisville.html"; bsize:55; reference:md5,d2c8f1a8b5fc9bf4fe8bde43e88f04a0; classtype:command-and-control; sid:2032754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in DNS Lookup)"; dns.query; content:"uiaoduiiej.chimkent.su"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gdn)"; flow:from_server,established; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031223; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in TLS SNI)"; flow:established,to_server; tls.sni; content:"uiaoduiiej.chimkent.su"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ml)"; flow:from_server,established; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031224; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in DNS Lookup)"; dns.query; content:"urimchi3dt4.website"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2025999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gq)"; flow:from_server,established; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031225; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"urimchi3dt4.website"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2026000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ga)"; flow:from_server,established; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031226; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns.query; content:"bigboss.x24hr.com"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.cf)"; flow:from_server,established; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031227; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns.query; content:"secured-links.org"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.xyz)"; flow:from_server,established; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031228; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Payload Download Nov 11 2014"; flow:established,to_server; http.uri; content:"/bin.exe"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019696; rev:5; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu)"; flow:from_server,established; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031229; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; content:".deb|0d 0a|"; http.request_body; content:"|7f|ELF"; depth:4; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.top)"; flow:from_server,established; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031230; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; http.host; content:!".bloomberg.com"; content:!".bitdefender.com"; content:!".microsoft.com"; endswith; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022550; rev:19; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL SSL/TLS Certificate"; flow:from_server,established; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031231; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.FakeEzQ.kr Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"MyAgent"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:command-and-control; sid:2026071; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.pw)"; flow:from_server,established; tls.cert_subject; content:".pw"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031232; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in DNS Lookup)"; dns.query; content:"www.megaopac.host"; endswith; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, deployment Perimeter, former_category TROJAN, malware_family Stealer, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Content-Length|3a 20|95|0d 0a|"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Pragma"; content:!"Referer"; reference:md5,a3c4951687b39e58550309dbbf2e5c85; reference:md5,1c1d7bf3ad926f3cdf0befbc5205a1fe; classtype:trojan-activity; sid:2031233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.megaopac.host"; endswith; nocase; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026073; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, former_category TROJAN, malware_family Stealer, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:800; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2031238; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (defender-update .com)"; dns.query; content:"defender-update.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackrota Domain (blackrato .ga in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackrato.ga"; bsize:12; fast_pattern; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031235; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_11_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (windowspatch .com)"; dns.query; content:"windowspatch.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Blackrota)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; fast_pattern; tls.cert_issuer; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; reference:md5,04dab9530bbcb7679ff5498400417e40; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031236; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pser?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}(?:BBZ|BBY)[A-F0-9]{,1000}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026081; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Geocon CnC Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.0|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENUS)"; fast_pattern; bsize:76; http.cookie; bsize:172; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; reference:url,github.com/darkr4y/geacon/blob/5d9a9101c1f3b7dfb71484a58db5cc51ea279583/cmd/packet/http.go; reference:md5,6e020db51665614f4a2fd84fb0f83778; classtype:command-and-control; sid:2031237; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tahw?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-11-26"; flow:established,to_client; file.data; content:"<title>Ch&alpha|3b|se &Beta|3b|&alpha|3b|n&Kappa|3b|"; fast_pattern; classtype:social-engineering; sid:2031239; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/khc?"; depth:5; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|proclist|22|"; content:"svchost.exe"; content:"name=|22|sysinfo|22|"; content:"ipconfig"; content:"net view /all"; fast_pattern; content:"nltest"; distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:command-and-control; sid:2031241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aura Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"{KIARA}"; depth:7; endswith; fast_pattern; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category USER_AGENTS, malware_family Aura, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Windows.net Hosted Phish 2020-10-14"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".windows.net"; isdataat:!1,relative; fast_pattern; http.uri; content:!"/getEffectiveAccess?api-version="; classtype:credential-theft; sid:2031012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; http.user_agent; content:"onedru/"; depth:7; endswith; fast_pattern; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_07, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-11-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; nocase; content:"exp"; nocase; content:"cvv="; nocase; fast_pattern; http.host; content:!".ez-chow.com"; endswith; classtype:credential-theft; sid:2029680; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Tor/Noscript JS Bypass"; flow:established,to_client; http.content_type; content:"text/html|3b|/json"; depth:15; endswith; reference:url,twitter.com/Zerodium/status/1039127214602641409; classtype:trojan-activity; sid:2026109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc 2020-11-30)"; flow:established,to_client; tls.cert_subject; content:"CN=filestream.download"; nocase; endswith; reference:md5,1e0d96c551ca31a4055491edc17ce2dd; classtype:domain-c2; sid:2031240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_11_30, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=baways.com"; nocase; endswith; reference:url,riskiq.com/blog/labs/magecart-british-airways-breach; classtype:trojan-activity; sid:2026110; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_11, deployment Perimeter, former_category TROJAN, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY ToDesk Remote Access Control Tool"; flow:established,to_server; content:"|00 00 00|"; startswith; content:"|01 0a 20|"; offset:4; depth:3; content:"|12|"; offset:39; depth:1; byte_jump:1,0,relative; content:"|18 01 22|"; within:3; byte_jump:1,0,relative; content:"|3a 3f|"; within:2; content:"B$"; distance:63; within:2; isdataat:!68,relative; reference:md5,d428709903e8c86bc02dfc29ab903634; classtype:policy-violation; sid:2031242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_30, deployment Perimeter, former_category POLICY, performance_impact Significant, signature_severity Informational, updated_at 2020_11_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil)"; flow:established,to_client; tls.cert_subject; content:"CN=info-stat.ws"; nocase; endswith; reference:url,bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script; classtype:trojan-activity; sid:2026112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031243; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"; flow:from_server,established; tls.cert_subject; content:"CN=ipinfo.io"; nocase; endswith; classtype:external-ip-check; sid:2025330; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031244; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=neweggstats.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-newegg; classtype:trojan-activity; sid:2026215; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M6 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:"com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031245; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_02, cve CVE_2020_14882, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_12_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup)"; dns.query; content:"1jve.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026115; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:!".jpg',no','no',no'"; nocase; distance:0; content:!".pdf,no','no',no'"; nocase; distance:0; content:!".SlideMenu1_Folder div"; content:!"PhotoGallery"; nocase; classtype:social-engineering; sid:2026047; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"1jve.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026116; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file.data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp"; nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:5; metadata:attack_target Networking_Equipment, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup)"; dns.query; content:"clarke-taylor.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026117; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"acunetix_wvs_security_test"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"clarke-taylor.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026118; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"|24|acunetix"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023688; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup)"; dns.query; content:"hcttmail.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026119; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow:established; http.header; content:"Content-Type|3A|"; content:"application/x-msn-messenger"; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation; sid:2009375; rev:9; metadata:created_at 2010_07_30, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hcttmail.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026120; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forms/dns_1?"; fast_pattern; content:"Enable_DNSFollowing=1"; distance:0; content:"dnsPrimary="; distance:0; reference:url,www.exploit-db.com/exploits/35917; classtype:attempted-admin; sid:2023466; rev:8; metadata:created_at 2015_01_29, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup)"; dns.query; content:"mail-presidency.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026121; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Blackrota Domain"; dns.query; content:"blackrato.ga"; nocase; bsize:12; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031234; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-presidency.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026122; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"european-who.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031246; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup)"; dns.query; content:"aamir-khan.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026123; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"who-international.com"; nocase; bsize:21; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031247; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"aamir-khan.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026124; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"office-pulgin.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031248; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup)"; dns.query; content:"daario-naharis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026125; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"health-world-org.com"; nocase; bsize:20; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031249; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"daario-naharis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026126; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"adverting-cdn.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031250; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup)"; dns.query; content:"help-live.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026127; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org)"; dns.query; content:"hotspot.accesscam.org"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031252; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-live.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026128; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org)"; dns.query; content:"highcolumn.webredirect.org"; nocase; bsize:26; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031253; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup)"; dns.query; content:"margaery-tyrell.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026129; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org)"; dns.query; content:"ethdns.mywire.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031254; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"margaery-tyrell.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026130; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org)"; dns.query; content:"theguardian.webredirect.org"; nocase; bsize:27; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031255; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup)"; dns.query; content:"accaunts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026131; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (allmedicalpro .com)"; dns.query; content:"allmedicalpro.com"; nocase; bsize:17; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031256; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accaunts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026132; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (mediqhealthcare .com)"; dns.query; content:"mediqhealthcare.com"; nocase; bsize:19; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031257; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup)"; dns.query; content:"dachfunny.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026133; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (gofinancesolutions .com)"; dns.query; content:"gofinancesolutions.com"; nocase; bsize:22; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031258; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026134; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".sh.ShellSession"; fast_pattern; pcre:"/^(?:\x28|%28)/R"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031185; rev:3; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_12_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup)"; dns.query; content:"help-sec.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026135; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<META HTTP-EQUIV="; nocase; within:600; fast_pattern; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:25; content:"url="; nocase; within:25; http.header; content:!".efunds.com"; classtype:credential-theft; sid:2031574; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-sec.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026136; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkIRC Bot CnC Domain Lookup"; dns.query; content:"cnc."; startswith; fast_pattern; content:".xyz"; endswith; bsize:22; pcre:"/^cnc\.[a-fA-F0-9]{14}.xyz$/"; reference:url,blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability; classtype:command-and-control; sid:2031260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup)"; dns.query; content:"maria-bouchard.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026137; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"maria-bouchard.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026138; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; pcre:"/^[^&]+&[a-z]=[^&]+&[a-z]=[A-F0-9]+$/Rsi"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32)"; bsize:41; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,2250fec29baf44d9d2c123ae037fce9c; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036308; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup)"; dns.query; content:"account-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026139; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information"; flow:established,to_server; http.uri; content:"?q=7b2268776964223a22"; nocase; fast_pattern; content:"222c22706e223a22"; nocase; distance:0; content:"222c226f73223a2257696e646f7773"; nocase; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:trojan-activity; sid:2030393; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2020_12_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026140; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (gogohid .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogohid.com"; bsize:11; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup)"; dns.query; content:"dachfunny.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026141; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (blackl1vesmatter .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackl1vesmatter.org"; bsize:20; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026142; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (vincentolife .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vincentolife.com"; bsize:16; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031263; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup)"; dns.query; content:"heyapp.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026143; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"X-Requested-With|3a 20|ShockwaveFlash/"; fast_pattern; content:!"32.0.0.453|0d 0a|"; within:12; content:!"32.0.0.445|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2024379; rev:37; metadata:affected_product Adobe_Flash, created_at 2017_06_13, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_12_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"heyapp.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026144; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031271; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup)"; dns.query; content:"marklavi.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026145; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031272; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"marklavi.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026146; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup)"; dns.query; content:"account-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026147; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026148; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] POSSIBLE HackTool.TCP.Rubeus.[User32LogonProcesss]"; flow:to_server; content:"User32LogonProcesss"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup)"; dns.query; content:"dardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026149; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[Build ID]"; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026150; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.SSL.BEACON.[CSBundle Ajax]"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; fast_pattern; tls.cert_issuer; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup)"; dns.query; content:"hitmesanjjoy.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026151; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|0a|_domainkey"; distance:0; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"hitmesanjjoy.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026152; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup)"; dns.query; content:"mary-crawley.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026153; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mary-crawley.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026154; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M2"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 31 00 30 00 20 00 44 00 65 00 66 00 65 00 6e 00 64 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup)"; dns.query; content:"accountforuser.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026155; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M1"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 55 00 70 00 64 00 61 00 74 00 65 00 20 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031300; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforuser.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026156; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M3"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4c 00 69 00 63 00 65 00 6e 00 73 00 65 00 20 00 4b 00 65 00 79 00 20 00 41 00 63 00 74 00 69 00 76 00 61 00 74 00 69 00 6f 00 6e|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup)"; dns.query; content:"dardash.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026157; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M4"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 66 00 66 00 69 00 63 00 65 00 20 00 33 00 36 00 35 00 20 00 50 00 72 00 6f 00 78 00 79|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026158; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M5"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup)"; dns.query; content:"hoopoechat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026159; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M6"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 6e 00 65 00 44 00 72 00 69 00 76 00 65 00 20 00 53 00 79 00 6e 00 63 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hoopoechat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026160; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M7"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|42 00 61 00 63 00 6b 00 67 00 72 00 6f 00 75 00 6e 00 64 00 20 00 41 00 63 00 74 00 69 00 6f 00 6e 00 20 00 4d 00 61 00 6e 00 61 00 67 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031306; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup)"; dns.query; content:"masuka.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026161; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M8"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|53 00 65 00 63 00 75 00 72 00 65 00 20 00 54 00 6f 00 6b 00 65 00 6e 00 20 00 4d 00 65 00 73 00 73 00 61 00 67 00 69 00 6e 00 67 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"masuka.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026162; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M9"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 20 00 55 00 70 00 64 00 61 00 74 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup)"; dns.query; content:"accountforusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026163; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; content:"Cookie|3a 20|"; content:"display-culture=en|3b|check=true|3b|lbcs=0|3b|sess-id="; content:"|3b|SIDCC=AN0-TY21iJHH32j2m|3b|FHBv3=B"; fast_pattern; http.uri; pcre:"/^\/(?:v(?:1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|4\/links\/activity-stream|3\/links\/ping-centre)|gp\/(?:aj\/private\/reviewsGallery\/get-(?:application-resource|image-gallery-asset)s|cerberus\/gv)|en-us\/(?:p\/(?:onerf\/MeSilentPassport|book-2\/8MCPZJJCC98C)|store\/api\/checkproductinwishlist)|wp-(?:content\/themes\/am43-6\/dist\/records|includes\/js\/script\/indigo-migrate)|api2\/json\/(?:cluster\/(?:resource|task)s|access\/ticket))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026164; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; flow:established,from_server; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup)"; dns.query; content:"dardash.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026165; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031293; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026166; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Accept-Ranges|3a 20|bytes"; content:"Age|3a 20|5806"; content:"Cache-Control|3a 20|public,max-age=31536000"; content:"Content-Encoding|3a 20|gzip"; content:"Content-Length|3a 20|256398"; content:"Content-Type|3a 20|application/javascript"; content:"Server|3a 20|UploadServer"; content:"Vary|3a 20|Accept-Encoding, Fastly-SSL"; content:"x-api-version|3a 20|F-X"; content:"x-cache|3a 20|HIT"; content:"x-Firefox-Spdy|3a 20|h2"; content:"x-nyt-route|3a 20|vi-assets"; content:"x-served-by|3a 20|cache-mdw17344-MDW"; content:"x-timer|3a 20|S1580937960.346550,VS0,VE0"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031267; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup)"; dns.query; content:"hotimael.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026167; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a 22|"; fast_pattern; content:"nid"; content:"msg-"; http.method; content:"POST"; http.uri; content:"/notification"; startswith; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031292; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotimael.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026168; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 3]"; flow:established,from_server; content:"{|22|alias|22 3a 22|apx|22|,|22|prefix|22 3a 22 22|,|22|suffix|22 3a|null,|22|suggestions|22 3a|[],|22|responseId|22 3a 22|15QE9JX9CKE2P|22|,|22|addon|22 3a 20 22|"; fast_pattern; content:"|22|,|22|shuffled|22 3a|false}"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031268; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup)"; dns.query; content:"matthew-stevens.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026169; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[POST]"; flow:established,to_server; urilen:1; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.connection; content:"upgrade"; depth:7; http.header; content:"|0d 0a|Upgrade|3a 20|tcp/1|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie:"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"matthew-stevens.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026170; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 2]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup)"; dns.query; content:"accounts-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026171; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:from_server,established; file.data; content:"{|22|navgd|22 3a 22|<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https|3a|//supportlocal.usatoday.com/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031273; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026172; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server]"; flow:established,from_server; content:"{|22|meta|22|:{},|22|status|22 3a 22|OK|22|,|22|saved|22 3a 22|1|22|,|22|starttime|22 3a|17656184060,|22|id|22 3a 22 22|,|22|vims|22 3a|{|22|dtc|22 3a|"; fast_pattern; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031275; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup)"; dns.query; content:"dardash.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026173; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; flow:established,to_server; content:"sess-="; content:"auth=0|3b|loc=US|7d|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026174; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; flow:established,to_server; content:"nyt-a="; content:"nyt-gdpr=0|3b|nyt-purr=cfh|3b|nyt-geo=US}"; fast_pattern; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; http.request_line; pcre:"/^GET\s(?:\/(?:(?:v(?:i-assets\/static-asset|[12]\/preference)|idcta\/translation)s|ads\/google))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031276; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup)"; dns.query; content:"hotmailme.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026175; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request]"; flow:established,to_server; http.cookie; content:"hl=en|3b|bse="; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9_\/\+\-]{2}==|[a-zA-Z0-9_\/\+\-]{3}=|[a-zA-Z0-9_\/\+\-]{4})\x3b/"; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b|"; endswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotmailme.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026176; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Connection|3a 20|close"; content:"Content-Type|3a 20|application/json|3b 20|charset=utf-8"; content:"Content-Security-Policy|3a 20|upgrade-insecure-requests"; content:"Strict-Transport-Security|3a 20|max-age=10890000"; content:"Cache-Control|3a 20|public, immutable, max-age=315360000"; content:"Accept-Ranges|3a 20|bytes"; content:"X-Cache|3a 20|HIT, HIT"; content:"X-Timer|3a 20|S1593010188.776402,VS0,VE1"; content:"Vary|3a 20|X-AbVariant, X-AltUrl, Accept-Encoding"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031274; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup)"; dns.query; content:"mauricefischer.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026177; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; http.accept; content:"*/*"; startswith; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mauricefischer.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026178; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[SID1]"; flow:established,to_server; http.start; content:"|0d 0a|Cookie: SID1="; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup)"; dns.query; content:"accounts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026179; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager]"; flow:established,from_client; http.accept; content:"*/*"; depth:3; http.accept_lang; content:"en-US"; depth:5; http.accept_enc; content:"gzip, deflate"; depth:13; http.cookie; content:"SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; depth:80; fast_pattern; http.uri; content:"/api/v1/user/"; content:"/avatar/"; distance:3; within:8; pcre:"/\/api\/v1\/user\/(?:512|124)\/avatar/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026180; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (wherisdomaintv .com in DNS Lookup)"; dns_query; content:"wherisdomaintv.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031309; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup)"; dns.query; content:"david-mclean.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026181; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (whoisdomainpc .com in DNS Lookup)"; dns_query; content:"whoisdomainpc.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031310; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-mclean.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026182; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (fullplayersoftware .com in DNS Lookup)"; dns_query; content:"fullplayersoftware.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031311; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup)"; dns.query; content:"italk-chat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026183; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (softwareplayertop .com in DNS Lookup)"; dns_query; content:"softwareplayertop.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031312; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026184; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Type|3a 20|image/gif"; file_data; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; fast_pattern; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup)"; dns.query; content:"max-eleanor.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026185; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp GET]"; flow:established,to_server; content:"request_origin=user"; http.method; content:"GET"; http.request_line; content:"&parent_request_id="; within:256; fast_pattern; content:"|20|HTTP/1"; within:1024; pcre:"/^GET [^\r\n]{0,256}&parent_request_id=(?:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/"; http.header; content:"|0d 0a|Sec-Fetch-Dest|3a 20|empty|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-eleanor.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026186; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle CDN GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; http.header; content:"client-="; fast_pattern; content:"|3b|auth=1}"; http.uri; pcre:"/^\/v1\/(?:queue|profile|docs\/wsdl|pull)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup)"; dns.query; content:"accountusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026187; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:from_server,established; http.response_line; content:"HTTP/1."; depth:7; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026188; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"; flow:established,to_server; content:"gnt_ub=86|3b|gnt_sb=18|3b|usprivacy=1YNY|3b|DigiTrust.v1.identity="; fast_pattern; content:"%3D|3b|GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM|3b|"; http.method; content:"GET"; http.connection; content:"close"; bsize:5; http.accept; content:"*/*"; bsize:3; http.header; content:"Cookie|3a 20|"; http.request_line; pcre:"/^GET\s(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup)"; dns.query; content:"david-moris.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026189; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|03|"; within:15; content:"|0a|_domainkey"; distance:3; within:11; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-moris.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026190; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original POST]"; flow:established,to_server; content:"ses-"; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; http.request_line; pcre:"/^POST\s(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup)"; dns.query; content:"italk-chat.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026191; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; content:"cli"; content:"l-"; http.request_line; content:"POST /v1/push"; depth:13; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026192; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Qbot CnC Activity M2"; flow:established,to_server; http.request_line; content:"POST|20|/t4|20|HTTP/1.1"; bsize:17; fast_pattern; http.accept; content:"application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*"; bsize:70; http.request_body; pcre:"/^[A-Za-z0-9]{3,20}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.header_names; content:!"Referer"; reference:md5,3ceb36fc3607df3d67d9eb0f1d00fea0; classtype:command-and-control; sid:2035525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Qbot, performance_impact Low, signature_severity Major, updated_at 2020_12_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup)"; dns.query; content:"max-mayfield.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026193; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sofacy Zebrocy CnC DNS Lookup (support-cloud .life)"; dns_query; content:"support-cloud.life"; nocase; bsize:18; reference:url,www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/; classtype:domain-c2; sid:2031315; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-mayfield.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026194; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Account Phish Dec 04 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"continue="; content:"followup="; content:"checkedDomains="; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:credential-theft; sid:2015980; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup)"; dns.query; content:"accuant-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026195; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Docusign</title>"; nocase; classtype:social-engineering; sid:2024387; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accuant-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026196; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi/?SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031314; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup)"; dns.query; content:"davina-claire.xyz"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026197; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi?SoID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031313; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"davina-claire.xyz"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026198; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; http.request_line; content:"|2e 20|HTTP/1."; fast_pattern; http.uri; pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/"; classtype:exploit-kit; sid:2019176; rev:5; metadata:created_at 2014_09_16, updated_at 2020_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup)"; dns.query; content:"jack-wagner.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026199; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 - Stage 2 - Request"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_aWQ9"; fast_pattern; content:".html"; endswith; pcre:"/_aWQ9[a-zA-Z0-9\/]{43,46}(?:JmdpZD|Z2lkP|ZnaWQ9)/"; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"jack-wagner.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026200; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Trojan.APT.9002 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]+$/"; http.user_agent; content:"lynx"; depth:4; isdataat:!1,relative; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:targeted-activity; sid:2017702; rev:4; metadata:created_at 2013_11_11, former_category MALWARE, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup)"; dns.query; content:"maxlight.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026201; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[A-F0-9]{24}$/"; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; depth:13; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017714; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxlight.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026202; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage1 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?host="; fast_pattern; content:"&password="; distance:0; pcre:"/\.php\?host=[^&]+&password=[a-f0-9]{32}$/"; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029499; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup)"; dns.query; content:"activedardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026203; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kuluoz.B Request"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-f0-9]+$/i"; http.header; content:"Windows NT 9.0|3b|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:6; metadata:created_at 2012_12_05, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"activedardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026204; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox CnC Beacon"; flow:established,to_server; http.host; pcre:"/\x3a\d{1,5}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016528; rev:8; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup)"; dns.query; content:"davos-seaworth.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026205; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Java Installer Landing Page Oct 21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; content:"&sid="; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/"; pcre:"/&name=[a-z0-9\x20]+$/i"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"davos-seaworth.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026206; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/Oceanlotus Maldoc CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?"; content:"=e010000127"; distance:0; fast_pattern; content:".exe|3b|"; nocase; pcre:"/^[^\r\n]+\.exe(?:\x3b)?$/Ri"; reference:md5,e2511f009b1ef8843e527f765fd875a7; reference:md5,cc2027319a878ee18550e35d9b522706; reference:url,twitter.com/HONKONE_K/status/1290511333343993856; classtype:command-and-control; sid:2030652; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup)"; dns.query; content:"james-charles.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026207; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MontysThree HTTPTransport Module Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|image|22 3b 20|filename=|22|image.jpg|22|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1f0461dba1aefdd124f8333afe7f5982; reference:url,twitter.com/Int2e_/status/1314479575523446784; classtype:trojan-activity; sid:2030994; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"james-charles.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026208; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; http.user_agent; content:"AskPBar"; fast_pattern; reference:url,doc.emergingthreats.net/2006381; classtype:pup-activity; sid:2006381; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup)"; dns.query; content:"mediauploader.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026209; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"."; pcre:"/\.(?:gif|bmp|jpeg|png)$/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021829; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"mediauploader.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026210; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M6"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023679; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup)"; dns.query; content:"alain.ps"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026211; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M7"; flow:from_server,established; flowbits:isset,min.gethttp; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023711; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI)"; flow:established,to_server; tls.sni; content:"alain.ps"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026212; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 3"; flow:to_server,established; content:"/rico.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020656; rev:5; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup)"; dns.query; content:"debra-morgan.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026213; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; http.user_agent; content:"JDatabaseDriverMysqli"; fast_pattern; http.header; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:4; metadata:created_at 2015_12_14, updated_at 2020_12_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"debra-morgan.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026214; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:104; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|Content-Length|3a 20|"; distance:0; pcre:"/User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a)[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nContent-Length\x3a\x20\d+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/m"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021631; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot Blockchain Based CnC DNS Lookup (musl .lib)"; dns.query; content:"musl.lib"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026323; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"CALLBACK|3a 20|"; fast_pattern; nocase; content:"<http"; distance:0; content:"><http"; distance:0; pcre:"/^Callback\x3a\x20<http[^>]+><http/mi"; reference:url,github.com/yunuscadirci/CallStranger; reference:cve,2020-12695; classtype:attempted-dos; sid:2030339; rev:2; metadata:affected_product UPnP, attack_target IoT, created_at 2020_06_15, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (ukrainianhorseriding .com)"; dns.query; content:"ukrainianhorseriding.com"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026324; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[^\x2e\x3f\x3d\x26]+\.[^\x2e\x2f\x3f\x3d\x26]+$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.referer; pcre:"/^http\x3a\x2f\x2f[^\x2f]+\x2f$/"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (rippr .cc)"; dns.query; content:"rippr.cc"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026325; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic .EDU Phish Aug 17 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; flowbits:isnotset,ET.realEDUrequest; http.stat_code; content:"302"; http.location; content:".edu"; nocase; fast_pattern; pcre:"/https?:\/\/[^/]+\.edu/i"; classtype:credential-theft; sid:2029662; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (censys .xyz)"; dns.query; content:"censys.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026326; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-02-13"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?rand=13InboxLightaspxn."; fast_pattern; content:"&email="; distance:0; content:"@"; distance:0; classtype:credential-theft; sid:2029669; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (leakingprivacy .tk)"; dns.query; content:"leakingprivacy.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026327; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic 302 Redirect to Phishing Landing"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?client_id="; fast_pattern; content:"&response_mode="; distance:0; content:"&response_type="; distance:0; pcre:"/^[a-z0-9]{24,28}\.php\?client_id=/i"; classtype:social-engineering; sid:2031578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (realnewstime .xyz)"; dns.query; content:"realnewstime.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful IRS Phish 2016-01-23"; flow:to_client,established; flowbits:isset,ET.irs.phish; http.stat_code; content:"302"; http.location; content:"http"; depth:4; content:"irs.gov"; distance:0; nocase; fast_pattern; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032672; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_01_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (scanaan .tk)"; dns.query; content:"scanaan.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026329; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Redirect - Possible Phishing May 25 2016"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?email="; fast_pattern; content:!"unsubscribe"; content:!"lastpass.com"; classtype:social-engineering; sid:2031567; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (blockbitcoin .com)"; dns.query; content:"blockbitcoin.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026330; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download (set)"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McAfee ePO"; fast_pattern; http.host; content:"update.nai.com"; classtype:not-suspicious; sid:2031317; rev:1; metadata:created_at 2020_12_11, former_category INFO, performance_impact Low, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (vfk2k5s5tfjr27tz .tk)"; dns.query; content:"vfk2k5s5tfjr27tz.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.start; content:".php|20|HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; http.host; content:!".360.cn"; reference:md5,518d189f8922280c81ab123604076dfd; classtype:command-and-control; sid:2035075; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (3g2upl4pq6kufc4m .tk)"; dns.query; content:"3g2upl4pq6kufc4m.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Passwords.txt"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2029846; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup)"; dns.query; content:"jimmykudo.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026217; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 401TRG Liferay RCE (CVE-2020-7961)"; flow:established,to_server; http.uri; content:"/api/jsonws/expandocolumn/update-column"; nocase; http.request_body; content:"userOverridesAsString=HexAsciiSerializedMap"; nocase; fast_pattern; reference:cve,2020-7961; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; classtype:attempted-admin; sid:2031318; rev:1; metadata:created_at 2020_12_11, cve CVE_2020_7961, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"jimmykudo.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026218; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) M2"; flow:established,to_server; http.header; content:"JDatabaseDriverMysqli"; fast_pattern; content:"JSimplepieFactory"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2031319; rev:1; metadata:created_at 2020_12_11, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup)"; dns.query; content:"meet-me.chat"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026219; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getPolicy?a="; fast_pattern; startswith; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031320; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI)"; flow:established,to_server; tls.sni; content:"meet-me.chat"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026220; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic 302 Redirect to Google"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"https://google.com"; fast_pattern; startswith; classtype:misc-activity; sid:2030594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, signature_severity Informational, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup)"; dns.query; content:"alisonparker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026221; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://poloniex.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024617; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"alisonparker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026222; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://exmo.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024618; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup)"; dns.query; content:"donna-paulsen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026223; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://paxful.com"; startswith; classtype:credential-theft; sid:2024621; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"donna-paulsen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026224; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://localbitcoins.com"; startswith; classtype:credential-theft; sid:2024640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"android-settings.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026225; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish 2020-08-17"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://www.paxful.com"; startswith; classtype:credential-theft; sid:2030695; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup)"; dns.query; content:"android-settings.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026226; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M1"; flow:established,to_server; http.uri; content:"/swip/Events"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup)"; dns.query; content:"easyshow.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026227; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M2"; flow:established,to_server; http.uri; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"easyshow.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026228; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M3"; flow:established,to_server; http.uri; content:"swip/Upload.ashx"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031339; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup)"; dns.query; content:"jon-snow.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026229; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M4"; flow:established,to_server; http.uri; content:"/swip/upd/"; within:75; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"jon-snow.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026230; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to digitalcollege .org"; flow:established,to_server; http.host; dotprefix; content:".digitalcollege.org"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup)"; dns.query; content:"men-ana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026231; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to freescanonline .com"; flow:established,to_server; http.host; dotprefix; content:".freescanonline.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"men-ana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026232; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to deftsecurity .com"; flow:established,to_server; http.host; dotprefix; content:".deftsecurity.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031349; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup)"; dns.query; content:"apkapps.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026233; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to thedoccloud .com"; flow:established,to_server; http.host; dotprefix; content:".thedoccloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026234; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to virtualdataserver .com"; flow:established,to_server; http.host; dotprefix; content:".virtualdataserver.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup)"; dns.query; content:"eleanor-guthrie.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026235; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M2"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Server: nginx/1.14.0 (Ubuntu)"; content:"Connection|3a 20|close"; distance:0; content:"Cache-Control|3a 20|max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options|3a 20|nosniff"; distance:0; content:"X-AspNetMvc-Version|3a 20|3.0"; fast_pattern; distance:0; content:"X-AspNet-Version|3a 20|4.0.30319"; distance:0; content:"X-Powered-By|3a 20|ASP.NET"; distance:0; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:6; within:4; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanor-guthrie.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026236; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M3"; flow:established,from_server; file.data; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup)"; dns.query; content:"jorah-mormont.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026237; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M4"; flow:established,from_server; file.data; content:"<p>Companies-Best-Man-Vendors-Best</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"jorah-mormont.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026238; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M5"; flow:established,from_server; file.data; content:"<meta name=|22|msvalidate.01|22| content=|22|ECEE9516DDABFC7CCBBF1EACC04CAC20|22|>"; content:"<meta name=|22|google-site-verification|22| content=|22|CD5EF1FCB54FE29C838ABCBBE0FA57AE|22|>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup)"; dns.query; content:"michael-keaton.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026239; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M6"; flow:from_server,established; file.data; content:"<p>Million-Support-Years-Week-Agents</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"michael-keaton.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026240; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|"; content:"|22 3b|filename=|22|"; content:"|22 0a|Content-Type|3a|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031323; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup)"; dns.query; content:"apkapps.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026241; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .com)"; dns_query; content:"tocaoonline.com"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031372; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026242; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (qh2020 .org)"; dns_query; content:"qh2020.org"; nocase; bsize:10; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031373; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup)"; dns.query; content:"eleanorguthrie.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026243; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tinmoivietnam .com)"; dns_query; content:"tinmoivietnam.com"; nocase; bsize:17; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031374; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanorguthrie.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026244; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .org)"; dns_query; content:"tocaoonline.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031375; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup)"; dns.query; content:"joycebyers.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026245; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (facebookdeck .com)"; dns_query; content:"facebookdeck.com"; nocase; bsize:16; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031376; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"joycebyers.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026246; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (nhansudaihoi13 .org)"; dns_query; content:"nhansudaihoi13.org"; nocase; bsize:18; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031377; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup)"; dns.query; content:"miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026247; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (thundernews .org)"; dns_query; content:"thundernews.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031378; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026248; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to thedoccloud .com"; dns.query; content:"thedoccloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup)"; dns.query; content:"appchecker.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026249; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to deftsecurity .com"; dns.query; content:"deftsecurity.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"appchecker.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026250; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to freescanonline .com"; dns.query; content:"freescanonline.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup)"; dns.query; content:"engin-altan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026251; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to websitetheme .com"; dns.query; content:"websitetheme.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031328; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"engin-altan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026252; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com"; dns.query; content:"highdatabase.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031329; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup)"; dns.query; content:"juana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026253; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to incomeupdate .com"; dns.query; content:"incomeupdate.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031330; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"juana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026254; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to databasegalore .com"; dns.query; content:"databasegalore.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031331; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup)"; dns.query; content:"miwakosato.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026255; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to panhardware .com"; dns.query; content:"panhardware.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"miwakosato.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026256; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to zupertech .com"; dns.query; content:"zupertech.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup)"; dns.query; content:"appuree.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026257; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to virtualdataserver .com"; dns.query; content:"virtualdataserver.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"appuree.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026258; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to digitalcollege .org"; dns.query; content:"digitalcollege.org"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup)"; dns.query; content:"esofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026259; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Grabber CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/datarecord/"; endswith; http.request_body; content:"username="; startswith; content:"&content=IP%3a+"; distance:0; fast_pattern; content:"%0a"; endswith; reference:md5,635b08c141465abf86eaec88391b5ee6; classtype:command-and-control; sid:2030599; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"esofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026260; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (thedoccloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".thedoccloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup)"; dns.query; content:"kaniel-outis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026261; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (incomeudpate .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".incomeupdate.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaniel-outis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026262; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (panhardware .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".panhardware.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup)"; dns.query; content:"mofa-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026263; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (freescanonline .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".freescanonline.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031365; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mofa-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026264; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (databasegalore .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".databasegalore.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031366; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup)"; dns.query; content:"arthursaito.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026265; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (highdatabase .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".highdatabase.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"arthursaito.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026266; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (websitetheme .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".websitetheme.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup)"; dns.query; content:"everyservices.space"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026267; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (zupertech .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".zupertech.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"everyservices.space"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026268; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (deftsecurity .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".deftsecurity.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup)"; dns.query; content:"karenwheeler.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026269; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dotm)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dotm; http.method; content:"GET"; http.uri; content:".dotm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; classtype:bad-unknown; sid:2031379; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_12_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"karenwheeler.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026270; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Googlebot/2.1|3b 20|+http|3a 2f 2f|www.google|2e|com/bot.html)"; bsize:72; http.request_body; content:"="; depth:25; content:"&"; distance:0; content:"="; distance:0; within:25; content:"=V2luZG93cy"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/pymicropsia/; classtype:trojan-activity; sid:2031371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup)"; dns.query; content:"moneymotion.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026271; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windows Explorer Tab Add-on Post Install Checkin"; flow:established,to_server; http.request_line; content:"POST /api HTTP/1.1"; bsize:18; http.request_body; content:"f=100&p=ew0KICAgIk0iOi"; startswith; fast_pattern; reference:md5,47d9aee3497bed660b640194dbab5879; classtype:pup-activity; sid:2031386; rev:2; metadata:created_at 2020_12_15, former_category ADWARE_PUP, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"moneymotion.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026272; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to solartrackingsystem .net"; dns.query; dotprefix; content:".solartrackingsystem.net"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031387; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup)"; dns.query; content:"aryastark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026273; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to webcodez .com"; dns.query; dotprefix; content:".webcodez.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031388; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aryastark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026274; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to lcomputers .com"; dns.query; dotprefix; content:".lcomputers.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031389; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup)"; dns.query; content:"exvsnomy.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026275; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to seobundlekit .com"; dns.query; dotprefix; content:".seobundlekit.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031390; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"exvsnomy.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026276; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to kubecloud .com"; dns.query; dotprefix; content:".kubecloud.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031391; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup)"; dns.query; content:"kate-austen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026277; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to globalnetworkissues .com"; dns.query; dotprefix; content:".globalnetworkissues.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031392; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kate-austen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026278; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (solartrackingsystem .net in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031393; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup)"; dns.query; content:"myboon.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026279; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031394; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"myboon.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026280; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031395; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup)"; dns.query; content:"aslaug-sigurd.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026281; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (seobundlekit .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031396; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aslaug-sigurd.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026282; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup)"; dns.query; content:"ezofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026283; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (globalnetworkissues .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"ezofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026284; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (solartrackingsystem .net)"; flow:established,to_client; tls.cert_subject; content:"CN=solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031380; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup)"; dns.query; content:"katesacker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026285; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (webcodez .com)"; flow:established,to_client; tls.cert_subject; content:"CN=webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031381; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"katesacker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026286; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (lcomputers .com)"; flow:established,to_client; tls.cert_subject; content:"CN=lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031382; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup)"; dns.query; content:"mygift.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026287; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit .com)"; flow:established,to_client; tls.cert_subject; content:"CN=seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031383; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026288; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (kubecloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031384; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup)"; dns.query; content:"assets-acc.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026289; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (globalnetworkissues .com)"; flow:established,to_client; tls.cert_subject; content:"CN=globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031385; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"assets-acc.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026290; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (panhardware .com)"; flow:established,to_client; tls.cert_subject; content:"CN=panhardware.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup)"; dns.query; content:"face-book-support.email"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026291; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com)"; flow:established,to_client; tls.cert_subject; content:"CN=deftsecurity.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI)"; flow:established,to_server; tls.sni; content:"face-book-support.email"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026292; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=thedoccloud.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup)"; dns.query; content:"katie.party"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026293; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com)"; flow:established,to_client; tls.cert_subject; content:"CN=virtualdataserver.com"; bsize:24; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI)"; flow:established,to_server; tls.sni; content:"katie.party"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026294; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com)"; flow:established,to_client; tls.cert_subject; content:"CN=incomeupdate.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup)"; dns.query; content:"mygift.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026295; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org)"; flow:established,to_client; tls.cert_subject; content:"CN=digitalcollege.org"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031342; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026296; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com)"; flow:established,to_client; tls.cert_subject; content:"CN=zupertech.com"; bsize:16; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup)"; dns.query; content:"bbc-learning.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026297; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com)"; flow:established,to_client; tls.cert_subject; content:"CN=databasegalore.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031354; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bbc-learning.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026298; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=freescanonline.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup)"; dns.query; content:"fasebcck.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026299; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (websitetheme .com)"; flow:established,to_client; tls.cert_subject; content:"CN=websitetheme.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebcck.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026300; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (highdatabase .com)"; flow:established,to_client; tls.cert_subject; content:"CN=highdatabase.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup)"; dns.query; content:"kik-com.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026301; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] Observed SUNBURST DGA Request"; dns.query; content:".appsync-api."; nocase; content:".avsvmcloud.com"; distance:9; within:15; endswith; nocase; fast_pattern; pcre:"/^[a-z0-9]+\.appsync-api\.(?:eu|us)-(?:ea|we)st-[12]\.avsvmcloud\.com$/"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031359; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kik-com.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026302; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031449; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup)"; dns.query; content:"namybotter.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026303; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"&"; http.request_body; content:"="; within:15; content:"|00 00 00 00 00 00|"; fast_pattern; isdataat:!1,relative; pcre:"/=[a-z0-9\(_~\-\.\x00]{300,}\x00$/i"; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.connection; content:"close"; depth:5; endswith; http.content_len; byte_test:0,>,300,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Content-Length|0d 0a|"; depth:36; reference:md5,6f5d2b42f4a74886ac3284fa9a414a87; classtype:command-and-control; sid:2031413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2021_02_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"namybotter.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026304; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Tombol Microsoft Account Phishing Landing 2020-12-16"; flow:established,to_client; file.data; content:"$('#password').keyup("; content:"$('#Tombol1').click("; distance:0; fast_pattern; content:"data: { u : email, p : password_v"; distance:0; classtype:social-engineering; sid:2031414; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup)"; dns.query; content:"bellamy-bob.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026305; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"baldwin-gonzalez.live"; depth:21; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"bellamy-bob.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026306; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d="; startswith; fast_pattern; content:"&v="; distance:0; content:"&t="; distance:0; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,d01bcca6255a4f062fc59a014f407532; reference:md5,2d459929135993959cacceb0dd81a813; classtype:command-and-control; sid:2031417; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)"; dns.query; content:"fasebock.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026307; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/en/?2"; startswith; fast_pattern; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; http.request_body; content:"f="; startswith; content:"&c="; distance:0; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&mi="; distance:0; content:"&t="; distance:0; content:"&txt="; distance:0; content:"&e=EOF"; endswith; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,2d459929135993959cacceb0dd81a813; reference:md5,d01bcca6255a4f062fc59a014f407532; classtype:command-and-control; sid:2031418; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebock.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026308; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031415; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup)"; dns.query; content:"kristy-milligan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026309; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031416; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"kristy-milligan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026310; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jaime-martinez.info"; depth:19; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup)"; dns.query; content:"namyyeatop.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026311; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"judystevenson.info"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"namyyeatop.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026312; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"robert-keegan.life"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup)"; dns.query; content:"bestbitloly.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026313; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"benyallen.club"; depth:14; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bestbitloly.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026314; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"chad-jessie.info"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup)"; dns.query; content:"fasebook.cam"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026315; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"escanor.live"; depth:12; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebook.cam"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026316; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"krasil-anthony.icu"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup)"; dns.query; content:"lagertha-lothbrok.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026317; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"nicoledotson.icu"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lagertha-lothbrok.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026318; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"samwinchester.club"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup)"; dns.query; content:"natemunson.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026319; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tatsumifoughtogre.club"; depth:22; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031409; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"natemunson.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026320; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (vgca.homeunix .org)"; dns.query; content:"vgca.homeunix.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031431; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup)"; dns.query; content:"billy-bones.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026321; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (office365.blogdns .com)"; dns.query; content:"office365.blogdns.com"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031432; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"billy-bones.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026322; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031429; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (up .jkc8 .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.aspx"; endswith; http.user_agent; content:"sjd32DSKJF9Ssf"; depth:14; fast_pattern; http.host; content:"up.jkc8.com"; http.header_names; content:!"Referer"; reference:md5,5a7526db56f812e62302912a1c20edd2; classtype:external-ip-check; sid:2026216; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031430; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in DNS Lookup)"; dns.query; content:"fasebookvideo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026339; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertrex20.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031419; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebookvideo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026340; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"gentexman37.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in DNS Lookup)"; dns.query; content:"leonard-kim.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026341; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertsp74.xyz"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leonard-kim.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026342; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"shopweb95.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031422; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in DNS Lookup)"; dns.query; content:"new.filetea.me"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026343; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"mexstat128.com"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"new.filetea.me"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026344; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"sdadvert197.com"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in DNS Lookup)"; dns.query; content:"bitgames.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026345; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.com"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"bitgames.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026346; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in DNS Lookup)"; dns.query; content:"fatehmedia.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026347; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.com"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"fatehmedia.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026348; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.xyz"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in DNS Lookup)"; dns.query; content:"leslie-barnes.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026349; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"&log=passwords|3a 20|"; depth:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leslie-barnes.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026350; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"************************"; depth:24; content:"************************"; distance:0; content:"************************"; distance:0; content:"username|3a 20|"; distance:0; content:"password|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in DNS Lookup)"; dns.query; content:"nightchat.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026351; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Nitol.K Variant CnC"; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; content:"Windows|20|"; distance:4; within:8; content:"|00|"; within:5; content:"|7c b4 ab b2 a5 7c|"; fast_pattern; reference:md5,56bff68317a0af08f749a1c717125cf3; classtype:command-and-control; sid:2022337; rev:4; metadata:created_at 2016_01_07, former_category MALWARE, updated_at 2020_12_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026352; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?A="; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/R"; http.header; content:"Accept-Language|3a 20|zh-TW"; http.header_names; content:"Referer|0d 0a|"; content:!"Cache"; reference:md5,344c04216840312cad17b6610b723825; classtype:command-and-control; sid:2025145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Randrew_A, performance_impact Low, signature_severity Major, updated_at 2020_12_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in DNS Lookup)"; dns.query; content:"black-honey.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026353; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; http.uri; content:".html"; pcre:"/^\/\d+?\/\d+?\.html$/i"; http.header; content:"From|3a| "; depth:6; pcre:"/^\d+?\r\n/Ri"; content:"Via|3a| "; content:!"1|2e|"; within:2; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:command-and-control; sid:2015786; rev:5; metadata:created_at 2012_10_10, former_category MALWARE, updated_at 2020_12_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"black-honey.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026354; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M5"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__io_r="; fast_pattern; http.cookie; content:"__io_r="; startswith; content:"|3b 20|__io_vl="; distance:0; content:"|3b 20|__io_bl="; distance:0; content:"|3b 20|Session_id="; distance:0; content:"|3b 20|__io_uniq="; distance:0; content:"|3b 20|__io_f="; isdataat:!38,relative; pcre:"/^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}\x3b\x20__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}\x3b\x20__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}\x3b\x20Session_id=[0-9A-F]{12}\x3b\x20__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}\x3b\x20__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; classtype:command-and-control; sid:2031298; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2020_12_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in DNS Lookup)"; dns.query; content:"firesky.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026355; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com)"; flow:established,to_server; tls.sni; dotprefix; content:".img565vv6.holdmydoor.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/; classtype:domain-c2; sid:2031439; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"firesky.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026356; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net)"; flow:established,to_server; tls.sni; dotprefix; content:".crashparadox.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031440; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in DNS Lookup)"; dns.query; content:"lets-see.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026357; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net)"; flow:established,to_server; tls.sni; dotprefix; content:".f15fwd322.regularhours.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031441; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"lets-see.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026358; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (bananakick .net)"; flow:established,to_server; tls.sni; content:"bananakick.net"; bsize:14; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031442; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in DNS Lookup)"; dns.query; content:"nightchat.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026359; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (stilloak .net)"; flow:established,to_server; tls.sni; content:"stilloak.net"; bsize:12; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031443; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-26"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&formtext1="; nocase; distance:0; content:"&formimage1.x=1&formimage1.y=1"; fast_pattern; nocase; distance:0; endswith; classtype:credential-theft; sid:2026412; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (flowersarrows .com)"; flow:established,to_server; tls.sni; content:"flowersarrows.com"; bsize:17; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031444; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026364; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031437; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_12_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup)"; dns.query; content:"bob-turco.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026365; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031438; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, signature_severity Major, updated_at 2020_12_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bob-turco.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026366; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> any any (msg:"ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logoimagehandler.ashx"; content:"clazz="; fast_pattern; content:"method="; content:"args="; content:"codes="; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect; reference:url,unit42.paloaltonetworks.com/solarstorm-supernova; classtype:trojan-activity; sid:2031436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_12_21, deployment Perimeter, former_category MALWARE, malware_family Solorigate, signature_severity Major, updated_at 2020_12_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup)"; dns.query; content:"flirtymania.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026367; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"https://bitbucket.org"; startswith; content:".exe"; endswith; classtype:bad-unknown; sid:2026515; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"flirtymania.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026368; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; http.stat_code; content:"3"; depth:1; http.location; content:"data|3a|"; fast_pattern; depth:5; classtype:misc-activity; sid:2015674; rev:6; metadata:created_at 2012_09_05, updated_at 2020_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup)"; dns.query; content:"lexi-branson.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026369; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?cmd=_update-information&account_bank="; nocase; fast_pattern; content:"&dispatch="; distance:32; within:10; nocase; http.content_len; byte_test:0,=,0,0,string,dec; classtype:social-engineering; sid:2024016; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lexi-branson.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026370; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish 2018-10-22"; flow:established,from_server; flowbits:isset,ET.Fedex_DHL_Phish; http.stat_code; content:"302"; http.location; content:"tracking2.php"; startswith; classtype:credential-theft; sid:2029667; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup)"; dns.query; content:"nissour-beton.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026371; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-14"; flow:from_server,established; flowbits:isset,ET.bofaphish; http.stat_code; content:"302"; http.location; content:".php?template="; fast_pattern; content:"&valid="; content:"&session="; pcre:"/\.php\?template=[^\r\n]+&valid=[^\r\n]+&session=[a-f0-9]{32,}$/i"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032710; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"nissour-beton.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026372; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?c="; fast_pattern; pcre:"/\.php\?c=[a-f0-9]{160}$/"; http.referer; content:".php?q="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021228; rev:4; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup)"; dns.query; content:"buymicrosft.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026373; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent in Referer Field - Likely Malware"; flow:established,to_server; http.referer; content:"Mozilla/4.0|20|"; startswith; classtype:trojan-activity; sid:2013423; rev:10; metadata:created_at 2011_08_18, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"buymicrosft.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026374; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.content_len; byte_test:0,=,0,0,string,dec; http.header; content:"location|3a 20|"; fast_pattern; content:"|2f 3f|"; distance:32; within:2; content:"|0d 0a|"; distance:32; within:2; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2024008; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup)"; dns.query; content:"freya.miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026375; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check (2)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/timezone/0/0"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:"www.earthtools.org"; bsize:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/09/09/index.html; classtype:trojan-activity; sid:2020491; rev:10; metadata:created_at 2015_02_20, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"freya.miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026376; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks GET Request"; flow:established,to_server; urilen:4; http.method; content:"GET"; http.uri; content:"/dll"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/08/01/index3.html; classtype:trojan-activity; sid:2019138; rev:6; metadata:created_at 2014_09_08, updated_at 2020_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup)"; dns.query; content:"lincoln-blake.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026377; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zeprox.B Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a=n|60|e|3e|"; fast_pattern; http.header; content:"Proxy-Connection|3a|"; http.header_names; content:!"Referer|0d 0a|"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,bc27f28e5fe47b78202fd3108d39aac1; reference:md5,38c89cca7806fde08bba82b3cb533e5a; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32/Zeprox.B; classtype:command-and-control; sid:2020203; rev:8; metadata:created_at 2015_01_16, former_category MALWARE, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lincoln-blake.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026378; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"coms.documentmeda.com"; nocase; bsize:21; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031446; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup)"; dns.query; content:"octavia-blake.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026379; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"freenow.chickenkiller.com"; nocase; bsize:25; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031447; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"octavia-blake.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026380; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PhantomNet/Smanager CnC)"; flow:established,to_client; tls.cert_subject; content:"C=AU, ST=Hello, L=China, O=Microsoft, OU=dirweb, CN=secfire/emailAddress=iunkown1987@gmail.com"; bsize:94; fast_pattern; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031448; rev:1; metadata:attack_target Client_and_Server, created_at 2020_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup)"; dns.query; content:"camilleoconnell.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026381; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT LuckyMouse BlueTraveller CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/home/"; startswith; pcre:"/^[0-9]{4}\/[0-9]{4}\/[^\r\n]+(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; pcre:"/Cache-Control\r\n(?:\r\n|Cookie\r\n\r\n)$/"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031316; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Moderate, signature_severity Major, updated_at 2020_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"camilleoconnell.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026382; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,9000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:96; reference:md5,73f8864c7dfee8445205d0d233f20707; classtype:trojan-activity; sid:2035076; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_12_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup)"; dns.query; content:"geny-wise.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026383; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031453; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"geny-wise.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026384; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in TLS SNI (mobilnweb .com)"; flow:established,to_server; tls.sni; content:"mobilnweb.com"; bsize:13; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup)"; dns.query; content:"lindamullins.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026385; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in DNS Query"; dns_query; content:"mobilnweb.com"; nocase; depth:13; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lindamullins.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026386; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sephardimension .com)"; dns.query; content:"sephardimension.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031454; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup)"; dns.query; content:"olivia-hartman.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026387; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (besaintegration .com)"; dns.query; content:"besaintegration.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031455; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"olivia-hartman.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026388; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (dmnadmin .com)"; dns.query; content:"dmnadmin.com"; nocase; bsize:12; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031456; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup)"; dns.query; content:"caroline-nina.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026389; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sendbits .m2stor4ge .xyz)"; dns.query; content:"sendbits.m2stor4ge.xyz"; nocase; bsize:22; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031457; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"caroline-nina.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026390; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (myrric-uses .singlejets .com)"; dns.query; content:"myrric-uses.singlejets.com"; nocase; bsize:26; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031458; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup)"; dns.query; content:"gmailservice.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026391; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"securebestapp20.com"; bsize:19; fast_pattern; reference:md5,222792d2e75782516d653d5cccfcf33b; classtype:domain-c2; sid:2032958; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category MALWARE, malware_family DarkSide, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_12_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmailservice.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026392; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT PurpleFox EK Domain in DNS Lookup"; dns.query; content:"rawcdn.githack.cyou"; nocase; bsize:19; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:domain-c2; sid:2031461; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup)"; dns.query; content:"liz-keen.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026393; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/up.php?key="; startswith; bsize:13; fast_pattern; pcre:"/^\d$/R"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"liz-keen.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026394; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"/?key="; fast_pattern; pcre:"/^[A-F0-9]{16}$/R"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"/?key="; within:400; pcre:"/^[A-F0-9]{16}\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031463; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup)"; dns.query; content:"oriential.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026395; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Jpg Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; content:".jpg"; endswith; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-zA-Z0-9]{16}\/[a-f0-9]{40}\/[a-zA-Z0-9]+\.jpg$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2031466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"oriential.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026396; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /update HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031464; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup)"; dns.query; content:"cassy-gray.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026397; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /banner HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031465; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"cassy-gray.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026398; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE NuggetPhantom Module Download Request"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:".moe"; endswith; fast_pattern; pcre:"/^\/[a-fA-F0-9]{8}\.moe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf; classtype:command-and-control; sid:2031467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup)"; dns.query; content:"graceygretchen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026399; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0; content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031468; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"graceygretchen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026400; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"Cookie|3a 20|dkv="; fast_pattern; http.cookie; content:"dkv="; startswith; content:"|3b|YSC="; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; http.header_names; content:!"Referer"; content:!"Content-Type"; http.request_body; content:"DQpIb3N0IE5hbWU6"; startswith; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:command-and-control; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup)"; dns.query; content:"login-yohoo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026401; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in TLS SNI (cs .lg22l .com)"; flow:established,to_server; tls.sni; content:"cs.lg22l.com"; bsize:12; reference:md5,774419bb738a2a4fa18aacee88850d2c; classtype:domain-c2; sid:2031469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_31;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"login-yohoo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026402; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Simple Bot"; flow:established,to_server; http.user_agent; content:"Simple Bot v"; startswith; fast_pattern; reference:md5,3cf04350400299844abb17a0e1640975; classtype:bad-unknown; sid:2031471; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_12_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup)"; dns.query; content:"ososezo.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026403; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Azula Logger CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=azula+logger&avatar_url="; startswith; fast_pattern; reference:md5,7ad3777dfb916150e21e9414dd24c1da; reference:url,github.com/CythosaSec/Azula-Logger; classtype:command-and-control; sid:2031470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_31;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026404; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mykessef .com)"; dns.query; content:"mykessef.com"; nocase; bsize:12; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031474; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup)"; dns.query; content:"cecilia-dobrev.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026405; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mihannevis .com)"; dns.query; content:"mihannevis.com"; nocase; bsize:14; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-dobrev.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026406; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (idtpl .org)"; dns.query; content:"idtpl.org"; nocase; bsize:9; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031476; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup)"; dns.query; content:"hareyupnow.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026407; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"hareyupnow.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026408; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup)"; dns.query; content:"lord-varys.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026409; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA1C Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?REQ="; fast_pattern; content:"&ID="; distance:0; http.user_agent; content:"|29 20|WindowsPowerShell/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,b100f0ab63a2b74a5d5ff54d533fc60f; classtype:trojan-activity; sid:2031477; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lord-varys.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026410; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.uri; content:"?i=7B226964223A22"; nocase; fast_pattern; content:"222C2268776964223A22"; nocase; distance:0; content:"227D"; nocase; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; reference:md5,a9c8b293fdb84ceb9478f8043ff19b71; classtype:trojan-activity; sid:2031481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2018-09-27 M2"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:".php?Email="; nocase; fast_pattern; content:"@"; distance:0; classtype:credential-theft; sid:2029666; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_16;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XSL file download (FTP)"; flow:established,to_server; content:"RETR|20|/frog/usoprive.xsl"; fast_pattern; reference:md5,dd0124264f131a203ecfc70314dcec04; reference:url,asec.ahnlab.com/ko/19439/; classtype:trojan-activity; sid:2031482; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)"; flow:to_server,established; flowbits:set,ET.000webhostpost; flowbits:noalert; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:misc-activity; sid:2026420; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ElectroRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|go-resty/"; content:"|20|(https|3a|//github.com/go-resty/resty)|0d 0a|"; distance:0; within:50; http.request_body; content:"{|22|id|22 3a 22|"; depth:7; content:"|22 2c 22|mac_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os_version|22 3a 22|"; nocase; fast_pattern; distance:0; content:"|22 2c 22|user_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os|22 3a 22|"; nocase; distance:0; http.header_names; content:!"Referer"; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK SWF Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; content:".swf"; distance:26; within:4; endswith; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.swf$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; content:"x-flash-version|3a 20|"; http.referer; pcre:"/^.+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.cookie; content:"token="; depth:6; fast_pattern; pcre:"/^[a-f0-9]{32}$/Ri"; classtype:exploit-kit; sid:2026426; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_09_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Screenshot)"; flow:established,from_server; content:"{|22|type|22 3a 22|Screenshot|22 2c 22|uid|22 3a|"; offset:2; depth:27; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031479; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (curl53)"; flow:established,to_server; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:trojan-activity; sid:2026428; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Get folder content)"; flow:established,from_server; content:"{|22|type|22 3a 22|Get folder content|22 2c 22|uid|22 3a|"; offset:2; depth:35; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031480; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VPNFilter htpx Module C2 Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; http.header_names; content:"Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:command-and-control; sid:2026429; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat Backdoor Checkin"; flow:established,to_server; http.request_line; content:"GET /users.php?"; startswith; fast_pattern; pcre:"/^(?:resp|onl|pr)=/R"; content:"|3a|windows|20|"; distance:0; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; reference:md5,dae90ae7fe103fc7e1866b4e13389101; classtype:command-and-control; sid:2031486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.TW Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.tw"; endswith; classtype:credential-theft; sid:2026430; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat CnC Acitivty M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/execuser.php?login="; startswith; fast_pattern; content:"&pass="; content:"&user="; http.user_agent; content:"Java/"; startswith; reference:url,malwaretips.com/threads/jphp-icerat-analysis.105233/; reference:md5,5e864667d91e3867a29df90dbcadb6b2; classtype:command-and-control; sid:2031487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns.query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026432; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, signature_severity Major, tag APT37, tag Reaper, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031483; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?MachineId="; content:"&InfoSo="; distance:0; content:"&Index="; distance:0; content:"&Account="; distance:0; content:"&List="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Host|20|Process|20|Update"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026431; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, performance_impact Low, signature_severity Major, tag APT37, tag ReaperGroup, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031484; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Malformed Double Accept Header"; flow:established,to_server; http.user_agent; content:!"-DRM"; http.host; content:!"buhphone.ru"; content:!"www.backupmaker.com"; content:!"ati.com"; content:!"amd.com"; endswith; http.accept; content:"Accept|3a 20|"; fast_pattern; reference:url,doc.emergingthreats.net/2008975; classtype:policy-violation; sid:2008975; rev:18; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv2 Used in Session"; flow:to_server,established; ssl_version:sslv2;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031488; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup)"; dns.query; content:"ososezo.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026442; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv3 Used in Session"; flow:to_server,established; ssl_version:sslv3;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031489; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026443; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.1 Used in Session"; flow:to_server,established; tls.version:1.1;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031490; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup)"; dns.query; content:"cecilia-gilbert.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026444; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.0 Used in Session"; flow:to_server,established; tls.version:1.0;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031491; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-gilbert.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026445; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; pcre:"/(localhost|127\.0\.0\.1)/W"; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup)"; dns.query; content:"harper-monty.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026446; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"client=ssh"; fast_pattern; content:"ssh_priv="; content:"%20"; distance:0; reference:cve,CVE-2020-16846; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2031495; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_16846, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"harper-monty.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026447; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Instagram Phishing or Scam Landing Page"; flow:established,to_client; file.data; content:"lnstagram"; nocase; fast_pattern; within:1000; content:"</title>"; within:50; nocase; classtype:social-engineering; sid:2031493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_01_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup)"; dns.query; content:"lyanna-stark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026448; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.ULH CnC Activity"; flow:established,to_server; http.start; content:"GET /swidget/d23r523t4id HTTP/1.1|0d 0a|Host|3a 20|whos.amung.us|0d 0a 0d 0a|"; bsize:58; fast_pattern; reference:md5,2679be8b6b76fb765191c9854af39e9f; classtype:command-and-control; sid:2031496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lyanna-stark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026449; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17132)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ecp/DLPPolicy/ManagePolicyFromISV.aspx"; startswith; http.request_body; content:"ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; content:"[Diagnostics.Process]::start|28|"; distance:0; reference:cve,CVE-2020-17132; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-17132/CVE-2020-17132.rules; reference:cve,2020-17132; classtype:attempted-admin; sid:2031506; rev:2; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17132, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup)"; dns.query; content:"parrotchat.co"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026450; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC"; flow:established,to_server; http.request_line; content:"POST //"; depth:7; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&cred="; fast_pattern; distance:0; content:"|7c|"; within:10; pcre:"/^id=\d+&cred=[a-z]+\x7c/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ca467e332368cbae652245faa4978aa4; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/; classtype:command-and-control; sid:2031498; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_01_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"parrotchat.co"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026451; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> any any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17141)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; startswith; http.request_body; content:"<m:RouteComplaint|20|"; content:"<m:Data>"; distance:0; base64_decode:bytes 300, offset 0, relative; base64_data; content:"<!DOCTYPE"; content:"SYSTEM"; distance:0; reference:cve,CVE-2020-17141; reference:cve,2020-17141; classtype:web-application-attack; sid:2031507; rev:1; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17141, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup)"; dns.query; content:"cerseilannister.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026452; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET INFO PHP Xdebug Extension Query Parameter (XDEBUG_SESSION_START)"; flow:established,to_server; http.uri; content:"?XDEBUG_SESSION_START="; classtype:web-application-activity; sid:2031499; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"cerseilannister.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026453; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Spring Boot Actuator Health Check Request"; flow:established,to_server; http.uri; content:"/actuator/health"; endswith; classtype:web-application-activity; sid:2031500; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup)"; dns.query; content:"harrykane.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026454; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Netlink GPON Login Attempt (GET)"; flow:established,to_server; http.uri; content:"/boaform/admin/formLogin"; fast_pattern; content:"username="; content:"psd="; classtype:attempted-admin; sid:2031501; rev:2; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"harrykane.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026455; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ElegyRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=ElegyRAT Server"; fast_pattern; endswith; tls.cert_issuer; content:"CN=ElegyRAT Server"; endswith; reference:md5,a24cae9f6cf137e0e72817a1879f0acf; classtype:domain-c2; sid:2031497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, malware_family ElegyRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup)"; dns.query; content:"mail-accout.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026456; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Request to Hidden Environment File"; flow:established,to_server; http.uri; content:"/.env"; endswith; classtype:misc-attack; sid:2031502; rev:1; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-accout.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026457; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Liferay JSON Web Services Invoker"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/invoke"; http.content_type; content:"application/json"; classtype:web-application-activity; sid:2031503; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup)"; dns.query; content:"pmi-pna.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026458; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Apache Solr System Information Request"; flow:established,to_server; http.uri; content:"/solr/admin/info/system"; classtype:web-application-activity; sid:2031504; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pmi-pna.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026459; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML"; flow:established,to_server; http.uri; content:"/wp-includes/wlwmanifest.xml"; threshold: type both, track by_src, count 4, seconds 8; classtype:network-scan; sid:2031505; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_01_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:command-and-control; sid:2026467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Attempted Executable Drop via VBScript"; flow:established,to_client; file.data; content:"<SCRIPT Language=VBScript"; nocase; content:"DropFileName"; nocase; within:100; content:".exe"; within:100; nocase; content:"WriteData =|20 22|4D5A"; nocase; within:100; fast_pattern; classtype:trojan-activity; sid:2031508; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_01_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowswsusonline.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:command-and-control; sid:2026468; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (bald-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"bald-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (weekendstrips .net)"; dns.query; content:"weekendstrips.net"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (hawkshaw-cae48 .firebaseio .com in DNS Lookup)"; dns_query; content:"hawkshaw-cae48.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031510; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (shelves-design .com)"; dns.query; content:"shelves-design.com"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (spitfirepanel .firebaseio .com in DNS Lookup)"; dns_query; content:"spitfirepanel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031511; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware Start Activity 1"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|Begin"; distance:0; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category TROJAN, malware_family Kraken_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (phoenix-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"phoenix-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031512; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|StartU"; distance:0; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aStartU$/"; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2026472; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category TROJAN, malware_family Kraken_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup"; dns.query; content:"sery.brushupdata.com"; nocase; bsize:20; reference:url,twitter.com/KorbenD_Intel/status/1346193938277949443; reference:md5,a587a2af22c7e18a0260cab5c06d980d; classtype:domain-c2; sid:2031520; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M2 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026475; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SocEng, tag CoinMinerCampaign, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031513; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)"; dns.query; content:"chat-often.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026476; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031514; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"chat-often.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026477; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Kryptos Logic"; flow:to_client,established; file.data; content:"<title>Sinkholed by Kryptos Logic"; fast_pattern; content:"<h1>Sinkholed!</h1><p>This domain has been sinkholed"; distance:0; classtype:misc-activity; sid:2031515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in DNS Lookup)"; dns.query; content:"harvey-ross.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026478; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MassLogger)"; flow:established,to_client; tls.cert_subject; content:"CN=bestpccare.best"; bsize:18; fast_pattern; reference:url,twitter.com/jorgemieres/status/1306608136623718401; classtype:domain-c2; sid:2031521; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_13, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"harvey-ross.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026479; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Qihoo360.J Variant Install Report"; flow:established,to_server; http.request_line; content:"POST /v1/client/report"; startswith; fast_pattern; http.request_body; content:"|5b 7b 22|action|22 3a 22|"; startswith; content:"|22 2c 22|device|5f|id|22 3a 22|"; distance:0; reference:md5,93dc18be56153f41fd1e12b686cca9fe; classtype:pup-activity; sid:2031522; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_13, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_01_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)"; dns.query; content:"mail-goog1e.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026480; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1"; flow:established,to_server; tls.sni; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; content:!".nicovideo.jp"; isdataat:!1,relative; content:!"strib-covid-data.s3.amazonaws.com"; isdataat:!1,relative; classtype:bad-unknown; sid:2029707; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2021_01_13;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-goog1e.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026481; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Password - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031523; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)"; dns.query; content:"pml-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026482; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"pass="; nocase; depth:5; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"pml-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026483; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Key Exchange Request"; flow:established,to_server; dsize:28; stream_size:client,=,29; content:"|24 01 00 00 00 00 00 00 00 00 00 00|"; startswith; classtype:command-and-control; sid:2034465; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category MALWARE, malware_family Danabot, signature_severity Major, updated_at 2021_01_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)"; dns.query; content:"christopher.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026484; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ITW Android Post-Exploit Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api2/v9/pass"; bsize:13; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; reference:url,googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html; classtype:command-and-control; sid:2031525; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"christopher.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026485; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; http.header_names; content:!"Referer"; http.host; content:!".webex.com"; endswith; classtype:trojan-activity; sid:2017259; rev:15; metadata:created_at 2013_07_31, updated_at 2021_01_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Fake 404 Response"; flow:established,to_client; flowbits:isset,ET.xls.dde.drop; http.stat_code; content:"200"; file.data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; endswith; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_16;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible NTFS Index Attribute Corruption Vulnerability"; flow:established; file_data; content:"|63 3a 5c 3a 24 69 33 30 3a 24 62 69 74 6d 61 70|"; classtype:attempted-admin; sid:2031526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_15, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Informational, updated_at 2021_01_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 10)"; flow:to_server,established; http.user_agent; content:"Windows 10"; depth:10; http.host; content:!"google-analytics.com"; endswith; classtype:bad-unknown; sid:2026521; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/checkupdate.js?id="; startswith; fast_pattern; content:"&token="; distance:0; content:"&platform="; distance:0; reference:url,github.com/BenChaliah/Arbitrium-RAT/; classtype:command-and-control; sid:2031528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious EXE Download Content-Type image/jpeg"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; flowbits:set,ET.http.binary; http.content_type; content:"image/jpeg"; depth:10; endswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:policy-violation; sid:2026537; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT Observed User-Agent (JustKidding)"; flow:established,to_server; http.user_agent; content:"JustKidding"; bsize:11; reference:url,github.com/BenChaliah/Arbitrium-RAT; classtype:command-and-control; sid:2031529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/"; depth:9; content:"/true/true/done"; distance:0; fast_pattern; endswith; http.user_agent; content:"WinHttp.WinHttpRequest."; http.header_names; content:"Referer"; content:!"Cache"; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag VBS, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] DeDeCMS RFI Attempt"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data"; http.uri; content:"/select_soft_post.php"; nocase; http.request_body; content:"cfg_basedir"; nocase; content:"uploadfile"; nocase; content:"upload"; nocase; reference:cve,2010-1097; reference:url,www.exploit-db.com/exploits/33685; classtype:attempted-admin; sid:2031527; rev:2; metadata:created_at 2021_01_19, former_category EXPLOIT, updated_at 2021_01_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls.sni; content:"samwinchester.club"; endswith; nocase; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FFDroider CnC Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/poe.php?e="; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d5b7b65cd6e3fa8c8ac4ebe39bb5ffef; reference:url,www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users; classtype:trojan-activity; sid:2035795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.uri; content:"/api/hazard/"; depth:12; fast_pattern; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026547; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/WizardUpdate Domain in TLS SNI ( .dlvplayer .com)"; flow:established,to_server; tls.sni; content:".dlvplayer.com"; endswith; reference:md5,6a76ee693b3d43ed385ce4b930fe3e30; classtype:domain-c2; sid:2031530; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"common|20|soon"; depth:11; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WizardUpdate CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/checknew"; nocase; endswith; http.request_body; content:"{|22|machine_id|22 3a 20 22|"; depth:16; content:"|22 2c 20 22|model_name|22 3a 20 22|"; fast_pattern; distance:0; content:"|22 2c 20 22|os|22 3a 20 22|"; distance:0; content:"|22 2c 20 22|os_version|22 3a 20 22|"; distance:0; content:"|22 2c 20 22|model_ident"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a76ee693b3d43ed385ce4b930fe3e30; classtype:trojan-activity; sid:2031531; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"loub"; depth:4; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Freakout IRC Checkin"; flow:established,to_server; content:"NICK|20|[HAX|7c|"; depth:10; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; classtype:command-and-control; sid:2031534; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; fast_pattern; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST /info/"; startswith; fast_pattern; pcre:"/(?:retdl|fb|step) HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"info="; startswith; content:!"&"; reference:md5,acd347a1839ee422d9393a09b5302ea2; classtype:command-and-control; sid:2031927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware Initial Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?check$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/zend3/public/"; bsize:14; fast_pattern; http.request_body; content:"zend"; nocase; content:"validator"; nocase; distance:0; content:"callback"; nocase; distance:0; content:"file_put_contents"; nocase; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2021-3007; classtype:attempted-admin; sid:2031536; rev:1; metadata:created_at 2021_01_22, cve CVE_2021_3007, updated_at 2021_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?servers"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?servers$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026542; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A MalDoc Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{6,16}-(?:pro|xl2|us1)$/s"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Connection"; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded from Discord"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; http.uri; content:"/attachments/"; startswith; fast_pattern; pcre:"/^[0-9]{18}\/[0-9]{18}\/[a-zA-Z0-9]{5,7}$/R"; reference:md5,1ef671ebe0e5efd44cf05c630fbe9cb5; classtype:policy-violation; sid:2031083; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish to zap-webspace.com Webhost 2018-10-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".zap-webspace.com"; endswith; fast_pattern; classtype:credential-theft; sid:2026553; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_16;)
+alert http any any -> any any (msg:"ET EXPLOIT Suspected SAP EEM SOLMAN RCE (CVE-2020-6207)"; flow:established,to_server; http.uri; content:"/EemAdminService/EemAdmin"; startswith; fast_pattern; http.request_body; content:"getruntime|28 29 2e|exec"; nocase; content:"processbuilder|28|"; nocase; reference:url,github.com/chipik/SAP_EEM_CVE-2020-6207; classtype:attempted-admin; sid:2031546; rev:1; metadata:created_at 2021_01_25, cve CVE_2020_6207, former_category EXPLOIT, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (IEhook)"; flow:established,to_server; http.user_agent; content:"IEhook"; depth:6; endswith; fast_pattern; reference:md5,f0483493bcb352bd2f474b52f3b2f273; classtype:trojan-activity; sid:2026558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/jarrewrite.sh"; endswith; fast_pattern; http.user_agent; content:"|28 29 20 7b|"; reference:url,darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/; reference:cve,2014-6271; classtype:attempted-admin; sid:2031543; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Container"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/containers/create"; endswith; http.user_agent; content:"Docker-Client"; depth:13; fast_pattern; http.request_body; content:"|7b 22|Hostname|22 3a 22|"; depth:13; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2026561; rev:4; metadata:attack_target Server, created_at 2018_10_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [401TRG] SUNBURST Related DNS Lookup to infinitysoftwares .com"; dns.query; content:"infinitysoftwares.com"; nocase; endswith; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/red/info.php"; depth:13; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (infinitysoftwares .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"infinitysoftwares.com"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"EXIT|3b|"; depth:5; fast_pattern; endswith; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (infinitysoftwares .com)"; flow:established,to_client; tls.cert_subject; content:"CN=infinitysoftwares.com"; bsize:24; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; content:".DAT|22 3b 0d 0a|"; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:command-and-control; sid:2026559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category MALWARE, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [401TRG] SUNBURST Related DNS Lookup to bigtopweb .com"; dns.query; content:"bigtopweb.com"; nocase; endswith; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?dns="; fast_pattern; pcre:"/^[a-f0-9]{8}$/Rs"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (bigtopweb .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigtopweb.com"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; fast_pattern; content:"&i="; distance:0; content:"&p="; distance:0; pcre:"/\.aspx\?m=[A-F0-9]{3,40}&i=[A-F0-9]{3,40}&p=[A-F0-9]{3,40}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; endswith; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/ja/2018/10/tscookie-1.html; classtype:command-and-control; sid:2026568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_01, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (bigtopweb .com)"; flow:established,to_client; tls.cert_subject; content:"CN=bigtopweb.com"; bsize:16; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/WellMess CnC Activity"; flow:established,to_server; content:"+++|0d 0a|"; fast_pattern; urilen:1; http.method; content:"POST"; http.cookie; content:"+++"; endswith; http.request_body; pcre:"/^(?:[\x3a\x2c\x2e]?[A-Za-z0-9]{1,8}[\x3a\x2c\x2e]?[\x3a\x2c\x2e]?\s*){50,}$/si"; http.header_names; content:!"Referer"; reference:md5,861879f402fe3080ab058c0c88536be4; reference:url,ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf; classtype:trojan-activity; sid:2030534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, malware_family WellMess, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Sysn.cdjy CnC Activity"; flow:established,to_server; http.uri; content:".php?logik="; content:".txt&info=Time|3a|"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; reference:md5,9842e0a710a5b820f6ceb687fa079721; classtype:command-and-control; sid:2031544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/GPlayed (sub1 .tdsworker .ru in DNS Lookup)"; dns.query; content:"sub1.tdsworker.ru"; endswith; reference:url,blog.talosintelligence.com/2018/10/gplayerbanker.html; classtype:trojan-activity; sid:2026566; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_11_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GPlayed, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Silver"; bsize:9; fast_pattern; tls.cert_issuer; content:"CN=Silver"; bsize:9; reference:md5,949f4223f86d23ec243d1e23dd0a28c9; reference:url,twitter.com/reecdeep/status/1345411411829260289; classtype:domain-c2; sid:2031545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET to Puu.sh for TXT File with Minimal Headers"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".txt"; nocase; endswith; http.host; content:"puu.sh"; depth:6; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2026569; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (angeldonationblog .com)"; flow:established,to_client; tls.cert_subject; content:"CN=angeldonationblog.com"; bsize:24; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031548; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/putty.exe"; nocase; endswith; http.host; content:!"the.earth.li"; classtype:bad-unknown; sid:2026570; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (codevexillium .org)"; flow:established,to_server; tls.sni; content:"codevexillium.org"; bsize:17; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031549; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?anti="; content:"&cliname="; distance:0; fast_pattern; http.accept; content:"*/*"; endswith; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:targeted-activity; sid:2026575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (investbooking .de)"; flow:established,to_client; tls.cert_subject; content:"CN=investbooking.de"; bsize:19; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031550; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; flowbits:set,ET.APT33CharmingKitten.1; http.method; content:"GET"; http.uri; content:"/images/static/content/"; depth:23; fast_pattern; endswith; http.header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (krakenfolio .com)"; flow:established,to_server; tls.sni; content:"krakenfolio.com"; bsize:15; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031551; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns.query; content:"mynetwork.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026573; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (opsonew3org .sg)"; flow:established,to_client; tls.cert_subject; content:"CN=opsonew3org.sg"; bsize:17; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031552; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns.query; content:"mypsh.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026574; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transferwiser .io)"; flow:established,to_server; tls.sni; content:"transferwiser.io"; bsize:16; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031553; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 12"; flow:established,to_server; urilen:<6; http.method; content:"POST"; http.uri; content:"/"; endswith; content:!"."; content:!"&"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; depth:2; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:command-and-control; sid:2026555; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transplugin .io)"; flow:established,to_server; tls.sni; content:"transplugin.io"; bsize:14; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031554; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArrobarLoader CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; fast_pattern; http.request_body; content:"0"; endswith; http.header_names; content:!"Referer"; content:!"Cache"; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:command-and-control; sid:2026528; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category MALWARE, malware_family ArrobarLoader, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (rninhsss .com)"; dns.query; content:"www.rninhsss.com"; nocase; bsize:16; reference:md5,3dbf62639a63001daee68b25fadf4f10; classtype:domain-c2; sid:2031555; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magento.si-shell.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST to Wordpress Folder - Possible Successful Banking Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; http.request_body; content:"pin="; depth:4; fast_pattern; classtype:credential-theft; sid:2031547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category HUNTING, signature_severity Major, tag Phishing, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlinestatus.site"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle WebLogic JNDI Injection RCE Attempt (CVE-2021-2109)"; flow:established,to_server; http.uri; content:"/consolejndi.portal?"; content:"_pageLabel=JNDIBindingPageGeneral"; content:"_nfpb=true"; content:"JNDIBindingPortletHandle=com.bea.console.handles.JndiBindingHandle("; content:"ldap|3a 2f 2f|"; distance:0; within:20; content:"|3b|AdminServer"; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw; reference:cve,2021-2109; reference:url,packetstormsecurity.com/files/161053/Oracle-WebLogic-Server-14.1.1.0-Remote-Code-Execution.html; classtype:attempted-user; sid:2031532; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_20, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=s3-us-west.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (dexercisep .com)"; dns.query; content:"www.dexercisep.com"; nocase; bsize:18; reference:md5,cd14c71626f022781cfd2192bd8b454e; classtype:domain-c2; sid:2031556; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=maxijs.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (blog .br0vvnn .io)"; flow:established,to_server; tls.sni; content:"blog.br0vvnn.io"; bsize:15; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031557; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=allacarts.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/upload/upload.php HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031558; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=googiecloud.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026596; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/download/download.asp HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031559; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=braintform.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026597; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/upload/upload.asp HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031560; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlineshopsecurity.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026598; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 Remote AT Scheduled Job Create Request"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00|a|00|t|00|s|00|v|00|c|00|"; distance:0; content:!"|00|c|00|r|00|y|00|p|00|t|00|c|00|a|00|t|00|s|00|v|00|c|00|"; classtype:bad-unknown; sid:2025713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2021_01_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magecreativetech.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026599; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover"; nocase; http.request_body; content:"<!DOCTYPE"; depth:50; content:"file:///etc/passwd"; distance:0; fast_pattern; content:"<EMailAddress>"; content:"<AcceptableResponseSchema>"; reference:url,www.exploit-db.com/exploits/46967; reference:url,packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html; reference:cve,2019-9621; reference:cve,2021-2109; classtype:attempted-user; sid:2031562; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=busnguard.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026600; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E"; fast_pattern; reference:url,www.kb.cert.org/vuls/id/520827; reference:cve,2012-2311; classtype:attempted-user; sid:2031563; rev:1; metadata:affected_product PHP, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2012_2311, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cloud-privacy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:trojan-activity; sid:2026601; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Image"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"images/create?fromImage="; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2031584; rev:2; metadata:attack_target Server, created_at 2021_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2021_01_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/upload.cfm?action=upload"; nocase; fast_pattern; endswith; reference:cve,2018-15961; reference:url,volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-user; sid:2026604; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag CVE_2018_15961, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeamTNT Gattling Gun AWS Creds Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/incoming/access_data/aws.php"; endswith; fast_pattern; reference:url,www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques; reference:url,twitter.com/Suprn8/status/1349938276623384576; classtype:command-and-control; sid:2031585; rev:2; metadata:attack_target Client_and_Server, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JunkMiner Downloader Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Microsoft Windows"; depth:17; fast_pattern; endswith; http.request_body; content:"&JSONQUERY="; depth:11; content:"&SHA1="; distance:0; content:"&SHA2="; distance:0; content:"&SHA3="; distance:0; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026608; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_14, deployment Perimeter, former_category MALWARE, malware_family JunkMiner, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeamTNT Gattling Gun CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".borg.wtf"; nocase; endswith; reference:url,www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques; reference:url,twitter.com/Suprn8/status/1349938276623384576; classtype:domain-c2; sid:2031586; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Mystery Baby syschk CnC Communication"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = -------- 1650502037"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/m/1963; classtype:command-and-control; sid:2026614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Sending Docker Swarm Join Command"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/swarm/join"; endswith; http.request_body; content:"|7b 22|ListenAddr|22 3a 22|"; startswith; content:"|22|RemoteAddrs|22 3a 5b 22|"; content:"|2c 22|JoinToken|22 3a 22|"; http.header_names; content:!"Referer"; reference:url,github.com/Caprico1/Docker-Botnets/commit/bbfd65fce31d74bfa798e00a2c918022a45d211a; classtype:trojan-activity; sid:2031587; rev:2; metadata:attack_target Server, created_at 2021_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2021_01_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Inject Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=opzioni.at"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2026615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sn0wsLogger CnC Exfil M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|RestSharp/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22 0d 0a 0d 0a|token_"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|name|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|text|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,644038dbb036d00f45969afb7992e762; classtype:trojan-activity; sid:2031582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, malware_family Sn0wsLogger, signature_severity Major, updated_at 2021_01_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"scsnewstoday.com"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026611; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sn0wsLogger CnC Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|RestSharp/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:"-payment.txt|22 0d 0a|"; within:40; fast_pattern; http.header_names; content:!"Referer"; reference:md5,644038dbb036d00f45969afb7992e762; classtype:trojan-activity; sid:2031583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, malware_family Sn0wsLogger, signature_severity Major, updated_at 2021_01_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"thyssenkrupp-marinesystems.org"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026612; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Magecart/Skimmer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=google-conversion.com"; bsize:24; fast_pattern; reference:url,twitter.com/jeromesegura/status/1354598447022653442; classtype:domain-c2; sid:2031593; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2021_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT29 Domain in DNS Lookup (pandorasong .com)"; dns.query; content:"pandorasong.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT29, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible KLOG Server RCE Inbound (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|"; startswith; content:"%22%26"; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031590; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hades APT Domain in DNS Lookup (findupdatems .com)"; dns.query; content:"findupdatems.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag HadesAPT, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS KLOG Server RCE Public POC Inbound - Possible Scanning (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|unsafe+"; startswith; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031591; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkGate CNC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ET.DarkGate.1; http.method; content:"POST"; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; endswith; fast_pattern; http.request_body; content:"id="; depth:3; content:"&data="; distance:0; content:"&action="; distance:0; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/"; http.request_body; content:".c3p0.WrapperConnectionPoolDataSource"; fast_pattern; content:"&defaultData.userOverridesAsString=HexAsciiSerializedMap|3a|"; distance:0; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; reference:cve,2020-7961; classtype:attempted-admin; sid:2031592; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_7961, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; flowbits:isset,ET.DarkGate.1; http.stat_code; content:"200"; file.data; content:"getbotdata"; depth:10; fast_pattern; endswith; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to cl .ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|cl.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2031588; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_02_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (akamai .la)"; dns.query; content:"akamai.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to rebrand .ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|rebrand.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:misc-activity; sid:2031589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_02_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (hardwarenet .cc)"; dns.query; content:"hardwarenet.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO NoxPlayer Simulator Update Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/posttoken/simulator/"; startswith; fast_pattern; content:"/update"; endswith; http.host; content:"api.bignox.com"; bsize:14; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:policy-violation; sid:2031594; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (awsamazon.cc)"; dns.query; content:"awsamazon.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Poison Ivy Variant CnC Domain in DNS Lookup (cdn. cloudistcdn .com)"; dns.query; content:"cdn.cloudistcdn.com"; nocase; bsize:19; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031595; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (battlenet .la)"; dns.query; content:"battlenet.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (q. cloudistcdn .com)"; dns.query; content:"q.cloudistcdn.com"; nocase; bsize:17; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031597; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"gazanew.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026621; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (update .boshiamys .com)"; dns.query; content:"update.boshiamys.com"; nocase; bsize:20; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031598; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcu.pw"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026622; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot maserv Module Command"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mass/"; depth:30; fast_pattern; pcre:"/^(?:81|freq|domains|over|rate|npcap\.exe)\/?\s*[^\/]*$/si"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:url,www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/; reference:md5,ff57c02b09cd9df4d1cac5090e01a5d2; classtype:trojan-activity; sid:2031600; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_02_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"hostingcloud.science"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026623; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot maserv Module CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/81"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|source|22 0d 0a 0d 0a|PORT|20|scan|0d 0a|"; nocase; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/; reference:md5,ff57c02b09cd9df4d1cac5090e01a5d2; classtype:trojan-activity; sid:2031601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_02_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"mining711.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026624; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Generic IDBTE4M Exploit Scanner (Outbound)"; flow:to_server,established; http.user_agent; content:"IDBTE4M CODE87"; fast_pattern; classtype:bad-unknown; sid:2031602; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_02, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_02_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"src-ips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026625; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Generic IDBTE4M Exploit Scanner (Inbound)"; flow:to_server,established; http.user_agent; content:"IDBTE4M CODE87"; fast_pattern; classtype:bad-unknown; sid:2031603; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_02, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_02_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcip.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin"; flow:established,to_server; dsize:100; content:"ordata|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:1; depth:47; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2031599; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SystemBC, signature_severity Major, updated_at 2021_02_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in TLS SNI"; flow:established,to_server; tls.sni; content:"srcip.com"; endswith; nocase; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026627; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake Keylogger CnC Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; http.request_body; content:"PC Name|3a|"; content:"Snake|20|Keylogger"; fast_pattern; content:"Snake|20|Keylogger"; distance:0; http.host; content:"telegram.org"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2031604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_03, deployment Perimeter, former_category MALWARE, malware_family Snake_Keylogger, signature_severity Major, updated_at 2021_02_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026628; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PivNoxy CnC Activity"; flow:established,to_server; urilen:17; http.cookie; content:"id="; startswith; bsize:15; http.header_names; content:"|0d 0a|Accept|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.uri; pcre:"/^\/[0-9a-f]{16}$/"; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; reference:md5,77a06a18015ee2d509d8e89000489eb6; reference:md5,7fd7b1c218d7df7a3f09a8f06f141c71; classtype:command-and-control; sid:2031596; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (cdn-ampproject .com)"; dns.query; content:"cdn-ampproject.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026645; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Small.AWO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"boxfid.php?&mac="; fast_pattern; content:"&action="; distance:12; within:8; content:"&disk="; distance:0; content:"&md5="; distance:0; isdataat:!33,relative; reference:md5,047719e7aae5c1466db7c82a18726828; classtype:command-and-control; sid:2031605; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (bootstraplink .com)"; dns.query; content:"bootstraplink.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026646; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Detplock Checkin via SMTP"; flow:established,to_server; content:"Subject|3a 20|Virus Infection Monitor|0d 0a|"; fast_pattern; content:"Content|2d|type|3a 20|multipart|2f|mixed|3b 20|boundary|3d 22 23|BOUNDARY|23 22 0d 0a|"; reference:md5,6ac14ccd294d75e340d48d19aa74be09; classtype:trojan-activity; sid:2031608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (sskimresources .com)"; dns.query; content:"sskimresources.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026647; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031606; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, signature_severity Major, updated_at 2021_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (widgets-wp .com)"; dns.query; content:"widgets-wp.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031607; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, signature_severity Major, updated_at 2021_02_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv6"; nocase; endswith; tls.cert_serial; content:"E2:56:45:9F:06:BC:8C:B9"; classtype:trojan-activity; sid:2026666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer Installer Started"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"type=install&seller="; startswith; fast_pattern; content:"&price="; content:"&guid="; content:"&ver="; content:"&origin="; reference:md5,e2d3f779d8d646f7287dc58976e79494; classtype:command-and-control; sid:2031928; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"B6:9B:45:06:EE:69:DE:58"; classtype:trojan-activity; sid:2026667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader Domain (officewestunionbank .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"officewestunionbank.com"; bsize:23; fast_pattern; reference:md5,61e213e717cc8e156cec79a7c1cd0c64; classtype:domain-c2; sid:2031610; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_10, deployment Perimeter, former_category MALWARE, malware_family Buer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"CB:E2:F0:46:19:AE:BE:40"; classtype:trojan-activity; sid:2026668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Download Request"; flow:established,to_server; urilen:>200; flowbits:set,ETPRO.wacatac.b.download; http.method; content:"GET"; http.uri; content:"/api/download/"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv4"; nocase; endswith; tls.cert_serial; content:"86:80:0E:21:37:91:42:A3"; classtype:trojan-activity; sid:2026669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Buer Loader Successful Payload Download"; flow:established,to_client; flowbits:isset,ETPRO.wacatac.b.download; http.stat_code; content:"200"; http.content_type; content:"application/*"; fast_pattern; bsize:13; http.content_len; byte_test:0,>,500000,0,string,dec; byte_test:0,<,3000000,0,string,dec; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=amorenvena.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:targeted-activity; sid:2026678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You have almost been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; classtype:social-engineering; sid:2031611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_02_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=andresocana.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:targeted-activity; sid:2026679; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".cdncontentdelivery.com"; nocase; endswith; classtype:trojan-activity; sid:2031612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2021_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSpionage Requesting Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Login?id=Fy"; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:targeted-activity; sid:2026681; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNSpionage, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (aaaa)"; flow:established,to_server; http.user_agent; content:"aaaa"; bsize:4; reference:md5,61e213e717cc8e156cec79a7c1cd0c64; classtype:bad-unknown; sid:2031613; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".microsoftonedrive.org"; distance:0; nocase; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:command-and-control; sid:2026680; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sq?"; startswith; fast_pattern; http.cookie; content:"woocommerce_cart_hash="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,4d1d20d5691af20be3592ddc1936a8c0; classtype:command-and-control; sid:2032756; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".0ffice36o.com"; nocase; endswith; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:command-and-control; sid:2026557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RELEASE?"; startswith; fast_pattern; http.cookie; content:"woocommerce_items_in_cart="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,631bcc2f0885acb960fd500ca574a796; classtype:command-and-control; sid:2032757; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to Bit.ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|bit.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2026674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (9487d)"; flow:established,from_server; http.stat_code; content:"302"; http.cookie; content:"9487d=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2031614; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family KeitaroTDS, signature_severity Major, updated_at 2022_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"g-analytics.com"; nocase; depth:15; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026685; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evil Keitaro TDS Redirection Domain (fiberswatch .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fiberswatch.com"; bsize:15; fast_pattern; classtype:domain-c2; sid:2031615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category MALWARE, malware_family KeitaroTDS, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"jquery-js.com"; nocase; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026686; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mobilelink.buzz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"O=Let's Encrypt"; classtype:domain-c2; sid:2031617; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.ayar.biz"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026689; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"www.watismijnip.nl"; endswith; classtype:external-ip-check; sid:2031616; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2021_02_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Playit Activity (playit .gg)"; flow:established,to_server; http.method; content:"GET"; http.referer; content:"https://playit.gg/claim/v2/"; startswith; http.host; content:"playit.gg"; bsize:9; fast_pattern; reference:md5,adef7b6d9fcd8c2a0fabd94d73bc9789; classtype:policy-violation; sid:2031619; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, deployment SSLDecrypt, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2021_02_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-message.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026691; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/RemoteUtilities Checkin via SMTP"; flow:established,to_server; content:"|0d 0a|SUQ6"; content:"0J3QsNC30LLQsNC90LjQtSDQutC+0LzQv9GM0Y7RgtC1"; distance:0; fast_pattern; classtype:pup-activity; sid:2031618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_02_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-screenfonts.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoderVir Stealer Zip Upload"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|LOG|5f|"; fast_pattern; pcre:"/^[A-F0-9]{24}/R"; content:"|2e|zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; within:53; reference:md5,35ff637ac2748789925a34f893376545; classtype:command-and-control; sid:2031620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"docsdriver.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin"; bsize:6; http.cookie; content:"wordpress_"; startswith; pcre:"/^[a-z0-9]{32}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; fast_pattern; reference:md5,e75bef518faea38765cb91b71ba6c8a8; classtype:command-and-control; sid:2032755; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"grsvps.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026694; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/ViewLog.asp"; depth:20; endswith; http.request_body; content:"remote_submit_Flag="; depth:19; content:"&remote_host="; distance:0; content:"&remoteSubmit=Save|0d 0a 0d 0a|"; endswith; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Jan/40; classtype:attempted-user; sid:2027092; rev:5; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_02_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"pqexport.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSMTPD RCE Inbound (CVE-2020-7247)"; flow:established,to_server; content:"MAIL|20|FROM|3a|<|3b|"; fast_pattern; reference:url,blog.qualys.com/vulnerabilities-research/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247; reference:cve,2020-7247; classtype:attempted-admin; sid:2031621; rev:1; metadata:attack_target SMTP_Server, created_at 2021_02_17, cve CVE_2020_7247, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"scaurri.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026696; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /data/receive "; depth:19; fast_pattern; http.request_body; content:"ectid="; depth:6; content:"&taxCode="; distance:0; http.host; content:!"i-xinnuo.com"; endswith; reference:md5,be1a7bbc42d5d6f3a3270201906a68d9; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030394; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"secozco.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026697; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Fancy Bear (APT28) Maldoc CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; bsize:22; http.request_body; content:"IB="; startswith; fast_pattern; content:"&log="; distance:0; reference:url,twitter.com/RedDrip7/status/1362343352759250946?s=20; reference:md5,c9a43fd6623bf0bc287012b6ee10a98e; reference:md5,49696043b51acca6ced2ab213bd4abef; classtype:command-and-control; sid:2031628; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Fancy_Bear, performance_impact Low, signature_severity Major, updated_at 2021_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.pw"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026698; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak Staging Domain in DNS Lookup (civilizationidium .com)"; dns.query; content:"civilizationidium.com"; nocase; bsize:21; reference:url,twitter.com/z0ul_/status/1361698529228578816; reference:md5,17735bdf3f19b51eaa45d6375f943f97; classtype:trojan-activity; sid:2031629; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family Carbanak, malware_family Carbanak_JScript, performance_impact Low, signature_severity Major, updated_at 2021_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.us"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026699; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Activity (Windows Variant)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"wMKBUqjC7ZMG5A5g"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; reference:md5,48971e0e71300c99bb585d328b08bc88; classtype:command-and-control; sid:2031623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"tempdomain8899.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Activity (OSX Variant)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"jGzAcN6k4VsTRn9"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; reference:md5,6058368894f25b7bc8dd53d3a82d9146; classtype:command-and-control; sid:2031624; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"world-paper.net"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Domain in DNS Lookup (jmttrading .org)"; dns.query; content:"jmttrading.org"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; classtype:domain-c2; sid:2031625; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"zwfaxi.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Union Crypto CnC Domain in DNS Lookup (unioncrypto .vip)"; dns.query; content:"unioncrypto.vip"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048c; classtype:domain-c2; sid:2031626; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Group/More_Eggs CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=safesecurefiles.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - Union Crypto CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"auth_timestamp"; content:"rlz="; content:"&ei="; distance:0; content:"&act=check"; distance:0; fast_pattern; reference:md5,da17802bc8d3eca26b7752e93f33034b; reference:md5,629b9de3e4b84b4a0aa605a3e9471b31; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048c; classtype:command-and-control; sid:2031627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursa Loader CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; http.request_body; pcre:"/^[a-z]{1,10}=[A-Z]+(?:&[a-z]{1,10}=[A-Z]+){2,}$/s"; http.request_line; content:"POST / HTTP/1.0"; depth:15; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:md5,d05af060e3e104dea638f17c4bceb5ac; classtype:command-and-control; sid:2026756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Ursa_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (levelframeblog .com)"; dns.query; content:"levelframeblog.com"; nocase; bsize:18; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; reference:md5,17ab2927a235a0b98480945285767bcf; classtype:domain-c2; sid:2031631; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"outlooklive.org.kz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (kupaywallet .com)"; dns.query; content:"kupaywallet.com"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; classtype:domain-c2; sid:2031630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.toshiba.org.kz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.request_body; content:"ver="; startswith; content:"&timestamp="; fast_pattern; isdataat:!11,relative; reference:md5,60c2efdafbffc5bd6709c8e461f7b77d; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; classtype:command-and-control; sid:2031632; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.fujitsu.org.kz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - CoinGoTrade CnC Domain in DNS Lookup (coingotrade .com)"; dns.query; content:"coingotrade.com"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,149a696472d4a189f5896336ab16cc34; classtype:domain-c2; sid:2031633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.asus.org.kz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026707; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (airbseeker .com)"; dns.query; content:"airbseeker.com"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031634; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family NukeSped, signature_severity Major, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.miria.kz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (globalkeystroke .com)"; dns.query; content:"globalkeystroke.com"; nocase; bsize:19; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031635; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family NukeSped, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"cloudpallets32.com"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/NukeSped Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"N9dLfqxHNUUw8qaUPqggVTpX"; fast_pattern; reference:md5,451c23709ecd5a8461ad060f6346930c; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; classtype:command-and-control; sid:2031637; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"contents.bz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (woodmate .it)"; dns.query; content:"woodmate.it"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031636; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family NukeSped, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"usasecurefiles.com"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026711; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Dorusio CnC Domain in DNS Lookup (dorusio .com)"; dns.query; content:"dorusio.com"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048f; reference:md5,d620c699a5b1828aca699b5aee77e5e6; reference:md5,0f39312e8eb5702647664e9ae8502ceb; classtype:domain-c2; sid:2031638; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"freecloud.biz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026712; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (ants2whale .com)"; dns.query; content:"ants2whale.com"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048g; classtype:domain-c2; sid:2031639; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"alotile.biz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (qnalytica .com)"; dns.query; dotprefix; content:".qnalytica.com"; nocase; endswith; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048g; reference:md5,d4d1bcdfb67ee30303f30137db752b94; classtype:domain-c2; sid:2031640; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"transef.biz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.4.x CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=Ghc7XJ5OVyh_"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html; reference:md5,7831a9eebbb485ab4850460e33185cb3; classtype:command-and-control; sid:2031641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2021_02_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"fundsxe.com"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Use of rzd URL Shortener Service"; flow:established,to_server; http.method; content:"HEAD"; http.host; content:"rzd.ac"; bsize:6; fast_pattern; classtype:policy-violation; sid:2031647; rev:1; metadata:created_at 2021_02_22, former_category HUNTING, updated_at 2021_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"document.cdn-one.biz"; distance:0; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"specialattributes.s3.amazonaws.com"; bsize:34; reference:url,redcanary.com/blog/clipping-silver-sparrows-wings; classtype:domain-c2; sid:2031642; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (ifconfig .me)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip"; depth:3; endswith; http.host; content:"ifconfig.me"; depth:11; endswith; fast_pattern; reference:md5,52ba2e1f51d16394bf109b42c1166b74; classtype:external-ip-check; sid:2026718; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"mobiletraits.s3.amazonaws.com"; bsize:29; reference:url,redcanary.com/blog/clipping-silver-sparrows-wings; classtype:domain-c2; sid:2031644; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=afgdhjkrm.pw"; nocase; endswith; reference:md5,603dc6ff2a0f28cdf7693050a62f2355; classtype:command-and-control; sid:2026769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WRAT Dropper (TLS SNI)"; flow:established,to_server; tls.sni; content:"alsalaf.info"; reference:md5,7831f12dac1d4ef7dcd6e3218b8dad68; classtype:trojan-activity; sid:2031646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WRAT, updated_at 2021_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID WebSocket Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?"; pcre:"/^[A-F0-9]{16}$/R"; http.header; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, malware_family IcedID, signature_severity Major, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (WRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=alsalaf.info"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,7831f12dac1d4ef7dcd6e3218b8dad68; classtype:trojan-activity; sid:2031645; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category TROJAN, signature_severity Major, tag WRAT, updated_at 2021_02_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MongoLock Variant CnC Domain (s .rapid7 .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.rapid7.xyz"; endswith; reference:md5,fa64390d7ffa4ee604dd944bbcf0bc09; classtype:command-and-control; sid:2026722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER DEWMODE Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:".php?csrftoken="; content:"|22|><font|20|size=4>Cleanup|20|Shell</font>"; fast_pattern; content:"file_id"; content:"path"; content:"file_name"; content:"uploaded_by"; content:"Recipient"; content:"Actions"; reference:url,www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html; reference:md5,2798c0e836b907e8224520e7e6e4bb42; reference:md5,bdfd11b1b092b7c61ce5f02ffc5ad55a; classtype:attempted-admin; sid:2031650; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=begin"; distance:0; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_12_13, deployment Perimeter, former_category TROJAN, malware_family Satan, performance_impact Low, signature_severity Major, tag Multi_Platform, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Keylogger.ENJ Variant CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; depth:19; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=New+User+open+your+virus&content=%60%60%60%0aUser+name+%3a+"; startswith; fast_pattern; reference:md5,9b48e6da117f45841cb629964af7e463; classtype:command-and-control; sid:2031648; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Persistence Setup File"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushBatch"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form action=|22 22 20|"; content:"<input|20|type=|22|text|22 20|name=|22|_jy|22|><input|20|type=|22|submit|22 20|value=|22|>>"; fast_pattern; classtype:attempted-admin; sid:2031651; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Main Payload"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushAgent"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026729; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VoidRay Downloader CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?UID="; fast_pattern; content:"_"; distance:8; within:1; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; reference:md5,082b7a27b2e75bbcde189fab82b0fe72; classtype:trojan-activity; sid:2031649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon V3 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?selection="; http.user_agent; content:"Mozilla/13.0|20 28|MSIE|20|7.0|3b 20|Windows|20|NT|20|6.0|29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/; classtype:command-and-control; sid:2026730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, performance_impact Low, signature_severity Major, tag APT, tag Wiper, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ares Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/panel/connect.php?a="; startswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,372184b84d8a35ae1c5d756c69d1d0a2; classtype:trojan-activity; sid:2032947; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=vesecase.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2026770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_18, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (billionaireshore .top)"; dns.query; content:"billionaireshore.top"; nocase; bsize:20; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031655; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Domain (gandcrab .bit)"; dns.query; content:"gandcrab.bit"; nocase; endswith; reference:md5,023f078d5eb70bcbf4c5ad5b87df9710; classtype:trojan-activity; sid:2026737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_18, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (vikingsofnorth .top)"; dns.query; content:"vikingsofnorth.top"; nocase; bsize:18; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031656; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Free Hosting Domain (.free .bg)"; dns.query; content:".free.bg"; nocase; endswith; classtype:policy-violation; sid:2026742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (realityarchitector .top)"; dns.query; content:"realityarchitector.top"; nocase; bsize:22; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031657; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.pointsoft.pw"; nocase; endswith; reference:md5,5b7244c47104f169b0840440cdede788; classtype:command-and-control; sid:2026771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_21, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (gentlebouncer .top)"; dns.query; content:"gentlebouncer.top"; nocase; bsize:17; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031658; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)"; flow:established,to_client; tls.cert_subject; content:"CN=ident.me"; nocase; endswith; classtype:external-ip-check; sid:2026743; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (brainassault .top)"; dns.query; content:"brainassault.top"; nocase; bsize:16; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031659; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 1"; dns.query; content:"flux2key.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (greatersky .top)"; dns.query; content:"greatersky.top"; nocase; bsize:14; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031660; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 2"; dns.query; content:"string2me.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026745; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (unicornhub .top)"; dns.query; content:"unicornhub.top"; nocase; bsize:14; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031661; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucky Ransomware Reporting Successful File Encryption"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=done"; distance:0; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026727; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_12_13, deployment Perimeter, former_category TROJAN, malware_family Satan, performance_impact Low, signature_severity Major, tag Multi_Platform, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (corporatelover .top)"; dns.query; content:"corporatelover.top"; nocase; bsize:18; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031662; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"project=%3C%230%3E"; depth:18; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026755; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (bloggersglobbers .top)"; dns.query; content:"bloggersglobbers.top"; nocase; bsize:20; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SedUploader)"; flow:established,to_client; tls.cert_subject; content:"CN=photopoststories.com"; nocase; endswith; classtype:trojan-activity; sid:2026757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (simsimsalabim .top)"; flow:established,to_server; tls.sni; content:"simsimsalabim.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|0|0d|"; http.user_agent; content:"xmsSofts_1.0.0_"; depth:15; fast_pattern; content:"|5c|"; distance:0; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026760; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (perfectscenario .top)"; flow:established,to_server; tls.sni; content:"perfectscenario.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2031653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via vtransmit .com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.php"; depth:10; endswith; http.host; content:"vtransmit.com"; depth:13; fast_pattern; endswith; classtype:external-ip-check; sid:2026761; rev:4; metadata:attack_target Client_and_Server, created_at 2019_01_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mariofart8 .top)"; flow:established,to_server; tls.sni; content:"mariofart8.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Operation Cobra Venom Stage 1 DNS Lookup"; dns.query; content:"my-homework.890m.com"; nocase; fast_pattern; endswith; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin"; fast_pattern; bsize:43; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031664; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - CnC Checkin"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=a"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin"; fast_pattern; bsize:43; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031665; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - File Decode Completed"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=e"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php"; fast_pattern; bsize:41; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031666; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 1"; dns.query; content:"0ffice365.agency"; nocase; endswith; classtype:targeted-activity; sid:2026775; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=flickry.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"O=Let's Encrypt"; classtype:domain-c2; sid:2031672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2021_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2021_02_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 2"; dns.query; content:"0nedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026776; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M1 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|..|5c|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031667; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 3"; dns.query; content:"corewindows.agency"; nocase; endswith; classtype:targeted-activity; sid:2026777; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M2 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|..|2f|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031668; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 4"; dns.query; content:"microsoftonline.agency"; nocase; endswith; classtype:targeted-activity; sid:2026778; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt with Untrusted SSH Key Upload (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:".tar|22|"; content:"|0d 0a|."; distance:0; content:"|2f|.ssh|2f|authorized_keys"; distance:0; within:100; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031669; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 5"; dns.query; content:"onedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026779; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M3 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|.|5c|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031670; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 6"; dns.query; content:"sharepoint.agency"; nocase; endswith; classtype:targeted-activity; sid:2026780; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M4 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|.|2f|"; distance:0; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031671; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 7"; dns.query; content:"skydrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026781; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaBackdoor Variant CnC Activity M4"; flow:established,to_server; urilen:36; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; content:!"&"; http.cookie; content:"group="; depth:6; isdataat:!2,relative; fast_pattern; pcre:"/^\d$/R"; http.uri; pcre:"/^\/[a-z0-9]{32}\/\d\/$/i"; reference:url,twitter.com/lazyactivist192/status/1364668631460827142; reference:md5,8488d9be18308a7f4e83b7c39fc79d17; classtype:command-and-control; sid:2031673; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 8"; dns.query; content:"0ffice365.life"; nocase; endswith; classtype:targeted-activity; sid:2026782; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gameredon Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64|3a 3a|"; startswith; fast_pattern; content:"|3a 3a|"; distance:2; endswith; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; reference:md5,04490fb43c9adbfdee9d7918e3db0af5; classtype:trojan-activity; sid:2031676; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 9"; dns.query; content:"0ffice365.services"; nocase; endswith; classtype:targeted-activity; sid:2026783; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound Hashicorp Consul RCE via Services API"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"v1/agent/service/register"; fast_pattern; http.request_body; content:"|22|sh|22|"; content:"|22|-c|22|"; reference:url,www.exploit-db.com/exploits/46074; classtype:attempted-admin; sid:2031675; rev:1; metadata:attack_target Web_Server, created_at 2021_02_26, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 10"; dns.query; content:"skydrive.services"; nocase; endswith; classtype:targeted-activity; sid:2026784; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (ms-officeupdate .com)"; dns.query; content:"ms-officeupdate.com"; nocase; bsize:19; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031677; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 11"; dns.query; content:"akdns.live"; nocase; endswith; classtype:targeted-activity; sid:2026785; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (newmsoffice .com)"; dns.query; content:"newmsoffice.com"; nocase; bsize:15; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031678; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 12"; dns.query; content:"akamaiedge.live"; nocase; endswith; classtype:targeted-activity; sid:2026786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031679; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 13"; dns.query; content:"akamaiedge.services"; nocase; endswith; classtype:targeted-activity; sid:2026787; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031680; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 14"; dns.query; content:"edgekey.live"; nocase; endswith; classtype:targeted-activity; sid:2026788; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Uploader Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031681; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 15"; dns.query; content:"akamaized.live"; nocase; endswith; classtype:targeted-activity; sid:2026789; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Uploader Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031682; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 16"; dns.query; content:"trafficmanager.live"; nocase; endswith; classtype:targeted-activity; sid:2026790; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/OceanLotus Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Collection Info/1.0"; bsize:19; fast_pattern; http.request_body; content:"data1="; startswith; reference:md5,864eace6e6f67b77163d7ed5da4498c8; reference:url,github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam; reference:url,www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/; classtype:trojan-activity; sid:2031683; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 17"; dns.query; content:"cloudfronts.services"; nocase; endswith; classtype:targeted-activity; sid:2026791; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Collection Info)"; flow:established,to_server; http.user_agent; content:"Collection Info/1.0"; bsize:19; fast_pattern; reference:md5,864eace6e6f67b77163d7ed5da4498c8; reference:url,github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam; reference:url,www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/; classtype:bad-unknown; sid:2031684; rev:1; metadata:created_at 2021_03_01, former_category USER_AGENTS, performance_impact Low, updated_at 2021_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 18"; dns.query; content:"hotmai1.com"; nocase; endswith; classtype:targeted-activity; sid:2026792; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark CnC Activity M2"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php?u="; fast_pattern; content:"_"; distance:0; content:"&i="; distance:0; http.user_agent; content:"Microsoft BITS/"; startswith; reference:md5,d30484a523fe3d8a883738f4ec06a952; reference:md5,f9509755c5781f87788ffdf9efad075d; reference:url,twitter.com/reddrip7/status/1366703445990723585?s=21; classtype:trojan-activity; sid:2031748; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 19"; dns.query; content:"microsoftonline.services"; nocase; endswith; classtype:targeted-activity; sid:2026793; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Battle.net Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?"; http.request_body; content:"accountName="; depth:12; fast_pattern; content:"&password="; distance:0; content:"&persistLogin="; distance:0; content:"&csrftoken="; distance:0; classtype:credential-theft; sid:2031742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 20"; dns.query; content:"nsatc.agency"; nocase; endswith; classtype:targeted-activity; sid:2026794; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (cook32.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cook32.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_03_02, former_category MALWARE, malware_family ursnif, updated_at 2021_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 21"; dns.query; content:"phicdn.world"; nocase; endswith; classtype:targeted-activity; sid:2026795; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (cook64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cook64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031744; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 22"; dns.query; content:"t-msedge.world"; nocase; endswith; classtype:targeted-activity; sid:2026796; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab32.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab32.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031745; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 23"; dns.query; content:"akadns.live"; nocase; endswith; classtype:targeted-activity; sid:2026797; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 24"; dns.query; content:"azureedge.today"; nocase; endswith; classtype:targeted-activity; sid:2026798; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Interesting Content-Type Inbound (application/x-sh)"; flow:established,from_server; http.header; content:"Content-Type|3a 20|application/x-sh"; fast_pattern; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types; classtype:policy-violation; sid:2031747; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=memail.mea.com.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:targeted-activity; sid:2026800; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Hidden embedded HTML Document"; flow:established,to_client; file.data; content:"<embed src=|27|data|3a|text/html|3b|base64|2c|PCFET0NUWVBFIGh0bWw+"; content:"|27 20|height|3d 27|0|27 20|frameborder|3d 27|0|27 3e 3c 2f|embed|3e|"; within:6000; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:bad-unknown; sid:2031803; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=webmail.finance.gov.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:targeted-activity; sid:2026801; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; nocase; content:"dnsPrimary="; content:"dnsRefresh="; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2021_03_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.apc.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:targeted-activity; sid:2026802; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mt?"; startswith; fast_pattern; content:"="; distance:0; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,0d2c5bbf711058f31cd8ce81da30e870; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031806; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.mgov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:targeted-activity; sid:2026803; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT DNS Change Attempt (Unknown Device)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/advWAN.cgi"; startswith; http.request_body; content:"tAction=editApply"; content:"viewPage=multiWANCfg"; content:"action=edit"; content:"dns1="; content:"dns2="; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031804; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_03, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=adpvpn.adpolice.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:targeted-activity; sid:2026804; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"fabulouscityofbruges.top"; bsize:24; fast_pattern; classtype:domain-c2; sid:2031805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper RAT CnC Domain Observed in SNI"; flow:established,to_server; tls.sni; content:"arhidsfderm.pw"; endswith; nocase; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:command-and-control; sid:2026768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".css"; endswith; http.cookie; content:"lu="; fast_pattern; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,ce73caaa42bd465a37802ad3457d2081; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hawad.000webhostapp.com"; endswith; reference:md5,5872fde3bf4b5a30a64837a35d1ec5fd; classtype:command-and-control; sid:2026799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family AwadBot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (teastycandycoffe .top)"; flow:established,to_server; tls.sni; content:"teastycandycoffe.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 25"; dns.query; content:"data-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026812; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/form2dns.cgi?dnsmode=1&dns1="; nocase; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&submit.htm?dns.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027907; rev:4; metadata:attack_target Networking_Equipment, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2021_03_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 26"; dns.query; content:"asimov-win-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026813; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUNSHUTTLE CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"HjELmFxKJc="; fast_pattern; content:"P5hCrabkKf="; content:"iN678zYrXMJZ="; reference:url,www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html; classtype:command-and-control; sid:2031811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 27"; dns.query; content:"iecvlist-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026814; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt M2"; flow:established,to_server; http.uri; content:"/form2wan.cgi?wantype=1"; nocase; content:"&wan_dns2="; distance:0; content:"&wan_dns3="; distance:0; content:"&submit.htm"; distance:0; content:"wan.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031808; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 28"; dns.query; content:"onecs-live.services"; nocase; endswith; classtype:targeted-activity; sid:2026815; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DI-804HV DNS Changer Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/prim"; startswith; content:"prim&rf=0004&"; fast_pattern; content:"&ID00="; distance:0; content:"&ID01="; distance:0; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031809; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cryptor Ransomware CnC Domain (e3kok4ekzalzapsf .onion .ws in TLS SNI)"; flow:established,to_server; tls.sni; content:"e3kok4ekzalzapsf.onion.ws"; endswith; reference:md5,4b6f0113007cddea4ad31237add23786; classtype:command-and-control; sid:2026806; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family CryptorRansomware, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT APT/Hafnium SPORTSBALL Webshell Observed Outbound"; flow:established,to_client; file.data; content:"<td>logon|3a|<td>"; content:"name=|22|sport|22 20|"; distance:0; content:"<td>cmd|3a|"; distance:0; content:"input|20|name=|22|balls|22 20|"; fast_pattern; content:"name=|22|woods|22|"; content:"name=|22|sky|22|"; reference:md5,1a4ab99bbe9adbe2deb0e4b96d82a955; classtype:web-application-attack; sid:2031812; rev:2; metadata:attack_target Web_Server, created_at 2021_03_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2021_03_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TrumpHead Ransomware CnC Domain (6bbsjnrzv2uvp7bp .onion .pet in TLS SNI)"; flow:established,to_server; tls.sni; content:"6bbsjnrzv2uvp7bp.onion.pet"; endswith; reference:md5,49fdb7e267c00249e736aad5258788d2; classtype:command-and-control; sid:2026807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family TrumpHeadRansomware, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thereisnoscheme .top)"; flow:established,to_server; tls.sni; content:"thereisnoscheme.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2031876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. pet))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026808; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-03-08"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"password="; nocase; distance:0; classtype:credential-theft; sid:2031875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .pet)"; dns.query; content:".onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026809; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP3 with ID3 in HTTP Flowbit Set"; flow:from_server,established; file.data; content:"ID3"; within:3; content:"|FB FF|"; distance:0; flowbits:set,ET.mp3.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025986; rev:2; metadata:affected_product Adobe_Flash, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .ws)"; dns.query; content:".onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026810; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:4; metadata:created_at 2013_10_17, updated_at 2021_03_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026811; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:social-engineering; sid:2024199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2021_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"bodyshoppechiropractic.com"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERRATANKBA CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Docs</title>"; nocase; classtype:social-engineering; sid:2024386; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026819; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Meet Google Drive - One Place For All Your Files</title>"; nocase; classtype:social-engineering; sid:2024388; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=content-delivery.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026820; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nyqualitypizza .top)"; flow:established,to_server; tls.sni; content:"nyqualitypizza.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"cdn-content.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026821; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES GameHouse License Check"; flow:established,to_server; http.request_line; content:"POST /lm/dynamicLicense HTTP/1.1"; bsize:32; fast_pattern; http.header_names; content:"|0d 0a|Referer|0d 0a|"; http.request_body; content:"parameters="; startswith; reference:md5,0e29380dcc1f9a57f545fc26b4045c94; classtype:policy-violation; sid:2031878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2021_03_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"deliveryjs.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026822; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VilnyNet VPN Install Started"; flow:established,to_server; http.uri; content:"?event=winInstaller"; fast_pattern; content:"&uuid="; distance:0; content:"&osver"; distance:0; content:"&osbuild="; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; bsize:20; reference:md5,3bdc372644285aa7b3c8263d7d1c9a4a; classtype:pup-activity; sid:2031533; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (areadozemode .space in DNS Lookup)"; dns.query; content:"areadozemode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026828; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_01_22, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Anubis, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (External)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031879; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_03_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (selectnew25mode .space in DNS Lookup)"; dns.query; content:"selectnew25mode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026829; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (Internal)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031880; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Internal, deployment SSLDecrypt, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_03_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (twethujsnu .cc in DNS Lookup)"; dns.query; content:"twethujsnu.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026830; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"woocommerce_cart_hash="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,7502041ccf809668e2dce5a38fa0a2a5; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031881; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (project2anub .xyz in DNS Lookup)"; dns.query; content:"project2anub.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026831; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Glitch Hosted GET Request - Possible Phishing Landing"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:".glitch.me"; fast_pattern; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031917; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (taiprotectsq .xyz in DNS Lookup)"; dns.query; content:"taiprotectsq.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026832; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Glitch Hosted DNS Request - Possible Phishing Landing"; dns.query; content:".glitch.me"; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031918; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (uwannaplaygame .space in DNS Lookup)"; dns.query; content:"uwannaplaygame.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026833; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing"; flow:established,to_server; tls.sni; content:".glitch.me"; endswith; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031919; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (projectpredator .space in DNS Lookup)"; dns.query; content:"projectpredator.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026834; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"url=https://en.wikipedia.org/wiki/Microsoft_Outlook"; content:"$(|22|#hide-from-bots|22|).show()|3b|"; fast_pattern; distance:0; content:"------ START OF BODYYYY ------"; distance:0; classtype:social-engineering; sid:2031920; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (nihaobrazzzahit .top in DNS Lookup)"; dns.query; content:"nihaobrazzzahit.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026835; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thelegendofberia .top)"; flow:established,to_server; tls.sni; content:"thelegendofberia.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (aserogeege .space in DNS Lookup)"; dns.query; content:"aserogeege.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026836; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (hitfromthebong .top)"; flow:established,to_server; tls.sni; content:"hitfromthebong.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (hdfuckedin18 .top in DNS Lookup)"; dns.query; content:"hdfuckedin18.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026837; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (autopartslarry .top)"; flow:established,to_server; tls.sni; content:"autopartslarry.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dingpsounda .space in DNS Lookup)"; dns.query; content:"dingpsounda.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026838; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Redirector Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"myFunction()"; within:50; content:"function myFunction() {"; within:50; content:"if (feedUpdateSplit[x]==|22|#|22|"; distance:0; fast_pattern; content:"#|22|+btoa(che)|3b|"; distance:0; content:"window.location.href=joinlink|3b|"; distance:0; classtype:social-engineering; sid:2031921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wantddantiprot .space in DNS Lookup)"; dns.query; content:"wantddantiprot.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026839; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Encoded Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"############################"; within:200; content:"### THIS WEBPAGE WAS PROTECTED AT|3a|"; fast_pattern; distance:0; content:"############################"; distance:0; classtype:social-engineering; sid:2031922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (privateanbshouse .space in DNS Lookup)"; dns.query; content:"privateanbshouse.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026840; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"https://logo.clearbit.com/"; content:"///////new injection//////"; fast_pattern; distance:0; classtype:social-engineering; sid:2031923; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (seconddoxed .space in DNS Lookup)"; dns.query; content:"seconddoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026841; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic NewInjection Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"////////urlemailgetting////////"; fast_pattern; content:"///////newinjection//////"; classtype:social-engineering; sid:2031924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (firstdoxed .space in DNS Lookup)"; dns.query; content:"firstdoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026842; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic NewInjection Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"/////urlgettingemail/////"; fast_pattern; content:"/////urlemailgetting/////"; classtype:social-engineering; sid:2031925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (oauth3 .html5100 .com in DNS Lookup)"; dns.query; content:"oauth3.html5100.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026843; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/RedXOR CnC Checkin"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031934; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, former_category MALWARE, malware_family RedXOR, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dosandiq .space in DNS Lookup)"; dns.query; content:"dosandiq.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026844; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/RedXOR CnC Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031935; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, former_category MALWARE, malware_family RedXOR, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (protect4juls .space in DNS Lookup)"; dns.query; content:"protect4juls.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026845; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Unauthenticated RCE Inbound (CVE-2020-26919)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.htm"; http.request_body; content:"submitId=debug&debugCmd="; startswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-26919; classtype:attempted-admin; sid:2031936; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_26919, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wijariief .space in DNS Lookup)"; dns.query; content:"wijariief.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026846; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Remote Authentication Bypass with Factory Reset (CVE-2020-35231)"; dsize:13; content:"|00 1a 00 00 04 00 00 01 01 ff ff 00 00|"; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35231; classtype:attempted-admin; sid:2031937; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35231, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (scradm .in in DNS Lookup)"; dns.query; content:"scradm.in"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026847; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer Overflow (CVE-2020-35232)"; dsize:>16; content:"|00 1a 00 0a|"; startswith; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35232; classtype:attempted-admin; sid:2031938; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35232, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert http any any -> $HOME_NET any (msg:"ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement"; flow:established,to_server; http.user_agent; content:"Microsoft|20|WinRM|20|Client"; depth:22; fast_pattern; endswith; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026850; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_23, deployment Internal, former_category USER_AGENTS, performance_impact Low, signature_severity Major, tag WinRM, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Stored XSS Inbound (CVE-2020-35228)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submitId=multiLanguageCfg&selectLang="; fast_pattern; content:"|27 3a|"; distance:0; within:50; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35228; classtype:attempted-admin; sid:2031939; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"nolkbacteria.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026855; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Write Access to DHCP Config (CVE-2020-35226)"; content:"|00 0b 00|"; content:"|ff ff 00 00|"; distance:2; within:4; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031940; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"2searea0.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026856; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow Attempt Inbound M1 (CVE-2020-35230)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portbased_basic.htm"; http.request_body; content:"submitId="; content:"&bPortBasedVLAN="; fast_pattern; content:"&groupId=-"; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35230; classtype:attempted-admin; sid:2031941; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35230, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"touristsila1.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026857; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow Attempt Inbound M2 (CVE-2020-35230)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portbased_basic.htm"; http.request_body; content:"submitId="; content:"&bPortBasedVLAN="; fast_pattern; content:"&memBMap=-"; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35230; classtype:attempted-admin; sid:2031942; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35230, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Donot Group/APT-C-35 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=.sessions4life.pw"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:targeted-activity; sid:2026859; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_28, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x0003 (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 03|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031943; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=driverconnectsearch.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,2bd9a6ea29182f5ec6acafe032fbeaab; classtype:command-and-control; sid:2026861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_29, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x0005 (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 05|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031944; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zepakab CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Seven DSert SHA2 CA"; nocase; endswith; tls.cert_issuer; content:"C=US, ST=Some-State, O=Seven Ltd, CN=Seven DSert SHA2 CA"; reference:url,blog.yoroi.company/research/sofacys-zepakab-downloader-spotted-in-the-wild/; classtype:command-and-control; sid:2026864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family Zekapab, malware_family Zepakab, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, updated_at 2020_09_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x000a (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 0a|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031945; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Skypool Coin Mining Pool DNS Lookup"; dns.query; content:"skypool.org"; nocase; endswith; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mynameisgarfield .top)"; flow:established,to_server; tls.sni; content:"mynameisgarfield.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=syn.browserstime.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mansizeprofile .top)"; flow:established,to_server; tls.sni; content:"mansizeprofile.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.webhop.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (letsmakesome .fun)"; flow:established,to_server; tls.sni; content:"letsmakesome.fun"; bsize:16; fast_pattern; classtype:domain-c2; sid:2031948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=office.windown-update.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026871; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (gogowormdealer .top)"; flow:established,to_server; tls.sni; content:"gogowormdealer.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.homeip.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026872; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert tls any any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (Metasploit Self Signed CA)"; flow:from_server,established; tls.cert_issuer; content:"CN=MetasploitSelfSignedCA"; classtype:policy-violation; sid:2031932; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, deployment Internet, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=e.browsersyn.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026873; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert tls any any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (Metasploit in TLS Subject)"; flow:from_server,established; tls.cert_subject; content:"Metasploit"; nocase; classtype:policy-violation; sid:2031933; rev:2; metadata:attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, deployment Internet, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=word.webhop.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026874; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Maldoc CnC"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/shop_testbr/localization/dir_photoes/"; startswith; fast_pattern; content:".php?"; distance:0; http.user_agent; content:"Office"; http.host; content:"www.dronerc.it"; reference:url,twitter.com/h2jazi/status/1370024802791096320; reference:md5,6c7fb32d476b7a367df0403b6a8c950f; reference:md5,31d748392f447001ba275361fbe65695; classtype:command-and-control; sid:2031951; rev:1; metadata:created_at 2021_03_11, former_category MALWARE, updated_at 2021_03_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cortana.homelinux.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:targeted-activity; sid:2026875; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (seattlecarwash .fun)"; flow:established,to_server; tls.sni; content:"seattlecarwash.fun"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL Google User-Agent (google/dance)"; flow:established,to_server; http.user_agent; content:"google/dance"; depth:14; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026883; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX/Korplug CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; bsize:7; http.request_body; content:"v="; startswith; fast_pattern; content:"&id="; distance:0; content:"&uid="; distance:0; content:"&vs="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; reference:md5,26e442aa18fcea38e4c652d346627238; classtype:command-and-control; sid:2032001; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peppy/KeeOIL Google Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"google/dance"; depth:12; fast_pattern; endswith; http.host; content:"www.google.com"; depth:14; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026884; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category TROJAN, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, tag Connectivity_Check, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad CnC Domain in DNS Lookup (ns .rtechs .org)"; dns.query; content:"ns.rtechs.org"; nocase; bsize:13; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; classtype:command-and-control; sid:2032002; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL User-Agent (ekeoil)"; flow:established,to_server; http.user_agent; content:"ekeoil/"; depth:7; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad CnC Domain in DNS Lookup (soft .mssysinfo .xyz)"; dns.query; content:"soft.mssysinfo.xyz"; nocase; bsize:18; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; classtype:command-and-control; sid:2032003; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.icu domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".icu"; fast_pattern; endswith; classtype:bad-unknown; sid:2026887; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (pleaseletmesleep .fun)"; flow:established,to_server; tls.sni; content:"pleaseletmesleep.fun"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .icu Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".icu"; nocase; endswith; classtype:bad-unknown; sid:2026888; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (return2monkey .fun)"; flow:established,to_server; tls.sni; content:"return2monkey.fun"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_12;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M2"; flow:established,to_server; http.request_line; content:"POST /logupload"; startswith; fast_pattern; http.request_body; content:"name=|22|logMetaData|22|"; content:"itrLogPath"; content:"name=|22|logfile|22 3b|"; content:"log_upload_wsgi.py"; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:url,attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece; reference:cve,2021-21978; classtype:attempted-admin; sid:2032008; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2021_03_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)"; flow:established,to_client; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2026890; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1"; flow:established,to_server; http.request_line; content:"POST /logupload?logMetaData="; startswith; fast_pattern; content:"itrLogPath"; content:"log_upload_wsgi.py"; http.request_body; content:"name=|22|logfile|22 3b|"; reference:url,paper.seebug.org/1495/; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:cve,2021-21978; classtype:attempted-admin; sid:2032009; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via iplocation.com"; flow:established,to_server; tls.sni; content:"iplocation.com"; endswith; nocase; classtype:external-ip-check; sid:2026892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_07, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasmin Ransomware C2 Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"machine_name="; startswith; fast_pattern; content:"&computer_user="; nocase; distance:0; content:"&systemid="; nocase; distance:0; content:"&os="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&time="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&location="; nocase; distance:0; content:"&password="; nocase; distance:0; reference:md5,eabb920f75c2943113713849878a6dfb; reference:url,twitter.com/c3rb3ru5d3d53c/status/1370740134937772037; classtype:command-and-control; sid:2032010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CDC Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"NCDC-19-PoS"; depth:11; endswith; classtype:policy-violation; sid:2026893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_08, deployment Perimeter, former_category TROJAN, malware_family CDCRansomware, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youaresoslow .top)"; flow:established,to_server; tls.sni; content:"youaresoslow.top"; bsize:16; fast_pattern; classtype:domain-c2; sid:2032011; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/rpt"; pcre:"/\/rpt\d/"; http.user_agent; content:!"Mozilla"; depth:7; http.host; content:!".apple.com"; endswith; content:!".pandora.com"; endswith; content:!"microsoft.com"; endswith; reference:url,doc.emergingthreats.net/2008233; classtype:command-and-control; sid:2008233; rev:18; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032005; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, signature_severity Major, updated_at 2021_03_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"whatismyipaddress.com"; endswith; classtype:external-ip-check; sid:2026896; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032006; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, signature_severity Major, updated_at 2021_03_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY IP Logger Redirect Domain in SNI"; flow:to_server,established; tls.sni; content:"maper.info"; endswith; classtype:policy-violation; sid:2026897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2021-03-15"; flow:to_client,established; file.data; content:"<title>OneDrive|20 7c 20|Login"; nocase; fast_pattern; content:"<video playsinline="; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2032007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SomeTimes)"; flow:established,to_server; http.user_agent; content:"SomeTimes"; depth:9; endswith; fast_pattern; reference:md5,a86d4e17389a37bfc291f4a8da51a9b8; classtype:trojan-activity; sid:2026898; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Phishing Landing via Tripod.com M3 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"mail"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032215; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_31, signature_severity Major, updated_at 2021_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.CO Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.co"; endswith; classtype:credential-theft; sid:2026894; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2021-03-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"j_username="; depth:11; nocase; content:"&j_password="; nocase; distance:0; content:"&save-username="; nocase; distance:0; content:"&hdnuserid="; nocase; distance:0; content:"&btnSignon=Sign+On&screenid=SIGNON&origination="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2036221; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.BR Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.br"; endswith; classtype:credential-theft; sid:2026895; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE BrushaLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"traderserviceinfo.info"; endswith; classtype:command-and-control; sid:2026900; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Astaroth User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|SLCC1)"; depth:57; endswith; reference:md5,589d2d33825a0329f61406f0af709469; reference:url,www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research; classtype:trojan-activity; sid:2026906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Astaroth, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saint Bot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header; content:"Accept|3a 20|text/plain"; http.request_body; content:"transfer="; depth:9; fast_pattern; pcre:"/^transfer=[A-Za-z0-9/+=]+$/"; reference:md5,b1f40eac7ca6d66ba9b11dcf77f1a259; reference:url,blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/; classtype:trojan-activity; sid:2032753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cayosin/Mirai CnC Domain in DNS Lookup"; dns.query; content:"hostnamepxssy.club"; nocase; endswith; reference:url,perchsecurity.com/perch-news/threat-report-sunday-february-3rd-2019/; classtype:command-and-control; sid:2026915; rev:3; metadata:created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ZHtrap CnC Checkin"; flow:established,to_server; content:"|05 01 00|"; startswith; content:".onion"; distance:0; fast_pattern; isdataat:!3,relative; flowbits:set,ET.zhtrap1; reference:url,blog.netlab.360.com/new_threat_zhtrap_botnet_en/; classtype:command-and-control; sid:2032083; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Punto Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/klog.php"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"text|2f|html|3b|q=0|2e|7|2c 20 2a 2f 2a 3b|q=1"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, malware_family Punto, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ZHtrap CnC Response - Connection Successfully Established"; flow:established,from_server; content:"|05 00 00 01 00 00 00 00 00 00|"; startswith; fast_pattern; flowbits:isset,ET.zhtrap1; reference:url,blog.netlab.360.com/new_threat_zhtrap_botnet_en/; classtype:command-and-control; sid:2032084; rev:2; metadata:attack_target Client_and_Server, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FBot Downloader Generic GET for ARM Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fbot.arm"; depth:9; fast_pattern; content:".u"; endswith; pcre:"/^\/fbot\.arm\d{1}\.u$/i"; http.protocol; content:"HTTP/1.0"; reference:url,blog.netlab.360.com/the-new-developments-of-the-fbot-en/; classtype:trojan-activity; sid:2026951; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_21, deployment Perimeter, former_category TROJAN, malware_family Fbot, performance_impact Low, signature_severity Major, tag Downloader, tag DDoS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Phishing Page - Page Saved with SingleFile Extension"; flow:to_client,established; file.data; content:"Page saved with SingleFile"; fast_pattern; content:"|0d 0a 20|url|3a 20|"; distance:0; content:"|0d 0a 20|saved date|3a 20|"; distance:0; reference:url,chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle?hl=en; classtype:misc-activity; sid:2032082; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"cheapairlinediscount.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026953; rev:3; metadata:created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (followmeasap13 .top)"; flow:established,to_server; tls.sni; content:"followmeasap13.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"emailerservo.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026954; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of Multimedia Content flowbit set"; flow:established,to_client; file_data; content:"|00 00 00|"; depth:3; content:"|66 74 79 70|"; distance:1; within:4; fast_pattern; flowbits:noalert; flowbits:set,ET.Multimedia.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024689; rev:2; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"fazadminmessae.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026955; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of .MOV Content flowbit set"; flow:established,to_client; file_data; content:"|6D 6F 6F 76|"; distance:4; within:4; flowbits:noalert; flowbits:set,ET.MP4.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024690; rev:2; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"housecleaning.press"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026956; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http any any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (HaxerMen)"; flow:established,to_server; http.user_agent; content:"HaxerMen"; bsize:8; fast_pattern; reference:md5,19aa54bd0c5a4b78f47247bb432b689d; classtype:bad-unknown; sid:2032081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"hrent.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026957; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http any any -> any any (msg:"ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/web_shell_cmd.gch"; fast_pattern; http.request_body; content:"IF_ACTION=apply&IF_ERRORSTR=SUCC&"; startswith; reference:url,twitter.com/bad_packets/status/1235106406144937984; reference:cve,2014-2321; reference:url,github.com/stasinopoulos/ZTExploit/; classtype:attempted-user; sid:2032077; rev:2; metadata:affected_product Router, attack_target IoT, created_at 2021_03_16, cve CVE_2014_2321, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"irepare.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026958; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert tcp any 666 -> any any (msg:"ET MALWARE ELF/BASHLITE CnC Activity (Response)"; flow:established,to_client; content:"|21 20|DUP"; content:"epoll_"; distance:0; isdataat:!1,relative; fast_pattern; reference:md5,d76cebc82c79b9d7c56bced94c03c9e8; classtype:trojan-activity; sid:2032080; rev:2; metadata:created_at 2021_03_16, former_category MALWARE, updated_at 2021_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"macmall.fun"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026959; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Request Cookie"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"_gads="; depth:7; content:"_gat="; distance:0; content:"_ga="; distance:0; content:"_u="; distance:0; content:"_io="; distance:0; content:"_gid="; distance:0; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; reference:url,www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html; classtype:trojan-activity; sid:2032086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"managerdriver.website"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026960; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Unauthenticated RCE Inbound (CVE-2021-22986)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/"; http.request_body; content:"|22|filepath|22 3a 22 60|"; fast_pattern; reference:cve,2021-22986; classtype:attempted-admin; sid:2032092; rev:1; metadata:attack_target Server, created_at 2021_03_17, cve CVE_2021_22986, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mantorsagcoloms.club"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026961; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032087; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mediaaplayer.win"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026962; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032088; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mobileshoper.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026963; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032089; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"ppservice.stream"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026964; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032090; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"searchidriverip.space"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026965; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=su94Cb2b5Ed89d7c.su"; bsize:22; fast_pattern; classtype:domain-c2; sid:2032093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemai.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026966; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ru94cb2b5ed89d7c.ru"; bsize:22; fast_pattern; classtype:domain-c2; sid:2032094; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemaining.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026967; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert dns any any -> any any (msg:"ET SCAN DNS Query for allports.exposed"; dns.query; content:"allports.exposed"; nocase; reference:url,blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/; classtype:network-scan; sid:2032091; rev:1; metadata:created_at 2021_03_17, updated_at 2021_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026968; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-03-18"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; fast_pattern; content:"&pass"; nocase; distance:0; pcre:"/^uname=[^&]*&pass/i"; classtype:credential-theft; sid:2032161; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmailer.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026969; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible F5 BIG-IP Infoleak and Out-of-Bounds Write Inbound (CVE-2021-22991)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3a 2f 2f 5b|"; fast_pattern; content:"|5d|"; endswith; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2126; reference:cve,2021-22991; classtype:attempted-admin; sid:2032173; rev:1; metadata:attack_target Server, created_at 2021_03_18, cve CVE_2021_22991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailelit.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026970; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS1 Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps1; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027259; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerpro.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026971; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PS1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032162; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerprogres.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026972; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSM1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psm1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servespromail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026973; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSD1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psd1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032164; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servicemaile.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026974; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PS1XML Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".ps1xml HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032165; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serviveemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026975; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSSC Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".pssc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servoemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026976; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSRC Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psrc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servomail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026977; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO CDXML Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".cdxml HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"progresservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026978; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell DownloadString Command"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:".DownloadString("; nocase; fast_pattern; classtype:bad-unknown; sid:2032169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026979; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell DownloadFile Command"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:".DownloadFile("; nocase; fast_pattern; classtype:bad-unknown; sid:2032170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmailing.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026980; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell Starting Wscript Process"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:"start-process wscript"; nocase; fast_pattern; classtype:bad-unknown; sid:2032171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BabyShark CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fmchr.in"; endswith; reference:url,unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/; classtype:command-and-control; sid:2026981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_25, deployment Perimeter, former_category MALWARE, malware_family BabyShark, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell Launching Hidden Window"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:"-windowstyle hidden"; nocase; fast_pattern; classtype:bad-unknown; sid:2032172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nuuo NVR RCE Attempt (CVE-2018-15716)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_handle.php?cmd=getupgradinginfo"; fast_pattern; endswith; classtype:attempted-admin; sid:2026982; rev:3; metadata:created_at 2019_02_26, cve 2018_15716, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (finalcountdown .top)"; flow:established,to_server; tls.sni; content:"finalcountdown.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032174; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"aroundtheworld123.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026983; rev:4; metadata:created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netbounce Related Activity (Program Wrapper)"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/json"; bsize:16; file.data; content:"|5c 5c|Trackingfolder084|5c 5c|start.txt|22 0a|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1daccddd902156737587a2041224b46b; classtype:trojan-activity; sid:2032222; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"frameworksupport.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce User-Agent (Netbounce)"; flow:established,to_server; http.user_agent; content:"Netbounce/1.0"; bsize:13; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; classtype:trojan-activity; sid:2032223; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dittm.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:command-and-control; sid:2026997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M4"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__gads="; fast_pattern; http.cookie; content:"__gads="; startswith; content:"|3b 20|_gat="; distance:0; content:"|3b 20|_ga="; distance:0; content:"|3b 20|_u="; distance:0; content:"|3b 20|__io="; distance:0; content:"|3b 20|_gid="; isdataat:!13,relative; pcre:"/^__gads=\d{9,10}:[01]:\d+:\d+(?::\d{2,4})?\x3b\s_gat=(?:10|6)\.[0-3]\.\d{4,6}\.(?:32|64)\x3b\s_ga=\d\.\d+\.\d+\.\d+\x3b\s_u=[0-9A-F]+:[0-9A-F]+\x3b\s__io=\d{2}_\d{9,10}_\d{9,10}_\d{9,10}\x3b\s_gid=[0-9A-F]{12}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; classtype:command-and-control; sid:2030053; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=google-analytics.is"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:command-and-control; sid:2026998; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [NCC/FOX-IT] Possible F5 BIG-IP/BIG-IQ iControl REST RCE Attempt (CVE-2021-22986)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/tm/util/bash"; nocase; fast_pattern; http.request_body; content:"|22|command|22 3a 20 22|run|22|"; content:"|22|utilCmdArgs|22 3a 20 22|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2021_03_cve_2021_22986.txt; reference:cve,2021-22986; classtype:attempted-admin; sid:2032220; rev:1; metadata:created_at 2021_03_19, cve CVE_2021_22986, former_category EXPLOIT, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=whoama.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2026999; rev:3; metadata:affected_product Web_Browsers, created_at 2019_02_28, former_category MALWARE, malware_family MageCart, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish M1 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032269; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_31, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdnnote.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027000; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mydrinksare .top)"; flow:established,to_server; tls.sni; content:"mydrinksare.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checkfreedom.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027001; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Proxy Activity"; flow:established,to_server; http.start; content:"CONNECT|20|/_controlPath/|20|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032224; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=connectionstatistics.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Proxy User-Agent (idk)"; flow:established,to_server; http.user_agent; content:"idk"; bsize:3; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032225; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conveeir.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Ransomware HTTP POST to Onion Link Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".onion.link"; endswith; fast_pattern; http.request_body; content:"data="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-076a; classtype:command-and-control; sid:2032219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryers.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027004; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Program Wrapper Download"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.uri; content:"/progwrapper.exe"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; content:!"Connect"; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032226; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryflagonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027005; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userid="; startswith; fast_pattern; pcre:"/^[A-Z]{256}$/R"; http.header; content:"Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,435f83b1ab70c68e34bd523bae4217e0; reference:url,twitter.com/bryceabdo/status/1372895643102969861; classtype:trojan-activity; sid:2032274; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=crowlock.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027006; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android GolfSpy (services4me .net in TLS SNI)"; flow:established,to_server; tls_sni; content:"services4me.net"; isdataat:!1,relative; nocase; reference:md5,a762768c582064880a29934c81e24ba2; classtype:command-and-control; sid:2032270; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_03_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_03_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=i-checkme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MALWARECAT Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|MALWARECAT"; fast_pattern; reference:md5,bc45f9e3b0a681fb7bc08dbf3c44bcf3; classtype:command-and-control; sid:2032271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magedefacto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027008; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (habbybearshop .top)"; flow:established,to_server; tls.sni; content:"habbybearshop.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mageenergy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027009; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youcanfindmeonthe .top)"; flow:established,to_server; tls.sni; content:"youcanfindmeonthe.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mnewage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/tmp?q=6"; endswith; fast_pattern; http.user_agent; content:"|20|Office|20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/ShadowChasing1/status/1372464570183208961; reference:md5,1670bb091dba017606ea5e763072d45f; classtype:trojan-activity; sid:2032275; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_03_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=my-that.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027011; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (chMiner/RAT)"; flow:established,to_client; tls.cert_subject; content:"CN=8Yq1.qSt3.S5It.Lbp0"; bsize:22; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1374080723032887297; reference:md5,102362f98b67ece5b9b3607bebf4125a; classtype:domain-c2; sid:2032276; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=phatem.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nameyourcatlikeshedeserved .top)"; flow:established,to_server; tls.sni; content:"nameyourcatlikeshedeserved.top"; bsize:30; fast_pattern; classtype:domain-c2; sid:2032312; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_23, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=s1all.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP klm123.com Spyware User Agent"; flow:established,to_server; http.user_agent; content:"{"; depth:1; fast_pattern; pcre:"/\{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/i"; http.host; content:!"directory.gladinet.com"; content:!"ff.avast.com"; content:!"ispringsolutions.com"; content:!"cdn.download.comodo.com"; content:!"liveupdate.symantec.com"; content:!"liveupdate.norton.com"; reference:url,doc.emergingthreats.net/2007616; classtype:pup-activity; sid:2007616; rev:17; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2021_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=scripteco.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027014; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; fast_pattern; reference:url,twitter.com/z0ul_/status/1374121916143919106; reference:md5,4cf6fb8514073319e7759b4f66d13f08; classtype:domain-c2; sid:2032313; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=secureqbrowser.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027015; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert smtp any any -> any any (msg:"ET MALWARE Suspected Jobcrypter Ransomware Exfil (SMTP)"; flow:to_server,established; content:"|0d 0a|RTEE="; fast_pattern; content:"RRRTC|3a 20|"; pcre:"/^[0-9]{90,180}\r\n/R"; distance:0; reference:md5,4de76198ea4488eae192d0ca4e4bd66b; reference:url,twitter.com/guelfoweb/status/1374042649322209283; classtype:trojan-activity; sid:2032318; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=security-mage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027016; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Vantage Velocity Field Unit RCE Inbound (CVE-2020-9020)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/timeconfig.py?"; fast_pattern; content:"|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/; reference:cve,2020-9020; classtype:attempted-admin; sid:2032314; rev:1; metadata:created_at 2021_03_24, cve CVE_2020_9020, former_category EXPLOIT, updated_at 2021_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sysproperties.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027017; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Girostat Stealer (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; http.request_body; content:"name=|22|info|22 0d 0a|"; content:"name=|22|debug1|22 0d 0a|"; distance:0; content:"name=|22|debug2|22 0d 0a|"; fast_pattern; content:"filename=|22|"; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,934058124782476cdbe7866c4ceed167; classtype:trojan-activity; sid:2032319; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=teflag.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027018; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (onthewire1 .top)"; flow:established,to_server; tls.sni; content:"onthewire1.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=topstatshop.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027019; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (companyllc .top)"; flow:established,to_server; tls.sni; content:"companyllc.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=usvalidly.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027020; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (rpirpiwhyyouleaveyourhorse .top)"; flow:established,to_server; tls.sni; content:"rpirpiwhyyouleaveyourhorse.top"; bsize:30; fast_pattern; classtype:domain-c2; sid:2032317; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=validlyglobal.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiddenTears Ransomware Activity (GET)"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/alertmsg.zip"; fast_pattern; http.host; content:".tk"; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,eabb920f75c2943113713849878a6dfb; reference:md5,28b0ef0c832916a852ddf0c3c5427be3; classtype:trojan-activity; sid:2032320; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2021_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=youlikedme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atom Logger exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|["; content:"|20 7c 20|Atom Logger"; within:100; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026825; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2021_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=zstatonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:command-and-control; sid:2027023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/MID/32546678/dn.php?client_id="; fast_pattern; startswith; content:"&prefix="; distance:0; reference:url,twitter.com/ShadowChasing1/status/1374750091001491458; reference:md5,c578189efd31c06b494b78c168cf84dd; classtype:trojan-activity; sid:2032329; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Address Lookup DNS Query"; dns.query; content:"2ip.ua"; nocase; endswith; reference:md5,81bfa5fe9d0147c8df47a51a1cd4b7c4; classtype:external-ip-check; sid:2027026; rev:3; metadata:created_at 2019_03_04, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity"; flow:established,to_server; http.method; content:"GET"; http.start; content:".js|20|HTTP/1.1|0d 0a|Cookie|3a 20|SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r\n/R"; reference:md5,653b45c576c89c00a164b51e23732957; reference:url,twitter.com/z0ul_/status/1374724622508245008; classtype:trojan-activity; sid:2032330; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup/Patchwork CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=car.drivethrough.top"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2026827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag DonotGroup, tag APT_C_35, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Black KingDom Ransomware Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpn-service/"; startswith; content:"crunchyroll-vpn"; endswith; fast_pattern; pcre:"/^\/vpn-service\/[a-z]{15}\/crunchyroll-vpn$/"; reference:url,news.sophos.com/en-us/2021/03/23/black-kingdom/; classtype:trojan-activity; sid:2032331; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M1"; flow:established,to_server; http.user_agent; content:"Cayosin/2.0"; depth:11; fast_pattern; endswith; classtype:trojan-activity; sid:2026876; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET EXPLOIT DD-WRT UPNP Unauthenticated Buffer Overflow (CVE-2021-27137)"; content:"M-SEARCH|20|"; startswith; content:"|0d 0a|ST|3a|"; nocase; fast_pattern; content:"uuid|3a|"; distance:0; within:6; pcre:"/^[^\r\n]{128,}\r\n/R"; reference:url,ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/; reference:cve,2021-27137; classtype:attempted-admin; sid:2032326; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_25, cve CVE_2021_27137, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M2"; flow:established,to_server; http.user_agent; content:"Cock/2.0"; depth:8; fast_pattern; endswith; classtype:trojan-activity; sid:2026877; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Agent.NSU CnC Activity M2"; flow:established,to_server; http.request_line; content:"POST /?z="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"zone="; startswith; content:"&rb="; distance:0; content:"&hil="; distance:0; content:"&wgl="; distance:0; reference:md5,d29f4467c54f688c8903d2e365f3ba8f; classtype:pup-activity; sid:2032327; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"|2f|"; depth:1; content:"--"; content:"|5c|"; content:"-service.html"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Python, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FFDroider CnC Activity M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/seemorebty/"; fast_pattern; content:".php?e="; distance:0; http.referer; content:"https://www.facebook.com"; reference:md5,ffceece2e297cf5769a35bf387c310ef; reference:url,www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users; classtype:command-and-control; sid:2035798; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win10-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027054; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING ANTIBOT Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PANEL ANTIBOT"; nocase; fast_pattern; content:">Real Visitor Detection Manager"; nocase; distance:0; classtype:web-application-attack; sid:2032322; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_25, deployment Perimeter, signature_severity Major, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win7-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ANTIBOT Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PANEL ANTIBOT"; nocase; fast_pattern; content:">Real Visitor Detection Manager"; nocase; distance:0; classtype:web-application-attack; sid:2032323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_25, deployment Perimeter, signature_severity Major, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder CnC DNS Query"; dns.query; content:"cdn-load.net"; nocase; endswith; reference:url,s.tencent.com/research/report/659.html; classtype:command-and-control; sid:2027056; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Sidewinder, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/boxes?nid="; fast_pattern; startswith; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,91b9c9db4916b7e416da074e29a36082; classtype:trojan-activity; sid:2032332; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FIN6 StealerOne CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"contactlistsagregator.com"; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027058; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Small.CLJ CnC Activity"; flow:established,to_server; http.start; content:"GET /"; startswith; content:"|20|HTTP/1.1|0d 0a|Referer|3a 20|Microsoft|20|Windows|20|"; fast_pattern; http.user_agent; content:"@"; http.header_names; content:"|0d 0a|Referer|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:43; reference:md5,fb7f916531e239c8a705249d93b48598; classtype:trojan-activity; sid:2032328; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN6 StealerOne CnC DNS Query"; dns.query; content:"akamaitechnologies.kz"; nocase; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL"; nocase; fast_pattern; classtype:web-application-attack; sid:2030588; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getInfoAfterInstall"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL"; nocase; fast_pattern; classtype:web-application-attack; sid:2030589; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/applyingpoliciesrules"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Login Panel</title>"; fast_pattern; content:"background-color|3a 20|#000000"; distance:0; content:"text-center|22|>Login to Panel</div>"; distance:0; content:"class=|22|form-control|22 20|id=|22|key|22 20|name=|22|key|22 20|placeholder=|22|Private Key|22|"; distance:0; classtype:web-application-attack; sid:2032324; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 JEShell CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=stream.playnetflix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:targeted-activity; sid:2027068; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family JEShell, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Login Panel</title>"; fast_pattern; content:"background-color|3a 20|#000000"; distance:0; content:"text-center|22|>Login to Panel</div>"; distance:0; content:"class=|22|form-control|22 20|id=|22|key|22 20|name=|22|key|22 20|placeholder=|22|Private Key|22|"; distance:0; classtype:web-application-attack; sid:2032325; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; http.host; content:".su"; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014170; rev:6; metadata:created_at 2012_01_31, former_category POLICY, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/copyright.js"; bsize:13; fast_pattern; http.cookie; content:"SSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,653b45c576c89c00a164b51e23732957; classtype:trojan-activity; sid:2032337; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Wget Request for Executable"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; http.user_agent; content:"Wget/"; depth:5; fast_pattern; classtype:bad-unknown; sid:2027076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_12, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forums?listinfo="; fast_pattern; startswith; http.cookie; content:"made_write_conn="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,49ebd0be7e33c59ee584cb8601093775; classtype:trojan-activity; sid:2032338; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; dns.query; content:"32player.com"; depth:12; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025903; rev:5; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (videomart .top)"; flow:established,to_server; tls.sni; content:"videomart.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_03_26, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|1|2f|0|2f|0"; endswith; pcre:"/^\/[A-F0-9]{30,60}\/1\/0\/0$/"; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ku?disable="; startswith; fast_pattern; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,661bdbab0140cf3bed508a14c2c5804a; classtype:trojan-activity; sid:2032339; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"4D53473A213A"; content:"20457865637574656420417320"; distance:0; fast_pattern; content:"0D0A"; distance:0; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027078; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Files Stealer CnC Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/log.php"; endswith; http.request_body; content:"form-data|3b 20|name=userfile|3b 20|filename="; content:"Stealer|5c|"; distance:0; fast_pattern; reference:md5,b572ed0bf3030cbb18d8af16e2c7e2c2; classtype:trojan-activity; sid:2032333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_26, former_category MALWARE, signature_severity Major, updated_at 2021_03_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Retadup Success Response from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|donnn|3a 3a|"; depth:9; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_11_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; content:"|20|/logo|20|HTTP/1."; fast_pattern; http.method; content:"GET"; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|"; startswith; reference:md5,45ec8cee2c028e47d3bba2e14a93a957; classtype:trojan-activity; sid:2032336; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PirateMatryoshka CnC DNS Query"; dns.query; content:"mobilekey.pw"; nocase; endswith; reference:url,securelist.com/piratebay-malware/89740/; classtype:command-and-control; sid:2027080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|SSID="; fast_pattern; pcre:"/^SSID=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/C"; http.method; content:"GET"; http.uri; content:".css"; endswith; http.header_names; content:"User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,9e97ace1f585b0914f99fde7014ed8c5; classtype:trojan-activity; sid:2032335; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ciscoupdt.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/ddb59d8cc93688bbf4925c7d27462b70e53225cb/; classtype:command-and-control; sid:2027082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Valyria Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/naw15?"; fast_pattern; pcre:"/^(?:id|tfzT)=/R"; http.header_names; content:!"Referer"; reference:md5,0c4578dac4ae278beabbfe18a8c37efb; reference:md5,5154a6f3a5c93337a8a390e63b1448f8; classtype:trojan-activity; sid:2032343; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Dorv InfoStealer CnC DNS Query"; dns.query; content:"googleservice-info.ru"; nocase; endswith; reference:md5,888864c2ea27babf978d5feda40b3b2f; reference:url,twitter.com/wdsecurity/status/1105992405629583362; classtype:command-and-control; sid:2027088; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Win32_Dorv, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_16;)
+alert http any any -> any any (msg:"ET WEB_SERVER Babydraco WebShell Activity"; flow:established,to_server; http.uri; content:"/owa/auth/babydraco.aspx"; bsize:24; fast_pattern; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:attempted-admin; sid:2032344; rev:1; metadata:created_at 2021_03_29, former_category WEB_SERVER, updated_at 2021_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rdfs.cgi"; depth:17; endswith; fast_pattern; http.request_body; content:"Client="; depth:7; content:"|3b|"; distance:0; content:"&Download="; distance:0; classtype:attempted-admin; sid:2027090; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Unk Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=arganaif.org"; bsize:15; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:domain-c2; sid:2032341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"&src=|2e 2e 2f 2e 2e 2f 2e 2e 2f|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/cgi-bin/login.cgi"; depth:18; endswith; classtype:attempted-user; sid:2027091; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Exchange Webshell CnC Domain in DNS Lookup"; dns.query; content:"brian.krebsonsecurity.top"; nocase; bsize:25; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:domain-c2; sid:2032345; rev:1; metadata:created_at 2021_03_29, former_category WEB_CLIENT, updated_at 2021_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"&ping_IPAddr="; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6077; classtype:attempted-user; sid:2027093; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|type|22 3a 20 22|javascript|22|"; fast_pattern; content:"|22|function|22 3a 20|"; pcre:"/^\x22[^\x22]*\x7b[^\x22]*\x7d[^\x22]*\x22[^\x22]*\x22{2}/Rm"; reference:cve,2021-25646; classtype:attempted-admin; sid:2032340; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2021_03_29, cve CVE_2021_25646, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnslookup.cgi"; depth:14; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"host_name="; depth:10; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26877)"; content:"|2e 95|"; offset:2; depth:2; content:"|00 10 00 01|"; distance:0; fast_pattern; byte_extract:1,5,data_len,relative; byte_test:1,>,data_len,0,relative; reference:cve,2021-26877; classtype:attempted-admin; sid:2032347; rev:2; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26877, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/debug.cgi"; depth:10; endswith; http.request_body; content:"data1=|3b|"; depth:7; fast_pattern; content:"&command="; distance:0; reference:url,seclists.org/bugtraq/2010/Jun/93; classtype:attempted-user; sid:2027095; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26897)"; dsize:>1300; content:"|29 00|"; offset:2; depth:2; threshold:type limit, count 45, seconds 90, track by_src; reference:cve,2021-26897; classtype:attempted-admin; sid:2032348; rev:1; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26897, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=poladidlei.website"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/008d33ce2e5d3583d8ebb115f72b250975757018/; classtype:command-and-control; sid:2027086; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; http.user_agent; content:!"Mozilla/"; content:"-"; offset:4; depth:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; bsize:19; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032349; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PlugX Common Header Struct"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a 20|61456|0d 0a|"; fast_pattern; http.user_agent; content:!"Dickson/"; depth:8; http.host; content:!".googleapis.com"; endswith; http.content_len; content:!"61456"; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:9; metadata:created_at 2014_03_06, former_category TROJAN, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; http.accept_lang; content:"ru|2d|RU|2c|ru|3b|q|3d|0|2e|9|2c|en|3b|q|3d|0|2e|8"; bsize:23; http.user_agent; content:"TAKEMIX"; bsize:7; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request to Dotted Quad"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.ip.request; flowbits:noalert; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"UA-CPU"; content:!"Cookie"; content:!"Referer"; content:!"Accept-Language"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:misc-activity; sid:2022054; rev:6; metadata:created_at 2015_11_09, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Amazon Profile) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/g/rfer=nmn_fr_gees_1/42-332638-0264389/field-keywords=toys"; fast_pattern; http.cookie; content:"skin=noskin|3b|"; startswith; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,5ac5656269d2dd45405a153dca591ede; classtype:trojan-activity; sid:2032353; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowHammer DNS Lookup"; dns.query; content:"asushotfix.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027109; rev:3; metadata:created_at 2019_03_25, former_category TROJAN, malware_family ShadowHammer, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Related Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ZP/MIKV.php"; bsize:12; fast_pattern; http.user_agent; content:"Embarcadero|20|URI|20|Client/1.0"; bsize:26; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/ESETresearch/status/1376490532445294594; reference:md5,ad8fd5461bec26b97cdfc0b05028bfc0; reference:md5,1e4b45e2ab5c679f9e983da1c135ab5e; reference:md5,34db9c98f3149d98bf0a562ce2ef5344; classtype:trojan-activity; sid:2032356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"simplexoj.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027111; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Request for EXE via GO HTTP Client"; flow:established,to_server; http.request_line; content:".exe HTTP/"; http.user_agent; content:"Go-http-client/"; startswith; classtype:misc-activity; sid:2032355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"homeabcd.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?usersearch="; fast_pattern; http.cookie; content:"reg_fb_gate="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:url,twitter.com/z0ul_/status/1377385770470703106; reference:md5,c5668ee76cb9a9a5c4837eb0049c005b; classtype:trojan-activity; sid:2032360; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ShadowHammer CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asushotfix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,securelist.com/operation-shadowhammer/89992/; classtype:command-and-control; sid:2027116; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Critical, tag SSL_Malicious_Cert, tag ShadowHammer, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP DriverPack Domain in DNS Query"; dns.query; content:"drp.su"; nocase; endswith; classtype:pup-activity; sid:2032357; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2021_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JasperLoader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?b="; content:"&v="; distance:0; content:"&psver="; distance:0; fast_pattern; isdataat:!2,relative; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; classtype:command-and-control; sid:2027100; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".wm01.to"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/; reference:md5,b44898666f0f07e9fae379b6e88a331c; reference:md5,e91bbe677636002682dbcc430fc1065b; classtype:domain-c2; sid:2032361; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Related User-Agent (WINTERNET)"; flow:established,to_server; http.user_agent; content:"WINTERNET"; depth:9; endswith; fast_pattern; reference:md5,feeb9efd6b724d772768cd89d3c30380; classtype:pup-activity; sid:2027141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_29, former_category USER_AGENTS, tag User_Agent, tag PUA, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".gif?utmac="; fast_pattern; content:"&utmcn="; distance:0; content:"&utmcs="; distance:0; http.header_names; content:!"Referer"; reference:url,twitter.com/MichalKoczwara/status/1377651431478595588; reference:md5,db9214c2f8340ceba664800481f0ca08; classtype:trojan-activity; sid:2032362; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Mozilla 6.0)"; flow:established,to_server; http.user_agent; content:"Mozilla 6.0"; depth:11; endswith; classtype:bad-unknown; sid:2027142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_01, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible OpenSSL TLSv1.2 DoS Inbound (CVE-2021-3449)"; flow:established,to_server; tls.version:1.2; ssl_state:client_hello; content:!"|00 0d|"; content:"|00 32 00|"; content:"|ff 01 00 01 00|"; distance:0; fast_pattern; reference:cve,2021-3449; classtype:denial-of-service; sid:2032358; rev:1; metadata:affected_product OpenSSL, created_at 2021_04_01, cve CVE_2021_3449, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kribat-A Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Command"; depth:7; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,78184ca66e1774598b96188f977f0687; classtype:trojan-activity; sid:2027024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for EXE from DigitalOcean Spaces"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:".digitaloceanspaces.com"; endswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:bad-unknown; sid:2032359; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Password Submitted to *.000webhostapp.com"; flow:established,to_server; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.request_body; content:"password="; nocase; classtype:credential-theft; sid:2027146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious HTTP Request to .bit domain"; flow:to_server,established; http.host; content:".bit"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:5; metadata:created_at 2014_01_24, former_category HUNTING, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Request for Payload (TA505 Related)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".tmp"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.start; content:".tmp|20|HTTP/1."; fast_pattern; content:"|0d 0a|Host|3a 20|"; distance:1; within:8; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:25; classtype:trojan-activity; sid:2027143; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Control Panel Applet File Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"CPlApplet"; fast_pattern; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/bb776392%28v=vs.85%29.aspx; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf; classtype:policy-violation; sid:2018087; rev:3; metadata:created_at 2014_02_07, updated_at 2021_04_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&string="; depth:8; fast_pattern; pcre:"/^[A-F0-9]+$/R"; http.content_type; content:"|20|Charset=UTF-8"; endswith; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:command-and-control; sid:2027155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category MALWARE, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Nitro Stealer Exfil Activity (Response)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"is_bot|22 3a|"; content:"|2c 22|username|22 3a 22|nitronotification_bot|22|"; fast_pattern; reference:url,app.any.run/tasks/ab993f27-958c-4ab4-8da4-0bcd7fe35fcd/; reference:url,twitter.com/James_inthe_box/status/1378044484089376768; reference:md5,95b98ecb440a23daefc5c12d0edfa048; classtype:trojan-activity; sid:2032418; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pedraz12ziniphoto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/16e06a88dbb10c75077780d4baed6d0b2733f985/; classtype:command-and-control; sid:2027157; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect M2"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"?key="; fast_pattern; content:"&id="; distance:16; within:4; content:"&gid="; pcre:"/key=[A-F0-9]{16}&id=\d+&gid=[A-F0-9\-]+$/"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"?key="; within:400; pcre:"/^[A-F0-9]{16}(?:&|&amp\x3b)id=\d+(?:&|&amp\x3b)gid=[A-F0-9\-]+\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1378546891349106692; classtype:exploit-kit; sid:2032480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ga"; nocase; endswith; classtype:trojan-activity; sid:2027158; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Suspicious GitHack TLS SNI Request - Possible PurpleFox EK"; flow:established,to_server; tls.sni; content:".githack."; content:!".githack.com"; endswith;  classtype:exploit-kit; sid:2032481; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.gq"; nocase; endswith; classtype:trojan-activity; sid:2027159; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Killbot JS Configuration - Possible Phishing"; flow:established,to_client; file.data; content:"const killbot"; nocase; content:"apiKey|3a|"; nocase; content:"botRedirection|3a|"; nocase; content:"killbot-security.js"; nocase; fast_pattern; reference:url,killbot.org; classtype:misc-activity; sid:2032468; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category INFO, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ml"; nocase; endswith; classtype:trojan-activity; sid:2027160; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT Suspicious GitHack DNS Request - Possible PurpleFox EK"; flow:established,to_server; dns.query; content:".githack."; content:!".githack.com"; endswith; classtype:exploit-kit; sid:2032482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.gq"; nocase; endswith; classtype:trojan-activity; sid:2027161; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sparkasse Phishing Domain 2021-04-05"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"sparkasse.de"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032469; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.ml"; nocase; endswith; classtype:trojan-activity; sid:2027162; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (tk) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".tk"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032470; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.cf"; nocase; endswith; classtype:trojan-activity; sid:2027163; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (ml) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032471; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.ml"; nocase; endswith; classtype:trojan-activity; sid:2027164; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (gq) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032472; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.tk"; nocase; endswith; classtype:trojan-activity; sid:2027165; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (ga) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032473; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"paltyr.tk"; nocase; endswith; classtype:trojan-activity; sid:2027166; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (cf) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032474; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=justin.drinkeatgood.space"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027195; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_04_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (xyz) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check myexternalip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"myexternalip.com"; depth:16; endswith; classtype:external-ip-check; sid:2019980; rev:6; metadata:created_at 2014_12_19, former_category POLICY, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Mamalo Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-04-12"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ur="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027196; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Mamalo Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032477; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Tehran Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032478; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns.query; content:"tiny.cc"; nocase; endswith; classtype:trojan-activity; sid:2027199; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Tehran Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032479; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc)"; flow:from_server,established; tls.cert_subject; content:"CN=tiny.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2027200; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A Ransomware CnC Init Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?gen&session-id="; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Rs"; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; content:!"User-Agent"; reference:md5,b306115dc9c137b0fa455a9ce1708917; classtype:trojan-activity; sid:2032419; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com)"; dns.query; content:"time-loss.dns05.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?submit"; http.request_body; content:"session-id="; depth:11; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/Rs"; content:"&id="; distance:0; within:4; content:"&country="; content:"&operatingSystem="; content:"&cpuModel="; content:"&machineName="; content:"&randomAccessMemory="; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; content:!"User-Agent"; reference:md5,b306115dc9c137b0fa455a9ce1708917; classtype:trojan-activity; sid:2032420; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com)"; dns.query; content:"dji-msi.2waky.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027209; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Template Download"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jack/"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9]{32}\.dot$/R"; http.user_agent; content:"Microsoft Office"; http.header_names; content:!"Referer"; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:md5,8cc87eb3667aecc1bd41018f00aca559; reference:md5,d4b45f7a937139e05f386a8ad0aba04e; reference:md5,5fdcbb85733f9e8686d582b2f1459961; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032483; rev:1; metadata:created_at 2021_04_05, former_category MALWARE, malware_family DonotGroup, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drivethrough .top)"; dns.query; content:"drivethrough.top"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; http.protocol; content:"|28 29 20 7b|"; startswith; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:6; metadata:created_at 2014_09_25, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drinkeatgood .space)"; dns.query; content:"drinkeatgood.space"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027218; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreDn/BLINDINGCAN Activity)"; flow:established,to_client; tls.cert_subject; content:"CN=www.curiofirenze.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:trojan-activity; sid:2030923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=microsoftonline-secure-login.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027221; rev:4; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011110; classtype:web-application-attack; sid:2011110; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"secure-message.online"; distance:0; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027222; rev:4; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011111; classtype:web-application-attack; sid:2011111; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"internal-message.app"; distance:0; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027223; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011112; classtype:web-application-attack; sid:2011112; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (xsecuremail .com)"; dns.query; content:"xsecuremail.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027224; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<img src=|22|file/cip.php?rand="; nocase; fast_pattern; content:"id=|27|capisimg|27|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|capis|22|"; nocase; distance:0; classtype:social-engineering; sid:2032509; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (wipro365 .com)"; dns.query; content:"wipro365.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027225; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (lifemaindecision .top)"; flow:established,to_server; tls.sni; content:"lifemaindecision.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2032524; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (microsoftonline-secure-login .com)"; dns.query; content:"microsoftonline-secure-login.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027226; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Hidden Text - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<span style='font-size:0px|3b|'>"; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; classtype:social-engineering; sid:2032510; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)"; dns.query; content:"myservicessapps.com"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/pua-microsoft-store-porn-gambling; classtype:trojan-activity; sid:2027220; rev:4; metadata:attack_target Mobile_Client, created_at 2019_04_18, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"id='captcha_image' name='captcha_image' src='captcha.php?rand="; nocase; content:"placeholder='Enter Code' style='text-align:center|3b|' class='input' name='captcha'"; nocase; distance:0; content:"function refreshCaptcha(){"; nocase; distance:0; classtype:social-engineering; sid:2032511; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secure-message .online)"; dns.query; content:"secure-message.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027227; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office Related Appspot Hosted Shared Document Phishing Landing"; flow:established,to_client; file.data; content:"script language=javascript>document.write(unescape("; nocase; content:"href%3D%22https%3A//fonts.googleapis.com/"; nocase; distance:0; content:"stylesheet%22%3E%20%3Cscript%20src%3D%22https%3A//kit.fontawesome.com/"; nocase; distance:0; content:"____rdr%20%3D%20%27https%3A//www.office.com/"; nocase; distance:0; content:"var%20LIB_view%20%3D%20%27PGRpdiBjbGFzcz0iY"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2032512; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypt-email .online)"; dns.query; content:"encrypt-email.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027228; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Redirect to Phishing Landing"; flow:established,to_client; file.data; content:"<title>Review|3a 20 20|0ffice365"; fast_pattern; nocase; content:"<script type=|22|text/javascript|22|>window.location.href"; distance:0; nocase; classtype:social-engineering; sid:2032513; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secured-mail .online)"; dns.query; content:"secured-mail.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027229; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"/////url email getting//////"; fast_pattern; nocase; content:"ind=my_email.indexOf(|22|@|22|"; distance:0; content:"///////new injection//////"; distance:0; nocase; classtype:social-engineering; sid:2032514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (internal-message .app)"; dns.query; content:"internal-message.app"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027230; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing"; flow:established,to_client; file.data; content:"$.ajax({|0d 0a|"; content:"dataType|3a 20|'JSON',|0d 0a|"; within:50; content:"url|3a|"; within:50; content:".php',|0d 0a|"; within:500; content:"type|3a 20|'POST',|0d 0a|"; within:50; fast_pattern; content:"data|3a|{|0d 0a|"; within:50; content:"function(xhr"; distance:0; classtype:social-engineering; sid:2032515; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypted-message .cloud)"; dns.query; content:"encrypted-message.cloud"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027231; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"//////url getting ai//////"; fast_pattern; nocase; content:"var my_ai = ai|3b|"; distance:0; nocase; content:"my_ai.indexOf(|22|@|22|"; distance:0; nocase; classtype:social-engineering; sid:2032516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Microsoft Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"microsoft"; content:".github.io"; distance:0; endswith; fast_pattern; content:!"microsoft.github.io"; depth:19; endswith; classtype:policy-violation; sid:2027274; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"/////url ai getting//////"; fast_pattern; nocase; content:"///////url getting ai///////"; distance:0; nocase; classtype:social-engineering; sid:2032517; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"binance"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027240; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<img src=|22|files/cps.php?rand="; nocase; fast_pattern; content:"id='cpsaimg'"; nocase; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|caps|22|"; nocase; distance:0; classtype:social-engineering; sid:2032518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"ebay"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027242; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"webmail"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027243; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032520; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, signature_severity Major, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"account"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027244; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032521; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, signature_severity Major, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"outlook"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027246; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032522; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"dhl"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027247; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&txtCaptcha="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032633; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"docusign"; fast_pattern; content:".github.io"; distance:0; endswith; classtype:policy-violation; sid:2027248; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pult Downloader Activity"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|UserAgent|3a|Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|"; fast_pattern; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032525; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2021_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"facebook"; content:".github.io"; distance:0; endswith; fast_pattern; content:!"facebook.github.io"; depth:18; endswith; classtype:policy-violation; sid:2027275; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Related VBS Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xx/f_Skoifa.vbs"; fast_pattern; bsize:16; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; reference:url,www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt; reference:md5,27d85a6aff129deb07048a735de1c884; classtype:trojan-activity; sid:2032530; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Molerats, performance_impact Low, signature_severity Major, updated_at 2021_04_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"paypal"; fast_pattern; content:".github.io"; distance:0; endswith; content:!"paypal.github.io"; depth:16; endswith; classtype:policy-violation; sid:2027241; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Python RAT (Aurora Campaign))"; flow:established,to_client; tls.cert_subject; content:"C=MK, ST=MikoState, L=MikoCity, O=Miko LLC, OU=Miko, CN=Foo Bar"; bsize:63; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/; classtype:domain-c2; sid:2032528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealerNeko CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"country="; depth:8; content:"&cc="; content:"&autof="; content:"&cookies="; content:"&filezilla="; fast_pattern; content:"&passwords="; content:"&telegram="; content:"&wallet="; content:"winver="; content:"&pidgin="; http.header_names; content:!"Referer"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027239; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, malware_family StealerNeko, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT)"; flow:established,to_client; tls.cert_issuer; content:"CN=DcRat Server"; fast_pattern; reference:md5,c57460b4d595a97fd37211e5087b2557; classtype:domain-c2; sid:2034847; rev:1; metadata:attack_target Client_and_Server, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"kuternull.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (heroofthe .top)"; flow:established,to_server; tls.sni; content:"heroofthe.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"rimrun.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-04-08"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emid="; depth:5; nocase; fast_pattern; content:"&epass="; nocase; distance:0; pcre:"/^emid=[^&]*&epass/i"; classtype:credential-theft; sid:2032532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.myddns.me Domain"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".myddns.me"; nocase; endswith; classtype:policy-violation; sid:2027287; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Trend Micro IWSVA Unauthenticated Command Injection Inbound (CVE-2020-8466)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uid="; startswith; content:"passwd=|60|"; fast_pattern; reference:url,packetstormsecurity.com/files/160602/Trend-Micro-IWSVA-CSRF-XSS-Bypass-SSRF-Code-Execution.html; reference:cve,2020-8466; classtype:attempted-admin; sid:2032533; rev:1; metadata:attack_target Server, created_at 2021_04_08, cve CVE_2020_8466, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire POST M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2027283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hierarchicalfiles .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hierarchicalfiles.com"; bsize:21; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032534; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire GET M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2027284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (resolutionplatform .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resolutionplatform.com"; bsize:22; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032535; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myddns.me Domain"; flow:established,to_server; http.host; content:".myddns.me"; endswith; classtype:policy-violation; sid:2027288; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (pulmonyarea .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pulmonyarea.com"; bsize:15; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032536; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"pxybomb.icu"; nocase; endswith; classtype:trojan-activity; sid:2027285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Monero, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hardwareoption .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hardwareoption.com"; bsize:18; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"data-backup.online"; nocase; endswith; classtype:command-and-control; sid:2027290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (shehootastayonwhatshelirned .top)"; flow:established,to_server; tls.sni; content:"shehootastayonwhatshelirned.top"; bsize:31; fast_pattern; classtype:domain-c2; sid:2032538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"fontsupdate.com"; nocase; endswith; classtype:command-and-control; sid:2027291; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (applicationrepo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"applicationrepo.com"; bsize:19; fast_pattern; reference:md5,60e9f401ea30605d57cdc821533d9675; reference:url,twitter.com/RedBeardIOCs/status/1379422249590128646; classtype:targeted-activity; sid:2032539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"akamaihub.stream"; nocase; endswith; classtype:command-and-control; sid:2027292; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (uppertrainingtool .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"uppertrainingtool.com"; bsize:21; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1347357947307778049?s=20; classtype:targeted-activity; sid:2032540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Novaloader Stage 2 VBS Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cabaco2.txt"; fast_pattern; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,www.zscaler.com/blogs/research/novaloader-yet-another-brazilian-banking-malware-family; reference:md5,4ef89349a52f9fcf9a139736e236217e; classtype:trojan-activity; sid:2027289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_29, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Novaloader, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hostoperationsystems .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hostoperationsystems.com"; bsize:24; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1347357947307778049?s=20; classtype:targeted-activity; sid:2032541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.autoddns .com Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".autoddns.com"; nocase; endswith; classtype:policy-violation; sid:2027299; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ozone/Darktrack RAT Variant - Client Hello (set)"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.OzoneRAT; content:"|2c ef 3a e7 89 fe 48 af ac f8|"; depth:10; dsize:110<>113; reference:md5,583de02ec747f0316fb7b0e59bd858bd; classtype:trojan-activity; sid:2032542; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.autoddns.com Domain"; flow:established,to_server; http.host; content:".autoddns.com"; endswith; classtype:policy-violation; sid:2027300; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ozone/Darktrack RAT Variant - Server Hello"; flow:established,to_client; flowbits:isset,ET.OzoneRAT; dsize:666; content:"|53 53 48 2d 32 2e 30 2d 64 72 6f 70 62 65 61 72 5f 32 30 31 37 2e 37 35 0d 0a|"; reference:md5,583de02ec747f0316fb7b0e59bd858bd; classtype:trojan-activity; sid:2032543; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:"coldfart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027280; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downer.B Variant Checkin"; flow:established,to_server; http.method; content:"GET"; content:"winver="; distance:0; content:"&sdsoft="; distance:0; fast_pattern; content:"&webid="; distance:0; content:"&softid"; distance:0; content:"&usesnum="; distance:0; content:"&mac="; distance:0; content:"&filename="; distance:0; reference:md5,fa304e71504863f32e6f9032b772cea1; reference:md5,b4188819a0da135ada42e2df4fa97619; classtype:pup-activity; sid:2030565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"mystrylust.pw"; nocase; endswith; classtype:command-and-control; sid:2027295; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed POST to xsph .ru Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xsph.ru"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032531; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2021_04_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Stage 2 CnC Domain in DNS Lookup"; dns.query; content:"new.listenmusic.pw"; nocase; endswith; classtype:command-and-control; sid:2027296; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig SideTwist CnC Domain in DNS Lookup (sarmsoftware .com)"; dns.query; content:"sarmsoftware.com"; nocase; bsize:16; reference:url,research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/; classtype:domain-c2; sid:2032640; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup Stage 2 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=new.listenmusic.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027297; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032636; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mystrylust.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027298; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032637; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"houusha33.icu"; nocase; endswith; classtype:command-and-control; sid:2027304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Klog Server Command Injection Inbound (CVE-2021-3317)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/async.php?action="; content:"&source=|3b|"; fast_pattern; reference:cve,2021-3317; classtype:attempted-admin; sid:2032638; rev:1; metadata:attack_target Server, created_at 2021_04_09, cve CVE_2021_3317, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"joisff333.icu"; nocase; endswith; classtype:command-and-control; sid:2027305; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032634; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, signature_severity Major, updated_at 2021_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"aasdkkkdsa3442.icu"; nocase; endswith; classtype:command-and-control; sid:2027306; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032635; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, signature_severity Major, updated_at 2021_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"fjiisiis33.icu"; nocase; endswith; classtype:command-and-control; sid:2027307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (lomhasnopryiyome .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"lomhasnopryiyome.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2032639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_09, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"afsafasdarm.icu"; nocase; endswith; classtype:command-and-control; sid:2027308; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M1 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"IDLOG="; depth:6; nocase; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032590; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"cdnavupdate.icu"; nocase; endswith; classtype:command-and-control; sid:2027309; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M2 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"question1="; depth:10; nocase; content:"&Answer1="; nocase; distance:0; content:"&question2="; nocase; distance:0; content:"&Answer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&Answer3="; nocase; distance:0; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032591; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE AridViper CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"tatsumifoughtogre.club"; endswith; classtype:targeted-activity; sid:2027312; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_SNI, tag AridViper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&lname="; nocase; distance:0; content:"&db1="; nocase; distance:0; content:"&db2="; nocase; distance:0; content:"&db3="; nocase; distance:0; content:"&adrs="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp1="; nocase; distance:0; content:"&exp2="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&vbv="; nocase; distance:0; content:"&sortcode="; nocase; distance:0; fast_pattern; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032615; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Krypton Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Client"; depth:6; endswith; http.request_body; content:"id="; depth:3; content:"&message="; distance:0; fast_pattern; reference:md5,825afad02d07063689b7b59e8cf46809; classtype:command-and-control; sid:2027313; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, deployment Perimeter, former_category MALWARE, malware_family Krypton, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; pcre:"/^[qbedm]{1}[a-zA-Z]{1,3}646[a-zA-Z0-9]{1,3}+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IcedID Fake Resume Server in DNS Lookup"; dns.query; content:"browse-resumes.com"; nocase; endswith; classtype:trojan-activity; sid:2027314; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, former_category TROJAN, malware_family IcedID, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (tapewormorchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"tapewormorchestra.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (ReactGet Group)"; dns.query; content:"ebitbr.com"; depth:10; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (belochkaneprihoditodna .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"belochkaneprihoditodna.top"; bsize:26; fast_pattern; classtype:domain-c2; sid:2032743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ReactGet Group)"; flow:established,to_client; tls.cert_subject; content:"CN=ebitbr.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027318; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SSL/TLS Certificate Observed (OpenNIC Project API)"; flow:established,to_client; tls.cert_subject; content:"CN=api.opennicproject.org"; bsize:25; fast_pattern; reference:url,wiki.opennic.org/API; classtype:bad-unknown; sid:2032744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_04_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Mirrorthief Group)"; dns.query; content:"cloudmetric-analytics.com"; depth:25; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027321; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; nocase; http.request_body; content:"login_ak"; depth:8; nocase; content:"&pwd_ak"; nocase; distance:0; fast_pattern; content:"&1.Continue"; nocase; distance:0; classtype:credential-theft; sid:2032643; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Mirrortheif group)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudmetric-analytics.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027322; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Discover Phish M2 2016-12-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"ccnumb="; depth:7; nocase; fast_pattern; content:"&expirMonth="; nocase; distance:0; content:"&expiryear="; nocase; distance:0; content:"&CCV="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; classtype:credential-theft; sid:2032666; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rest/tinymce/1/macro/preview"; fast_pattern; endswith; http.request_body; content:"|22|contentId|22|"; depth:20; content:"|22|_template|22 3a|"; distance:0; reference:url,packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html; classtype:attempted-admin; sid:2027333; rev:4; metadata:created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP Request for OpenNIC API GeoIP Request"; flow:established,to_server; http.uri; content:"/geoip"; nocase; startswith; http.host; content:"api.opennicproject.org"; bsize:22; fast_pattern; reference:url,wiki.opennic.org/API; classtype:bad-unknown; sid:2032745; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Information Disclosure CVE-2017-1000395"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/api/xml"; distance:0; endswith; http.header_names; content:!"Referer"; reference:cve,2017-1000395; reference:url,jenkins.io/security/advisory/2017-10-11/#user-remote-api-disclosed-users-email-addresses; classtype:web-application-attack; sid:2027347; rev:4; metadata:attack_target Server, created_at 2019_05_10, cve 2017_1000395, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Phish M1 2016-06-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&password="; nocase; distance:0; content:"&domain="; nocase; distance:0; content:"&Phone"; nocase; distance:0; classtype:credential-theft; sid:2032685; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Pre-auth User Information Leakage"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/search/index?q="; distance:0; isdataat:1,relative; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; reference:url,github.com/rapid7/metasploit-framework/pull/11466; classtype:web-application-attack; sid:2027348; rev:4; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful *.myjino. ru Phish 2016-12-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.host; content:".myjino.ru"; endswith; http.request_body; content:"user"; depth:4; nocase; content:"&pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032725; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-analytics.com"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:command-and-control; sid:2027342; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Onedrive Phish 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; nocase; depth:6; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032680; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC Domain in DNS Lookup"; dns.query; content:"magento-analytics.com"; nocase; endswith; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:command-and-control; sid:2027343; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish M1 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"yahoo"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; fast_pattern; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032683; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextd.at"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:command-and-control; sid:2027355; rev:3; metadata:created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032738; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC in DNS Lookup"; dns.query; content:"jqueryextd.at"; nocase; endswith; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:command-and-control; sid:2027356; rev:3; metadata:created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032739; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PasswordVault/auth/saml/"; fast_pattern; endswith; http.request_body; content:"SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1F"; depth:41; reference:url,www.exploit-db.com/exploits/46828; classtype:attempted-admin; sid:2027358; rev:4; metadata:created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032740; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User-Agent Downloading ZIP"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".zip"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2027360; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032741; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech Plead CnC in DNS Lookup"; dns.query; content:"ssmailer.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.ssmailer\.com$/"; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:command-and-control; sid:2027362; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"tkyjzgbqfwk3gr55."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024981; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com)"; dns.query; content:"dns-report.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.dns-report\.com$/"; classtype:bad-unknown; sid:2027363; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u7duee44hwu5lf7r."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024983; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious shell .now .sh Domain"; dns.query; content:"shell.now.sh"; nocase; endswith; reference:url,www.lacework.com/blog-attacks-exploiting-confluence; classtype:misc-attack; sid:2027367; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u2sg7pqxmmrhnzms."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024982; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821"; http.method; content:"POST"; http.uri; content:"/servlet/UploadServlet"; depth:22; endswith; fast_pattern; http.header; content:"Destination-Dir|3a 20|tftpRoot"; http.request_body; content:"String(|22|/bin/"; content:"new Socket(|22|"; distance:0; content:"Runtime.getRuntime().exec("; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header_names; content:!"Referer"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce; classtype:web-application-attack; sid:2027368; rev:4; metadata:attack_target Server, created_at 2019_05_20, cve 2019_1821, deployment Perimeter, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns.query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2021_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; depth:3; endswith; http.start; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:command-and-control; sid:2022609; rev:5; metadata:created_at 2016_03_10, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Netlify Hosted GET Request - Possible Phishing Landing"; flow:established,to_server; http.method; content:"GET"; http.host; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in"; flow:established,to_server; urilen:<134; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:18; metadata:created_at 2014_05_05, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Netlify Hosted DNS Request - Possible Phishing Landing"; dns.query; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032759; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Check-in"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z]+\/)?$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; classtype:trojan-activity; sid:2019881; rev:6; metadata:created_at 2014_12_06, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing"; flow:established,to_server; tls.sni; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032760; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - iplocation .truevue .org"; flow:established,to_server; http.host; content:"iplocation.truevue.org"; fast_pattern; depth:22; endswith; classtype:external-ip-check; sid:2027372; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Vonteera.M Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getdata.php?wti="; fast_pattern; content:"&s="; distance:0; content:"&sta="; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; bsize:20; reference:md5,06cba7e1a75deca367afca8f27eb4db2; classtype:pup-activity; sid:2032761; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to External IP Lookup Domain ( iplocation .truevue .org)"; dns.query; content:"iplocation.truevue.org"; nocase; endswith; classtype:external-ip-check; sid:2027373; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (whatsthescore .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"whatsthescore.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shade Ransomware Payment Domain in DNS Lookup"; dns.query; content:"cryptsen7f043rr6.onion"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/; classtype:trojan-activity; sid:2027379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_24, former_category TROJAN, malware_family Shade, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLine - GetArguments Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|SOAPAction|3a 20 22|http://tempuri.org/"; http.request_body; content:"|3c 73 3a|Body|3e 3c|GetArguments|20|xmlns=|22|http|3a 2f 2f|tempuri|2e|org|2f 22 2f|"; fast_pattern; reference:md5,9a3ac9f18c1222e7a77a47db01b1f597; classtype:command-and-control; sid:2034361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Redline, signature_severity Major, updated_at 2021_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware Sending Encrypted Filelist"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; http.request_body; content:"name=|22|uploadfile|22 3b 20|filename=|22|C|3a 5c|"; content:"|0d 0a|[ALL]|0d 0a|"; distance:0; content:"|0d 0a|[ALL_END]|0d 0a 0d 0a|[PRIORITY]|0d 0a|"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,e5293a4da4b67be6ff2893f88c8ef757; classtype:trojan-activity; sid:2024178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Matrix, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.live"; nocase; bsize:31; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032763; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible EXE Download Request to ngrok"; flow:established,to_server; http.uri; content:".exe"; endswith; http.host; content:".ngrok.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027391; rev:4; metadata:created_at 2019_05_28, deployment Perimeter, former_category POLICY, signature_severity Major, tag Suspicious_Download, updated_at 2020_09_17;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; distance:0; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:1; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProtonBot Stealer Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"&clip=get"; distance:12; within:9; endswith; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027383; rev:3; metadata:created_at 2019_05_28, former_category TROJAN, malware_family ProtonBot, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15"; dns.query; content:"ctgame.tk"; nocase; bsize:9; reference:url,twitter.com/nao_sec/status/1381100024919035908; classtype:domain-c2; sid:2032764; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".microsofts.org"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027385; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iView3/NetworkServlet"; fast_pattern; http.request_body; content:"page_action"; startswith; content:"|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"; reference:url,www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/; reference:cve,2021-22652; classtype:attempted-admin; sid:2032767; rev:1; metadata:attack_target Web_Server, created_at 2021_04_15, cve CVE_2021_22652, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".kaspresksy.com"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027386; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.xyz"; nocase; bsize:30; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032765; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".tencentchat.net"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?filename=corona"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest|2e|5)"; bsize:57; http.header_names; content:!"Referer"; reference:md5,0821884168a644f3c27176a52763acc9; reference:url,twitter.com/ShadowChasing1/status/1382509560179531782; classtype:trojan-activity; sid:2032770; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - AngryBeaver Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"cgi-bin/index.php"; endswith; http.content_type; content:"application/x-www-form-urlencoded|3b|charset=utf-8"; bsize:47; http.request_body; content:"0="; startswith; content:"&1="; distance:0; content:"&2=enc02"; endswith; fast_pattern; reference:url,twitter.com/rootprivilege/status/1376899513592336391?s=20; reference:url,lukeleal.com/research/posts/magento2-angrybeaver-skimmer/; classtype:trojan-activity; sid:2032769; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Node XMLHTTP User-Agent"; flow:established,to_server; http.user_agent; content:"node-XMLHttpRequest"; depth:19; endswith; nocase; fast_pattern; classtype:unknown; sid:2027388; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (annafraudy .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"annafraudy.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (php)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"|0d 0a 0d 0a|php"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^php.{0,500}[\x80-\xff]/s"; http.header_names; content:!"Content-Type"; content:!"Referer"; content:!"Cookie:"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022901; rev:5; metadata:created_at 2016_06_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032774; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT ScanBox Framework used in WateringHole Attacks Initial (POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"seed="; fast_pattern; content:"&referrer="; content:"&agent="; content:"&location="; content:"&toplocation="; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:exploit-kit; sid:2019094; rev:8; metadata:created_at 2014_08_29, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032775; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SeaDuke CnC Beacon"; flow:established,to_server; content:"|0d 0a 0d 0a|Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/"; http.header_names; content:!"Accept"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:targeted-activity; sid:2021413; rev:5; metadata:created_at 2015_07_14, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (youareperfect2day .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"youareperfect2day.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Content-Type\x3a[^\r\n]+\r\n)?(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; classtype:command-and-control; sid:2021418; rev:12; metadata:created_at 2015_07_15, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (mindbreaker .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"mindbreaker.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".doc"; fast_pattern; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; classtype:bad-unknown; sid:2025162; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remocs 3.x Unencrypted Checkin"; flow:established,to_server; content:"|24 04 ff 00|"; startswith; content:"|4b 00 00 00|"; distance:4; within:4; content:"|7c 1e 1e 1f 7c|"; distance:0; fast_pattern; reference:md5,d27f70216d11b769c937a961fc1b1c81; classtype:command-and-control; sid:2032776; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - Mozilla 4.0 EXE Request"; flow:established,to_server; urilen:6<>15; http.uri; content:".exe"; endswith; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:trojan-activity; sid:2020705; rev:7; metadata:created_at 2015_03_18, updated_at 2020_09_17;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Remocs 3.x Unencrypted Server Response"; flow:established,to_client; content:"|24 04 ff 00|"; startswith; content:"|01 00 00 00 30 7c 1e 1e 1f 7c|"; distance:4; within:10; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:md5,d27f70216d11b769c937a961fc1b1c81; classtype:command-and-control; sid:2032777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Payload Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|29 20|A"; endswith; http.request_body; content:"filename=|22|"; content:"|3a 5c|Windows|5c|"; distance:1; within:10; pcre:"/^[A-F0-9]{8}_[A-F0-9]{8}\.sql/Ri"; content:"|00|.|00|i|00|n|00|k|00|"; distance:0; fast_pattern; http.request_line; content:".php|20|HTTP/1.0"; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027398; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, tag APT, tag DarkHotel, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (attentionmagnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"attentionmagnet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"pwsmbx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027399; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk Downloader CnC Activity"; flow:established,to_server; http.request_line; content:"GET /"; startswith; content:"image.php?id="; fast_pattern; pcre:"/^[0-9A-F]{21,22}\x20HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:command-and-control; sid:2032342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"reuqest-userauth.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027400; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET HUNTING Malformed Domain Name in DNS Query (Domain Length Exceeds 253 Bytes)"; dns.query; bsize:>253; classtype:bad-unknown; sid:2032779; rev:1; metadata:created_at 2021_04_19, former_category HUNTING, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"vgmtx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027401; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".config"; endswith; http.request_body; content:"CMD=CONFIG&GO=index.asp&TYPE=CONFIG"; fast_pattern; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032780; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"schooltillhungryprocess.com"; nocase; endswith; classtype:targeted-activity; sid:2027406; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation Inbound M2"; flow:established,to_server; flowbits:set,ZBLEPON.1; http.method; content:"GET"; http.uri; content:"/system_password.asp"; endswith; fast_pattern; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032781; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"maylaytravelgroup.com"; nocase; endswith; classtype:targeted-activity; sid:2027407; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation - Responding with Superuser Credentials"; flow:established,from_server; flowbits:isset,ZBLEPON.1; http.stat_code; content:"200"; file_data; content:"1|3b|super|3b|"; fast_pattern; content:"1|3b|admin|3b|"; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032782; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"reasonwithusefulpolicy.com"; nocase; endswith; classtype:targeted-activity; sid:2027408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon MalDoc CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"Mozilla/"; startswith; content:"|3a 3a|"; distance:0; content:"|3a 3a 2f 2e|"; within:50; fast_pattern; http.header_names; content:!"Referer"; content:!"Cache-"; reference:md5,bbfef3fcb75449889e544601f7975b34; classtype:command-and-control; sid:2035024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"streetunderrelevantpeople.com"; nocase; endswith; classtype:targeted-activity; sid:2027409; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos Builder License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"logaccess.php?DATA="; fast_pattern; pcre:"/^[0-9A-F]+$/R"; http.user_agent; content:"Remcos"; bsize:6; classtype:trojan-activity; sid:2032783; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"experiencewithweakkid.com"; nocase; endswith; classtype:targeted-activity; sid:2027410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Wacapew.A!ml Domain in TLS SNI (zytrox .tk)"; flow:established,to_server; tls.sni; content:"zytrox.tk"; bsize:9; classtype:domain-c2; sid:2032778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"systembeforeniceparent.com"; nocase; endswith; classtype:targeted-activity; sid:2027411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Cobalt Strike Stager Time Check M1"; flow:established,to_server; dsize:11; content:"GET|20|driver|0a|"; fast_pattern; reference:md5,e566c853fe8555fc255bd643f96ba574; classtype:trojan-activity; sid:2032784; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Request"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.shmyip.com"; fast_pattern; endswith; reference:md5,0b14eedcc9e847a2d20abf409c8b505f; classtype:external-ip-check; sid:2027430; rev:3; metadata:created_at 2019_06_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Cobalt Strike Stager Time Check M2"; flow:established,to_server; dsize:8; content:"GET|20|drv|0a|"; fast_pattern; reference:md5,e566c853fe8555fc255bd643f96ba574; classtype:trojan-activity; sid:2032785; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Sending System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - _try_action Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".png"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.request_body; content:"cid="; startswith; fast_pattern; content:"&host="; reference:url,lukeleal.com/research/posts/cdn-frontend-skimmer/; classtype:trojan-activity; sid:2032788; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (BURAN)"; flow:established,to_server; http.user_agent; content:"BURAN"; depth:5; endswith; classtype:trojan-activity; sid:2027443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family Buran, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart/Skimmer - _try_action CnC Domain (cdn-frontend .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cdn-frontend.com"; bsize:16; fast_pattern; reference:url,lukeleal.com/research/posts/cdn-frontend-skimmer/; classtype:domain-c2; sid:2032789; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (GHOST)"; flow:established,to_server; http.user_agent; content:"GHOST"; depth:5; endswith; classtype:trojan-activity; sid:2027444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (newageiscoming .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"newageiscoming.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"GHOST"; depth:5; endswith; fast_pattern; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027445; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family Buran, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Possibly SLIGHTPULSE Related - Suspicious POST to Specific URI Path"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"meeting_testjs.cgi"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-admin; sid:2032787; rev:1; metadata:created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET ![443,587] -> $HOME_NET any (msg:"ET MALWARE Observed Qbot Style SSL Certificate"; flow:established,from_server; tls.cert_issuer; content:"C="; depth:2; content:",|20|ST="; distance:2; within:5; content:",|20|L="; distance:2; within:4; content:",|20|O="; within:20; content:",|20|CN="; within:50; pcre:"/^C=(?:M[ACDEGHKLMNOPQRSTUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|B[ABDEFGHIJMNORSTVWZ]|A[DEFGILMNOQRSTUWXZ]|S[ABCEGHIJKLMNRTUVZ]|C[ACFHIKLMNORSVXYZ]|T[CDFGHJKMNOPRTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRTUZ]|K[EGHIMNRWYZ]|L[ACIKSTUVY]|I[DELMNOST]|E[CEGHRST]|F[IJKMORX]|U[AGKMSYZ]|V[ACEGINU]|D[EJKMOZ]|H[KMNRTU]|R[EOSUW]|J[EMOP]|W[FS]|Y[ET]|Z[AM]|OM|QA),\sST=(?!(?:M[ADEINOST]|N[CDEHJMVY]|A[KLRZ]|I[ADLN]|W[AIVY]|C[AOT]|O[HKR]|[GLP]A|K[SY]|S[CD]|T[NX]|V[AT]|[HR]I|DE|FL|UT))[A-Z]{2},\sL=[A-Z][a-z]{2,15}(?:\s[A-Z][a-z]{2,10})?,\sO=[A-Z][a-z]{2,25}\s[A-Z][a-z]{2,25}(?:\s[A-Z][a-z]{2,25})?(?:\s[A-Z][a-z]{2,25})?(?:\s(?:Inc|LLC)\.)?,\sCN=[a-z]{4,11}\.[a-z]{2,4}$/"; classtype:trojan-activity; sid:2035530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Qbot, performance_impact Significant, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HabitsRAT Checkin"; flow:established,to_server; http.request_line; content:"POST /checkin"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.request_body; content:"goarch="; content:"goos="; content:"hostname="; content:"no_replay="; content:"public_key="; reference:url,www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers; reference:md5,2177fb8f49934333a201197d6f55378d; classtype:command-and-control; sid:2032791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family HabitsRAT, performance_impact Low, signature_severity Major, updated_at 2021_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemerty-cdn-cloud.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027465; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Possible STEADYPULSE Webshell Accessed M1"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<form action=|22||22| method=|22|GET|22|>"; content:"<input type=|22|text|22| name=|22|cmd|22| "; distance:0; content:"<input type=|22|text|22| name=|22|serverid|22| "; distance:0; fast_pattern; content:"<input type=|22|submit|22| value=|22|Run|22|>"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-user; sid:2032801; rev:1; metadata:created_at 2021_04_21, former_category MALWARE, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"cdn-amaznet.club"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027466; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Possible STEADYPULSE Webshell Accessed M2"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"|0d 0a|Results of|20 27|"; content:"'|27 20|execution|3a 0a 0a|"; distance:1; within:256; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-user; sid:2032800; rev:1; metadata:created_at 2021_04_21, former_category MALWARE, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"reservecdn.pro"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027467; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gimmegimmejimmy .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"gimmegimmejimmy.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032802; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"wsuswin10.us"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027468; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .myfirewall .org"; dns.query; content:".myfirewall.org"; endswith; fast_pattern; classtype:bad-unknown; sid:2032792; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemetry.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027469; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Request for uac.exe With Minimal Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uac.exe"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"|0d 0a|Host|0d 0a|"; depth:10; isdataat:!20,relative; bsize:<31; reference:md5,fd66c2729efe28d54dbbdca62490b936; classtype:trojan-activity; sid:2032794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; http.cookie; content:"ci_session="; fast_pattern; file.data; content:"ok"; depth:2; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:5; metadata:created_at 2013_05_31, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr .eur .lc)"; dns.query; content:"apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr.eur.lc"; bsize:52; fast_pattern; classtype:domain-c2; sid:2032795; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/\/[a-z-_]{75,}\.php$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016809; rev:8; metadata:created_at 2013_05_01, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (hombreymaquina .com)"; dns.query; content:"hombreymaquina.com"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032796; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zberp receiving config via image file - SET"; flow:to_server,established; flowbits:set,ET.Zberp; flowbits:noalert; http.uri; content:".jpg"; endswith; http.request_line; content:".jpg HTTP/1."; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021381; rev:10; metadata:created_at 2015_07_06, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (igconsulting. pe)"; dns.query; content:"igconsulting.pe"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032797; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"office"; fast_pattern; content:".github.io"; distance:0; endswith; content:!"officedev.github.io"; classtype:policy-violation; sid:2027245; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif CnC Domain (vorulenuke. us)"; dns.query; content:"vorulenuke.us"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ww1-filecloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:command-and-control; sid:2027472; rev:3; metadata:created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif CnC Domain (horulenuke .us)"; dns.query; content:"horulenuke.us"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032799; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-imgcloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:command-and-control; sid:2027473; rev:3; metadata:created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 44 Caliber Stealer Data Exfil via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"multipart/form-data|3b 20|boundary=|22|"; startswith; http.request_body; content:"form-data|3b 20|name=content|0d 0a 0d 0a 5c|n|20 3a|spy|3a 20|NEW LOG FROM - "; fast_pattern; content:"|20 30|person_in_manual_wheelchair|3a 0d 0a 5c|n|20 3a|eye|3a 20|IP|3a 20|"; distance:0; content:"|5c|n|20 3a|desktop|3a 20|"; distance:0; reference:md5,5d8135dc3f85bee9dd93456a9445fa35; reference:url,twitter.com/nao_sec/status/1370702500798418946; classtype:command-and-control; sid:2032803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=font-assets.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:command-and-control; sid:2027474; rev:3; metadata:created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil via Discord M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:".lunar|22 3b 20|filename=|22|"; content:"|0d 0a 0d 0a|<UsernameSplit><UsernameSplit><TimeHackedSplit>"; reference:md5,11ca4e678716a5aa177bd8506f0e109f; classtype:command-and-control; sid:2032804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=wix-cloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:command-and-control; sid:2027475; rev:3; metadata:created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Phenakite User-Agent"; flow:established,to_server; http.user_agent; content:"app/4.7|20 28|iPhone|3b 20|iOS 12.4.5|3b 20|Scale/2.00|29|"; bsize:40; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032808; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Phenakite, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=js-cloudhost.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:command-and-control; sid:2027476; rev:3; metadata:created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Phenakite Audio Upload CnC"; flow:established,to_server; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|deviceName|22 3a 22|"; fast_pattern; content:"|22|name|22 3a|"; content:"|22|audio|22 3a 22|"; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032809; rev:2; metadata:attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREK"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,<=,255,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027479; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Phenakite Image Upload CnC activity"; flow:established,to_server; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|img_name|22 3a 22|"; fast_pattern; content:"|22|img|22 3a 22|"; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032810; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, malware_family Phenakite, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC (Modified CAB)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREC"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,>=,256,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027480; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|[dw0rd]_"; fast_pattern; content:"Information.txt"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,51e8f4abbb4ba18a39e302edad171b71; classtype:trojan-activity; sid:2032805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"nvidia-services.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027481; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (linda-callaghan .icu)"; dns.query; content:"linda-callaghan.icu"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-css.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027482; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (mikkelbourke .pro)"; dns.query; content:"mikkelbourke.pro"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-airlinesolutions.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027483; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (scorerabbate .site)"; dns.query; content:"scorerabbate.site"; nocase; bsize:17; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; depth:13; fast_pattern; endswith; reference:md5,c1ca718e7304bf28b5c96559cbf69a06; classtype:bad-unknown; sid:2027484; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (overingtonray .info)"; dns.query; content:"overingtonray.info"; nocase; bsize:18; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unfrocked.info"; nocase; fast_pattern; endswith; classtype:command-and-control; sid:2027485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (marwapetersson .info)"; dns.query; content:"marwapetersson.info"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User Agent Executable Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019935; rev:7; metadata:created_at 2014_12_15, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag AutoIt, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (belcherjacky .info)"; dns.query; content:"belcherjacky.info"; nocase; bsize:17; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (gallant-william .icu)"; dns.query; content:"gallant-william.icu"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (ansonwhitmore .live)"; dns.query; content:"ansonwhitmore.live"; nocase; bsize:18; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (irenewansley .icu)"; dns.query; content:"irenewansley.icu"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (norayowell .info)"; dns.query; content:"norayowell.info"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidsmedia .com in DNS Lookup)"; dns.query; content:"androidsmedia.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027490; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to MoserPass Download Domain (passwordstate-18ed2 .kxcdn .com)"; dns.query; content:"passwordstate-18ed2.kxcdn.com"; bsize:29; fast_pattern; reference:url,www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain; classtype:domain-c2; sid:2032806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidssystem .com in DNS Lookup)"; dns.query; content:"androidssystem.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027491; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"D5wdnvX3A="; startswith; content:"&WgJEo7TIB=c2xsZ3JhdA&"; distance:0; fast_pattern; reference:md5,bbe4dddc09dcef160db0fd4c24c4f052; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:command-and-control; sid:2032821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (secandroid .com in DNS Lookup)"; dns.query; content:"secandroid.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027492; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/MosaiqueRAT CnC Checkin"; flow:established,to_server; dsize:<400; content:"|e1 00 00 00|"; startswith; content:"|00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00|Client|20|"; isdataat:!4,relative; reference:url,github.com/thdal/MosaiqueRAT; classtype:trojan-activity; sid:2032807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediadownload .space in DNS Lookup)"; dns.query; content:"mediadownload.space"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027493; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.uri; content:"/logo.html"; bsize:10; http.cookie; content:"wordpress_logged_in="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,6517eadd2e4fb8fdf1f64a601e5a2b59; reference:url,twitter.com/MichalKoczwara/status/1385679642791665668; classtype:trojan-activity; sid:2032824; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediamobilereg .com in DNS Lookup)"; dns.query; content:"mediamobilereg.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027494; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Screenshot Upload M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|jpxnk|22 3b 20|filename="; fast_pattern; content:"|22 0d 0a|Content-Type|3a 20|utf-8|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF"; within:40; http.header_names; content:!"Referer"; reference:md5,7833c0f413c1611f7281ac303bcef4b3; classtype:command-and-control; sid:2032822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (sharpion .org in DNS Lookup)"; dns.query; content:"sharpion.org"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027495; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Screenshot Upload M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|vcqmxylcv|22|"; fast_pattern; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF"; distance:0; within:40; reference:md5,7833c0f413c1611f7281ac303bcef4b3; classtype:command-and-control; sid:2032823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (shileyfetwell .com in DNS Lookup)"; dns.query; content:"shileyfetwell.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027496; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (birdmilk .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"birdmilk.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2032825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.header; content:!"GeoVision"; http.user_agent; content:"|20|MSIE 5."; fast_pattern; nocase; http.host; content:!".microsoft.com"; endswith; content:!".trendmicro.com"; endswith; content:!".sony.net"; endswith; content:!".weather.com"; endswith; content:!".yahoo.com"; endswith; content:!".dellfix.com"; endswith; content:!".oncenter.com"; endswith; classtype:policy-violation; sid:2016870; rev:15; metadata:created_at 2013_05_20, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (footballstar .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"footballstar.top"; bsize:16; fast_pattern; classtype:domain-c2; sid:2032826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla Domain (vision2030 .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"vision2030.tk"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027501; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stockme .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"stockme.top"; bsize:11; fast_pattern; classtype:domain-c2; sid:2032827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla DNS Lookup (vision2030 .cf)"; dns.query; content:"vision2030.cf"; nocase; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027502; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PHP Skimmer CnC Domain in DNS Lookup (secure-authorize .net)"; dns.query; content:"secure-authorize.net"; nocase; bsize:20; reference:url,lukeleal.com/research/posts/secure-authorize-dot-net-skimmer/; classtype:domain-c2; sid:2032828; rev:1; metadata:affected_product Web_Server_Applications, affected_product Magento, attack_target Web_Server, created_at 2021_04_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/key?k="; depth:11; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; pcre:"/^[^\x20-\x7e\r\n]{2}$/R"; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:command-and-control; sid:2027497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Danabot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http [$HTTP_SERVERS,$HOME_NET] any -> $EXTERNAL_NET any (msg:"ET MALWARE PHP Skimmer Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".dll"; endswith; http.content_type; content:"text/plain"; bsize:10; http.request_body; content:"|22|cc_type|22|"; content:"|22|cc_number|22|"; fast_pattern; content:"|22|ip|22|"; content:"|22|cc_cid|22|"; content:"|22|site|22|"; reference:url,lukeleal.com/research/posts/secure-authorize-dot-net-skimmer/; classtype:command-and-control; sid:2032829; rev:2; metadata:affected_product Web_Server_Applications, affected_product Magento, attack_target Web_Server, created_at 2021_04_26, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"webdynamicname.com"; nocase; endswith; classtype:command-and-control; sid:2027498; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SharpNoPSExec EXE Lateral Movement Tool Downloaded"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"S|00|h|00|a|00|r|00|p|00|N|00|o|00|P|00|S|00|E|00|x|00|e|00|c|00 2e 00|e|00|x|00|e"; distance:0; fast_pattern; content:"Z|00|Q|00|B|00|j|00|A|00|G|00|g|00|A|00|b|00|w|00|A|00|g|00|A|00|E|00|c|00|A|00|b|00|w|00|B|00|k|00|A|00|C|00|A|00|A|00|Q|00|g|00|B|00|s|00|A|00|G|00|U|00|A|00|c|00|w|00|B|00|z|00|A|00|C|00|A|00|A|00|W|00|Q|00|B|00|v|00|A|00|H|00|U|00|A|00|I|00|Q|00|A|00 3d|"; distance:0; reference:url,github.com/juliourena/SharpNoPSExec/; classtype:trojan-activity; sid:2032875; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"obuhov2k.beget.tech"; nocase; endswith; classtype:command-and-control; sid:2027499; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .firebaseio .com in DNS Lookup)"; dns_query; content:"dash-chat-c02b3.firebaseio.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2032830; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot UA Observed"; flow:established,to_server; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:trojan-activity; sid:2027500; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .appspot .com in DNS Lookup)"; dns_query; content:"dash-chat-c02b3.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032831; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Client Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.Ngioweb; flowbits:noalert; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:59.0|29 20|Gecko/20100101 Firefox/59.0"; endswith; http.start; content:"GET|20|/min.js?h=aWQ9"; depth:18; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027507; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .firebaseio .com in DNS Lookup)"; dns_query; content:"hidden-chat-e58d7.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032832; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello, World)"; flow:established,to_server; http.user_agent; content:"Hello, World"; depth:12; endswith; classtype:bad-unknown; sid:2027503; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .appspot .com in DNS Lookup)"; dns_query; content:"hidden-chat-e58d7.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032833; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello-World)"; flow:established,to_server; http.user_agent; content:"Hello-World"; depth:11; endswith; classtype:bad-unknown; sid:2027504; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (calculator-1e016 .firebaseio .com in DNS Lookup)"; dns_query; content:"calculator-1e016.firebaseio.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2032834; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious UA (Skuxray)"; flow:established,to_server; http.user_agent; content:"Skuxray"; depth:7; endswith; reference:md5,cc46f255297ef0366dd447bbcde841ac; classtype:bad-unknown; sid:2027505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category TROJAN, malware_family Skuxray, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (calculator-1e016 .appspot .com in DNS Lookup)"; dns_query; content:"calculator-1e016.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032835; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HYDSEVEN VBS CnC Host Information Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Authorization|3a 20|SUQ6"; fast_pattern; http.accept; content:"*.*"; depth:3; endswith; reference:url,www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html; reference:url,www.lac.co.jp/lacwatch/pdf/20190619_cecreport_sp.pdf; classtype:command-and-control; sid:2027515; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .firebaseio .com in DNS Lookup)"; dns_query; content:"samehnew-10a7c.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032836; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT CnC Domain in DNS Lookup"; dns.query; content:"sessions4life.pw"; nocase; endswith; classtype:targeted-activity; sid:2027564; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .appspot .com in DNS Lookup)"; dns_query; content:"samehnew-10a7c.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032837; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"adfs-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027567; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (play-store-51182 .firebaseio .com in DNS Lookup)"; dns_query; content:"play-store-51182.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032838; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"b2bmerchant.online"; nocase; endswith; classtype:command-and-control; sid:2027568; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (play-store-51182 .appspot .com in DNS Lookup)"; dns_query; content:"play-store-51182.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032839; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"bhnetwork.online"; nocase; endswith; classtype:command-and-control; sid:2027569; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .firebaseio .com in DNS Lookup)"; dns_query; content:"stand-by-97c5c.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032840; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cert-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027570; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .appspot .com in DNS Lookup)"; dns_query; content:"stand-by-97c5c.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032841; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn-client.com"; nocase; endswith; classtype:command-and-control; sid:2027571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (es-last-telegram .firebaseio .com in DNS Lookup)"; dns_query; content:"es-last-telegram.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032842; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn.online"; nocase; endswith; classtype:command-and-control; sid:2027572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (es-last-telegram .appspot .com in DNS Lookup)"; dns_query; content:"es-last-telegram.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032843; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"corporate-ciscovpn.com"; nocase; endswith; classtype:command-and-control; sid:2027573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (margarita-smith .host in DNS Lookup)"; dns_query; content:"margarita-smith.host"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032844; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ducacorp.com"; nocase; endswith; classtype:command-and-control; sid:2027574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (blogsolutions .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogsolutions.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"efaxmakeronline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasibauik .co in DNS Lookup)"; dns_query; content:"fasibauik.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032845; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Quasar CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Quasar Server CA"; nocase; fast_pattern; endswith; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/f87d2aff4148f98f014460ab709c77587ea1e430/; classtype:command-and-control; sid:2027619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcak .co in DNS Lookup)"; dns_query; content:"fasebcak.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032846; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=tupeska.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcck .com in DNS Lookup)"; dns_query; content:"fasebcck.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032847; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"backupnet.ddns.net"; nocase; endswith; classtype:targeted-activity; sid:2027622; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcoki .com in DNS Lookup)"; dns_query; content:"fasebcoki.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032848; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hyperservice.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027623; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcak .com in DNS Lookup)"; dns_query; content:"fasebcak.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032849; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mynetwork.cf"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027624; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasbcaok .com in DNS Lookup)"; dns_query; content:"fasbcaok.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032850; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mywinnetwork.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027625; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaak .com in DNS Lookup)"; dns_query; content:"fasebaak.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032851; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remote-server.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027626; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaok .co in DNS Lookup)"; dns_query; content:"fasebaok.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032852; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remserver.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027627; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaook .com in DNS Lookup)"; dns_query; content:"fasebaook.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032853; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"securityupdated.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027628; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaok .com in DNS Lookup)"; dns_query; content:"fasebaok.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032854; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"servhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027629; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (log-yoahao .co in DNS Lookup)"; dns_query; content:"log-yoahao.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032855; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"service-avant.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (log-yoheo .info in DNS Lookup)"; dns_query; content:"log-yoheo.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032856; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"srvhost.servehttp.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027631; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (kevin-good .top in DNS Lookup)"; dns_query; content:"kevin-good.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032857; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"fucksaudi.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027632; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (marty-colvard .top in DNS Lookup)"; dns_query; content:"marty-colvard.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032858; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"googlechromehost.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027633; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (anna-sanchez .online in DNS Lookup)"; dns_query; content:"anna-sanchez.online"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032859; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"younesadams.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027634; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (wendy-johnston .pw in DNS Lookup)"; dns_query; content:"wendy-johnston.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032860; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"teamnj.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027635; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (jennifer-marler .pw in DNS Lookup)"; dns_query; content:"jennifer-marler.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032861; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"bistbotsproxies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (goerge-amper .website in DNS Lookup)"; dns_query; content:"goerge-amper.website"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032862; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hellocookies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027637; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stacks-zadar .website in DNS Lookup)"; dns_query; content:"stacks-zadar.website"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032863; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"n3tc4t.hopto.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (joe-rumley .pw in DNS Lookup)"; dns_query; content:"joe-rumley.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032864; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"newhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027639; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (richardbeman .info in DNS Lookup)"; dns_query; content:"richardbeman.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032865; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"njrat12.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (vickeryduncan .site in DNS Lookup)"; dns_query; content:"vickeryduncan.site"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032866; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"svcexplores.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027641; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (moggfelicio .info in DNS Lookup)"; dns_query; content:"moggfelicio.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032867; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"trojan1117.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027642; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stevensmalley .pro in DNS Lookup)"; dns_query; content:"stevensmalley.pro"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032868; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"update-sec.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (kentporter .site in DNS Lookup)"; dns_query; content:"kentporter.site"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032869; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"windowsx.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027644; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (chad-jessie .info in DNS Lookup)"; dns_query; content:"chad-jessie.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032870; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"wwwgooglecom.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027645; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (lordblackwood .club in DNS Lookup)"; dns_query; content:"lordblackwood.club"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032871; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"xtreme.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027646; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (julie-parker .top in DNS Lookup)"; dns_query; content:"julie-parker.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032872; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"za158155.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027647; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (tim-jordan .info in DNS Lookup)"; dns_query; content:"tim-jordan.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032873; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Ave, Caesar!)"; flow:established,to_server; http.user_agent; content:"Ave,|20|Caesar!"; depth:12; fast_pattern; endswith; classtype:bad-unknown; sid:2027648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_28, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hannah-parsons .info in DNS Lookup)"; dns_query; content:"hannah-parsons.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032874; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (zwt)"; flow:established,to_server; http.user_agent; content:"zwt"; depth:3; endswith; classtype:bad-unknown; sid:2027649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY RDP Wrapper Download (bat)"; flow:established,to_client; file.data; content:"|3a 3a| Automatic RDP Wrapper installer and updater"; fast_pattern; content:"|3a 3a| Location of new/updated rdpwrap.ini files"; content:"set rdpwrap_ini_update_github_1=|22|"; reference:url,github.com/asmtron/rdpwrap; classtype:bad-unknown; sid:2032880; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, updated_at 2021_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (My Agent)"; flow:established,to_server; http.user_agent; content:"My Agent"; depth:8; endswith; classtype:bad-unknown; sid:2027650; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY RDP Wrapper Download (ini)"; flow:established,to_client; file.data; content:"|3b| RDP Wrapper Library configuration"; fast_pattern; content:"LogFile=|5c|rdpwrap.txt"; reference:url,github.com/asmtron/rdpwrap; classtype:bad-unknown; sid:2032881; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"helegedada.github.io"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lunar Builder Domain (lunarbuilder .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lunarbuilder.000webhostapp.com"; bsize:30; fast_pattern; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:domain-c2; sid:2032877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027663; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|account|22 3b 20|filename=|22|"; content:".lunar|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|<UsernameSplit>"; distance:0; fast_pattern; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:command-and-control; sid:2032878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Koubbeh Sending Windows System Info"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/api/ping//?"; startswith; fast_pattern; http.user_agent; content:"|3b| WinHttp.WinHttpRequest.5|29|"; reference:md5,3883ea48ee84f9b084e0920bc185bc39; classtype:trojan-activity; sid:2032882; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<UsernameSplit>"; nocase; fast_pattern; content:"<TimeHackedSplit>"; nocase; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:command-and-control; sid:2032879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.SpyEyes.bllw CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; distance:0; content:".zip|22 0d 0a|"; distance:0; within:50; content:"passwords.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c818013b12aedef81965f4dd98634ea8; classtype:trojan-activity; sid:2035017; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027667; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (plugin)"; flow:established,from_server; content:"plugin|7c 7c|"; depth:8; fast_pattern; content:"|7c 7c|"; within:100; isdataat:1000,relative; app-layer-protocol:!http; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029699; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2021_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magelib.com"; bsize:11; nocase; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.kemostarlogistics.co.ke"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027651; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA471 Malicious AutoIT File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upld/"; startswith; http.content_type; content:"multipart/form-data|3b| boundary=----WebKitFormBoundary"; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|"; depth:14; content:!"Accept-Enc"; reference:md5,75d6f57cfba0ebc3633a49a8412a43e5; reference:md5,304d1ac0296fedec694a097480b341d9; classtype:trojan-activity; sid:2032886; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.terryhill.top"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027652; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297)"; http.method; content:"GET"; http.uri; content:"/login_ok.htm"; fast_pattern; http.cookie; content:"login=1"; reference:url,github.com/Sec504/Zyxel-NBG2105-CVE-2021-3297; reference:cve,2021-3297; classtype:attempted-user; sid:2032523; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_04_06, cve CVE_2021_3297, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"mail.jaguarline.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027653; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"search.webstie.net"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027654; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"dns.domain-resolve.org"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M3 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Passcode="; depth:9; nocase; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032592; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif POSTing Log Message to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_logs.php"; depth:19; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname_ak"; depth:8; nocase; fast_pattern; content:"&lname_ak"; nocase; distance:0; content:"&staddd_ak"; nocase; distance:0; content:"&city_ak"; nocase; distance:0; content:"&state_ak"; nocase; distance:0; content:"&zip_ak"; nocase; distance:0; content:"&mobile_ak"; nocase; distance:0; content:"&1.Continue"; nocase; distance:0; classtype:credential-theft; sid:2032644; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Submitting Output of Command to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_cmd_res.php"; depth:22; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027657; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-12-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b|"; http.request_body; content:"form-data|3b 20|name=|22|Email"; nocase; content:"form-data|3b 20|name=|22|Pass"; fast_pattern; distance:0; nocase; content:"form-data|3b 20|name=|22|Recovery"; distance:0; nocase; content:"form-data|3b 20|name=|22|mobile"; distance:0; nocase; classtype:credential-theft; sid:2032652; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cl_client_cmd.php"; depth:18; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Discover Phish M3 2016-12-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"first="; depth:6; nocase; content:"&last="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&Phone="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&jsenabled="; nocase; distance:0; classtype:credential-theft; sid:2032667; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_online.php"; depth:21; endswith; http.request_body; content:"Q29tcHV0ZXJOYW1lPV"; depth:18; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; reference:md5,516ad28f8fa161f086be7ca122351edf; classtype:targeted-activity; sid:2027659; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded Server Response (success)"; flow:established,from_server; file.data; content:"c3VjY2Vzcw=="; depth:12; classtype:bad-unknown; sid:2032883; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Tripoli Related CnC Checkin"; flow:established,to_server; http.user_agent; content:"30909D51946D672A48B1729580088C4F"; depth:32; fast_pattern; endswith; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $HOME_NET 80 (msg:"ET EXPLOIT Possible Local Active Directory Federation Services (AD FS) Replication Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/services/policystoretransfer"; startswith; fast_pattern; threshold:type limit,track by_src,count 1,seconds 600; reference:url,fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html; classtype:web-application-attack; sid:2032884; rev:1; metadata:attack_target Server, created_at 2021_04_28, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla/APT34 CnC Domain Domain (dubaiexpo2020 .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"dubaiexpo2020.cf"; endswith; reference:md5,4079500faa93e32a2622e1593ad94738; classtype:targeted-activity; sid:2027669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SupremeLogger CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"machineID="; startswith; nocase; content:"&guid={"; content:"&ver="; content:"&os=Windows"; nocase; content:"&platform="; content:"&username="; content:"&display_resolution="; content:"processor="; content:"&cpu_count="; fast_pattern; content:"&install_path="; http.header_names; content:!"Referer"; reference:md5,0f1ab52a8d9c2d23412e0badc4515cb3; classtype:trojan-activity; sid:2032885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla/APT34 CnC Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft.updatemeltdownkb7234.com"; nocase; endswith; reference:md5,2a8672b0fd29dc3b6f49935691b648bc; classtype:targeted-activity; sid:2027670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDropper.Agent.RLO CnC Acitivty"; flow:established,to_server; dsize:576; content:"|5f 53 40 59 32 32 32 32 32 32 32 32 32 32|"; offset:298; depth:14; fast_pattern; content:"|65 5b 5c|"; offset:564; depth:3; reference:md5,a6d36df7ee6cb5407853aeacfd818ac9; classtype:command-and-control; sid:2032887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Server in DNS Lookup (updatecache .com)"; dns.query; content:"updatecache.com"; nocase; endswith; classtype:trojan-activity; sid:2027678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious lnk Activity"; flow:established,to_client; file.data; content:"ExpandEnvironmentStrings|28 22 25|Temp|25 5c|MaGiaiNenNe.txt|22 29|"; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1387602989033017346; reference:md5,57f02fe8fa9d096e5ac9b6c9be66f05b; classtype:trojan-activity; sid:2032891; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Screenshot to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=sc&i="; distance:0; fast_pattern; content:".png"; distance:0; endswith; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027681; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (realonlinetrend .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"realonlinetrend.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|command|2f|"; depth:9; fast_pattern; content:".cmd"; distance:0; endswith; pcre:"/^\/command\/[A-Fa-f0-9]{8}\-(?:[A-Fa-f0-9]{4}\-){3}[A-Fa-f0-9]{12}\.cmd$/"; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027684; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PurpleFox EK Landing Page Domain in SNI"; flow:to_server,established; tls.sni; content:"lingering-math-ec29.7axrg.workers.dev"; endswith; classtype:exploit-kit; sid:2032889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2021_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Custom Firefox UA Observed (Firefox...)"; flow:established,to_server; http.user_agent; content:"Firefox..."; depth:10; fast_pattern; endswith; classtype:bad-unknown; sid:2027686; rev:3; metadata:created_at 2019_07_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/XRat.AT Variant CnC Activity"; flow:established,to_server; content:"0|7c|SS Client ID|7c|"; startswith; fast_pattern; content:"Windows"; distance:0; reference:md5,35b93cc523e0ac8c9bb922a236416d6f; classtype:command-and-control; sid:2032888; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jokerlol.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027687; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (baroquetees .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"baroquetees.com"; bsize:15; fast_pattern; reference:url,twitter.com/Bank_Security/status/1387787132249518087; reference:md5,54f99323245d439893539eb6c7cd0239; classtype:domain-c2; sid:2032894; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family DarkSide, signature_severity Major, tag Ransomware, updated_at 2021_04_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kusasukusa.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer - DomainInfo User-Agent"; flow:established,to_server; http.user_agent; content:"|6e 71 71 66 34 3a 33 35 25 2d 46 75 75 71 6a 32 6e 55 6d 74 73 6a 3c 48 37 34 36 37 35 37 33 39 3b 3b 40 25 5a 40 25 48 55 5a 25 71 6e 70 6a 25 52 66 68 25 54 58 25 5d 40 25 6a 73 2e 25 46 75 75 71 6a 5c 6a 67 50 6e 79 34 39 37 35 30 25 2d 50 4d 59 52 51 31 25 71 6e 70 6a 25 4c 6a 68 70 74 2e 25 5b 6a 77 78 6e 74 73 34 38 33 35 25 52 74 67 6e 71 6a 34 36 46 3a 39 38 25 58 66 6b 66 77 6e 34 39 36 3e 33 38|"; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:trojan-activity; sid:2032892; rev:1; metadata:created_at 2021_04_30, former_category MALWARE, malware_family Buer, updated_at 2021_04_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"tracker-visitors.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027689; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to Buer - DomainInfo Domain"; flow:established,to_server; dns.query; content:"officewestunionbank.com"; bsize:23; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:domain-c2; sid:2032893; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family Buer, signature_severity Major, updated_at 2021_04_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-web.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027690; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Mirrored Website Comment Observed"; flow:established,to_client; file.data; content:"<!-- Mirrored from "; content:"by HTTrack Website Copier/"; distance:0; classtype:trojan-activity; sid:2018302; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-stats.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027691; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/DarkNexus User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|checker/v"; fast_pattern; http.user_agent; content:"checker/v"; startswith; content:"/p"; distance:0; http.header_names; content:!"Referer"; reference:md5,81150784e5cef98bf6e56638da5fe5f3; classtype:trojan-activity; sid:2032895; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jsreload.pw"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027692; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange RCE Setup Inbound (CVE-2021-28482)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; http.request_body; content:"ProposeOptionsMeeting"; content:"&quot|3b|&gt|3b|cmd"; distance:0; fast_pattern; content:"Value&gt|3b|"; distance:0; reference:cve,2021-28482; classtype:attempted-admin; sid:2032897; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_05_04, cve CVE_2021_28482, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=started"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027701; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M1 (CVE-2020-28020)"; flow:established,to_server; content:"|0a 20|"; content:"|0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a|"; fast_pattern; isdataat:50000,relative; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28020; classtype:attempted-admin; sid:2032898; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28020, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Done"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=done"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027702; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M2 (CVE-2020-28020)"; flow:established,to_server; content:"|0a 09|"; content:"|0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a|"; fast_pattern; isdataat:50000,relative; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28020; classtype:attempted-admin; sid:2032899; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28020, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"cloudflare-dns.com"; endswith; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:policy-violation; sid:2027695; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M1 (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^[^\+]+\+0A/R"; content:"+0A"; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032900; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; http.user_agent; content:"Python-urllib/"; nocase; depth:14; http.host; content:!"dropbox.com"; endswith; content:!"downloads.ironport.com"; endswith; content:!".ubuntu.com"; endswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:9; metadata:created_at 2011_06_14, updated_at 2020_09_17;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M2 (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^[^\+]+(?:\+[A-F0-9]{2}){4,}/R"; content:"+0A"; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032901; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK><COMMAND>"; distance:0; fast_pattern; content:"</COMMAND>"; distance:0; endswith; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027708; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound - Information Disclosure Attempt (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^.{0,100}\+0A.{0,100}\x40/R"; content:"+0A"; fast_pattern; content:"|40|"; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032902; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC POST"; flow:to_server,established; urilen:>40; http.method; content:"POST"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; http.request_body; content:"AAAAAAAAAAAAAAAAAAAA"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim Stack Exhaustion via BDAT Error Inbound (CVE-2020-28019)"; flow:established,to_server; content:"BDAT|20|"; pcre:"/^[^\r\n]{50,}/R"; content:"BDAT|20|"; distance:0; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28019; classtype:attempted-admin; sid:2032903; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28019, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC GET"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.addns .org Domain"; dns.query; content:".addns.org"; endswith; classtype:bad-unknown; sid:2032896; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1"; flow:established,to_server; http.uri; content:"/dana"; depth:7; fast_pattern; pcre:"/^\S{0,7}\/(?:meeting|fb\/smb|namedusers|metric)/Ri"; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032904; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (single dash)"; flow:to_server,established; http.user_agent; content:"-"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2"; flow:established,to_server; http.uri.raw; content:"/dana-na/"; depth:11; content:"cat%20/home/webserver/htdocs/dana-na/"; nocase; distance:2; within:100; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032905; rev:1; metadata:affected_product Pulse_Secure, attack_target Networking_Equipment, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/uploadplugin.action"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file_"; content:"Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a 50 4b 03 04|"; distance:0; reference:url,www.corben.io/atlassian-crowd-rce/; reference:cve,CVE-2019-11580; classtype:attempted-admin; sid:2027712; rev:3; metadata:attack_target Web_Server, created_at 2019_07_16, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3"; flow:established,to_server; content:"MIME|3a 3a|Base64|3b|"; nocase; http.uri; content:"/dana-na/"; depth:11; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:trojan-activity; sid:2032906; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_05_05, cve CVE_2021_22893, former_category EXPLOIT, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SLUB Domain in DNS Lookup"; dns.query; content:"toni132.pen.io"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/; classtype:trojan-activity; sid:2027722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected PULSECHECK Webshell Access Inbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|x_cmd|3a 20|"; nocase; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; http.header_names; content:"|0d 0a|x_key|0d 0a|"; nocase; content:"|0d 0a|x_cnt|0d 0a|"; nocase; content:"|0d 0a|x_cmd|0d 0a|"; nocase; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-admin; sid:2032786; rev:3; metadata:attack_target Server, created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/sslmgr"; endswith; nocase; http.request_body; content:"scep-profile-name=%"; depth:19; fast_pattern; pcre:"/^[0-9]+/R"; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:4; metadata:attack_target Server, created_at 2019_07_18, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [FIREEYE] PULSECHECK Webshell Access Outbound"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|X-CMD|0d 0a|"; nocase; content:"|0d 0a|X-CNT|0d 0a|"; nocase; content:"|0d 0a|X-KEY|0d 0a|"; nocase; content:!"|0d 0a|Referer|0d 0a|"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032907; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"gamework.ddns.net"; nocase; depth:17; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027724; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M1"; flow:established,to_server; flowbits:isnotset,ET.slightpulse; flowbits:noalert; flowbits:set,ET.slightpulseM1; http.method; content:"POST"; http.request_body; content:"cert="; startswith; fast_pattern; content:"&md5="; distance:16; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032908; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"workan.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027725; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M2"; flow:established,to_server; flowbits:isnotset,ET.slightpulse; flowbits:noalert; flowbits:set,ET.slightpulseM1; http.method; content:"POST"; http.request_body; content:"md5="; startswith; content:"&cert="; fast_pattern; distance:16; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032909; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"clsass.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027726; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2"; flow:established,to_client; flowbits:isset,ET.slightpulseM2; http.stat_code; content:"200"; http.content_type; content:"application/x-download"; bsize:22; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename=tmp|0d 0a|"; fast_pattern; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032912; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"kotl.space"; nocase; depth:10; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027727; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M3"; flow:established,to_client; flowbits:isset,ET.slightpulseM2; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.content_type; content:"image/gif"; bsize:9; fast_pattern; file.data; content:!"<br>"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032913; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Disposable Email Provider Domain in DNS Lookup (www .yopmail .com)"; dns.query; content:"www.yopmail.com"; nocase; depth:15; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:policy-violation; sid:2027733; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+#alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1"; flow:established,to_client; flowbits:isset,ET.slightpulseM1; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:"|0d 0a|Content-Type|0d 0a 0d 0a|"; endswith; fast_pattern; file.data; content:!"<br>"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032914; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_05_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nurlamurla.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_22, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected HARDPULSE Request"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/dana-na/auth/recover.cgi?token="; startswith; fast_pattern; http.request_body; content:"checkcode"; content:"hashid"; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032915; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"subarnakan.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027741; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M1"; flow:established,to_server; flowbits:isnotset,ET.slightpulseM2; flowbits:noalert; flowbits:set,ET.slightpulseM2; http.method; content:"POST"; http.request_body; content:"img="; startswith; fast_pattern; content:"&name="; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032910; rev:3; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"asilofsen.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M2"; flow:established,to_server; flowbits:isnotset,ET.slightpulseM2; flowbits:noalert; flowbits:set,ET.slightpulseM2; http.method; content:"POST"; http.request_body; content:"name="; startswith; fast_pattern; content:"&img="; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032911; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"manrodoerkes.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027743; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SuperAntiSpyware Install Checkin"; flow:established,to_server; http.uri; content:"sEventName=SASRPI_Install&sEventData=tag|3a|SUPERAntiSpyware.exe"; fast_pattern; http.user_agent; content:"SUPERSetup"; bsize:10; reference:md5,05226ffa6102a0b3f9dfb8fa4965d0a2; classtype:pup-activity; sid:2032923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"ashkidiore.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027744; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; content:!"S|00|Q|00|L|00|C|00|m|00|d|00|P|00|a|00|r|00|s|00|e|00|r|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|r"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"druhanostex.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027745; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"download.riseknite.life"; bsize:23; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032920; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"kapintarama.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"onedrive-upload.ikpoo.cf"; bsize:24; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032921; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"moreflorecast.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027747; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"alps.travelmountain.ml"; bsize:22; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032922; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"preploadert.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027748; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Exep Command Issued"; dsize:>787; itype:8; content:"exep"; depth:4; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032934; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"troxymuntisex.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Shell Command Issued"; dsize:>787; itype:8; content:"shell"; depth:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032916; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"nduropasture.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027750; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Download Command Issued"; dsize:>787; itype:8; content:"download"; depth:8; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032917; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nlgyscgika"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=nlgyscgika"; classtype:command-and-control; sid:2027753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Upload Command Issued"; dsize:>787; itype:8; content:"upload"; depth:6; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032918; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Quick Macros)"; flow:established,to_server; http.user_agent; content:"Quick|20|Macros"; depth:12; endswith; reference:md5,aa682f5d4a17307539a2bc7048be0745; classtype:trojan-activity; sid:2027755; rev:3; metadata:created_at 2019_07_24, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Exec Command Issued"; dsize:>787; itype:8; content:"exec"; depth:4; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032919; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Lookup"; dns.query; content:"b0t.to"; depth:6; nocase; endswith; classtype:command-and-control; sid:2027756; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback OK Issued"; dsize:>787; itype:8; content:"OK"; depth:2; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032935; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Commercial Proxy Provider geosurf .io)"; flow:established,to_client; tls.cert_subject; content:"C=IL, L=Tel Aviv, O=BI Science (2009) Ltd, OU=WEB, CN=*.geosurf.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027760; rev:3; metadata:created_at 2019_07_26, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE lolzilla JS/PHP WebSkimmer - Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_hash|22 0d 0a 0d 0a|eydyZWZlcmVyJzo"; fast_pattern; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; classtype:command-and-control; sid:2032927; rev:1; metadata:affected_product Magento, attack_target Client_and_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)"; flow:established,to_client; threshold: type limit, track by_dst, count 1, seconds 600; tls.cert_subject; content:"C=DE, O=philandro Software GmbH, CN=AnyNet Relay"; endswith; fast_pattern; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027761; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M1"; flow:established,to_server; http.cookie; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L146-L151; classtype:attempted-admin; sid:2032928; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; http.host; content:"8866.org"; endswith; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:7; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"mgdminhtml="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032929; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 2"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.2; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a 0d 0a|"; depth:60; endswith; reference:url,www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf; reference:md5,cd22fa7c9d9e61b4aeac6acd10790d10; reference:md5,82332d2a0cf8330f8de608865508713d; classtype:targeted-activity; sid:2020029; rev:5; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE zgRAT Activity"; flow:established,to_server; flowbits:isset,ET.zgRAT; content:"|01 00 00 00 1f 8b 08 00 00 00 00 00 04 00 33 04 00 b7 ef dc 83 01 00 00 00|"; dsize:25; reference:md5,b18a7e266eee1977ef3a145369589d5c; classtype:command-and-control; sid:2033108; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newsocks5.php"; depth:14; fast_pattern; endswith; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|10.0|3b 20|Win64"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; content:!"Connection"; reference:md5,03b6c8d49c70df01afc0765f8fa51d0c; classtype:command-and-control; sid:2028920; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category MALWARE, malware_family Phoriex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M3"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"name=|22|mgdminhtml|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032930; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www .net .cn)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static/customercare/yourip.asp"; depth:31; endswith; fast_pattern; http.host; content:"www.net.cn"; reference:md5,51bdd385ab780d1efd1a62129f066edf; classtype:external-ip-check; sid:2027786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032931; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.sh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|lolzilla|22|"; fast_pattern; content:"name=|22|g|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032932; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"mail.protonmail.sh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027773; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number1g .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"number1g.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2032933; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"mailprotonmail.ch"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027774; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request for .x86"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032924; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"mailprotonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request for .x64"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x64"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032925; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.direct"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected SombRAT DNS Activity (TXT)"; pcre:"/\x1c(?:[a-z0-9]{28})[^\r\n]+(?:\x03(?:net|com)|\x02in)/"; content:"|00 10 00 01|"; fast_pattern; endswith; threshold:type both, track by_src,count 10, seconds 300; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-126a; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; reference:md5,05e133f34e44d75e596811bffba24156; classtype:trojan-activity; sid:2032942; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.gmbh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027777; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (UNC2447)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-includes/po.php"; endswith; fast_pattern; http.cookie; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; classtype:trojan-activity; sid:2032943; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_05_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.systems"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027778; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound"; flow:established,to_server; content:"EHLO"; startswith; isdataat:1000,relative; classtype:bad-unknown; sid:2032926; rev:2; metadata:attack_target SMTP_Server, created_at 2021_05_10, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"prtn.app"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027779; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (catsdegree .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"catsdegree.com"; bsize:14; fast_pattern; reference:md5,f00aded4c16c0e8c3b5adfc23d19c609; classtype:domain-c2; sid:2032939; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.team"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027780; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (temisleyes .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"temisleyes.com"; bsize:14; fast_pattern; reference:md5,f00aded4c16c0e8c3b5adfc23d19c609; classtype:domain-c2; sid:2032940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.support"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (UNC2447)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htm"; endswith; http.user_agent; content:"|20 28|compatible|3b 20|"; content:"|3b 20|.NET4.0E|20 29|"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; classtype:trojan-activity; sid:2032944; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_05_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"user.protonmail.support"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027782; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (rumahsia .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"rumahsia.com"; bsize:12; fast_pattern; reference:md5,979692cd7fc638beea6e9d68c752f360; classtype:domain-c2; sid:2032941; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"prtn.xyz"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027783; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.CoinMiner Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; http.header; content:"User-Agent|3a 20|Win|3a|"; http.user_agent; content:"Win|3a|"; startswith; content:"|20 7c 20|CPU|3a 20|"; fast_pattern; content:"|20 7c 20|Cores|3a 20|"; content:"|20 7c 20|GPU|3a 20|"; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Accept"; content:!"Connection"; reference:md5,403913dda79d0b739a8046022d2e3b37; classtype:trojan-activity; sid:2032937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"secure-protonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027784; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Non-standard User-Agent (PATCHER)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|PATCHER|0d 0a|"; classtype:policy-violation; sid:2032938; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"my.secure-protonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027785; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious User-Agent (altera forma)"; flow:established,to_server; http.user_agent; content:"altera|20|forma"; bsize:12; fast_pattern; reference:md5,f019d3031c3aaf45dbd3630a33ab0991; classtype:bad-unknown; sid:2032948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2021_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow:established,to_server; http.header; content:!"cn.patch.battlenet.com.cn"; http.user_agent; content:"agent"; depth:5; http.host; content:!".battle.net"; content:!".blizzard.com"; endswith; content:!"blz"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; classtype:trojan-activity; sid:2001891; rev:24; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed (MASB UA)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0|20|(compatible|3b 20|MSIE 9.0|3b 20|Windows NT|20|6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|MASB)"; bsize:76; fast_pattern; http.cookie; pcre:"/^[a-zA-Z0-9/+]{171}=$/"; http.header_names; content:!"Referer"; reference:md5,8079676dd62582da4d2e9d2448c1142d; classtype:command-and-control; sid:2032945; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=linddiederich462.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027799; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tnega Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/hit.php?a=|25|"; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f019d3031c3aaf45dbd3630a33ab0991; classtype:trojan-activity; sid:2032949; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_05_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=lambada.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Ares Loader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/panel/upload/"; startswith; content:".cmp"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:25; reference:md5,b3cdb7135bf99a921376870898b22155; reference:url,www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan; classtype:trojan-activity; sid:2032950; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uberalles.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2027801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter CnC activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PCHunter_"; startswith; fast_pattern; content:"="; distance:0; pcre:"/[A-F0-9]{96}$/R"; reference:md5,987b65cd9b9f4e9a1afd8f8b48cf64a7; classtype:misc-activity; sid:2032946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/check"; depth:13; fast_pattern; endswith; http.request_body; content:"|7b 22 75 69 64 22 3a 22|"; depth:8; content:"|22 7d|"; distance:0; endswith; pcre:"/^\{\x22uid\x22\x3a\x22[a-f0-9]+\x22\}$/si"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,a4eeec442799c56c3e1aa9761661fb42; reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; classtype:command-and-control; sid:2027802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family Eris, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible RustyBuer Client Activity"; flowbits:set,ET.rustybuer; flowbits: noalert; ja3.hash; content:"6cc312d5b10bcbc97c4619603a24131b"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032959; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .itraffic .click in DNS Lookup)"; dns.query; content:"purple.itraffic.click"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027804; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible RustyBuer Server Response"; flowbits:isset,ET.rustybuer; ja3s.hash; content:"f6dfdd25d1522e4e1c7cd09bd37ce619"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032960; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .m-ads .net in DNS Lookup)"; dns.query; content:"purple.m-ads.net"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027805; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com"; bsize:74; fast_pattern; tls.cert_issuer; content:"C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com"; bsize:74; reference:md5,b210c0f7687a9199de870e0cc11996c1; classtype:domain-c2; sid:2032952; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (drproxy .pro in DNS Lookup)"; dns.query; content:"drproxy.pro"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027806; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (security-desk .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"security-desk.com"; bsize:17; fast_pattern; reference:md5,efb5212c17a7cd05e087ef7a5655b4aa; classtype:domain-c2; sid:2032955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm.php"; fast_pattern; endswith; http.request_body; content:"k="; depth:2; pcre:"/^\d{5,10}$/R"; http.accept_lang; content:"en-US|3b|q=0.5,en|3b|q=0.3"; http.header_names; content:!"Referer"; content:"Content"; content:"User-Agent"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fam_newspaper"; startswith; http.accept; content:"image/*"; bsize:7; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 8.0.0|3b 20|SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202"; bsize:112; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,efb5212c17a7cd05e087ef7a5655b4aa; classtype:command-and-control; sid:2032956; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"artisticday.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027819; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remove"; startswith; fast_pattern; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 7.0|3b 20|Pixel C Build/NRD90M|3b 20|wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"; bsize:109; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,bf8061539abbe6664924e37489a3751c; classtype:command-and-control; sid:2032957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"astonishingwill.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027820; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win32|3b 20|x32|3b 20|rv|3a|87.0b4) Gecko/201001 Firefox/87.0|0d 0a|"; reference:md5,9f2fe567dfe655efe8da577990aac077; classtype:trojan-activity; sid:2032951; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2021_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"directfood.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027821; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|DNT|3a 20|1|0d 0a|"; http.cookie; content:"OSID="; startswith; pcre:"/^OSID=[a-zA-Z0-9\/+]{171}=$/"; reference:md5,b210c0f7687a9199de870e0cc11996c1; classtype:command-and-control; sid:2032953; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"gradualrain.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027822; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remote Desktop Spy Install Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"tn=remote-desktop-spy"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,4b25cfe19ea5e3778de80058fc99e531; classtype:command-and-control; sid:2032961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"proapp.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027823; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE (CVE-2021-31166), http.sys DOS (CVE-2022-21907) Inbound"; flow:established,to_server; http.accept_enc; content:",|20|,"; fast_pattern; reference:url,github.com/0vercl0k/CVE-2021-31166; reference:cve,2021-31166; classtype:attempted-admin; sid:2032962; rev:1; metadata:attack_target Server, created_at 2021_05_17, cve CVE_2021_31166, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"provincialwake.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027824; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VenusLocker Associated User-Agent Activity"; flow:established,to_server; http.user_agent; content:"gooGgleee"; bsize:9; fast_pattern; reference:md5,9aa3cc9d7c641ea22cfa3e5233e13c94; classtype:trojan-activity; sid:2032967; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family VenusLocker, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"shrek.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027825; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VenusLocker Activity"; flow:established,to_server; http.uri; content:"/dumbdumb?"; startswith; fast_pattern; pcre:"/\=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"text/*"; bsize:6; http.header_names; content:!"Referer"; content:!"Connect"; reference:md5,9aa3cc9d7c641ea22cfa3e5233e13c94; classtype:trojan-activity; sid:2032968; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family VenusLocker, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"thinstop.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027826; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (zolo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"zolo.pw"; bsize:7; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/; classtype:trojan-activity; sid:2032969; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"entreprisecommande.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027827; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (pathc .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"pathc.space"; bsize:11; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/; classtype:trojan-activity; sid:2032970; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, signature_severity Major, updated_at 2021_05_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Generic Style UA Observed (My_App)"; flow:established,to_server; http.user_agent; content:"My_App"; depth:6; fast_pattern; endswith; reference:md5,2978dbadd8fda7d842298fbd476b47b2; classtype:bad-unknown; sid:2027833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category HUNTING, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (dimentos .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dimentos.com"; bsize:12; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; reference:md5,4ffbffbde361609d7f2ea1c410d8272e; classtype:domain-c2; sid:2032963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emp.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (btn_bg)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/btn_bg"; http.request_body; content:"paper="; startswith; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:command-and-control; sid:2032964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)"; flow:established,to_server; http.cookie; content:"__session__id="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:command-and-control; sid:2032965; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027851; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (bg)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bg"; bsize:3; http.cookie; content:"SSID="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032966; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emptiness.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027852; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.date domain"; flow:established,to_server; http.host; content:".date"; fast_pattern; endswith; classtype:bad-unknown; sid:2032983; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"version2.ilove26.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027853; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cam domain"; flow:established,to_server; http.host; content:".cam"; fast_pattern; endswith; classtype:bad-unknown; sid:2032984; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"luckyhere.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027854; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.surf domain"; flow:established,to_server; http.host; content:".surf"; fast_pattern; endswith; classtype:bad-unknown; sid:2032985; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"imtesting.shiina.ga"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027855; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.asia domain"; flow:established,to_server; http.host; content:".asia"; fast_pattern; endswith; classtype:bad-unknown; sid:2032986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"ggwp.emptiness.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027856; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tw domain"; flow:established,to_server; http.host; content:".tw"; fast_pattern; endswith; classtype:bad-unknown; sid:2032987; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Mirai.shiina CnC Domain in DNS Query"; dns.query; content:"shiina.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027857; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ml domain"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2032988; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup getip.pw"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"getip.pw"; fast_pattern; endswith; classtype:external-ip-check; sid:2027860; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.gq domain"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2032989; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"abc="; depth:4; pcre:"/^[a-z0-9/%=]{100,}$/Ri"; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2027861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ga domain"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2032990; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .biz TLD"; dns.query; content:".biz"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027863; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.buzz domain"; flow:established,to_server; http.host; content:".buzz"; fast_pattern; endswith; classtype:bad-unknown; sid:2032991; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .okinawa TLD"; dns.query; content:".okinawa"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027864; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Cobalt Strike Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"ESF"; bsize:3; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032974; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .cloud TLD"; dns.query; content:".cloud"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027865; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Collector/2.0/settings/"; startswith; fast_pattern; content:"events="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .desi TLD"; dns.query; content:".desi"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027866; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M2"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Authentication|3a 20|skypetoken=eyJhbGciOi"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .life TLD"; dns.query; content:".life"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027867; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CL, L=Santiago, O=Tigomemo Uteendtu GP, OU=Touintsanc Ft4an, CN=cess3wessr.mq"; bsize:79; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032992; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .work TLD"; dns.query; content:".work"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027868; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=LC, L=Castries, O=Isesem Cooperative, OU=Tinarthar and tha6mate narobiaof and t5he, CN=Udngt5rlura.my"; bsize:103; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .ryukyu TLD"; dns.query; content:".ryukyu"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027869; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)"; flow:established,to_server; http.user_agent; content:"Mediapartners-Google"; nocase;  classtype:not-suspicious; sid:2032978; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .world TLD"; dns.query; content:".world"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027870; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecryptmyFiles Ransomware CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"decryptmyfiles.top"; bsize:18; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:command-and-control; sid:2032994; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .fit TLD"; dns.query; content:".fit"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027871; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DecryptmyFiles Ransomware User-Agent (uniquesession)"; flow:established,to_server; http.user_agent; content:"uniquesession"; bsize:13; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:trojan-activity; sid:2032995; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.okinawa Domain"; flow:established,to_server; http.host; content:".okinawa"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027873; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RiskWare.YouXun.AD CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sc="; content:!"&"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"; bsize:101; fast_pattern; reference:md5,2292c6acb1e5f139900b9d1942b14b08; classtype:command-and-control; sid:2032977; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.cloud Domain"; flow:established,to_server; http.host; content:".cloud"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027874; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yandex Webcrawler User-Agent (YandexBot)"; flow:established,to_server; http.user_agent; content:"YandexBot"; nocase;  classtype:not-suspicious; sid:2032979; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.desi Domain"; flow:established,to_server; http.host; content:".desi"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027875; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot)"; flow:established,to_server; http.user_agent; content:"DuckDuckBot"; nocase;  classtype:not-suspicious; sid:2032980; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.life Domain"; flow:established,to_server; http.host; content:".life"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027876; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Bing Webcrawler User-Agent (BingBot)"; flow:established,to_server; http.user_agent; content:"bingbot"; nocase;  classtype:not-suspicious; sid:2032981; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.work Domain"; flow:established,to_server; http.host; content:".work"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027877; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Naver Webcrawler User-Agent (Naver.me)"; flow:established,to_server; http.user_agent; content:"naver.me"; nocase;  classtype:not-suspicious; sid:2032982; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.ryukyu Domain"; flow:established,to_server; http.host; content:".ryukyu"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027878; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Ymacco.AA36 User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|deus vult|0d 0a|"; reference:md5,bde62aedd46fcbf7520a22e7375b6254; classtype:trojan-activity; sid:2032972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.world Domain"; flow:established,to_server; http.host; content:".world"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027879; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 2"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll2.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2032971; rev:2; metadata:created_at 2021_05_18, former_category MOBILE_MALWARE, updated_at 2021_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.fit Domain"; flow:established,to_server; http.host; content:".fit"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027880; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; reference:url,twitter.com/bl4ckh0l3z/status/1340960422485213184; reference:md5,43f75535144f3315e402a0aa5f181e7d; classtype:trojan-activity; sid:2031445; rev:2; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027881; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible ELF executable sent when remote host claims to send a Text File"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/plain"; file.data; content:"|7f 45 4c 46|"; startswith; fast_pattern; isdataat:3000,relative; classtype:bad-unknown; sid:2032973; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027882; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Bizarro Banker Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|MSIE 6.0|3b 20|Windows|20|NT|20|5.0"; bsize:48; fast_pattern; reference:url,securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/; classtype:trojan-activity; sid:2032998; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; depth:18; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:4; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+alert dns any any -> any any (msg:"ET MALWARE Suspected Sliver DNS CnC"; content:"|00 10 00 01|"; isdataat:!1,relative; dns.query; content:"_"; startswith; pcre:"/^[a-z0-9_]{6}[^a-z0-9_]/R"; content:"_domainkey"; distance:8; fast_pattern; reference:url,github.com/BishopFox/sliver; classtype:trojan-activity; sid:2032936; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, malware_family Sliver, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:pup-activity; sid:2007860; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Baidu Spider Webcrawler User Agent - inbound"; flow:established,to_server; content:"baiduspider"; nocase; http_user_agent; classtype:not-suspicious; sid:2033338; rev:1; metadata:attack_target Web_Server, created_at 2021_05_19, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_19, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Explorer)"; flow:established,to_server; http.user_agent; content:"Explorer"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:pup-activity; sid:2007921; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Discord Token Grabber"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"**Account Info**"; fast_pattern; content:"**Token**"; distance:0; content:"NightfallGT"; distance:0; reference:md5,0adc114f1b8ed3336d73d4d0521c39f5; reference:url,github.com/NightfallGT/Token-Grabber-Builder/; classtype:command-and-control; sid:2032999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:27; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:pup-activity; sid:2007929; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Discord Nitro Ransomware"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"**Program executed**"; fast_pattern; content:"Status|3a 20|Active|20|"; distance:0; content:"PC|20|Name|3a 20|"; distance:0; content:"IP|20|Address|3a 20|"; distance:0; reference:md5,0adc114f1b8ed3336d73d4d0521c39f5; reference:url,github.com/NightfallGT/Nitro-Ransomware; classtype:command-and-control; sid:2033000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP)"; flow:to_server,established; http.user_agent; content:"HTTP"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:pup-activity; sid:2007943; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-18"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"<html>"; startswith; content:"<title>Mail Verification</title><script src=|27|http|3a 2f 2f|"; content:!"google."; within:20; content:"/google_analytics_auto.js|27|></script>"; distance:0; within:100; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|"; distance:0; fast_pattern; reference:url,app.any.run/tasks/654f09ca-352f-4d7a-a8eb-ce49c88b4f58/; classtype:credential-theft; sid:2033001; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"wget 3.0"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007961; classtype:pup-activity; sid:2007961; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Silver Implant Domain (raspoly .biz in TLS SNI)"; flow:established,to_server; tls.sni; content:"raspoly.biz"; bsize:11; fast_pattern; reference:md5,13816c3ba10d4a3ca4b4c97f248a985f; classtype:domain-c2; sid:2032996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, signature_severity Major, updated_at 2021_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; endswith; http.host; content:!".iobit.com"; content:!".microsoft.com"; content:!".cnn.com"; content:!".wunderground.com"; content:!".weatherbug.com"; content:!"iobit.com.s3.amazonaws.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:pup-activity; sid:2008038; rev:15; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Silver Implant)"; flow:established,to_client; tls.cert_subject; content:"CN=raspoly.biz"; bsize:14; fast_pattern; reference:md5,13816c3ba10d4a3ca4b4c97f248a985f; classtype:domain-c2; sid:2032997; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (My Session)"; flow:to_server,established; http.user_agent; content:"My Session"; nocase; depth:10; http.host; content:!".windows.net"; endswith; reference:url,doc.emergingthreats.net/2010677; classtype:pup-activity; sid:2010677; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M2"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 41|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"x"; depth:1; endswith; http.host; content:!"update.aida64.com"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:pup-activity; sid:2013017; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 3"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/p.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2033003; rev:2; metadata:created_at 2021_05_20, former_category MOBILE_MALWARE, updated_at 2021_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; http.host; content:"go2000.cn"; endswith; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:pup-activity; sid:2013422; rev:6; metadata:created_at 2011_08_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M1"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 40|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; http.uri; content:"/dmresources/instructions"; fast_pattern; content:".dat"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.protocol; content:"HTTP/1.0"; endswith; http.header_names; content:!"Referer"; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; reference:url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/; classtype:pup-activity; sid:2017992; rev:11; metadata:created_at 2014_01_20, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; startswith; content:".min.js"; endswith; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Referer|3a 20|"; startswith; fast_pattern; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,4547d3404ceb0436585e11f317eadb7c; classtype:command-and-control; sid:2033008; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/OptimizerPro.exe"; nocase; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018743; rev:6; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response"; flow:established,to_client; file.data; content:"/*!|20|jQuery|20|v"; startswith; content:"if|28|e|5b|n|5d 3d 3d 3d|t|29|return n|3b|return|2d|1|7d 2c|P|3d 22|"; fast_pattern; distance:0; content:!"checked"; within:7; reference:md5,09773b90da8f3688faf54750b6a5ecf5; classtype:command-and-control; sid:2033009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PicColor Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?d="; content:"&format=json"; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:pup-activity; sid:2020948; rev:6; metadata:created_at 2015_04_20, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.mylnikov.org"; bsize:16; fast_pattern; reference:md5,1bad0cbd09b05a21157d8255dc801778; classtype:policy-violation; sid:2033010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2021_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/launch/"; endswith; http.header_names; content:"X-Crypto-Version"; fast_pattern; content:!"User-Agent"; content:!"Referer"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:pup-activity; sid:2021283; rev:7; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Kimsuky Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"list.php?query=1"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; bsize:57; http.header_names; content:!"Referer"; reference:md5,04a0505cc45d2dac4be9387768efcb7c; reference:md5,d8e817abd5ad765bf7acec5d672cbb8d; classtype:trojan-activity; sid:2033012; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; http.user_agent; content:"PCAcceleratePro"; depth:15; endswith; classtype:pup-activity; sid:2022828; rev:6; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Wifi Geolocation Lookup Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geolocation/wifi"; startswith; fast_pattern; content:"bssid="; http.host; content:"api.mylnikov.org"; bsize:16; reference:md5,1bad0cbd09b05a21157d8255dc801778; classtype:policy-violation; sid:2033011; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/q/"; depth:3; fast_pattern; http.request_body; content:"q="; depth:2; pcre:"/^[a-zA-Z0-9_-]+$/R"; http.connection; content:"close"; nocase; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:pup-activity; sid:2025094; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Internet, former_category ADWARE_PUP, malware_family Adposhel, performance_impact Moderate, signature_severity Major, tag Adware, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number2g .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"number2g.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2033014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rogue.WinPCDefender Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?machine_id={"; depth:14; fast_pattern; content:"}"; distance:0; endswith; http.host; content:"anti"; depth:4; http.header_names; content:!"Referer"; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:pup-activity; sid:2025358; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (genericalphabet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"genericalphabet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2033015; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.qbix.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:pup-activity; sid:2025424; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Activity M14"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"_"; distance:0; content:"*"; distance:0; http.host; content:"bb3u9.com"; fast_pattern; classtype:command-and-control; sid:2033019; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"maraukog.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?&"; fast_pattern; content:"&"; distance:0; content:"-"; distance:0; content:"&"; distance:0; content:"|3a|"; distance:2; within:1; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,293b4a6f18fdf5146b92e87e51cf8aa1; classtype:command-and-control; sid:2033020; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"acinster.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Activity M15"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"_"; distance:0; content:"*"; distance:0; http.host; content:"t."; startswith; fast_pattern; pcre:"/^[a-z0-9]{5}\.com$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; classtype:command-and-control; sid:2033021; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aclassigned.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025489; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT QNAP MusicStation Pre-Auth RCE Inbound (CVE-2020-36197)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/musicstation/api/upload.php?arttype=../../"; fast_pattern; reference:url,www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/; reference:cve,2020-36197; classtype:attempted-admin; sid:2033013; rev:2; metadata:created_at 2021_05_24, cve CVE_2020_36197, former_category EXPLOIT, updated_at 2021_05_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"efishedo.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025490; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M1"; flow:established,to_server; content:"sbyc"; startswith; fast_pattern; content:"/000"; distance:20; within:4; content:"JFIF"; distance:0; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033016; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"enclosely.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M2"; flow:established,to_server; content:"|0d 0a|clinet|20|utc|20|time|3a 3a 20|"; fast_pattern; content:"Hard|20|Disk|20|Used|20|Sizes|3a 3a|"; nocase; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"insupposity.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025492; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M3"; flow:established,to_server; content:"|00 00|encrypted|20|local|20|size|20 3a|"; nocase; fast_pattern; content:"|0d 0a|Encrypted|20|Network|20|size|20 3a|"; nocase; distance:0; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"suggedin.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025493; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rl?tm="; content:"&id="; content:"&cu="; content:"&ci="; content:"&cv="; content:"&iv="; content:"&pchid="; content:"&ug="; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active; classtype:pup-activity; sid:2033028; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; dns.query; content:"suggedin.info"; nocase; endswith; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:pup-activity; sid:2025531; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/exec.tgz"; endswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit; classtype:pup-activity; sid:2033029; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr5.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027422; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/files-"; offset:25; content:"/data?d="; distance:0; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,344b7370c6e61812eeb1cf1d737f27f3; reference:url,twitter.com/ShadowChasing1/status/1396809305194590211; classtype:trojan-activity; sid:2033032; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr30_nt.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027423; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/MapperState CnC Domain in DNS Lookup"; dns.query; content:"web.mapperstate.com"; nocase; bsize:19; reference:url,twitter.com/ConfiantIntel/status/1393215825931288580; classtype:domain-c2; sid:2033030; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed OSX/PremierOpinionD Collection Domain in TLS SNI"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; tls.sni; content:"oss-content.securestudies.com"; endswith; reference:url,www.airoav.com/mitm-voicefive; classtype:pup-activity; sid:2027694; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PremierOpinionD, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/MapperState CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"ms"; offset:7; depth:2; content:"|20|(unknown|20|version)|20|"; http.request_body; content:"smc31000"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,twitter.com/ConfiantIntel/status/1393215825931288580; classtype:trojan-activity; sid:2033031; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Reporting Details to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?ver="; content:"&t="; distance:0; content:"&domain="; distance:0; content:"&file="; distance:0; content:"&ext="; distance:0; content:"&cache="; distance:0; content:"&res1="; distance:0; http.user_agent; content:"VCSoapClient"; depth:12; fast_pattern; endswith; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027830; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaLoader CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; http.header; http.header; content:"Date|3a 20|"; content:"GMT|0d 0a|"; distance:0; pcre:"/^[a-z]{3,15}\x3a\x20/Rs"; content:"|0d 0a|User-Agent|3a 20|apiutwq|0d 0a|"; fast_pattern; distance:100; http.header_names; content:!"Referer"; reference:md5,96764a0a62e66a147a3d4db0e59a6e34; classtype:command-and-control; sid:2033033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, signature_severity Major, updated_at 2021_05_26;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Kryptik.XSY Data Exfil via SMTP"; flow:established,to_server; content:"|0d 0a|Subject: PW_"; content:"filename|3d 22|PW_"; content:"_"; distance:0; content:"_"; distance:4; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:".html|22 0d 0a 0d 0a|VGltZTog"; distance:2; within:18; fast_pattern; reference:md5,61181c9665789225439d04d6eef5527f; classtype:command-and-control; sid:2030887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; fast_pattern; tls.cert_issuer; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; reference:md5,4cca9a1ec4b92df89a8bc992a6ba961f; classtype:domain-c2; sid:2033034; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/i"; http.header; content:!"MstarUpdate"; http.user_agent; content:!"Mozilla/"; http.host; content:!".bitdefender.com"; content:!".homestead.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:10; metadata:created_at 2015_04_01, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".py?action=update&app=WebAssistant/1.0&db=Database/1.0"; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033038; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"adobe"; fast_pattern; content:".github.io"; distance:0; endswith; content:!"adobe.github.io"; depth:15; endswith; content:!"adobe-fonts.github.io"; depth:21; endswith; content:!"adobe-type-tools.github.io"; depth:26; endswith; classtype:policy-violation; sid:2027249; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups (officemodel .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"officemodel.org"; bsize:15; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033039; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Exfiltration Activity"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/up.php"; depth:37; fast_pattern; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploadfile|22 3b 20|filename|3d 22|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:18; within:47; http.content_type; content:"multipart/form-data|3b|"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:trojan-activity; sid:2027895; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category TROJAN, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/verify_/.php?flag=false"; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033040; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - CnC Checkin"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/load.php"; depth:39; fast_pattern; endswith; http.request_body; pcre:"/^[a-zA-Z0-9]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:!"Referer"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:command-and-control; sid:2027893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups (tcahf .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"tcahf.org"; bsize:9; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:domain-c2; sid:2033041; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTTP-TUNNEL detected"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?crap"; startswith; fast_pattern; threshold:type limit, track by_src,count 5, seconds 30; classtype:policy-violation; sid:2030886; rev:1; metadata:created_at 2020_09_17, former_category POLICY, signature_severity Informational, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups Domain (unohcr .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"unohcr.org"; bsize:10; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:domain-c2; sid:2033042; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"routingzen.com"; nocase; depth:14; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027693; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M1"; flow:established,to_client; file.data; content:"|3c|title|3e 3c 2f|title|3e 3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon"; fast_pattern; content:"|3c 2f|div|3e 3c|script|3e|eval|28|function|28 24|"; distance:0; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27|"; distance:0; content:!":<script>"; distance:0; content:"|3c 2f|script|3e 3c 2f|body|3e 3c 2f|html|3e 0a|"; endswith; content:!"|0d 0a|"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033036; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_27;)
 
-alert http any any -> any 10000 (msg:"ET WEB_SERVER Webmin RCE CVE-2019-15107"; flow:to_server,established; content:"/password_change.cgi"; depth:20; fast_pattern; endswith; http.method; content:"POST"; http.request_body; content:"|7c|"; reference:url,blog.firosolutions.com/exploits/webmin/; reference:cve,2019-15107; classtype:attempted-admin; sid:2027896; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_08_18, deployment Perimeter, deployment Internal, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Critical, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/Action/TestAction"; fast_pattern; http.request_body; content:"$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib"; content:"$value|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:cve,2021-31474; classtype:attempted-admin; sid:2033035; rev:1; metadata:attack_target Server, created_at 2021_05_27, cve CVE_2021_31474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/down.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027900; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups CnC Activity"; flow:established,to_server; http.uri; content:"/verify_.php?uuid="; startswith; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:command-and-control; sid:2033043; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/vers.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027901; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M1"; flow:established,to_client; http.content_type; content:"/javascript"; file.data; content:"eval|28|function|28 24|nbrut|2c|"; startswith; content:"function|28 24|charCode|29 20 7b|return|20 28 24|charCode|20|"; distance:0; content:"|3f 20|String|2e|fromCharCode|28|"; within:150; content:"|29 20 3a 20 24|charCode|2e|toString|28|"; within:50; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27 20 2b|"; distance:0; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/64.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027902; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M2"; flow:established,to_client; file.data; content:"|3c|title|3e 3c 2f|title|3e 3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon|22 20 2f 3e 3c 2f|head|3e 3c|body|20|class|3d 22|"; content:"|3e 3c 2f|div|3e 3c|script|3e|document|2e|write|28|atob|28 27|PHNjcmlwdD52YXIgXzB4"; fast_pattern; within:200; content:!":<script>"; distance:0; content:"|27 29 29 3c 2f|script|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; content:!"|0d 0a|"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033049; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipaddress .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myip"; depth:5; endswith; http.host; content:"api.ipaddress.com"; depth:17; fast_pattern; endswith; classtype:external-ip-check; sid:2027905; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".theyardservice.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; classtype:domain-c2; sid:2033050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlitchPOS CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gate.php?ped="; fast_pattern; content:"&s=1"; distance:0; endswith; http.header_names; content:!"Referer"; reference:md5,8cfa2adde150918062eb5d6af59d0e2a; classtype:command-and-control; sid:2027912; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".worldhomeoutlet.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; classtype:domain-c2; sid:2033051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/dnscfg.cgi?dnsPrimary="; fast_pattern; content:"&dnsSecondary="; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; distance:0; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apricot/"; fast_pattern; http.user_agent; content:"Microsoft|20|Internet|20|Explorer"; bsize:27; reference:md5,d843b58f31c687d22de09a6765b3ba3b; reference:url,twitter.com/ShadowChasing1/status/1395274704366145539; reference:url,research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/; classtype:trojan-activity; sid:2033054; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/form2dns.cgi?dnsmode=1&dns1="; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&submit.htm?dns.htm=send&save=apply"; fast_pattern; endswith; distance:0; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027907; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"; flowbits:isset,ET.rclone; ja3s.hash; content:"eb1d94daa7e0344597e756a1fb6e7054"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033055; rev:1; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; fast_pattern; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&dnsrefresh=1"; distance:0; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"; flowbits:isset,ET.rclone; ja3s.hash; content:"b607b6456e5d8a98efa7eb7f15029431"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033056; rev:1; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category TROJAN, malware_family Nemty, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-24"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"2|0a|<html>"; startswith; content:"<title>|26 23|47700|3b 26 23|51068|3b 20 26 23|49444|3b 26 23|51221|3b 20 7c 20 26 23|51060|3b 26 23|47700|3b 26 23|51068|3b 20 26 23|50629|3b 26 23|44536|3b 26 23|47112|3b 26 23|51060|3b 26 23|46300|3b|</title><script src=|27|/google_analytics_auto.js|27|></script>"; distance:0; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; distance:0; reference:url,app.any.run/tasks/e878cb4f-4078-47c8-ac7c-59266940a68e/; classtype:social-engineering; sid:2033048; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category TROJAN, malware_family Nemty, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M2"; flow:established,to_client; file.data; content:"var _0x"; startswith; content:"|3d 5b 22|"; distance:4; within:3; content:"|3b|var|20 5f|0x"; distance:0; content:"|3d|function|28|"; within:14; content:"|5b 78 3d 2b 78 5d 3b 76 6f 69 64 20 30 3d 3d 3d 5f 30 78|"; distance:18; within:19; fast_pattern; content:"|2e|replace|28 2f 3d 2b 24 2f 2c 22 22 29|"; distance:86; within:18; content:"return|20|decodeURIComponent|28|"; distance:0; classtype:credential-theft; sid:2033053; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Geo IP Lookup (api .db-ip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2027915; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible Rclone Client Activity"; flowbits:set,ET.rclone; flowbits:noalert; ja3.hash; content:"d0ee3237a14bbd89ca4d2b5356ab20ba"; tls.sni; content:!"grafana.com"; content:!"grafana.org"; content:!"grafana.net"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033047; rev:2; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Chrome)"; flow:established,to_server; http.user_agent; content:"Chrome"; depth:6; endswith; content:"Chrome"; fast_pattern; bsize:6; classtype:bad-unknown; sid:2027916; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POST to Double Slash in URI"; flow:established,to_server; http.request_line; content:"POST|20|//|20|HTTP/1."; startswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033045; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Alpha Stealer v1.5 PWS Exfil via HTTP"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[A-Za-z]+?/Rsi"; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:0; content:"Screen.jpg"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a55bd3cc5caa47cb45355e9f79d4fc47; classtype:trojan-activity; sid:2027917; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category TROJAN, malware_family Alpha_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M3"; flow:established,to_client; file.data; content:"|3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon|22 20 2f 3e|"; content:"document|2e|write|28|"; distance:0; content:"atob|28|"; within:40; content:"PHNjcmlwdD5ldmFsKGZ1bmN0aW9uKCRuYnJ1dCw"; within:150; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033063; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET 853 -> $HOME_NET any (msg:"ET POLICY Quad9 DNS Over TLS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=Berkeley, O=Quad9, CN=*.quad9.net"; endswith; fast_pattern; reference:md5,1e686b56ccbcb28667698389703bb13a; classtype:policy-violation; sid:2027918; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JSSLoader Domain (deprivationant .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"deprivationant.com"; bsize:18; fast_pattern; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:domain-c2; sid:2033058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, signature_severity Major, updated_at 2021_06_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed External IP Lookup Domain (ipconfig .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipconfig.cf"; endswith; classtype:external-ip-check; sid:2027919; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; fast_pattern; content:"&p1="; distance:1; within:4; content:"&p2="; distance:16; within:4; pcre:"/\.php\?m=[abcdefgh]&p1=[a-f0-9]{16}&p2=[^\r\n]+$/"; http.user_agent; content:"Android"; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; reference:url,blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor; reference:md5,4626ed60dfc8deaf75477bc06bd39be7; classtype:trojan-activity; sid:2033059; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_06_01, deployment Perimeter, former_category MOBILE_MALWARE, updated_at 2021_06_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.co.za"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027922; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike C2 Profile (news_indexedimages)"; flow:established,to_server; http.request_line; content:"GET /news_indexedimages_autrzd/"; startswith; fast_pattern; content:"&usqp=CAU HTTP/1.1"; endswith; http.referer; content:"http://www.google.com"; bsize:21; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|compatible|3b 20|MSIE|20|8|2e|0|3b 20|Windows|20|NT|20|6|2e|1|3b 20|Trident|2f|5|2e|0|29|"; bsize:63; reference:md5,8ece22e6b6e564e3cbfb190bcbd5d3b9; classtype:command-and-control; sid:2033065; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.org"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027923; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike Loader Domain (cybersecyrity .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cybersecyrity.com"; bsize:17; fast_pattern; reference:md5,611d4c566575d5657661766e27292d28; classtype:domain-c2; sid:2033060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"excsrvcdn.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027924; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (defendersecyrity .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defendersecyrity.com"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033061; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"online-analytic.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile)"; flow:established,to_server; http.user_agent; content:"sendFile"; nocase; depth:8; http.host; content:!".tannereda.com"; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016888; rev:6; metadata:created_at 2013_05_21, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-traffic.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed UK Gov Support Landing 2021-06-01"; flow:established,from_server; file.data; content: "<title> Enter your Self Assessment Unique Taxpayer Reference|20 2d 20|Self|2d|Employment Income Support Scheme|20 2d 20|GOV.UK</title>"; fast_pattern; content:"width=device-width"; distance:0; content:"initial-scale=1"; distance:0; content:"viewport-fit=cover|22 3e|"; reference:url,app.any.run/tasks/b1fe8d30-2f22-4f84-bcc8-2643562a8765/; classtype:social-engineering; sid:2033062; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-statistics.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analitycs .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analitycs.site"; bsize:21; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033067; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscachecloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analytics.online"; bsize:23; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033068; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscloudservice.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027929; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analytics.website"; bsize:24; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033069; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"opendnscloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027930; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googletagsmanager .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"googletagsmanager.website"; bsize:25; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033070; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK - Unexpected Victim Location Server Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Sea|20|for|20|a|20|life"; startswith; fast_pattern; endswith; classtype:exploit-kit; sid:2027934; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RigEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Secure Email Portal Lure Landing Page"; flow:established,to_client; file.data; content:"|3c|tr|3e 3c|td|3e 3c|IMG|20|SRC|3d 22|"; content:"name|3d 22|submitButton|22 20|value|3d 22 20 20 20 20|Click|20|to|20|read|20|message|20 20 20 20 22 3e|"; fast_pattern; content:"|3b 20|text|2d|align|3a 20|center|3b 22 3e 20 20 3c|A|20|HREF|3d 22 22|"; content:!"|2f|formpostdir|2f|safeformpost|2e|aspx|22 3e|"; classtype:credential-theft; sid:2033064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_06_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"solkoptions.host"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026858; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evilnum Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/actions/authenticate.php"; bsize:25; fast_pattern; http.cookie; content:"_gid="; startswith; reference:url,twitter.com/ShadowChasing1/status/1399697694491254798; reference:md5,3f230856172f211d5c9ed44ea783f850; classtype:trojan-activity; sid:2033071; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[a-zA-z]{5,10}_[A-F0-9]{12}$/R"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:trojan-activity; sid:2033072; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; content:".cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JSSLoader Variant Domain (legislationient .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"legislationient.com"; bsize:19; fast_pattern; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,58e9f9575c6d908fb32b528064e14004; classtype:domain-c2; sid:2033073; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.vv.cc domain"; dns.query; content:".vv.cc"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2012826; rev:5; metadata:created_at 2011_05_19, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[a-zA-z]{5,10}_[A-F0-9]{12}$/R"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:trojan-activity; sid:2033074; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.be Domain"; dns.query; content:".co.be"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013124; rev:7; metadata:created_at 2011_06_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar Stealer - FaceIt Checkin Response"; flow:established,to_client; file.data; content:"|7b 22|result|22 3a 22|ok|22 2c 22|payload|22 3a 7b 22|country|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|about|22 3a 22|"; pcre:"/^[^\"]+\x7c\x22\x2c\x22/R"; reference:url,medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed; classtype:command-and-control; sid:2033066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .net.tf Domain"; dns.query; content:".net.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013847; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)"; flow:from_server,established; tls.cert_subject; content:"CN=transfer.sh"; fast_pattern; classtype:policy-violation; sid:2033076; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .eu.tf Domain"; dns.query; content:".eu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013848; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; content:"&formid="; distance:0; http.header_names; content:!"Referer"; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,twitter.com/360CoreSec/status/1408348476660797440; classtype:trojan-activity; sid:2033083; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .int.tf Domain"; dns.query; content:".int.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013849; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CNRarypt Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HOW_TO_BACK_YOUR_FILES.txt"; endswith; fast_pattern; http.user_agent; content:"CertUtil URL Agent"; bsize:18; http.header_names; content:!"Referer"; reference:md5,62292df897bf304872aad2dc92c96d70; classtype:trojan-activity; sid:2033075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .edu.tf Domain"; dns.query; content:".edu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013850; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT34 Related DNS Tunneling Activity"; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".dnsstatus.org"; endswith; threshold: type both, track by_src, count 3, seconds 5; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,twitter.com/360CoreSec/status/1408348476660797440; classtype:trojan-activity; sid:2033084; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .us.tf Domain"; dns.query; content:".us.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013851; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lyceum Group Activity (DNS)"; threshold: type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderlive.com"; endswith; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,securelist.com/lyceum-group-reborn/104586/; classtype:trojan-activity; sid:2033085; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ca.tf Domain"; dns.query; content:".ca.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013852; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert udp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033077; rev:1; metadata:created_at 2021_06_03, former_category INFO, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .bg.tf Domain"; dns.query; content:".bg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013853; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ru.tf Domain"; dns.query; content:".ru.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013854; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033079; rev:1; metadata:attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .pl.tf Domain"; dns.query; content:".pl.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013855; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033080; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .cz.tf Domain"; dns.query; content:".cz.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013856; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .de.tf Domain"; dns.query; content:".de.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013857; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .at.tf Domain"; dns.query; content:".at.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013858; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Maldoc Activity"; flow:established,to_server; http.uri; content:"/Apricot"; startswith; http.user_agent; content:"Office"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/; reference:md5,1e9f1746c2dbea0df5017afdf8b94189; classtype:trojan-activity; sid:2033086; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ch.tf Domain"; dns.query; content:".ch.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013859; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (analiticsweb .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"analiticsweb.site"; bsize:17; fast_pattern; reference:url,twitter.com/rootprivilege/status/1400850998063632389; reference:url,lukeleal.com/research/posts/analiticsweb-skimmer/; classtype:trojan-activity; sid:2033098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .sg.tf Domain"; dns.query; content:".sg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013860; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Command Injection Attempt Inbound (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"certificate_handle2.htm?type=4"; fast_pattern; http.request_body; content:"|22|common_name|22 3a|"; nocase; content:"|27 24 28|"; distance:0; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1652; classtype:attempted-admin; sid:2033088; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1652, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .nl.ai Domain"; dns.query; content:".nl.ai"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013861; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Config Disclosure Attempt Inbound (CVE-2019-1653)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/config.exp"; endswith; fast_pattern; flowbits:set,ET.cve20191653.1; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033089; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .xe.cx Domain"; dns.query; content:".xe.cx"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013862; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful Cisco RV320/RV325 Config Disclosure (CVE-2019-1653)"; flow:established,from_server; file.data; content:"sysconfig"; flowbits:isset,ET.cve20191653.1; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033090; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .noip.cn Domain"; dns.query; content:".noip.cn"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013970; rev:5; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Debug Dump Disclosure Attempt Inbound (CVE-2019-1653)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/export_debug_msg.exp"; endswith; fast_pattern; http.request_body; content:"submitdebugmsg|22 3a 20 22|1|22|"; flowbits:set,ET.cve20191653.2; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033091; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; dns.query; content:"gongfu-android.com"; depth:18; endswith; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:command-and-control; sid:2013023; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful Cisco RV320/RV325 Debug Dump Disclosure (CVE-2019-1653)"; flow:established,from_server; file.data; content:"Salted__"; flowbits:isset,ET.cve20191653.2; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033092; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ch.vu Domain"; dns.query; content:".ch.vu"; fast_pattern; nocase; endswith; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:8; metadata:created_at 2012_02_27, former_category HUNTING, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FatalRAT CnC Activity"; flow:established,to_server; stream_size:server,=,1; content:"|bf bc 95|"; depth:3; content:"|8e 8e|"; distance:2; within:2; content:"|8e 8e 2c 1b 80 8e e6 02|"; distance:2; within:8; fast_pattern; reference:md5,99fc53d3d4c2c31fd5b5f0f15dbdeab4; reference:url,twitter.com/c3rb3ru5d3d53c/status/1400075253695537155; classtype:command-and-control; sid:2033093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family FatalRAT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; dns.query; content:".ez-dns.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013845; rev:6; metadata:created_at 2011_11_04, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE sysrv.ELF Exploit Success Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ldr.sh"; endswith; fast_pattern; http.user_agent; pcre:"/^(?:curl|wget)_?(?:c(?:ve_20(?:1(?:(?:7_1161|8_760)0|9_10758)|20_16846)|url_xxljobUnauth)|tp5)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,mblogs.akamai.com/sitr/2021/03/another-golang-crypto-miner-on-the-loose.html; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:trojan-activity; sid:2033094; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; dns.query; content:".dyndns-web.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013863; rev:7; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ALFA Shell APT33 DNS Lookup (solevisible .com)"; dns.query; content:"solevisible.com"; nocase; endswith; threshold:type limit,count 1,track by_src,seconds 120; reference:url,fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:domain-c2; sid:2033095; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; dns.query; content:".dyndns-at-home.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013971; rev:7; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/SkinnyBoy Payload Request"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Opera"; bsize:5; http.request_body; content:"id="; startswith; content:"#"; distance:0; content:"#"; distance:0; content:"&cmd=y"; endswith; fast_pattern; reference:url,cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf; classtype:command-and-control; sid:2033097; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family SkinnyBoy, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain"; dns.query; content:".4irc.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014480; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.7.0_"; content:!"301"; within:3; reference:url,www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html; classtype:bad-unknown; sid:2014297; rev:61; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2012_03_01, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain"; dns.query; content:".b0ne.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014482; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NoCry Ransomware Checkin Via Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=username|0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=content|0d 0a 0d 0a|**New Victim**|0d 0a|"; fast_pattern; distance:0; content:"ID|20 3a 20|"; distance:0; content:"Key|20 3a 20|"; content:"Date&Time|20 3a 20|"; http.header_names; content:!"Referer"; reference:md5,682b432662affb2812ece6b940f5be51; classtype:trojan-activity; sid:2033099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain"; dns.query; content:".chatnook.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014486; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlagueBot User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|PlagueBot|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2142ed343d1020dca9dec439933c1877; classtype:trojan-activity; sid:2033100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain"; dns.query; content:".darktech.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014488; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ETag HTTP Header Observed at JPCERT Sinkhole"; flow:established,to_client; http.header; content:"ETag|3a 20 22|9-525c24c725e00|22|"; classtype:bad-unknown; sid:2033103; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain"; dns.query; content:".deaftone.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014490; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ETag HTTP Header Observed at CNCERT Sinkhole"; flow:established,to_client; http.header; content:"ETag|3a 20 22|2b1-55fb5d562c37c|22|"; classtype:bad-unknown; sid:2033104; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.effers.com Domain"; dns.query; content:".effers.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014494; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"Server|3a 20|malware-sinkhole"; nocase; classtype:trojan-activity; sid:2033105; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain"; dns.query; content:".etowns.net"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014496; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"Server|3a 20|360Netlab-sinkhole"; nocase; classtype:trojan-activity; sid:2033106; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain"; dns.query; content:".etowns.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014498; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkValid"; http.request_body; content:"document=this.constructor"; content:"execSync"; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain"; dns.query; content:".gotgeeks.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014502; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT XXL-Job RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; http.request_body; content:"GLUE_SHELL"; nocase; fast_pattern; content:"glueSource"; nocase; content:"glueUpdatetime"; nocase; reference:url,github.com/jas502n/xxl-job; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain"; dns.query; content:".scieron.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014504; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uy.txt"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1402239834819743746; reference:md5,dfbe17d9dfa3f3bb715e1d8348bd1f50; classtype:trojan-activity; sid:2033116; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain"; dns.query; content:".slyip.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014506; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Unix/Linux Processhider Source Being Downloaded"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/d/processhider.c"; bsize:17; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; content:"m.windowsupdatesupport.org"; bsize:26; reference:md5,4ff3828a2ecc6314bfc7dc22ca194480; reference:url,twitter.com/JAMESWT_MHT/status/1402239031602302983; classtype:bad-unknown; sid:2033117; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain"; dns.query; content:".suroot.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014510; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Puzzlemaker Remote Shell Domain (media-seoengine .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"media-seoengine.com"; bsize:19; fast_pattern; reference:url,securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; reference:md5,d6b850c950379d5ee0f254f7164833e8; classtype:domain-c2; sid:2033127; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".2288.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014779; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Puzzlemaker Remote Shell Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/analytics"; bsize:10; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:34; fast_pattern; http.user_agent; content:"Win64|3b|"; content:"Chrome/"; reference:md5,d6b850c950379d5ee0f254f7164833e8; reference:url,securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; classtype:trojan-activity; sid:2033128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".3322.net"; fast_pattern; endswith; classtype:misc-activity; sid:2014781; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rose/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,3c71395a0863fcc262e9e819ba4907b1; reference:url,twitter.com/ShadowChasing1/status/1402417050174164993; classtype:trojan-activity; sid:2033129; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".6600.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014782; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .dns1 .us"; dns.query; content:".dns1.us"; endswith; fast_pattern; classtype:bad-unknown; sid:2033119; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".7766.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014783; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .otzo .com"; dns.query; content:".otzo.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033120; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".9966.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014786; rev:9; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .zyns .com"; dns.query; content:".zyns.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033121; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com"; dns.query; content:".dns-stuff.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014868; rev:6; metadata:created_at 2012_06_07, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .zzux .com"; dns.query; content:".zzux.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033122; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; dns.query; content:".onion"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:5; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".hkbusupport.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033123; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.be.ma domain"; dns.query; content:".be.ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2012902; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".4vw37z.cn"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033124; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.upas.su domain"; dns.query; content:".upas.su"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2015550; rev:5; metadata:created_at 2012_07_31, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".boshiamys.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033125; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; dns.query; content:".exit"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:7; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".96html.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033126; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.cc Domain"; dns.query; content:".co.cc"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:7; metadata:created_at 2010_09_27, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Spy.Agent.QCL Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/vocha/ogo"; bsize:10; fast_pattern; http.request_body; content:"data="; startswith; http.header_names; content:!"Referer"; reference:md5,8fe3b7be548ab6bba549ddbfdabc90ed; classtype:pup-activity; sid:2033130; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; dns.query; content:"provide.yourtrap.com"; depth:20; fast_pattern; nocase; endswith; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:command-and-control; sid:2016135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Spy.Agent.QCL Variant Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wiki/Hello_orld_(film)"; bsize:23; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; reference:md5,8fe3b7be548ab6bba549ddbfdabc90ed; classtype:pup-activity; sid:2033131; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Chewbacca CnC Server"; dns.query; content:"5ji235jysrvwfgmb.onion"; depth:22; fast_pattern; endswith; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:command-and-control; sid:2018114; rev:5; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jboss RCE (CVE-2017-12149)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/readonly"; fast_pattern; http.request_body; content:"java.util.HashSet"; reference:cve,2017-12149; reference:url,github.com/gottburgm/Exploits/blob/master/CVE-2017-12149/CVE_2017_12149.pl#L180; classtype:attempted-admin; sid:2033118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, cve CVE_2017_12149, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns.query; content:"jmxkowzoen.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018267; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Office Doc Retrieving Shortened URL (bit .do)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:"bit.do"; bsize:6; fast_pattern; reference:md5,04a303e67b4a2f9f7bb532779aef2c72; classtype:bad-unknown; sid:2033133; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbasic.com Domain"; dns.query; content:".mrbasic.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2018366; rev:6; metadata:created_at 2014_04_04, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING URL Shortening Service Used by Curl (ic9 .in)"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; http.host; content:"ic9.in"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2033134; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; dns.query; content:"tun.vpnoverdns.com"; depth:18; fast_pattern; nocase; endswith; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:6; metadata:created_at 2014_05_01, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!6180,!80,!443,!8080,!8443,!25,!587,!2525] (msg:"ET MALWARE QuasarRAT/zgRAT C2 Activity (set)"; flow:established,to_server; flowbits:set,ET.zgRAT; flowbits:noalert; content:"|19 00 00 00|"; dsize:4; reference:md5,4e893ea0874f70f4972fa93fed96e77c; classtype:command-and-control; sid:2033107; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_10, deployment Perimeter, former_category MALWARE, malware_family Quasar, malware_family VoidRat, malware_family zgRAT, signature_severity Major, updated_at 2021_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; dns.query; content:"zpwibfsmoowehdsm.onion"; depth:22; nocase; endswith; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:5; metadata:created_at 2014_07_15, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Filesharing Domain (privatlab .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.com"; bsize:13; fast_pattern; classtype:policy-violation; sid:2033137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; dns.query; content:".passinggas.net"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018810; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; http.user_agent; content:"Launcher"; nocase; content:!"EpicGamesLauncher"; depth:17; content:!"7Launcher";  reference:url,doc.emergingthreats.net/2010645; classtype:policy-violation; sid:2010645; rev:11; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myredirect.us Domain (Sitelutions)"; dns.query; content:".myredirect.us"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018812; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Maldoc CnC Domain (shopweblive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopweblive.com"; bsize:15; fast_pattern; reference:url,twitter.com/360CoreSec/status/1402920149754155010; reference:md5,4fb3bd661331b10fbd01e5f3e72f476c; reference:md5,b7dbb3bef80d04e4b8981ab4011f4bfe; classtype:domain-c2; sid:2033135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2021_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.rr.nu Domain (Sitelutions)"; dns.query; content:".rr.nu"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018814; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.kwik.to Domain (Sitelutions)"; dns.query; content:".kwik.to"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018816; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/SkinnyBoy Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Opera"; bsize:5; http.request_body; content:"id="; startswith; content:"#"; distance:0; content:"#"; distance:0; content:"&current="; distance:0; fast_pattern; content:"&total="; distance:0; content:"&data="; distance:0; reference:url,cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf; classtype:command-and-control; sid:2033096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family SkinnyBoy, performance_impact Low, signature_severity Major, updated_at 2021_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myfw.us Domain (Sitelutions)"; dns.query; content:".myfw.us"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018818; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN7 CnC Domain (injuryless .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"injuryless.com"; bsize:14; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1403150596849295362; reference:md5,1ac719c744d22f42e4978e7b55828435; reference:md5,526d56017ef5105277fe0d366c95c39d; classtype:domain-c2; sid:2033138; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *ontheweb.nu Domain (Sitelutions)"; dns.query; content:".ontheweb.nu"; nocase; endswith; classtype:bad-unknown; sid:2018820; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK Campaign)"; flow:established,to_client; tls.cert_fingerprint; content:"b3:03:81:01:fd:0e:8b:11:c5:19:f7:39:f1:2c:7e:9b:60:23:4d:3b"; classtype:domain-c2; sid:2033140; rev:2; metadata:attack_target Client_and_Server, created_at 2021_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isthebe.st Domain (Sitelutions)"; dns.query; content:".isthebe.st"; nocase; endswith; classtype:bad-unknown; sid:2018822; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ba.html"; bsize:8; fast_pattern; http.cookie; content:"woocommerce_items_in_cart="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,68abb4a9c6203acca940a49157264497; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033141; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *byinter.net Domain (Sitelutions)"; dns.query; content:".byinter.net"; nocase; endswith; classtype:bad-unknown; sid:2018824; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MyAgent)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"www.google-analytics.com"; http.user_agent; content:"MyAgent"; depth:7; fast_pattern; http.host; content:!"driverdl.lenovo.com.cn"; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *findhere.org Domain (Sitelutions)"; dns.query; content:".findhere.org"; nocase; endswith; classtype:bad-unknown; sid:2018826; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?inc="; fast_pattern; http.cookie; content:"affiliate_id="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b3d1ca6f439f2b2014643cc8fad9a55; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033142; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *onthenetas.com Domain (Sitelutions)"; dns.query; content:".onthenetas.com"; nocase; endswith; classtype:bad-unknown; sid:2018828; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.uri; content:"/ny.js"; bsize:6; fast_pattern; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,93b24d6de3e38fe3112554355a1ba98f; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033143; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *uglyas.com Domain (Sitelutions)"; dns.query; content:".uglyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018830; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart Skimmer Websocket Domain in DNS Lookup"; dns.query; content:"hotjar.info"; nocase; bsize:11; reference:url,lukeleal.com/research/posts/hotjar-dot-info-skimmer/; reference:url,twitter.com/rootprivilege/status/1404595455065870336; classtype:trojan-activity; sid:2033144; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *assexyas.com Domain (Sitelutions)"; dns.query; content:".assexyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018832; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload 2021-06-15"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\.[0-9]{6,18}\.dat$/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *passas.us Domain (Sitelutions)"; dns.query; content:".passas.us"; nocase; endswith; classtype:bad-unknown; sid:2018834; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".css?open="; fast_pattern; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,c49f5361c91208f95a3f4d8a9cccf5cc; reference:url,twitter.com/_brettfitz/status/1404438059962208256; classtype:trojan-activity; sid:2033145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *atthissite.com Domain (Sitelutions)"; dns.query; content:"athissite.com"; nocase; endswith; classtype:bad-unknown; sid:2018836; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php|20|SSL3.4"; fast_pattern; startswith; reference:url,securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/; reference:md5,569246a3325effa11cb8ff362428ab2c; classtype:command-and-control; sid:2033146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_16, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, signature_severity Major, tag Backdoor, updated_at 2021_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *athersite.com Domain (Sitelutions)"; dns.query; content:"athersite.com"; nocase; endswith; classtype:bad-unknown; sid:2018838; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andariel Backdoor Actvity (Response)"; flow:established,to_client; content:"HTTP|20|1.1|20|200|20|OK|20|SSL2.1"; fast_pattern; startswith; reference:url,securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/; reference:md5,569246a3325effa11cb8ff362428ab2c; classtype:command-and-control; sid:2033147; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_16, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2021_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isgre.at Domain (Sitelutions)"; dns.query; content:".isgre.at"; nocase; endswith; classtype:bad-unknown; sid:2018840; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (extension.css)"; flow:established,to_server; http.uri; content:"/extension.css?goto="; startswith; http.cookie; content:"lu="; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:trojan-activity; sid:2033148; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lookin.at Domain (Sitelutions)"; dns.query; content:".lookin.at"; nocase; endswith; classtype:bad-unknown; sid:2018842; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 BEACON Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html|20|/"; content:".html?auth=uid"; distance:0; fast_pattern; http.user_agent; content:"ms-office|3b 20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html; reference:md5,5f1e9ae81c6a3797bf16b9ee469dc66a; classtype:command-and-control; sid:2033149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *bestdeals.at Domain (Sitelutions)"; dns.query; content:".bestdeals.at"; nocase; endswith; classtype:bad-unknown; sid:2018844; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible Nessus Client"; ja3.hash; content:"9598288c48f0a784d8e153b0df2b3bd1"; classtype:bad-unknown; sid:2033150; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Informational, updated_at 2021_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lowestprices Domain (Sitelutions)"; dns.query; content:".lowestprices.at"; nocase; endswith; classtype:bad-unknown; sid:2018846; rev:7; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 Malicious MSHTA Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ID-508260156241"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html; classtype:trojan-activity; sid:2033151; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.orge.pl Domain"; dns.query; content:".orge.pl"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013843; rev:6; metadata:created_at 2011_11_04, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Operation Sidecopy lnk Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/font/js/images/"; startswith; fast_pattern; content:"/css"; endswith; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.host; content:".in"; endswith; reference:url,twitter.com/ShadowChasing1/status/1406959698142666756; reference:md5,e05468aaa0c436e953116989ccf9703b; classtype:trojan-activity; sid:2033153; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Query to Known CnC Domain msnsolution.nicaze.net"; dns.query; content:"icaze.net"; depth:9; fast_pattern; endswith; reference:md5,89332c92d0360095e2dda8385d400258; classtype:command-and-control; sid:2014139; rev:8; metadata:created_at 2012_01_21, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Matanbuchus CnC Domain in DNS Lookup (eonsabode .at)"; dns.query; content:"eonsabode.at"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/; classtype:domain-c2; sid:2033154; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (sektori.org)"; dns.query; content:"sektori.org"; depth:11; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014573; rev:9; metadata:created_at 2012_04_16, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gelsemium CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=IH, L=IH, O=IH, OU=IH, CN=IH"; bsize:37; fast_pattern; tls.cert_issuer; content:"C=US, ST=CA, L=CA, O=CA, OU=CA, CN=CA"; bsize:37; reference:md5,87eb0975758ecef44e8368914cffe151; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.bestcomputeradvisor.com"; dns.query; content:".bestcomputeradvisor.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:8; metadata:created_at 2012_08_09, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Klingon RAT)"; flow:established,to_client; tls.cert_subject; content:"emailAddress=trump@whitehouse.xyz"; tls.cert_issuer; content:"C=US, ST=Washington, L=Washington, O=White House, OU=Mr President, CN=whitehouse.xyz/emailAddress=trump@whitehouse.xyz"; bsize:118; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/; classtype:command-and-control; sid:2033156; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"chrom-update.online"; nocase; endswith; classtype:command-and-control; sid:2027936; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"eb1d94daa7e0344597e756a1fb6e7054"; reference:url,thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/; classtype:bad-unknown; sid:2033157; rev:1; metadata:created_at 2021_06_22, former_category JA3, updated_at 2021_06_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"mnmnmnmnmnmn.club"; nocase; endswith; classtype:command-and-control; sid:2027937; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile wordpress_ Cookie Test"; flow:established,to_server; http.cookie; content:"wordpress"; fast_pattern; pcre:"/^_?=?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:url,thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/; classtype:trojan-activity; sid:2033158; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"asasasqwqq.xyz"; nocase; endswith; classtype:command-and-control; sid:2027938; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET [!443] -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2021_06_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.guest-access.net"; dns.query; content:".guest-access.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:8; metadata:created_at 2012_08_09, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity (wget)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/supermicro_cr.gz"; bsize:21; fast_pattern; http.user_agent; content:"Wget/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033159; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Known Reveton Domain whatwillber.com"; dns.query; content:"whatwillber.com"; depth:15; nocase; endswith; classtype:bad-unknown; sid:2015875; rev:9; metadata:created_at 2012_11_08, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity (curl)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.php?apirequests="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033160; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup msonlinelive.com"; dns.query; content:"msonlinelive.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019586; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Telegram Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1322235264:AAE7QI-f1GtAF_huVz8E5IBdb5JbWIIiGKI/sendMessage?chat_id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; content:"api.telegram.org"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033161; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup malwarecheck.info"; dns.query; content:"malwarecheck.info"; depth:17; fast_pattern; nocase; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019640; rev:5; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity Attack Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_attack/0.txt"; bsize:19; fast_pattern; http.user_agent; content:"Wget/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033162; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain www.comeinbaby.com"; dns.query; content:"comeinbaby.com"; depth:14; fast_pattern; nocase; endswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019667; rev:7; metadata:created_at 2014_11_06, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-22"; flow:established,to_client; file.data; content:"<title>L|26 23|79|3b|G|20 26 23|73|3b 26 23|78|3b 20|</title>"; fast_pattern; content:"action=need1.php"; distance:0; content:"name=pfw"; distance:0; content:"method|3d|post|3e|"; distance:0 ; reference:url,app.any.run/tasks/fe8b5eb1-7aab-435f-9795-456983adc07e/; classtype:social-engineering; sid:2033155; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain manhuaba.com.cn"; dns.query; content:"manhuaba.com.cn"; depth:15; fast_pattern; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019718; rev:5; metadata:created_at 2014_11_17, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanClicker Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/test/err.asp?alerr="; startswith; fast_pattern; content:"&time="; distance:0; http.host; content:".cn"; endswith; reference:md5,f990d21e020f4130e58d49cc368921b1; classtype:pup-activity; sid:2033168; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.no-ip.net"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019788; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/arm/template.php"; bsize:17; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:"winxpo.live"; bsize:11; reference:url,twitter.com/ShadowChasing1/status/1407636259367899138; reference:md5,e8e866e522b66c16d2ed8e345e48f524; classtype:trojan-activity; sid:2033169; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.ddns.net"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019790; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a 0d 0a|"; content:".zip|0d 0a|"; distance:0; within:50; content:"|0d 0a|PK"; distance:0; content:"system.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8124a572f854007e63cc7337547a37af; reference:md5,673410a381f324b0209abf1175415206; reference:url,3xp0rt.com/posts/mars-stealer; classtype:trojan-activity; sid:2033163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adobeincorp.com"; dns.query; content:"adobeincorp.com"; depth:15; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019565; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Downloading from Dropbox via API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2/files/download"; http.header; content:"Authorization|3a 20|Bearer|20|FLtUsbS3oqcAAAAAAAAAAZ_86BAKGkKPNHeBSV8ETDcqFjlDgagrviCEw0VV6Ecn|0d 0a|"; content:"/Energy/staging/debugps"; fast_pattern; http.host; content:"content.dropboxapi.com"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1407540607954743297; reference:md5,f123a68eea92b34d76f0ca0b677419bd; classtype:trojan-activity; sid:2033170; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"doosan-job.com"; depth:14; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019851; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Ask Webcrawler User-Agent"; flow:established,to_server; http.user_agent; content:"Ask Jeeves"; nocase;  classtype:not-suspicious; sid:2033164; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"downloadsservers.com"; depth:20; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019852; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Exabot Webcrawler User Agent"; flow:established,to_server; content:"Exabot"; nocase; http_user_agent; classtype:not-suspicious; sid:2033165; rev:2; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"drivercenterupdate.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019853; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN AOL Webcrawler User-Agent"; flow:established,to_server; content:"AOLBuild "; nocase; http_user_agent; classtype:not-suspicious; sid:2033166; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"easyresumecreatorpro.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019854; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NewGames.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/NewGames.jar"; http_uri;  classtype:policy-violation; sid:2011326; rev:5; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019855; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_ttp"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,532acbadb8151944650aaecc0a397965; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033171; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.net"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019856; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore CnC Activity"; flow:established,to_server; content:"|3c 7c|"; startswith; content:"SOCKET|7c 3e|"; distance:0; fast_pattern; content:"|3c 7c|END|7c 3e|"; endswith; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; reference:md5,8f8bad9fb9a1f333bd3380e2698b4236; classtype:command-and-control; sid:2033173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family AllaKore, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftactiveservices.com"; depth:27; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019858; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaChi RAT Client CnC (POST)"; flow:established,to_server; flowbits:set,ET.chachirat; http.method; content:"POST"; http.uri; content:"/cert/trust"; bsize:11; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftmiddleast.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019859; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ChaChi RAT Server Response"; flow:established,to_client; flowbits:isset,ET.chachirat; http.stat_code; content:"200"; file.data; content:"-zig"; endswith; fast_pattern; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsserverupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019869; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaChi RAT Client CnC (POST)"; flow:established,to_server; flowbits:set,ET.chachirat; http.method; content:"POST"; http.uri; content:"/time/sync"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowssecurityupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019868; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|43 21 f0 39 ff 82 2c 1c 54 06|"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,63c6febaeff62391187077b5e2f781e7; reference:md5,33a68137c05b0e2c2ee2ca559e038358; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033174; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"northropgrumman.net"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019865; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_t_t_p"; fast_pattern; bsize:8; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,63c6febaeff62391187077b5e2f781e7; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033175; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsupdate.net"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019864; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected DNS CnC via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 500, seconds 300; classtype:bad-unknown; sid:2033185; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, deployment Internal, former_category HUNTING, performance_impact Significant, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowscentralupdate.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019867; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9]{5,12}&a=/R"; content:"&a=Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"teledyne-jobs.com"; depth:17; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019866; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu00.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftserverupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019861; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu03.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftonlineupdates.com"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019860; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu01.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsresources.com"; depth:29; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019863; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu02.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsupdateserver.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019870; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response"; flow:established,to_client; file.data; content:"cmd"; nocase; startswith; content:"new%2520ActiveXObject%2528%2522WinHttp.WinHttpRequest.5.1"; distance:0; content:"GET%2522%252Cunescape"; distance:0; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033181; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"gesunddurchsjahr.de"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019871; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?query=5"; bsize:9; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:84; reference:md5,b567f7aac1574b2ba3a769702d2f6a1e; reference:md5,815c690bfc097b82a8f1d171cd00e775; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033192; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.org"; dns.query; content:"checkmalware.org"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019582; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS WebSkimmer Exfil Site)"; flow:established,to_client; tls.cert_subject; content:"hotjar.info"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hotjar\.info(?!\.)/"; reference:url,lukeleal.com/research/posts/hotjar-dot-info-skimmer/; classtype:domain-c2; sid:2033188; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatesoftware24.com"; dns.query; content:"updatesoftware24.com"; depth:20; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019580; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (init)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=init"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033193; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup windows-updater.com"; dns.query; content:"windows-updater.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019581; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (down)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=down"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033194; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftupdateserver.net"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (ping)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=ping"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033195; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatepc.org"; dns.query; content:"updatepc.org"; depth:12; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019579; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/?d="; fast_pattern; http.uri; pcre:"/^\/\?d=[a-f0-9]{16}$/"; http.header_names; content:"|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|"; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testsnetcontrol.com"; dns.query; content:"testsnetcontrol.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019578; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Related Downloader User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|TAKEMIXTWO|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,23f169e4be475e3eec4dcb9d9a344649; classtype:trojan-activity; sid:2033186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testservice24.net"; dns.query; content:"testservice24.net"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019577; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malware Delivery Landing Page via JS Redirect (2021-06-24)"; flow:established,to_client; file.data; content:"|3c|title|3e|File Download|3c 2f|title|3e|"; content:"|24 2e|getJSON|28 20 22|https|3a 2f 2f|"; distance:0; content:"|2f 22 2c 20|function|28|res|29 20 7b 0d 0a 0d 0a|"; within:300; content:"|7d 29 2e|done|28|function|28|res|29 20 7b 0d 0a|"; within:40; content:"params|2e|url|20 3d 20 22|https|3a 2f 2f|"; within:120; fast_pattern; content:"|22 20 2b 20|res|2e|data"; within:300; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:trojan-activity; sid:2033189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup symanttec.org"; dns.query; content:"symanttec.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019576; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malware Delivery Domain (analyticsnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"analyticsnet.top"; bsize:16; fast_pattern; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:domain-c2; sid:2033190; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup securitypractic.com"; dns.query; content:"securitypractic.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019575; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malware Delivery Landing Page Domain (bigeront .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigeront.top"; bsize:12; fast_pattern; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:domain-c2; sid:2033191; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup secnetcontrol.com"; dns.query; content:"secnetcontrol.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019574; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-24"; flow:established,to_client; file.data; content:"<title>Red Link - BANCO DE LA NACION ARGENTINA</title>"; fast_pattern; content:"enctype|3d 22|multipart|2f|form|2d|data|22 20|"; distance:0; content:"id|3d 22|UserNameVerificationForm|22|"; distance:0; content:"name|3d 22|UserNameVerificationForm|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"action|3d 22|doLoginFirstStep.htm|22 3e|"; distance:0; reference:url,app.any.run/tasks/7ff1092c-4c9e-4915-933a-1f568b5ba83d; classtype:social-engineering; sid:2033187; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup scanmalware.info"; dns.query; content:"scanmalware.info"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019573; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-23 Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"btst="; startswith; fast_pattern; pcre:"/\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,f9854aa5bc138498a12af8a45f89dd84; classtype:trojan-activity; sid:2033198; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsof-update.com"; dns.query; content:"microsof-update.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019572; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?m="; fast_pattern; offset:4; pcre:"/^[a-z]{1}/R"; content:"&p1="; distance:0; content:"&p2="; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:53; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,739d14336826d078c40c9580e3396d15; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033199; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsofi.org"; dns.query; content:"microsofi.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019571; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-23 Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mehro"; endswith; fast_pattern; http.request_body; content:"celal="; startswith; content:"&type="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Connect"; reference:md5,738886d83e8dc379fc463e3869c74217; classtype:trojan-activity; sid:2033200; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkwinframe.com"; dns.query; content:"checkwinframe.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019568; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Ransomware Decryptor Domain in DNS Query (decryptor .top)"; dns.query; content:"decryptor.top"; nocase; bsize:13; reference:url,tria.ge/191216-4rcmytrrka; classtype:domain-c2; sid:2033201; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_06_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup check-fix.com"; dns.query; content:"check-fix.com"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019569; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Ransomware Decryptor Domain in  DNS Query (decoder .re)"; dns.query; content:"decoder.re"; nocase; bsize:10; classtype:domain-c2; sid:2033202; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_06_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adawareblock.com"; dns.query; content:"adawareblock.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019564; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE REvil Exfil SFTP Certificate Inbound"; flow:to_client,established; content:"Kanzas City"; nocase; fast_pattern; content:"System IT Inc"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; classtype:targeted-activity; sid:2033205; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup azureon-line.com"; dns.query; content:"azureon-line.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019566; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Valyria Downloader Activity"; flow:established,to_client; file.data; content:"|5c|Temp|5c|regles2.cmd|22|"; fast_pattern; content:"|5c|Temp|5c|CMSTPBypass.exe"; distance:0; content:"|5c|Temp|5c|regles.cmd"; distance:0; reference:url,twitter.com/James_inthe_box/status/1409980230379311105; reference:md5,4f8c9ac36ca0268eb7c9ccec4f9d76f5; classtype:trojan-activity; sid:2033206; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.info"; dns.query; content:"checkmalware.info"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019567; rev:6; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/index.php?member="; startswith; fast_pattern; content:"|20|SSL3.3"; distance:0; reference:url,twitter.com/360CoreSec/status/1405790277034418177; reference:md5,c827d95429b644e918d53b24719dbe6e; classtype:command-and-control; sid:2033207; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"kundenpflege.menrad.de"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019857; rev:7; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Mercurial Grabber"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; http.request_body; content:"|2c 22|username|22 3a 20 22|Mercurial|20|Grabber|22 2c 20 22|"; fast_pattern; reference:md5,252689e3688229ce5e3e26a2ef0a5bf1; reference:url,github.com/NightfallGT/Mercurial-Grabber; classtype:command-and-control; sid:2033197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas ecolines.es"; dns.query; content:"ecolines.es"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019912; rev:6; metadata:created_at 2014_12_10, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)"; flow:established,to_server; http.uri; content:"/openam/oauth2/"; content:"/ccversion/Version"; nocase; pkt_data; content:"jato.pageSession="; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; classtype:attempted-admin; sid:2033208; rev:1; metadata:created_at 2021_06_30, cve CVE_2021_35464, former_category EXPLOIT, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas blackberry-support.herokuapp.com"; dns.query; content:"blackberry-support.herokuapp.com"; depth:32; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019913; rev:6; metadata:created_at 2014_12_10, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reborn Stealer 2021 Exfil attempt via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; content:"|26|caption|3d|"; content:"|f0 9f 8f b4 20|IP|3a 20|"; distance:0; content:"|20|BASIC|20|INFORMATION|3a 0a 20 20 20 e2 88 9f 20|Passwords|20 2d 20|"; distance:0; fast_pattern; reference:md5,f925449e1f939ca70b5f842d4fc55921; reference:url,github.com/alikaptanoglu/Reborn-Stealer-2021-SOURCE/; classtype:command-and-control; sid:2033209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Invisible Internet Project Domain (I2P)"; dns.query; content:".i2p"; endswith; fast_pattern; reference:url,geti2p.net; classtype:policy-violation; sid:2019988; rev:6; metadata:created_at 2014_12_22, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)"; flow:established,to_server; http.uri; content:"/openam/oauth2/"; content:"/ccversion/Version"; nocase; pkt_data; content:"jato.pageSession="; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; reference:url,attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464; reference:cve,2021-35464; classtype:attempted-admin; sid:2033210; rev:1; metadata:attack_target Server, created_at 2021_06_30, cve CVE_2021_35464, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (great-codes.com)"; dns.query; content:"great-codes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020035; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!6180,!80,!443,!8080,!8443,!25,!587,!2525] (msg:"ET MALWARE QuasarRAT/zgRAT C2 Activity (set)"; flow:established,to_server; flowbits:set,ET.zgRAT; flowbits:noalert; content:"|40 00 00 00|"; dsize:4; reference:md5,43a2f0f6fb1b858e9d7997ba8317df03; reference:url,twitter.com/James_inthe_box/status/1410260077861249028; classtype:command-and-control; sid:2033211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (adguard.name)"; dns.query; content:"adguard.name"; depth:12; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020036; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE zgRAT Activity M2"; flow:established,to_server; flowbits:isset,ET.zgRAT; content:"|2b 00 00 00 1f 8b 08 00 00 00 00 00 04 00 33 b6 51 51 b5 b7|"; depth:20; isdataat:!45,relative; reference:md5,43a2f0f6fb1b858e9d7997ba8317df03; reference:url,twitter.com/James_inthe_box/status/1410260077861249028; classtype:command-and-control; sid:2033212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (coral-trevel.com)"; dns.query; content:"coral-trevel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020037; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (toolser .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"toolser.pw"; bsize:10; fast_pattern; reference:url,lukeleal.com/research/posts/magecart-group-12-toolser-skimmer/; classtype:trojan-activity; sid:2033213; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, signature_severity Major, updated_at 2021_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice10.ru)"; dns.query; content:"ddnservice10.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020038; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.2ip.ua"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033214; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (paradise-plaza.com)"; dns.query; content:"paradise-plaza.com"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020039; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established, from_server; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|";  distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033216; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (worldnewsonline.pw)"; dns.query; content:"worldnewsonline.pw"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020040; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established, from_server; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|";  distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033217; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (update-java.net)"; dns.query; content:"update-java.net"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:targeted-activity; sid:2020041; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-25"; flow:established,from_server; file.data; content:"<title>Sign In</title>"; content:"role|3d 22|form|22|"; distance:0; content:"action|3d 22|squ.php|22|"; distance:0; content:"method|3d 22|post|22 3e|"; reference:url,app.any.run/tasks/a0625793-31c1-4538-a5c6-e213eb4b8128/; classtype:credential-theft; sid:2033215; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (allwayshappy.ru)"; dns.query; content:"allwayshappy.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020044; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT xCaon/Textpadx Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/kw.asp"; endswith; fast_pattern; http.request_body; content:"d="; startswith; content:"&k="; distance:0; content:"&w="; distance:0; http.header_names; content:!"Referer"; reference:md5,3562bf97997c54d74f58d4c1ad84fcea; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033219; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (deadwalk32.ru)"; dns.query; content:"deadwalk32.ru"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020047; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT BoxCaon DropBox Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/2/files/create_folder_v2"; bsize:25; http.header; content:"Authorization|3a 20|Bearer|20|iioKFUvLMX0AAAAAAAAAARDKLMS9uW1ax9ogdxWVqMC582VLW-CVofMpeFTEVfhU|0d 0a|"; fast_pattern; http.host; content:"api.dropboxapi.com"; bsize:18; reference:md5,974201f7895967bff0b018b95d5f5f4b; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033220; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (doubleclickads.net)"; dns.query; content:"doubleclickads.net"; depth:18; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020048; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nivesro Cheat CnC Activity M1"; flow:established,to_server; http.uri; content:"authentication.php?a="; fast_pattern; content:"&b="; distance:0; http.accept; content:"text/*"; bsize:6; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,6aaa1742b89bd72be6ee50709fc457ab; classtype:trojan-activity; sid:2033221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (octoberpics.ru)"; dns.query; content:"octoberpics.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020054; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NivesroCheat CnC Activity M2"; flow:established,to_server; http.uri; content:"version.php?a="; fast_pattern; content:!"&"; distance:0; http.accept; content:"text/*"; bsize:6; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|"; startswith; reference:md5,6aaa1742b89bd72be6ee50709fc457ab; classtype:trojan-activity; sid:2033222; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (server38.info)"; dns.query; content:"server38.info"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020057; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BnpOnspQwtjCA"; endswith; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (ssl-server24.ru)"; dns.query; content:"ssl-server24.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020058; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Register M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BnpOnspQwtjCA/register"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeterplanet.ru)"; dns.query; content:"tweeterplanet.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020059; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Register M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register"; http.request_body; content:"cid="; content:"&group="; distance:0; content:"ip_local="; distance:0; content:"&ip_local2="; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (updatemyhost.ru)"; dns.query; content:"updatemyhost.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020061; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Key Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/key"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (walkingdead32.ru)"; dns.query; content:"walkingdead32.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020062; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Services Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/services"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033227; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (worldnews247.net)"; dns.query; content:"worldnews247.net"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020063; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Priority Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/priority"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (financialnewsonline.pw)"; dns.query; content:"financialnewsonline.pw"; depth:22; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020066; rev:6; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Ignore Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/ignore"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hong Kong SWC Attack DNS Lookup (aoemvp.com)"; dns.query; content:"aoemvp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020171; rev:5; metadata:created_at 2015_01_12, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Ext Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/ext"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p-netdb.innovatio.no)"; dns.query; content:"i2p-netdb.innovatio.no"; depth:22; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020189; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Wipe Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/wipe"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p.mooo.com)"; dns.query; content:"i2p.mooo.com"; depth:12; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020190; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Landing Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/landing"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (netdb.i2p2.no)"; dns.query; content:"netdb.i2p2.no"; depth:13; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020191; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol HTTP Cookie Observed"; flow:established,to_server; http.cookie; content:"diavol_session="; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (reseed.i2p-projekt.de)"; dns.query; content:"reseed.i2p-projekt.de"; depth:21; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020192; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain"; dns.query; content:".indexsinas.me"; endswith; fast_pattern; reference:url,www.guardicore.com/labs/smb-worm-indexsinas/; classtype:domain-c2; sid:2033234; rev:1; metadata:created_at 2021_07_05, former_category TROJAN, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (uk.reseed.i2p2.no)"; dns.query; content:"uk.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020193; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain"; dns.query; content:"a.ccmd.website"; endswith; fast_pattern; reference:url,www.guardicore.com/labs/smb-worm-indexsinas/; classtype:domain-c2; sid:2033235; rev:1; metadata:created_at 2021_07_05, former_category TROJAN, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (us.reseed.i2p2.no)"; dns.query; content:"us.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020194; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET HUNTING Possible REvil 0day Exploitation Activity Inbound"; flow:established,to_server; content:"|0a|procCreate|28 22|Archive"; content:"procStep|28|"; distance:0; within:50; content:"+++SQLCMD|3a 22|+"; distance:0; within:100; content:"|22|DELETE|20|FROM"; reference:url,blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/; classtype:bad-unknown; sid:2033236; rev:1; metadata:created_at 2021_07_05, former_category HUNTING, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (apple.dynamic-dns.net)"; dns.query; content:"apple.dynamic-dns.net"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020244; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Initial CnC Checkin Outbound"; flow:established,to_server; dsize:8; content:"|3e c7 e3 1e 37 47 61 20|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033237; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (autocar.ServeUser.com)"; dns.query; content:"autocar.ServeUser.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020245; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Initial CnC Checkin Inbound"; flow:established,to_server; dsize:8; content:"|3e c7 e3 1e 37 47 61 20|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033238; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (coastnews.darktech.org)"; dns.query; content:"coastnews.darktech.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020249; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Bot Upload Command Outbound"; flow:established,from_server; dsize:8; content:"|b1 2f de ce cb 89 e1 a0|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033239; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (demon.4irc.com)"; dns.query; content:"demon.4irc.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020250; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Info Submission Outbound"; flow:established,to_server; dsize:<300; content:"|3a 31 34 b5 02 00|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033240; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.ddns.info)"; dns.query; content:"logoff.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020259; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Info Submission Inbound"; flow:established,to_server; dsize:<300; content:"|3a 31 34 b5 02 00|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033241; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (yellowblog.flnet.org)"; dns.query; content:"yellowblog.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020279; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Attack Command Outbound"; flow:established,from_server; dsize:<70; content:"|ad af fe 7f|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033242; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious tolotor.com Domain - Possible CryptoWall Activity"; dns.query; content:"tolotor.com"; depth:11; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020284; rev:5; metadata:created_at 2015_01_22, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Bot Upload Command Inbound"; flow:established,from_server; dsize:8; content:"|b1 2f de ce cb 89 e1 a0|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033244; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (pstcmedia.com)"; dns.query; content:"pstcmedia.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020444; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE xCaon Embedded Encrypted Command in Webpage"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 7c 23|"; fast_pattern; content:"|23 7c 2d 2d 3e|"; distance:0; within:300; classtype:command-and-control; sid:2033245; rev:1; metadata:created_at 2021_07_05, former_category MALWARE, updated_at 2021_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mixedwork.com)"; dns.query; content:"mixedwork.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020445; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kaseya VSA Exploit Activity M1 (SET)"; flow:established,to_server; http.request_line; content:"POST|20|/dl.asp|20|"; fast_pattern; startswith; http.user_agent; content:"curl/"; startswith; flowbits:set,ET.kaseya1; flowbits:noalert; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033248; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ahmedfaiez.info)"; dns.query; content:"ahmedfaiez.info"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020446; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kaseya VSA Exploit Activity M2 (SET)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/KUpload.asp"; fast_pattern; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:set,ET.kaseya2; flowbits:noalert; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033249; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupdate.com)"; dns.query; content:"flushupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020447; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/done.asp"; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:isset,ET.kaseya1; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033250; rev:1; metadata:affected_product Kaseya_VSA, attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupate.com)"; dns.query; content:"flushupate.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020448; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/done.asp"; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:isset,ET.kaseya2; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ineltdriver.com)"; dns.query; content:"ineltdriver.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020449; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit URI Structure Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userFilterTableRpt.asp"; fast_pattern; endswith; http.method; http.user_agent; content:"curl/"; startswith; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033252; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mediahitech.info)"; dns.query; content:"mediahitech.info"; depth:16; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020450; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Payload 2021-07-06"; flow:established, to_server; http.uri; pcre: "/\.(?:exe|dll)$/"; http.header; content:"User-Agent|3a 20|charris"; fast_pattern; content:"UA-CPU|3a|"; http.header_names; content:!"Referer"; reference:md5,fda11c3ab0a8f8fb190456842974583c; classtype:trojan-activity; sid:2033253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (plmedgroup.com)"; dns.query; content:"plmedgroup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020451; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE Possible Siloscape IRC CnC JOIN Command Observed"; flow:established,to_server; content:"JOIN|20|#WindowsKubernetes"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/siloscape/; classtype:command-and-control; sid:2033266; rev:1; metadata:created_at 2021_07_07, former_category MALWARE, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (advtravel.info)"; dns.query; content:"advtravel.info"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020452; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO URL Shortening Service Domain in TLS SNI (coki .me)"; flow:established,to_server; tls.sni; content:"coki.me"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2033267; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_07, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (fpupdate.info)"; dns.query; content:"fpupdate.info"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020453; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC Channel join"; flow:to_server,established; content:"JOIN|20 3a 20 23|"; fast_pattern; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101729; rev:12; metadata:created_at 2010_09_23, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (linksis.info)"; dns.query; content:"linksis.info"; depth:12; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020454; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC Channel join on non-standard port"; flow:to_server,established; content:"JOIN|20 3a 20|#"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; classtype:policy-violation; sid:2000351; rev:12; metadata:created_at 2010_07_30, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (linkedim.in)"; dns.query; content:"linkedim.in"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020459; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET MALWARE IRC Bot Download http Command"; flow:established,from_server; content:"JOIN|20 3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:5; metadata:created_at 2012_03_28, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (androcity.com)"; dns.query; content:"androcity.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020461; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)"; dns.query; content:".nanopool.org"; nocase; endswith; classtype:policy-violation; sid:2033268; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (liptona.net)"; dns.query; content:"liptona.net"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020462; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WaterDropX PRISM UA Observed"; flow:established,to_server; http.user_agent; content:"agent-waterdropx"; fast_pattern; classtype:command-and-control; sid:2033269; rev:1; metadata:created_at 2021_07_07, former_category USER_AGENTS, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nauss-lab.com)"; dns.query; content:"nauss-lab.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020464; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WaterDropX PRISM CnC Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"@@"; fast_pattern; offset:1; content:"@@"; distance:1; within:2; content:"@@"; distance:0; within:50; isdataat:!6,relative; flowbits:isset,ET.waterdropx; classtype:command-and-control; sid:2033271; rev:2; metadata:created_at 2021_07_07, former_category MALWARE, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nice-mobiles.com)"; dns.query; content:"nice-mobiles.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020465; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WaterDropX PRISM CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x?v="; content:"&act="; http.user_agent; content:"agent-waterdropx"; fast_pattern; flowbits:set,ET.waterdropx; classtype:command-and-control; sid:2033270; rev:2; metadata:created_at 2021_07_07, former_category MALWARE, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (facebook-emoticons.bitblogoo.com)"; dns.query; content:"facebook-emoticons.bitblogoo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020466; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Command Injection Attempt Inbound (Possible Mirai Activity)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/op_type="; startswith; fast_pattern; content:"|3b|"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; classtype:attempted-user; sid:2033272; rev:1; metadata:created_at 2021_07_07, former_category EXPLOIT, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (abuhmaid.net)"; dns.query; content:"abuhmaid.net"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020467; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Vulnerability Exploit Attempt (Possible Mirai Activity)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/"; startswith; http.request_body; content:"key=|27 3b 60|"; startswith; fast_pattern; content:"wget"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; classtype:attempted-admin; sid:2033273; rev:1; metadata:attack_target Server, created_at 2021_07_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (blogging-host.info)"; dns.query; content:"blogging-host.info"; depth:18; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020468; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (IST)"; flow:to_server,established; http.user_agent; content:"IST"; bsize:3; fast_pattern; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; classtype:pup-activity; sid:2001493; rev:37; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (tvgate.rocks)"; dns.query; content:"tvgate.rocks"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020469; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033247; rev:2; metadata:created_at 2021_07_06, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (iwork-sys.com)"; dns.query; content:"iwork-sys.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020472; rev:6; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|2f 00|"; content:"|2f|"; distance:0; within:30; classtype:misc-activity; sid:2033274; rev:2; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE 9002 RAT C&C DNS request"; dns.query; content:"cache.dnsde.com"; depth:15; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2020713; rev:5; metadata:created_at 2015_03_19, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00 3f 00 5c 00|U|00|N|00|C|00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033275; rev:2; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (saveweb.wink.ws)"; dns.query; content:"saveweb.wink.ws"; depth:15; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020814; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00 3f 00 3f 00 5c 00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033276; rev:1; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (carima2012.site90.com)"; dns.query; content:"carima2012.site90.com"; depth:21; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020815; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - AddPrinterDriverEx with Suspicious Filepath"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c|spool|5c|drivers|5c|x64|5c|3|5c|old|5c|"; fast_pattern; classtype:misc-activity; sid:2033246; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_06, cve 2021_34527, former_category POLICY, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (explorerdotnt.info)"; dns.query; content:"explorerdotnt.info"; depth:18; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020816; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sharebusiness.xyz"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033277; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotnetexplorer.info)"; dns.query; content:"dotnetexplorer.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020817; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=elwoodasset.xyz"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033278; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotntexplorere.info)"; dns.query; content:"dotntexplorere.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020818; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.header; pcre:"/^Date\x3a\x20[^\r\n]+[0-9]{2}::[0-9]{2}\x20/"; http.header_names; content:"|0d 0a|Date|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; content:!"Accept"; http.user_agent; content:"Win"; bsize:3; reference:md5,f75e5710a5c84cec8e06b9b5c99e5400; reference:url,twitter.com/malware_traffic/status/1412914497338097664; classtype:trojan-activity; sid:2033279; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (xploreredotnet.info)"; dns.query; content:"xploreredotnet.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020819; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OptiLink ONT1GEW GPON RCE Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boaform/admin/"; pcre:"/^form(?:Ping|Tracert)$/R"; http.request_body; content:"target_addr=|22|"; fast_pattern; content:"|60|"; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033280; rev:2; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (erdotntexplore.info)"; dns.query; content:"erdotntexplore.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020820; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT OptiLink ONT1GEW GPON RCE Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boaform/admin/"; pcre:"/^form(?:Ping|Tracert)$/R"; http.request_body; content:"target_addr=|22|"; fast_pattern; content:"|60|"; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033281; rev:1; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"aa.hostasa.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:6; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033282; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns1.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033283; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns2.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; distance:0; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_31755, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns3.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; distance:0; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033285; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_31755, updated_at 2021_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns4.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (NHS UK Covid Passport Phish)"; flow:from_server,established; tls.cert_subject; content:"CN=nhs.applyonline20.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033286; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gh.dsaj2a1.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING jpg download from fileupload .site"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.host; content:"fileupload.site"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033287; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"navert0p.com"; depth:12; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO URL Shortening Service Domain in TLS SNI (hyp .ae)"; flow:established,to_server; tls.sni; content:"hyp.ae"; bsize:6; fast_pattern; classtype:policy-violation; sid:2033288; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"wangzongfacai.com"; depth:17; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:5; metadata:created_at 2015_06_23, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8000: (msg:"ET MALWARE Malicious Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn/"; startswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.header_names; content:!"Referer"; reference:md5,0e0c65c206e1244987db350f3fefabd6; reference:md5,e31b4fb81764e4dd6bacab9baba266b4; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033289; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gggatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/updates"; bsize:8; http.cookie; content:"user="; startswith; fast_pattern; pcre:"/^[A-P]{256}$/R"; http.header_names; content:!"Referer"; reference:md5,5dfb7f863cd291544b9dfdb3de25162f; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033290; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"xxxatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Connection|3a 20|Keel-Alive"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59d23f4da9837474d3f2d9f6816bd716; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033291; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; dns.query; content:"tinduongpho.com"; depth:15; fast_pattern; endswith; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BIOPASS RAT Related Domain in DNS Lookup (0x3s .com)"; dns.query; content:"0x3s.com"; nocase; bsize:8; reference:url,www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:domain-c2; sid:2033292; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"v8.f1122.org"; depth:12; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2021443; rev:5; metadata:created_at 2015_07_20, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033294; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"GroUndHog.MapSnode.CoM"; depth:22; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2021444; rev:5; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033295; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; dns.query; content:"drometic.suroot.com"; depth:19; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021576; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033296; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; dns.query; content:"docume.sysbloger.com"; depth:20; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021577; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033297; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; dns.query; content:"ohio.sysbloger.com"; depth:18; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021578; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033298; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; dns.query; content:"specs.dnsrd.com"; depth:15; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021579; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033299; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; dns.query; content:"np3.Jkub.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021580; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033300; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; dns.query; content:"ns8.ddns1.com"; depth:13; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021581; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033301; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (books.mrface.com)"; dns.query; content:"books.mrface.com"; depth:16; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021582; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033302; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; dns.query; content:"kieti.ipsecsl.net"; depth:17; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021583; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033303; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"s-p-o-o-f-e-d.h-o-s-t.name"; depth:26; fast_pattern; nocase; endswith; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033304; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; dns.query; content:"xssok.blogspot.com"; depth:18; nocase; endswith; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:5; metadata:created_at 2015_09_16, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033305; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Gh0ST/PlugX/Various Backdoors DNS Lookup (gameofthrones.ddns.net)"; dns.query; content:"gameofthrones.ddns.net"; depth:22; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033306; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Likely PlugX DNS Lookup (chrome.servehttp.com)"; dns.query; content:"chrome.servehttp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021793; rev:5; metadata:created_at 2015_09_16, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033307; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Backdoor.GTalkTrojan DNS Lookup (update.gtalklite.com)"; dns.query; content:"update.gtalklite.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021794; rev:5; metadata:created_at 2015_09_16, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass Attempt Outbound (CVE-2021-33543)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uapi-cgi/"; fast_pattern; pcre:"/^.{1,50}\/uapi-cgi\//Ui"; content:".cgi"; endswith; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33543; classtype:attempted-admin; sid:2033308; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33543, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger HTTPBrowser DNS Lookup (trendmicro-update.org)"; dns.query; content:"trendmicro-update.org"; depth:21; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021795; rev:5; metadata:created_at 2015_09_16, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass Attempt Inbound (CVE-2021-33543)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uapi-cgi/"; fast_pattern; pcre:"/^.{1,50}\/uapi-cgi\//Ui"; content:".cgi"; endswith; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33543; classtype:attempted-admin; sid:2033309; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33543, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-analysis.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021806; rev:5; metadata:created_at 2015_09_21, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BIOPASS RAT Python Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/res/"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.host; content:"flashdownloadserver.oss-cn-hongkong.aliyuncs.com"; reference:md5,f0b96efe2f714e7bddf76cc90a8b8c88; reference:url,trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:trojan-activity; sid:2033293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-diagnostics.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021807; rev:5; metadata:created_at 2015_09_21, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BIOPASS RAT Go Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/res/"; startswith; fast_pattern; content:".exe"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.host; content:"flashdownloadserver.oss-cn-hongkong.aliyuncs.com"; reference:md5,f0b96efe2f714e7bddf76cc90a8b8c88; reference:url,trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:trojan-activity; sid:2033310; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.crash-analytics.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021808; rev:5; metadata:created_at 2015_09_21, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DCRat CnC Exfil"; flow:established,to_server; urilen:>150; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^[a-f0-9]{32}\r\n\r\nPK/Rsi"; content:"Browsers/"; fast_pattern; distance:0; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3aa17643535d17db367447e1104e12d9; classtype:trojan-activity; sid:2033087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Naikon DNS Lookup (greensky27.vicp.net)"; dns.query; content:"greensky27.vicp.net"; depth:19; nocase; endswith; fast_pattern; reference:url,threatconnect.com/camerashy-resources/; classtype:trojan-activity; sid:2021831; rev:5; metadata:created_at 2015_09_24, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033311; rev:1; metadata:created_at 2021_07_09, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; dns.query; content:"aps.kemoge.net"; depth:14; fast_pattern; nocase; endswith; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033312; rev:1; metadata:created_at 2021_07_09, updated_at 2021_07_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (googlemanage.com)"; dns.query; content:"googlemanage.com"; depth:16; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021935; rev:5; metadata:created_at 2015_10_08, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SideWinder APT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.pakmarines.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033313; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (websecexp.com)"; dns.query; content:"websecexp.com"; depth:13; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021960; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML,|20|like|20|Gecko)|20|Chrome/70."; bsize:91; reference:url,media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF; classtype:bad-unknown; sid:2033314; rev:1; metadata:created_at 2021_07_12, former_category USER_AGENTS, updated_at 2021_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup (mailsecurityservice.com)"; dns.query; content:"mailsecurityservice.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2015/10/targeted-attacks-ngo-burma/; classtype:trojan-activity; sid:2021962; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)"; flow:established,to_server; http.user_agent; content:"Microsoft|20|Office/14.0|20|(Windows|20|NT|20|6.1|3b 20|Microsoft|20|Outlook|20|14.0.7162|3b 20|Pro"; bsize:71; reference:url,media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF; classtype:bad-unknown; sid:2033315; rev:1; metadata:created_at 2021_07_12, former_category USER_AGENTS, updated_at 2021_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"softupdates.info"; depth:16; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022121; rev:5; metadata:created_at 2015_11_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WildPressure/Milum CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|pk="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20|Python-urllib/"; http.request_body; content:"pk="; startswith; content:"&value="; distance:0; pcre:"/^pk=[A-Za-z0-9]{8,50}&value=[a-f0-9]{50,500}$/s"; http.header_names; content:!"Referer"; reference:url,securelist.com/wildpressure-targets-macos/103072/; reference:md5,92a11f0dcb973d1a58d45c995993d854; classtype:trojan-activity; sid:2033316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"drivres-update.info"; depth:19; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022122; rev:5; metadata:created_at 2015_11_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation SpoofedScholars Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect/?memberemailid="; startswith; fast_pattern; pcre:"/^[A-Z]{2}-[A-Z0-9]{10,20}-[A-Z0-9]{6,10}-[A-Z0-9]{2,8}-[A-Z0-9]{2,8}-[0-9]{2,5}$/R"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2033317; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (alhadath.mobi)"; dns.query; content:"alhadath.mobi"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022148; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Maldoc/Zloader CnC)"; flow:from_server,established; content:"|0f|heavenlygem.com"; nocase; fast_pattern; content:"|2a|.heavenlygem.com"; classtype:domain-c2; sid:2033318; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (big-windowss.com)"; dns.query; content:"big-windowss.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022149; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE PJobRat System Exfil to CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"|7b 22|network|22 3a 22|"; content:"|22 2c 22|type|22 3a 22 5b|"; content:"|22 2c 22|info|22 3a 22|"; content:"|22 2c 22|ipaddr|22 3a 22|"; content:"|22 2c 22|bandwidth|22 3a 22|"; content:"|22 2c 22|downspeed|22 3a 22|"; content:"|22 2c 22|upspeed|22 3a 22|"; content:"|22 2c 22|rip|22 3a 22|"; content:"|22 2c 22|manufacture|22 3a 22|"; content:"|22 2c 22|imei|22 3a 22|"; content:"|22 2c 22|pnumber|22 3a 22|"; content:"|22 2c 22|location|22 3a 22 5b 7b 5c 22|latitude|5c 22 3a 5c 22|"; fast_pattern; content:"|22 2c 22|appname|22 3a 22|"; reference:url,labs.k7computing.com/?p=22537; classtype:command-and-control; sid:2033319; rev:1; metadata:affected_product Android, created_at 2021_07_13, former_category MOBILE_MALWARE, updated_at 2021_07_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (cacheupdate14.com)"; dns.query; content:"cacheupdate14.com"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022150; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE PJobRat CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b|name|3d 22|"; content:"|3b|filename|3d 22|"; content:"|5b 7b 22|cid|22 3a|"; content:"displayName"; content:"phoneNumber|22 3a 22 2b|"; fast_pattern; content:"file|0d 0a 2d 2d 2d 2d 2d 2d|"; content:"contacts|0d 0a 2d 2d 2d 2d 2d 2d|"; http.uri; content:".php"; endswith; reference:url,labs.k7computing.com/?p=22537; classtype:command-and-control; sid:2033320; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_07_13, former_category MOBILE_MALWARE, updated_at 2021_07_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.space)"; dns.query; content:"fbstatic-a.space"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022151; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)"; flow:established,to_client; file.data; content:"RhinoSoft"; content:"Serv-U"; distance:0; content:"\\r\\nCRhinoUintAttr\\r\\nLastHour\\r\\n"; fast_pattern; content:".Archive"; content:"Serv-U-Tray.exe"; content:"window.close|28 29|"; reference:md5,2443968bb4d1c9f5e99d4dd09fd754af; reference:url,www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211; classtype:trojan-activity; sid:2033321; rev:2; metadata:attack_target Server, created_at 2021_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.xyz)"; dns.query; content:"fbstatic-a.xyz"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022152; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/otproc.asp"; bsize:11; http.user_agent; content:"Indy|20|Library|29|"; endswith; http.request_body; content:"sGbn="; startswith; fast_pattern; content:"&sGbn1="; distance:0; content:"&n5uid="; distance:0; http.header_names; content:!"Referer"; reference:md5,bf0c3851bd0cdd2bbdd3902326e37688; classtype:trojan-activity; sid:2033322; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-akamaihd.com)"; dns.query; content:"fbstatic-akamaihd.com"; depth:21; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022153; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncAddPrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|27 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033255; rev:4; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (gmailtagmanager.com)"; dns.query; content:"gmailtagmanager.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022154; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncCorePrinterDriverInstalled"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|41 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033263; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz.link)"; dns.query; content:"haaretz.link"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022155; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|2a 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033258; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz-news.com)"; dns.query; content:"haaretz-news.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022156; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverEx"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|2b 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033259; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (heartax.info)"; dns.query; content:"heartax.info"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022157; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|43 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033265; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (img.gmailtagmanager.com)"; dns.query; content:"img.gmailtagmanager.com"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022158; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncEnumPrinterDrivers"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|28 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:bad-unknown; sid:2033254; rev:3; metadata:created_at 2021_07_06, former_category POLICY, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (kernel4windows.in)"; dns.query; content:"kernel4windows.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022159; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetCorePrinterDrivers"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|40 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033262; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (main.windowskernel14.com)"; dns.query; content:"main.windowskernel14.com"; depth:24; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022160; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|1a 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033256; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (micro-windows.in)"; dns.query; content:"micro-windows.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022161; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverDirectory"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|29 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033257; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate15.com)"; dns.query; content:"mswordupdate15.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022162; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverPackagePath"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|42 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033264; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate16.com)"; dns.query; content:"mswordupdate16.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022163; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AZORult CnC Domain (miscrosoftworrd .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"miscrosoftworrd.000webhostapp.com"; bsize:33; fast_pattern; reference:md5,6610271aeae6daa7df27641cba63115a; classtype:domain-c2; sid:2033323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_14, deployment Perimeter, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate17.com)"; dns.query; content:"mswordupdate17.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022164; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Connectivity Check M2"; flow:to_server,established; http.uri; content:"/proxy.php"; endswith; fast_pattern; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3b 20|Win64|3b 20|x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/90.0.4430.85 Safari/537.36 OPR/76.0.4017.94"; bsize:131; http.host; content:"zennolab.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc171ee77dc2d657e0c018fcad17608f; classtype:trojan-activity; sid:2033324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mywindows24.in)"; dns.query; content:"mywindows24.in"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022165; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Connectivity Check M3"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3b 20|Win64|3b 20|x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/90.0.4430.85 Safari/537.36 OPR/76.0.4017.94"; bsize:131; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc171ee77dc2d657e0c018fcad17608f; classtype:trojan-activity; sid:2033325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch7-windows.com)"; dns.query; content:"patch7-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022166; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspicious TikTok Domain Request - Possible Phishing or Scam"; dns.query; content:"tiktok"; fast_pattern; pcre:"/(?:verify|support|account|copyright|help|verified|service|badge|verification|safety)?.{0,30}tiktok(?:verify|support|account|copyright|help|verified|service|badge|verification|safety)?.{0,30}(\.ml$|\.ga$|\.cf$|\.gq$|\.tk$|\.xyz$)/"; classtype:social-engineering; sid:2031492; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch8-windows.com)"; dns.query; content:"patch8-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022167; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE MSHTML Out-of-Bounds Write Inbound (CVE-2021-33742)"; flow:from_server,established; file.data; content:"innerHTML|20|=|20|Array|28|"; nocase; fast_pattern; byte_test:0,>=,33554431,0,string,dec,relative; content:"|29|.toString|28 29 3b|"; distance:0; within:50; reference:url,googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html; reference:cve,2021-33742; classtype:attempted-admin; sid:2033326; rev:1; metadata:created_at 2021_07_15, cve CVE_2021_33742, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patchthiswindows.com)"; dns.query; content:"patchthiswindows.com"; depth:20; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022168; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/htt_p"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,f85752f580eabe38362bea8e9bb61297; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:command-and-control; sid:2033327; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (u.mywindows24.in)"; dns.query; content:"u.mywindows24.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022169; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (msstore .io)"; dns.query; content:"msstore.io"; nocase; bsize:10; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033328; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (walla.link)"; dns.query; content:"walla.link"; depth:10; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022170; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (adtracker .link)"; dns.query; content:"adtracker.link"; nocase; bsize:14; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033329; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wethearservice.com)"; dns.query; content:"wethearservice.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022171; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (cdnmobile .io)"; dns.query; content:"cdnmobile.io"; nocase; bsize:12; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033330; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wheatherserviceapi.info)"; dns.query; content:"wheatherserviceapi.info"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022172; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.DPRK MalDoc SysInfo CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|MAX_FILE_SIZE|22 0d 0a|"; content:"name=|22|userfile|22 3b 20|filename=|22|yo|22 0d 0a|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,8a7686430d9ad2832e8a4c3992186b36; classtype:trojan-activity; sid:2033331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowkernel.com)"; dns.query; content:"windowkernel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022173; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Checkin M1"; flow:established,to_server; content:"|00 44 a2 62 97 ec 0b db 04 08 1c 3c 59 32 28 08 b7|"; offset:3; depth:17; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-10patch.in)"; dns.query; content:"windows-10patch.in"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022174; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Outbound M1"; flow:established,to_server; content:"|31 36 00 ba fe ef fa 6f d3 df bf 95 83 64 32 67 88 bc 83|"; dsize:19; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows24-kernel.in)"; dns.query; content:"windows24-kernel.in"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022175; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Inbound M1"; flow:established,to_client; content:"|31 36 00 da 1b 70 b5 96 ed a6 4a 18 8e ce 90 cc 5a fc 71|"; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-drive20.com)"; dns.query; content:"windows-drive20.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022176; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Checkin M2"; flow:established,to_server; content:"|00 93 2d 95 a9 6e fb 6c fb e0 02 ba 4b 2a a9 d9 e5|"; offset:3; depth:17; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-india.in)"; dns.query; content:"windows-india.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022177; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Outbound M2"; flow:established,to_server; content:"|31 36 00 0d 47 53 7a 9b 6b b1 37 a8 9b a9 97 b3 e6 8f 1d|"; dsize:19; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel.in)"; dns.query; content:"windowskernel.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022178; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Inbound M2"; flow:established,to_client; content:"|31 36 00 29 73 c4 34 06 b6 62 c3 2e d4 0f 86 fb f3 35 c0|"; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-kernel.in)"; dns.query; content:"windows-kernel.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022179; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket CnC Checkin"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/cert/trust"; bsize:11; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033339; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family Gasket, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel14.com)"; dns.query; content:"windowskernel14.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022180; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket Requesting Commands from CnC"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/time/sync"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033340; rev:1; metadata:created_at 2021_07_15, former_category MALWARE, malware_family Gasket, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowslayer.in)"; dns.query; content:"windowslayer.in"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022181; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket Submitting Logs to CnC"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/cert/dist"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033341; rev:1; metadata:created_at 2021_07_15, former_category MALWARE, malware_family Gasket, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-my50.com)"; dns.query; content:"windows-my50.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022182; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Chisel SOCKS Proxy Startup Observed"; flow:established,from_server; http.stat_code; content:"101"; file.data; content:"SSH-chisel-v3-server"; offset:2; fast_pattern; classtype:policy-violation; sid:2033342; rev:1; metadata:created_at 2021_07_15, former_category POLICY, tag Proxy, tag Tunnel, updated_at 2021_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowssup.in)"; dns.query; content:"windowssup.in"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022183; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mespinoza Ransomware - Pre-Encryption File Exfil to CnC"; flow:established,to_server; http.uri; content:"/upload-"; startswith; fast_pattern; content:"?token="; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; content:"&id="; distance:0; content:"&fullPath="; distance:0; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family Mespinoza, signature_severity Major, tag Ransomware, updated_at 2021_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowsupup.com)"; dns.query; content:"windowsupup.com"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022184; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; startswith; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:targeted-activity; sid:2009486; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (inocnation.com)"; dns.query; content:"inocnation.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022273; rev:5; metadata:created_at 2015_12_17, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Baidu Spider Webcrawler User Agent - inbound"; flow:established,to_server; content:"baiduspider"; nocase; http_user_agent; classtype:not-suspicious; sid:2033002; rev:1; metadata:attack_target Web_Server, created_at 2021_05_19, former_category SCAN, signature_severity Informational, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilGrab or APT.9002 DNS Lookup (secvies.com)"; dns.query; content:"secvies.com"; depth:11; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:targeted-activity; sid:2022355; rev:6; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_tt_p"; fast_pattern; bsize:7; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,14a2b8af48b6db92f047525d893eaeb8; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033172; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TrochilusRAT DNS Lookup (security-centers.com)"; dns.query; content:"security-centers.com"; depth:20; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022356; rev:6; metadata:created_at 2016_01_13, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"all-brain-company.xyz"; bsize:21; fast_pattern; reference:md5,997e848955296560d80ae65a1ec073d5; classtype:domain-c2; sid:2033344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsip.ru Domain"; dns.query; content:".dnsip.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022382; rev:5; metadata:created_at 2016_01_19, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA Authentication Bypass (management) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/management"; http.referer; content:!"/__api__/v1/logon"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033345; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyn-dns.ru Domain"; dns.query; content:".dyn-dns.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022383; rev:6; metadata:created_at 2016_01_19, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (sslvpnclient) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/sslvpnclient"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033346; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru Domain"; dns.query; content:".dnsalias.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022381; rev:6; metadata:created_at 2016_01_19, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (portal) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/portal"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033347; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru Domain"; dns.query; content:".dns-free.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022384; rev:6; metadata:created_at 2016_01_19, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/supportInstaller"; endswith; http.request_body; content:"fromEmailInvite"; content:"customerTID"; tag:session,5,packets; reference:url,www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; reference:cve,2019-7481; classtype:web-application-attack; sid:2033348; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2019_7481, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (aynfksddnnfwkd)"; dns.query; content:".aynfksddnnfwkd"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022399; rev:5; metadata:created_at 2016_01_21, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=setting.htm"; content:"TF_submask=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033349; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (krfdnhfnsai3d)"; dns.query; content:".krfdnhfnsai3d"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022400; rev:5; metadata:created_at 2016_01_21, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dhcp.cgi?redirect=setting.htm"; content:"TF_hostname=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 1"; dns.query; content:"9i7ffdgvffibow7.vrnserver.ru"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022411; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ppp.cgi?redirect=setting.htm"; content:"TF_servicename=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033351; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 6"; dns.query; content:"admin.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022416; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/man.cgi?redirect=setting.htm"; content:"TF_port=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 15"; dns.query; content:"dolat.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022425; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS and Webpass IoT devices CVE-2021-31643"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=EmpRcd.htm"; content:"&username=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3c|"; distance:0; reference:cve,2021-31643; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31643, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 16"; dns.query; content:"dolet.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022426; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Request via wttr .in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?format="; startswith; http.host; content:"wttr.in"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2033354; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 17"; dns.query; content:"economy.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022427; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows Powershell User-Agent Usage"; flow:established,to_server; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; classtype:not-suspicious; sid:2033355; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 20"; dns.query; content:"firefox.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022430; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"steven-gerrard-liverpool-future-dalglish--goal-"; http.host; content:!"www.liverpool.com"; reference:md5,10f8195621113f9c8de63ba139e91cff; classtype:command-and-control; sid:2033356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 24"; dns.query; content:"github.ignorelist.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022434; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/pop2.html?key="; fast_pattern; content:"&n="; distance:0; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033357; rev:1; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 25"; dns.query; content:"islam.youtubesitegroup.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022435; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS CnC Domain in DNS Lookup (opposedarrangement .net)"; dns.query; content:".opposedarrangement.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:domain-c2; sid:2033358; rev:2; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 26"; dns.query; content:"kissecurity.firewall-gateway.net"; depth:32; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022436; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/megalodon?m="; fast_pattern; content:"&v="; distance:0; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033359; rev:2; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 27"; dns.query; content:"liumingzhen.myftp.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022437; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Gatekeeper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/wizard/01-00000000"; fast_pattern; endswith; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033360; rev:1; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 33"; dns.query; content:"opero.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022443; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroStealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|nitropacked.zip|22 0d 0a|"; fast_pattern; content:"screenshot"; nocase; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,367ef1b1579a6987d5648bb95f7c9a10; classtype:trojan-activity; sid:2033361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 34"; dns.query; content:"otcgk.border.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022444; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CHIYU IoT Devices - Denial of Service"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=AccLog.htm"; startswith; content:"&type=go_log_page&page=2781000"; endswith; fast_pattern; http.referer; content:"/AccLog.htm"; endswith; reference:cve,2021-31642; reference:url,www.exploit-db.com/exploits/49937; classtype:denial-of-service; sid:2033362; rev:2; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 41"; dns.query; content:"webmail.yourturbe.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022451; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/s";  http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns.query; content:"www.googmail.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022455; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncUploadPrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3f 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033261; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns.query; content:"www.gorlan.cloudns.pro"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022456; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncInstallPrinterDriverFromPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3e 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033260; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns.query; content:"www.uyghur.25u.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022457; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/@/"; startswith; content:"/tele.txt"; fast_pattern; http.host; content:"microsoft-updates.servehttp.com"; bsize:31; reference:md5,f23dd9acbf28f324b290b970fbc40b30; classtype:trojan-activity; sid:2033363; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 44"; dns.query; content:"zjhao.dtdns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022461; rev:6; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Telegram API Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1624838777:AAGjNO7By4SqVdmXRlSPcde2DRinvDNYbzA/"; fast_pattern; startswith; http.host; content:"api.telegram.org"; bsize:16; reference:md5,f23dd9acbf28f324b290b970fbc40b30; classtype:trojan-activity; sid:2033364; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CustomRAT DNS lookup"; dns.query; content:"www729448908.f3322.org"; depth:22; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022473; rev:5; metadata:created_at 2016_01_28, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to freemyip .com Domain"; dns.query; content:".freemyip.com"; nocase; endswith; classtype:bad-unknown; sid:2033365; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.ae.am domain"; dns.query; content:".ae.am"; fast_pattern; endswith; classtype:bad-unknown; sid:2012900; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.sherifu/.k4m3l0t"; bsize:18; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:md5,99639dffa18356f683dbbbf4a6d3d023; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; classtype:trojan-activity; sid:2033366; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.qc.cx domain"; dns.query; content:".qc.cx"; fast_pattern; endswith; classtype:bad-unknown; sid:2012903; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (ifconfig .me)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ifconfig.me"; depth:11; endswith; fast_pattern; reference:md5,52ba2e1f51d16394bf109b42c1166b74; classtype:external-ip-check; sid:2026718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.absentvodka.com)"; dns.query; content:"updates.absentvodka.com"; depth:23; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022555; rev:5; metadata:created_at 2016_02_22, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Loader Activity M1 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.mini/.report_system"; bsize:21; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; reference:md5,92ea08fb8af71468bd74d19b1b9994cd; classtype:trojan-activity; sid:2033367; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.mintylinux.com)"; dns.query; content:"updates.mintylinux.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022556; rev:5; metadata:created_at 2016_02_22, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Loader Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.sherifu/"; startswith; fast_pattern; pcre:"/^\.(?:93joshua|purrple|black)$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; classtype:trojan-activity; sid:2033368; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (eggstrawdinarry.mylittlerepo.com)"; dns.query; content:"eggstrawdinarry.mylittlerepo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022557; rev:5; metadata:created_at 2016_02_22, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=schemics.club"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033369; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (linuxmint.kernel-org.org)"; dns.query; content:"linuxmint.kernel-org.org"; depth:24; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022558; rev:5; metadata:created_at 2016_02_22, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=omeoneha.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033370; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suckfly/Nidiran Backdoor DNS Lookup"; dns.query; content:"microsoft-security-center.com"; depth:29; nocase; endswith; fast_pattern; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120123-5521-99; classtype:trojan-activity; sid:2022626; rev:5; metadata:created_at 2016_03_16, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fceptthis.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033371; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)"; dns.query; content:".ngrok.com"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022641; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=oftongueid.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033372; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.io)"; dns.query; content:".ngrok.io"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022642; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=honeiwillre.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033373; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.neokred domain - Likely Hostile"; dns.query; content:".neokred.org"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022643; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=eaconhop.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033374; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerShell/Agent.A DNS Lookup (go0gIe.com)"; dns.query; content:"go0gIe.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022835; rev:5; metadata:created_at 2016_05_24, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ssedonthep.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033375; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious dynapoint.pw Domain"; dns.query; content:"dynapoint.pw"; depth:12; endswith; fast_pattern; classtype:bad-unknown; sid:2022876; rev:5; metadata:created_at 2016_06_08, former_category HUNTING, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fjobiwouldli.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033376; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpovider.org)"; dns.query; content:".torpovider.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019981; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_19, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=offeranda.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033377; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.org)"; dns.query; content:".torgateway.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019983; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_19, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer Domain (cheapfacechange .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"cheapfacechange.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2033378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bladetor.com)"; dns.query; content:".bladetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020107; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\.[A-F0-9]{32}\//"; http.header; content:"Accept|3a 20|*/*"; depth:12; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b 20|Windows NT 6.1|3b|"; content:"Host|3a 20|"; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])/R"; content:"Connection|3a 20|close"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; pcre:"/Content-Disposition\x3a\x20form-data\x3b\s*name=\x22(?:source|formdata|billinfo|cardinfo)\x22/m"; content:"=|22|billinfo|22|"; fast_pattern; classtype:trojan-activity; sid:2026738; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_19, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bonytor.com)"; dns.query; content:".bonytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020108; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (nltest)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"nltest /domain_trusts"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bortor.com)"; dns.query; content:".bortor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020109; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipconfig /all"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (browsetor.com)"; dns.query; content:".browsetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020110; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (net view)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net view /all"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (door2tor.org)"; dns.query; content:".door2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020111; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (net config)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net config workstation"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (enter2tor.com)"; dns.query; content:".enter2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020112; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanDownloader.Agent.BXA CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Xingapp|2f 35 2e 30 20 28|windowsxue|29|"; bsize:24; threshold:type limit, track by_src, seconds 600, count 1; reference:md5,d4a8b93cb872a2817a1e7467ea449363; classtype:pup-activity; sid:2033383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (jamator.com)"; dns.query; content:".jamator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020113; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nova_assets/Sys/_Getcode/keywords="; fast_pattern; startswith; http.cookie; content:"skin="; startswith; content:"sparrow_init="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"cfruid="; distance:0; reference:url,twitter.com/mojoesec/status/1403072399860506638; reference:md5,4ba24c8dd87c35c1d7492eb31a14c2bd; classtype:trojan-activity; sid:2033384; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion2web.com)"; dns.query; content:".onion2web.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020114; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (myexternalip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"myexternalip.com"; endswith; nocase; xbits:set,ET.ipcheck,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033385; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.lt)"; dns.query; content:".onion.lt"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020115; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (freegeoip .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"freegeoip.live"; endswith; nocase; xbits:set,ET.ipcheck,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033386; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay2tor.com)"; dns.query; content:".pay2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020117; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IPFS Domain (storage .snark .art in TLS SNI)"; flow:established,to_server; tls.sni; content:"storage.snark.art"; endswith; nocase; xbits:set,ET.dropsite,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033388; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay4tor.com)"; dns.query; content:".pay4tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020118; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BOUNCEBEAM Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"/api/getTask?uniqid="; startswith; http.host; content:"cloudflare.5156game.com"; fast_pattern; bsize:23; reference:url,twitter.com/ESETresearch/status/1415542465176735748; reference:md5,429914c2cf45355ca4baa95a1dcdffab; reference:md5,19b8681e4dd4f9698ec324606a642dd6; reference:md5,bded44bf177a52a9ffbd13d077f8747d; classtype:command-and-control; sid:2033389; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (payrobotor.com)"; dns.query; content:".payrobotor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020119; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BOUNCEBEAM Backdoor CnC Domain (cloudflare .5156game .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloudflare.5156game.com"; bsize:23; fast_pattern; reference:url,twitter.com/ESETresearch/status/1415542465176735748; reference:md5,429914c2cf45355ca4baa95a1dcdffab; reference:md5,bded44bf177a52a9ffbd13d077f8747d; reference:md5,19b8681e4dd4f9698ec324606a642dd6; classtype:command-and-control; sid:2033390; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (poltornik.com)"; dns.query; content:".poltornik.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020120; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)"; flow:established,to_server; dsize:<34; content:"|33 66 99|"; depth:3; byte_test:1,>=,2,3; byte_test:1,<=,30,3; byte_extract:1,4,length; isdataat:!length,relative; pcre:"/^[A-Za-z0-9_-]+$/Rsi"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030491; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (slavetor.com)"; dns.query; content:".slavetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020121; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; http.host; content:!"7zip.org"; content:!".bloomberg.com"; content:!".bitdefender.com"; content:!".microsoft.com"; endswith; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022550; rev:20; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tanktor.com)"; dns.query; content:".tanktor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020122; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible DarkRats Tor Traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; xbits:isset,ET.ipcheck,track ip_dst; xbits:isset,ET.dropsite,track ip_dst; classtype:trojan-activity; sid:2033387; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_07_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2pay.com)"; dns.query; content:".tor2pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020123; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=UA, ST=Kyev, L=Kyev, O=GG UKR, OU=UA System, CN=monblan.ua"; bsize:60; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1418253931080163328; reference:md5,4d171ef3656ef56354ba8f336eab2cca; classtype:domain-c2; sid:2033391; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2www.com)"; dns.query; content:".tor2www.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020124; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (krinsop .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"krinsop.com"; bsize:11; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; reference:md5,2232b445760712242a0e5ea456fcc700; classtype:domain-c2; sid:2033392; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (toralpacho.com)"; dns.query; content:".toralpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020127; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (charity-wallet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"charity-wallet.com"; bsize:18; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; reference:md5,a83083f276326a7a4e77416bb0cb1537; classtype:domain-c2; sid:2033393; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torbama.com)"; dns.query; content:".torbama.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020128; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (gmbfrom .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmbfrom.com"; bsize:11; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:domain-c2; sid:2033394; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torchek.com)"; dns.query; content:".torchek.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020129; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"aa29d305dff6e6ac9cd244a62c6ad0c2"; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:bad-unknown; sid:2033395; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torexplorer.com)"; dns.query; content:".torexplorer.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020130; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"ae4edc6faf64d08308082ad26be60767"; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:bad-unknown; sid:2033396; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforlove.com)"; dns.query; content:".torforlove.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020131; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,1ea7d46d94299fa8bad4043c13100df0; classtype:command-and-control; sid:2033397; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torjam.com)"; dns.query; content:".torjam.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020132; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (cloudflare-cdnjs .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloudflare-cdnjs.com"; bsize:20; fast_pattern; reference:url,twitter.com/MBThreatIntel/status/1416101496022724609; reference:url,twitter.com/AffableKraut/status/1408512205289660429; classtype:domain-c2; sid:2033398; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpacho.com)"; dns.query; content:".torpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020134; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (static-zdassets .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"static-zdassets.com"; bsize:19; fast_pattern; reference:url,twitter.com/MBThreatIntel/status/1416101496022724609; reference:url,twitter.com/AffableKraut/status/1408512205289660429; classtype:domain-c2; sid:2033399; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; dns.query; content:".torpaycash.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; classtype:misc-activity; sid:2018789; rev:4; metadata:created_at 2014_07_28, former_category POLICY, updated_at 2021_07_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycnf.com)"; dns.query; content:".torpaycnf.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020136; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache Kylin REST API DiagnosisService Command Injection Inbound (CVE-2020-13925)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/kylin/api/diag/project/%7c%7c"; reference:url,github.com/bit4woo/CVE-2020-13925; reference:cve,2020-13925; classtype:attempted-admin; sid:2033404; rev:1; metadata:created_at 2021_07_24, cve CVE_2020_13925, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayeur.com)"; dns.query; content:".torpayeur.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020137; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2019-0230)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"id=%25%7b%23"; reference:url,github.com/bit4woo/CVE-2020-13925; reference:cve,2019-0230; classtype:attempted-admin; sid:2033405; rev:1; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2021_07_24, cve CVE_2019_0230, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayusd.com)"; dns.query; content:".torpayusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020138; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING .exec in HTTP URI Inbound - Possible Exploit Activity"; flow:established,to_server; http.uri; content:".exec|28|"; fast_pattern; classtype:bad-unknown; sid:2033406; rev:2; metadata:created_at 2021_07_24, former_category HUNTING, updated_at 2021_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torprivatebrowsing.org)"; dns.query; content:".torprivatebrowsing.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020139; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING .exec in HTTP Header Inbound - Possible Exploit Activity"; flow:established,to_server; http.header; content:".exec|28|"; fast_pattern; classtype:bad-unknown; sid:2033407; rev:2; metadata:created_at 2021_07_24, former_category HUNTING, updated_at 2021_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsanctions.com)"; dns.query; content:".torsanctions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020140; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbAdminWSService/DbAdminWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:"|3a|addUser>"; content:"<userName>"; content:"<roleName>"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15976; classtype:attempted-admin; sid:2033409; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15976, updated_at 2021_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsona.com)"; dns.query; content:".torsona.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020141; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Information Disclosure Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action=displayServerInfos"; http.header; content:"|20|YWRtaW46bmJ2XzEyMzQ1|0d|"; fast_pattern; reference:url,www.exploit-db.com/exploits/48019; classtype:attempted-admin; sid:2033410; rev:1; metadata:created_at 2021_07_24, updated_at 2021_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torvsusd.com)"; dns.query; content:".torvsusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020142; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager SQL Injection Inbound (CVE-2019-15984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbInventoryWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:"sortType>|3b|"; content:"|3b|--"; distance:0; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15984; classtype:attempted-admin; sid:2033411; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15984, updated_at 2021_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwild.com)"; dns.query; content:".torwild.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020143; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Directory Traversal Inbound (CVE-2019-15980)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ReportWSService/ReportWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:">..|2f|..|2f|"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15980; classtype:attempted-admin; sid:2033412; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15980, updated_at 2021_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwinner.com)"; dns.query; content:".torwinner.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020144; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dmechant Exfil Cryptowallets via SMTP"; flow:established,to_server; content:"|0d 0a|Subject|3a 20|Cryptowallets|3a 3a 3a 3a|"; reference:md5,e2da54028e5172ac42c89bc2271a2bb8; reference:url,www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials; classtype:command-and-control; sid:2033413; rev:1; metadata:created_at 2021_07_25, former_category TROJAN, updated_at 2021_07_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (totortoweb.com)"; dns.query; content:".totortoweb.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020145; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dmechant Exfil Passwords via SMTP"; flow:established,to_server; content:"|0d 0a|Subject|3a 20|Passwords|3a 3a 3a 3a|"; fast_pattern; content:"Username|3a 20|"; distance:0; content:"CompName|3a 20|"; distance:0; content:"Password|20 3a 20|"; distance:0; content:"Application|20 3a 20|"; distance:0; content:"========"; reference:md5,e2da54028e5172ac42c89bc2271a2bb8; reference:url,www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials; classtype:command-and-control; sid:2033414; rev:1; metadata:created_at 2021_07_25, former_category TROJAN, updated_at 2021_07_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (vtorchike.com)"; dns.query; content:".vtorchike.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020146; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RustyBuer CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"shipmentofficedepot.com"; endswith; classtype:domain-c2; sid:2033415; rev:1; metadata:created_at 2021_07_25, former_category MALWARE, updated_at 2021_07_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (walterwtor.com)"; dns.query; content:".walterwtor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020147; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Webshell Landing Outbound - Possibly Iran-based"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>filesystembrowser<|2f|title>"; content:"action=|22|?operation=upload|22|"; distance:0; fast_pattern; content:"<br>Auth|20|Key|3a|"; distance:0; within:100; classtype:command-and-control; sid:2033416; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforall.com)"; dns.query; content:".torforall.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020183; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Upload Command Inbound - Possibly Iran-based"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?operation=upload"; fast_pattern; http.request_body; content:"name=|22|authKey|22|"; content:"name=|22|file|22|"; distance:0; classtype:command-and-control; sid:2033417; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torman2.com)"; dns.query; content:".torman2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020184; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Access with Known Password Inbound - Possibly Iran-based"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|authKey|22 0d 0a 0d 0a|woanware|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2033418; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwoman.com)"; dns.query; content:".torwoman.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020185; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Execute Command Inbound - Possibly Iran-based M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__VIEWSTATE="; startswith; content:"&txtAuthKey=20TyG6eQqEopbFMB&txtCommand="; fast_pattern; classtype:command-and-control; sid:2033419; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torroadsters.com)"; dns.query; content:".torroadsters.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020186; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS stickseed Variant CnC Checkin"; dns.query; content:"efkezwpdxpsq3l"; startswith; fast_pattern; pcre:"/\.[dghbcijklmnfqrwxyz23stuopaev4569]{26}\.[a-z0-9_-]{1,50}\.[a-z]{2,8}$/"; classtype:command-and-control; sid:2033420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_26, former_category MALWARE, signature_severity Major, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.gq)"; dns.query; content:".onion.gq"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020211; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malsmoke Staging Domain in SNI"; flow:to_server,established; tls.sni; content:"premiumpornotubes.com"; endswith; classtype:social-engineering; sid:2033421; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaysolutions.com)"; dns.query; content:".torpaysolutions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020374; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"yuidskadjna.com"; endswith; classtype:trojan-activity; sid:2033422; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayoptions.com)"; dns.query; content:".torpayoptions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020375; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"odjdnhsaj.com"; endswith; classtype:trojan-activity; sid:2033423; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torinvestment2.com)"; dns.query; content:".torinvestment2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020376; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC M1 (CVE-2019-16662)"; flow:established,to_server; http.uri.raw; content:"/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html; reference:cve,2019-16662; classtype:attempted-admin; sid:2028933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_11_04, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwillsmith.com)"; dns.query; content:".torwillsmith.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020377; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Solr DataImport Handler RCE (CVE-2019-0193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/solr/"; content:"dataimport"; distance:0; http.request_body; content:"command=full-import"; fast_pattern; pcre:"/\bexec\b/Ri"; reference:cve,2019-0193; reference:url,github.com/jas502n/CVE-2019-0193; classtype:attempted-admin; sid:2033114; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstorpay22.com)"; dns.query; content:".optionstorpay22.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020390; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Admin Cores"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/admin/cores?_="; startswith; fast_pattern; content:"&indexInfo="; classtype:attempted-recon; sid:2033425; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bananator.com)"; dns.query; content:".bananator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020391; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/"; startswith; content:"/dataimport?_="; content:"&command=show-config"; fast_pattern; classtype:attempted-recon; sid:2033426; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (monsterbbc.com)"; dns.query; content:".monsterbbc.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020395; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/"; startswith; content:"/dataimport?_="; content:"&command=status"; fast_pattern; classtype:attempted-recon; sid:2033427; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tostotor.com)"; dns.query; content:".tostotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020400; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.crud.php?searchTerm="; http.uri.raw; content:"&catCommand=%22%22"; fast_pattern; reference:cve,2019-16663; classtype:attempted-admin; sid:2033428; rev:1; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_16663, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (trusteetor.com)"; dns.query; content:".trusteetor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020401; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Activity M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?u="; http.user_agent; content:"WinHTTP"; bsize:7; http.request_body; content:"p=<br><mark>Hello|3a 20|"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1fe34d84a058156296e86888ddd5cac9; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:command-and-control; sid:2033429; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionstopaytor33.com)"; dns.query; content:".solutionstopaytor33.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020402; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING NOP Sled in HTTP Header Inbound - Possible Exploit Activity"; flow:established,to_server; http.header; content:"|90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern; classtype:bad-unknown; sid:2033430; rev:1; metadata:created_at 2021_07_26, former_category HUNTING, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.am)"; dns.query; content:".onion.am"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020404; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (clank .hazari .ru)"; dns.query; content:"clank.hazari.ru"; nocase; bsize:15; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; reference:md5,ff95a2f9d3f40802afaa528f563feeee; classtype:domain-c2; sid:2033432; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (batmantor.com)"; dns.query; content:".batmantor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020405; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (lump .semara .ru)"; dns.query; content:"lump.semara.ru"; nocase; bsize:14; reference:md5,919b119827ca1a947602096fb6328ba3; reference:md5,8959c893438f4a2d34f6eafcbc6f5e4d; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033433; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (dogotor.com)"; dns.query; content:".dogotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020406; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (lovers .semara .ru)"; dns.query; content:"lovers.semara.ru"; nocase; bsize:16; reference:md5,b2193f0fb8b5ee8b2fe161cde30f4d65; reference:md5,557a2e80b2a070bb2f873b6489b026ee; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033434; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.glass)"; dns.query; content:".onion.glass"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020574; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (aconitum .xyz)"; dns.query; content:"aconitum.xyz"; nocase; bsize:12; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033435; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.direct)"; dns.query; content:".onion.direct"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020577; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (blattodea .ru)"; dns.query; content:"blattodea.ru"; nocase; bsize:12; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033436; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion Proxy Domain (connect2tor.org)"; dns.query; content:"connect2tor.org"; depth:15; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020617; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (hierodula .online)"; dns.query; content:"hierodula.online"; nocase; bsize:16; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033437; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torstorm.org)"; dns.query; content:".torstorm.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020618; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (tomond .ru)"; dns.query; content:"tomond.ru"; nocase; bsize:9; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033438; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bolistatapay.com)"; dns.query; content:".bolistatapay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020619; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ClipBanker Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/report7.4.php"; bsize:14; fast_pattern; http.request_body; content:"p="; startswith; http.header_names; content:!"Referer"; reference:md5,64db07d60025e04128de8b508673b6fe; reference:url,www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf; classtype:trojan-activity; sid:2033439; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (sshowmethemoney.com)"; dns.query; content:".sshowmethemoney.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020620; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Cisco Data Center Network Manager Version Check Inbound (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/fmrest/about/version"; endswith; fast_pattern; flowbits:set,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033441; rev:1; metadata:created_at 2021_07_27, former_category POLICY, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)"; dns.query; content:".optionstopaytos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020639; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 11.1"; flow:established,from_server; file.data; content:"version|22 3a 22|11.1|28|1|29|"; flowbits:isset,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033442; rev:1; metadata:created_at 2021_07_27, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (cheetosnotburitos.com)"; dns.query; content:".cheetosnotburitos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020640; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 10.4"; flow:established,from_server; file.data; content:"version|22 3a 22|10.4|28|2|29|"; flowbits:isset,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033443; rev:1; metadata:created_at 2021_07_27, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionsketchupay.com)"; dns.query; content:".optionsketchupay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020641; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/log/fmlogs.zip"; endswith; fast_pattern; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1622; classtype:attempted-recon; sid:2033444; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_1622, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionsaccountor.com)"; dns.query; content:".solutionsaccountor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020642; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620)"; flow:established,to_server; content:"Cookie|3a|"; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033445; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_1620, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4free.org)"; dns.query; content:".tor4free.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020686; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620)"; flow:established,to_server; content:!"Cookie|3a|"; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033446; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_1620, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tordomain.org)"; dns.query; content:".tordomain.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020703; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil via Discord M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:".lunar"; content:"|3b 20|filename="; within:12; content:"|0d 0a 0d 0a|[Username]"; distance:0; content:"[Username][TimeHacked]"; distance:0; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:command-and-control; sid:2033440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (welcome2tor.org)"; dns.query; content:".welcome2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020704; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Screenshot Uploaded to Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:"filename="; content:"screenshot."; within:12; fast_pattern; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:bad-unknown; sid:2033447; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (clusterpaytor.com)"; dns.query; content:".clusterpaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021190; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_05, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 8888 (msg:"ET EXPLOIT Possible CloudMe Sync Stack-based Buffer Overflow Inbound (CVE-2018-6892)"; flow:established,to_server; content:"|90 90 90 90 90 90 90 90|"; offset:500; depth:800; content:"|90 90 90 90 90 90|"; distance:0; within:64; reference:url,www.exploit-db.com/exploits/44175; reference:cve,2018-6892; classtype:attempted-admin; sid:2033448; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2018_6892, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (statepaytor.com)"; dns.query; content:".statepaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021191; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_05, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Lunar Builder Exfil Response"; flow:established,to_client; http.content_type; content:"application/json"; bsize:16; file.data; content:"|22|title|22 3a 20 22|Lunar|20|Builder|22|"; fast_pattern; content:"|22|name|22 3a 20 22|Stolen|20|From|22 2c|"; distance:0; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:command-and-control; sid:2033449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (paypartnerstodo.com)"; dns.query; content:".paypartnerstodo.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022041; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com)"; dns.query; content:"page.googledocpage.com"; nocase; bsize:22; reference:md5,bcb4a8f190f2124be57496649078e0ae; reference:url,twitter.com/ShadowChasing1/status/1417324113840857092; classtype:domain-c2; sid:2033450; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (allepohelpto.com)"; dns.query; content:".allepohelpto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022042; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+#alert tcp any any -> [$HOME_NET,$SMTP_SERVERS] [25,143,993,995] (msg:"ET EXPLOIT Possible Dovecot Memory Corruption Inbound (CVE-2019-11500)"; flow:to_server,established; content:"|22|"; content:"|00|"; distance:0; content:"|5c|"; distance:200; reference:url,nickroessler.com/dovecot-cve-2019-11500/; reference:cve,2019-11500; classtype:attempted-admin; sid:2033451; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_11500, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (marketcryptopartners.com)"; dns.query; content:".marketcryptopartners.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022043; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Kibana Prototype Pollution RCE Inbound (CVE-2019-7609)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/timelion/run"; fast_pattern; http.request_body; content:"|7b 22|sheet|22|"; startswith; content:".__proto__."; content:"child_process"; distance:0; content:".exec|28|"; distance:0; reference:url,github.com/mpgn/CVE-2019-7609; reference:cve,2019-7609; classtype:attempted-admin; sid:2033452; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_7609, former_category WEB_SPECIFIC_APPS, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (partnersinvestpayto.com)"; dns.query; content:".partnersinvestpayto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022044; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Kibana Path Traversal Inbound (CVE-2018-17246)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/console/api_server?apis=|2e 2e 2f 2e 2e 2f|"; fast_pattern; reference:url,github.com/mpgn/CVE-2018-17246; reference:cve,2018-17246; classtype:attempted-admin; sid:2033453; rev:1; metadata:created_at 2021_07_27, cve CVE_2018_17246, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (effectwaytopay.com)"; dns.query; content:".effectwaytopay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022046; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity Sending Windows User Info (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uralchem/"; startswith; fast_pattern; pcre:"/^[a-zA-z]{8}\./R"; http.header_names; content:!"Referer"; reference:md5,7a7bc6e080657fc77acbcf91d1892d31; reference:url,twitter.com/ShadowChasing1/status/1417650046485495808; classtype:trojan-activity; sid:2033454; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tormaster.fr)"; dns.query; content:".tormaster.fr"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022645; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 44Calibar Variant Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument"; distance:0; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"name|3d|caption|0d 0a 0d 0a|"; content:"44CALIBER"; nocase; within:15; fast_pattern; content:"Grabbed Software|3a|"; distance:0; reference:md5,fc489c5343f6db7d1be798a3ee331bdf; classtype:command-and-control; sid:2033455; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.li)"; dns.query; content:".torgateway.li"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022646; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LibreOffice pydoc RCE Inbound (CVE-2018-16858)"; flow:from_server,established; file.data; content:"<office|3a|document"; depth:100; content:"<office|3a|"; distance:0; content:"<script|3a|"; content:"|2f|pydoc.py|24|tempfilepager"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/46727; reference:cve,2018-16858; classtype:attempted-admin; sid:2033456; rev:1; metadata:created_at 2021_07_27, cve CVE_2018_16858, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (khh5cmzh5q7yp7th)"; dns.query; content:".khh5cmzh5q7yp7th"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022947; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity Sending Windows User Info (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eabr/"; startswith; fast_pattern; pcre:"/^[a-zA-z]{8}\./R"; http.header_names; content:!"Referer"; reference:md5,c7f14020934ebcc55546fbd73a6e49d0; reference:url,twitter.com/ShadowChasing1/status/1417650046485495808; classtype:trojan-activity; sid:2033457; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"g5wcesdfjzne7255.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022950; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (stg .pesrado .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"stg.pesrado.com"; bsize:15; fast_pattern; reference:url,twitter.com/mojoesec/status/1418625292105654275; reference:md5,69519748fdb0bedaab25c702bfd0ed9a; classtype:domain-c2; sid:2033458; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"r2elajikcosf7zee.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022951; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, former_category EXPLOIT, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; dns.query; content:"tmdxiawceahpbhmb.com"; depth:20; nocase; endswith; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Attempt Inbound (CVE-2021-34429)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WEB-INF/web.xml"; fast_pattern; http.uri.raw; content:"/%u002e/"; startswith; flowbits:set,ET.2021.34429.attempt; reference:cve,2021-34429; classtype:attempted-admin; sid:2033460; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_34429, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (rapidcomments.com)"; dns.query; content:"rapidcomments.com"; depth:17; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Successful Exploitation (CVE-2021-34429)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<web-app>"; fast_pattern; flowbits:isset,ET.2021.34429.attempt; reference:cve,2021-34429; classtype:attempted-admin; sid:2033461; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_34429, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (bikessport.com)"; dns.query; content:"bikessport.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023021; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/"; content:"downloads.php?cat_id=|24 7b|system"; fast_pattern; reference:url,github.com/r90tpass/CVE-2020-24949/blob/main/exp.py; reference:cve,2020-24949; classtype:attempted-admin; sid:2033462; rev:1; metadata:created_at 2021_07_27, cve CVE_2020_24949, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (flowershop22.110mb.com)"; dns.query; content:"flowershop22.110mb.com"; depth:22; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; classtype:trojan-activity; sid:2023023; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Known Scam/Phishing Domain"; dns.query; content:"creator-partners.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033463; rev:1; metadata:created_at 2021_07_27, former_category PHISHING, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (wildhorses.awardspace.info)"; dns.query; content:"wildhorses.awardspace.info"; depth:26; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023024; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033464; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply-wsu.ebizx.net)"; dns.query; content:"apply-wsu.ebizx.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023059; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033465; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply.ebizx.net)"; dns.query; content:"apply.ebizx.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023060; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033466; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (aalaan .tv)"; dns.query; content:"aalaan.tv"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023093; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033467; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (accounts .mx)"; dns.query; content:"accounts.mx"; depth:11; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023094; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033468; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alawaeltech .com)"; dns.query; content:"alawaeltech.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033469; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alljazeera .co)"; dns.query; content:"alljazeera.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033470; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararabiya .co)"; dns.query; content:"asrararabiya.co"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033471; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararablya .com)"; dns.query; content:"asrararablya.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023099; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033472; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrarrarabiya .com)"; dns.query; content:"asrarrarabiya.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023100; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033473; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bahrainsms .co)"; dns.query; content:"bahrainsms.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023101; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033474; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bulbazaur .com)"; dns.query; content:"bulbazaur.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023103; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033475; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (cnn-africa .co)"; dns.query; content:"cnn-africa.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023105; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033476; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (damanhealth .online)"; dns.query; content:"damanhealth.online"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023106; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033477; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (emiratesfoundation .net)"; dns.query; content:"emiratesfoundation.net"; depth:22; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023107; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033478; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (fb-accounts .com)"; dns.query; content:"fb-accounts.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023108; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033479; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icloudcacher .com)"; dns.query; content:"icloudcacher.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023110; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033480; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icrcworld .com)"; dns.query; content:"icrcworld.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023111; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033481; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (manoraonline .net)"; dns.query; content:"manoraonline.net"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023112; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033482; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mz-vodacom .info)"; dns.query; content:"mz-vodacom.info"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023113; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033483; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (newtarrifs .net)"; dns.query; content:"newtarrifs.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023114; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033484; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ooredoodeals .com)"; dns.query; content:"ooredoodeals.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023115; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033485; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (pickuchu .com)"; dns.query; content:"pickuchu.com"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023116; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033486; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (redcrossworld .com)"; dns.query; content:"redcrossworld.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023117; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033487; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sabafon .info)"; dns.query; content:"sabafon.info"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023118; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033488; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smser .net)"; dns.query; content:"smser.net"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023119; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033489; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sms .webadv.co)"; dns.query; content:"sms.webadv.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023120; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033490; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (topcontactco .com)"; dns.query; content:"topcontactco.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023121; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033491; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (tpcontact .co.uk)"; dns.query; content:"tpcontact.co.uk"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023122; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033492; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (track-your-fedex-package .org)"; dns.query; content:"track-your-fedex-package.org"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023123; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033493; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkishairines .info)"; dns.query; content:"turkishairines.info"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023125; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033494; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (uaenews .online)"; dns.query; content:"uaenews.online"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023126; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033495; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (univision .click)"; dns.query; content:"univision.click"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023127; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033496; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (whatsapp-app .com)"; dns.query; content:"whatsapp-app.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023129; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033497; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (y0utube .com.mx)"; dns.query; content:"y0utube.com.mx"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023130; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033498; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (bigcrashcar.net)"; dns.query; content:"bigcrashcar.net"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2023142; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033499; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (collge .myq-see.com)"; dns.query; content:"collge.myq-see.com"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033500; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (sara2011 .no-ip.biz)"; dns.query; content:"sara2011.no-ip.biz"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023258; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033501; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (wininit .myq-see.com)"; dns.query; content:"wininit.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033502; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (appleupdate .com)"; dns.query; content:"appleupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023299; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033503; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (apple-iclouds .net)"; dns.query; content:"apple-iclouds.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023300; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033504; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (itunes-helper .net)"; dns.query; content:"itunes-helper.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023301; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033505; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"bonmawp.at"; depth:10; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023331; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033506; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"wallymac.com"; depth:12; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023332; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033507; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed AgentTesla Domain Request"; dns.query; content:"agenttesla.com"; depth:14; nocase; endswith; fast_pattern; reference:md5,32f3fa6b80904946621551399be32207; classtype:trojan-activity; sid:2023354; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, malware_family Keylogger, malware_family AgentTesla, malware_family Backdoor, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033508; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftsupp .com)"; dns.query; content:"microsoftsupp.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023355; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033509; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (aljazeera-news .com)"; dns.query; content:"aljazeera-news.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023356; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033510; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ausameetings .com)"; dns.query; content:"ausameetings.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023357; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033511; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (bbc-press .org)"; dns.query; content:"bbc-press.org"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023358; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033512; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cnnpolitics .eu)"; dns.query; content:"cnnpolitics.eu"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023359; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033513; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailyforeignnews .com)"; dns.query; content:"dailyforeignnews.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023360; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033514; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailypoliticsnews .com)"; dns.query; content:"dailypoliticsnews.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023361; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033515; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defenceiq .us)"; dns.query; content:"defenceiq.us"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023362; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033516; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defencereview .eu)"; dns.query; content:"defencereview.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023363; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033517; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (diplomatnews .org)"; dns.query; content:"diplomatnews.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023364; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033518; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euronews24 .info)"; dns.query; content:"euronews24.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023365; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033519; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euroreport24 .com)"; dns.query; content:"euroreport24.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023366; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033520; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kg-news .org)"; dns.query; content:"kg-news.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023367; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033521; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (military-info .eu)"; dns.query; content:"military-info.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033522; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryadviser .org)"; dns.query; content:"militaryadviser.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033523; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryobserver .net)"; dns.query; content:"militaryobserver.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033524; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-hq .com)"; dns.query; content:"nato-hq.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023371; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033525; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-news .com)"; dns.query; content:"nato-news.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023372; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033526; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natoint .com)"; dns.query; content:"natoint.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023373; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033527; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natopress .com)"; dns.query; content:"natopress.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023374; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033528; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-info .com)"; dns.query; content:"osce-info.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023375; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033529; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-press .org)"; dns.query; content:"osce-press.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023376; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033530; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (pakistan-mofa .net)"; dns.query; content:"pakistan-mofa.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023377; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033531; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicalreview .eu)"; dns.query; content:"politicalreview.eu"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023378; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033532; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicsinform .com)"; dns.query; content:"politicsinform.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023379; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033533; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (reuters-press .com)"; dns.query; content:"reuters-press.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033534; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (shurl .biz)"; dns.query; content:"shurl.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023381; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033535; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (stratforglobal .net)"; dns.query; content:"stratforglobal.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033536; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (thediplomat-press .com)"; dns.query; content:"thediplomat-press.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023383; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033537; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (theguardiannews .org)"; dns.query; content:"theguardiannews.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023384; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033538; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (trend-news .org)"; dns.query; content:"trend-news.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023385; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033539; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unian-news .info)"; dns.query; content:"unian-news.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023386; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033540; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unitednationsnews .eu)"; dns.query; content:"unitednationsnews.eu"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033541; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (virusdefender .org)"; dns.query; content:"virusdefender.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023388; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033542; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldmilitarynews .org)"; dns.query; content:"worldmilitarynews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023389; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033543; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldpoliticsnews .org)"; dns.query; content:"worldpoliticsnews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023390; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033544; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (capisp .com)"; dns.query; content:"capisp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023391; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033545; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dataclen .org)"; dns.query; content:"dataclen.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023392; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033546; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (mscoresvw .com)"; dns.query; content:"mscoresvw.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023393; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033547; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowscheckupdater .net)"; dns.query; content:"windowscheckupdater.net"; depth:23; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023394; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033548; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (acledit .com)"; dns.query; content:"acledit.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023395; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033549; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (biocpl .org)"; dns.query; content:"biocpl.org"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023396; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033550; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; dns.query; content:"info2t.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_10_24, deployment Perimeter, malware_family AndroRAT, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033551; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ciscohelpcenter .com)"; dns.query; content:"ciscohelpcenter.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033552; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (timezoneutc .com)"; dns.query; content:"timezoneutc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033553; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (inteldrv64 .com)"; dns.query; content:"inteldrv64.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023409; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033554; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (advpdxapi .com)"; dns.query; content:"advpdxapi.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023410; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033555; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cloudflarecdn .com)"; dns.query; content:"cloudflarecdn.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023411; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033556; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (driversupdate .info)"; dns.query; content:"driversupdate.info"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033557; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kenlynton .com)"; dns.query; content:"kenlynton.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033558; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftdriver .com)"; dns.query; content:"microsoftdriver.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033559; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsofthelpcenter .info)"; dns.query; content:"microsofthelpcenter.info"; depth:24; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033560; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nortonupdate .org)"; dns.query; content:"nortonupdate.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023416; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033561; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (softwaresupportsv .com)"; dns.query; content:"softwaresupportsv.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023417; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033562; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (symantecsupport .org)"; dns.query; content:"symantecsupport.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023418; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033563; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatecenter .name)"; dns.query; content:"updatecenter.name"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023419; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033564; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatesystems .net)"; dns.query; content:"updatesystems.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023420; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033565; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updmanager .com)"; dns.query; content:"updmanager.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023421; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033566; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowsappstore .net)"; dns.query; content:"windowsappstore.net"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023422; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033567; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"securityprotectingcorp.com"; depth:26; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023658; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_03, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033568; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query"; dns.query; content:"bigdata.adups.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023515; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033569; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 5"; dns.query; content:"rebootv5.adsunflower.com"; depth:24; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023519; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033570; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .about.jkub.com)"; dns.query; content:"www.about.jkub.com"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033571; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .eleven.mypop3.org)"; dns.query; content:"www.eleven.mypop3.org"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033572; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .backus.myftp.name)"; dns.query; content:"www.backus.myftp.name"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033573; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (tibetvoices .com)"; dns.query; content:"tibetvoices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023526; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033574; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (anonym.to)"; dns.query; content:".anonym.to"; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2023597; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033575; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"microsoftfont.com"; depth:17; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023666; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033576; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"xpknpxmywqsr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023601; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033577; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bwhrdaumwuvn.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023603; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033578; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bpmsfckfkrpr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023604; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033579; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"oornsduuwjli.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023605; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033580; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kedbuffigfjs.online"; depth:19; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023632; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033581; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"srrys.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023633; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033582; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kciap.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023635; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033583; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"mziep.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023636; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033584; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"tr069.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023637; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033585; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv602 .ddns.net)"; dns.query; content:"srv602.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023642; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033586; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (updatesync .com)"; dns.query; content:"updatesync.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023643; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033587; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (svnservices .com)"; dns.query; content:"svnservices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023644; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033588; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (mynetenergy .com)"; dns.query; content:"mynetenergy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023645; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033589; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (windriversupport .com)"; dns.query; content:"windriversupport.com"; depth:20; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023646; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view.php?id=21504"; fast_pattern; http.host; content:"kr2959.atwebpages.com"; http.header_names; content:!"Referer"; reference:md5,72d43ff8f9ee0819e96ed7fd7d9a551a; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033590; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (truecrypte .org)"; dns.query; content:"truecrypte.org"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023647; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/report.php?key="; startswith; fast_pattern; http.host; content:"kr2959.atwebpages.com"; http.header_names; content:!"Referer"; reference:md5,72d43ff8f9ee0819e96ed7fd7d9a551a; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033591; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (edicupd002 .com)"; dns.query; content:"edicupd002.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023648; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Heracles Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"cwyuno1c7n82bc201et81t627c8e6912r"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; threshold:type limit, track by_src, count 1, seconds 120; reference:md5,e0c6208936aa0cccd6867214145433b3; reference:url,tria.ge/210728-48w5bjla3x; classtype:command-and-control; sid:2033592; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (jourrapid .com)"; dns.query; content:"jourrapid.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023649; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Heracles Variant CnC Domain (stainless .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"stainless.fun"; bsize:13; fast_pattern; reference:md5,e0c6208936aa0cccd6867214145433b3; reference:url,tria.ge/210728-48w5bjla3x; classtype:domain-c2; sid:2033593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (true-crypte .website)"; dns.query; content:"true-crypte.website"; depth:19; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023650; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/expres.php?op=2"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,be4ab3c46d87b1900137647814f0f305; classtype:trojan-activity; sid:2033594; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (myrappid .com)"; dns.query; content:"myrappid.com"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023651; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?who="; fast_pattern; content:"&secure="; distance:0; content:"&v="; distance:0; content:".exe|20|"; distance:0; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,5b2355014f72dc2714dc5a5f04fe9519; classtype:trojan-activity; sid:2033595; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice.B DNS Lookup (appexsrv .net)"; dns.query; content:"appexsrv.net"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family DealersChoice_B, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?w="; fast_pattern; content:"&v="; distance:0; content:".exe|20|"; distance:0; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,d7b717134358bbeefc5796b5912369f0; classtype:trojan-activity; sid:2033596; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"globalresearching.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023659; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Script Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/list.php?query=1"; fast_pattern; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,78bdd34f641fb2d1992c8651298f4aff; classtype:trojan-activity; sid:2033597; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"shcserv.com"; depth:11; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023660; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (HEAD)"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".dotm?q=6"; endswith; fast_pattern; http.user_agent; content:"Office"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a9b6cf8d8d0a67da4eea269dab16fe99; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033598; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobeupgradeflash.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023661; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Monitorr 1.7.6m RCE Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/assets/php/upload.php"; nocase; http.request_body; content:"name=|22|fileToUpload|22|"; nocase; content:"<?"; reference:url,github.com/Monitorr/Monitorr; reference:url,www.exploit-db.com/exploits/48980; classtype:attempted-admin; sid:2033599; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"gpufps.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023662; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jenkins Plugin Script RCE Exploit Attempt (CVE-2019-1003001)"; flow:established,to_server; http.uri; content:"CpsFlowDefinition"; nocase; content:"checkScriptCompile"; nocase; content:"GrabResolver"; nocase; content:"GrabConfig"; nocase; content:"Grab("; nocase; reference:url,0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html; reference:url,www.exploit-db.com/exploits/46427; reference:cve,2019-1003001; classtype:attempted-admin; sid:2033600; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2019_1003001, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobe-flash-updates.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023663; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Ambari Default Credentials Attempt"; flow:established,to_server; http.uri; content:"/api/v1/users/admin?fields="; nocase; content:"privilege"; nocase; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW4"; nocase; reference:url,docs.cloudera.com/HDPDocuments/Ambari-2.7.4.0/bk_ambari-installation/content/log_in_to_apache_ambari.html; classtype:attempted-admin; sid:2033601; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"versiontask.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023664; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812)"; flow:established,to_server; http.uri; content:"/mod/jitsi/sessionpriv.php?avatar="; nocase; content:"&nom="; nocase; reference:cve,2021-26812; reference:url,vuldb.com/?id.173035; classtype:attempted-user; sid:2033602; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2021_26812, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"webcdelivery.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023665; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT GraphQL Introspection Query Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|7b 22 71 75 65 72 79 22 3a 22 71 75 65 72 79 20|"; nocase; startswith; content:"__schema"; nocase; distance:0; content:"queryType"; nocase; distance:0; reference:url,blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/; classtype:attempted-admin; sid:2033603; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/SEDNIT Uploader Variant DNS Lookup"; dns.query; content:"postlkwarn.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023667; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"; nocase; content:"extension=menu"; distance:0; content:"view=menu"; nocase; content:"parent="; nocase; pcre:"/parent=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ui"; reference:url,www.exploit-db.com/exploits/49627; reference:cve,2018-17254; classtype:attempted-admin; sid:2033604; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, cve CVE_2018_17254, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns.query; content:"rockybalboa.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/monitor/messagebroker/amf"; nocase; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00|"; fast_pattern; reference:url,github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb; reference:url,twitter.com/pedrib1337/status/1415862996786548736; reference:cve,2016-2510; classtype:attempted-admin; sid:2033605; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2016_2510, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.bz"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; classtype:trojan-activity; sid:2023728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Spora, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible MobileIron MDM RCE Inbound (CVE-2020-15505)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mifs/|2e 3b|/"; fast_pattern; content:"|63 02 00 48 00 84|"; startswith; content:"B|00|e|00|a|00|n|00|F|00|a|00|c|00|"; content:"r|00|m|00|i|00 3a 00 2f 00 2f|"; distance:0; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2033606; rev:1; metadata:created_at 2021_07_28, cve CVE_2020_15505, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (gtranm .com)"; dns.query; content:"gtranm.com"; depth:10; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023761; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Socelars Related Domain in DNS Lookup"; dns.query; content:"www.cncode.pw"; nocase; bsize:13; reference:md5,f6c01214414fe2cedaa217c69ab093e1; classtype:bad-unknown; sid:2033607; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category ADWARE_PUP, updated_at 2021_07_28, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (zpfgr .com)"; dns.query; content:"zpfgr.com"; depth:9; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023762; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat CnC Domain (dud-shotline .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dud-shotline.000webhostapp.com"; bsize:30; fast_pattern; reference:md5,a8c6a612108ac2266263c6a6be7a58cc; classtype:domain-c2; sid:2033608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, malware_family DCRat, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX Backdoor Quimitchin DNS Lookup"; dns.query; content:"eidk.hopto.org"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/; reference:md5,e4744b9f927dc8048a19dca15590660c; classtype:trojan-activity; sid:2023763; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, malware_family Quimitchin, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".netcatkit.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (webfile .myq-see.com)"; dns.query; content:"webfile.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023777; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".sqlnetcat.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadmyhost .zapto.org)"; dns.query; content:"downloadmyhost.zapto.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023778; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".b69kq.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033611; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (help2014 .linkpc.net)"; dns.query; content:"help2014.linkpc.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023779; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zz3r0.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (safara .sytes.net)"; dns.query; content:"safara.sytes.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023780; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ackng.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (exportball .servegame.org)"; dns.query; content:"exportball.servegame.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023781; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zer9g.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (viewnet .better-than.tv)"; dns.query; content:"viewnet.better-than.tv"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023782; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".pp6r1.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (down .downloadoneyoutube.co.vu)"; dns.query; content:"down.downloadoneyoutube.co.vu"; depth:29; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023783; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hwqloan.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (netstreamag .publicvm.com)"; dns.query; content:"netstreamag.publicvm.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023784; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".amynx.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033617; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (subsidiaryohio .linkpc.net)"; dns.query; content:"subsidiaryohio.linkpc.net"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".bb3u9.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (helpyoume .linkpc.net)"; dns.query; content:"helpyoume.linkpc.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023787; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".js88.ag"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadtesting .com)"; dns.query; content:"downloadtesting.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023788; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cdnimages.xyz"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com)"; dns.query; content:"gameoolines.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023789; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DNS Service)"; flow:from_server,established; tls.cert_subject; content:".sslip.io"; endswith; nocase; fast_pattern; classtype:policy-violation; sid:2033621; rev:1; metadata:created_at 2021_07_30, former_category POLICY, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (onlinesoft .space)"; dns.query; content:"onlinesoft.space"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023790; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdn.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033625; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (newphoneapp .com)"; dns.query; content:"newphoneapp.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023791; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdnw5.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033624; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gamestoplay .bid)"; dns.query; content:"gamestoplay.bid"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=git-api.com"; nocase; fast_pattern; classtype:domain-c2; sid:2033623; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (smartsftp .pw)"; dns.query; content:"smartsftp.pw"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023793; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=104-168-237-21.sslip.io"; nocase; fast_pattern; classtype:domain-c2; sid:2033622; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxysupdates .com)"; dns.query; content:"galaxysupdates.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Meterpreter Paranoid Mode CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Texas, L=Austin, O=Development, CN=www.example.com"; bsize:59; fast_pattern; tls.cert_issuer; content:"C=US, ST=Texas, L=Austin, O=Development, CN=www.example.com"; bsize:59; reference:md5,7f969b888db2ac8aec19f2997167253e; reference:url,titanwolf.org/Network/Articles/Article?AID=97b8845a-85d0-407a-b14b-8dc773ed551b; classtype:domain-c2; sid:2033626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxy-s .com)"; dns.query; content:"galaxy-s.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023795; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/USA/precision.dot"; fast_pattern; bsize:18; http.host; content:"usa-national.info"; bsize:17; reference:md5,26b29c539d0d35fd414e36884c380e0e; classtype:trojan-activity; sid:2033627; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (datasamsung .com)"; dns.query; content:"datasamsung.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023796; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer Domain (hellowoodie .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"hellowoodie.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2033628; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (progsupdate .com)"; dns.query; content:"progsupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023797; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CandyOpen/UniClient Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uniplatform/getVersion"; fast_pattern; bsize:23; http.host; content:"uniplatform.snyzt.org"; bsize:21; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf; reference:md5,2ad8bfde025d1a739eee02f3b23365c9; reference:url,www.hybrid-analysis.com/sample/a94d56067aa15f28f66a139eecc90e49b008bfa1f0faf7d65721ecfb68a6a6a2; classtype:trojan-activity; sid:2033629; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (topgamse .com)"; dns.query; content:"topgamse.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup via 3322 .org"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip"; endswith; http.host; content:"3322.org"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2033630; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (bandtester .com)"; dns.query; content:"bandtester.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023799; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CandyOpen/UniClient Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uniplatform/getUniclientVersion"; fast_pattern; bsize:32; http.header_names; content:"|0d 0a|accept|0d 0a|User-Agent|0d 0a 0d 0a|"; bsize:24; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf; reference:md5,2ad8bfde025d1a739eee02f3b23365c9; reference:url,www.hybrid-analysis.com/sample/a94d56067aa15f28f66a139eecc90e49b008bfa1f0faf7d65721ecfb68a6a6a2; classtype:trojan-activity; sid:2033631; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (speedbind .com)"; dns.query; content:"speedbind.com"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023800; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M1"; flow:established,to_client; tls.cert_subject; content:"C=IL, O=StartCom Ltd., CN="; startswith; isdataat:!20,relative; tls.cert_subject; content:"CN=*"; endswith; reference:url,community.riskiq.com/article/541a465f; classtype:command-and-control; sid:2033632; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ukgames .tech)"; dns.query; content:"ukgames.tech"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M2"; flow:established,to_client; tls.cert_subject; content:"C=KR, O=SGssl, CN="; startswith; isdataat:!20,relative; tls.cert_subject; content:"CN=*"; endswith; reference:url,community.riskiq.com/article/541a465f; classtype:command-and-control; sid:2033633; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .publicvm.com)"; dns.query; content:"wallanews.publicvm.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023802; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M3"; flow:established,to_client; tls.cert_subject; content:"C=US, O=GMO GlobalSign, Inc"; startswith; fast_pattern; tls.cert_issuer; content:"C=US, O=GMO GlobalSign, Inc, CN=*"; bsize:33; reference:url,community.riskiq.com/article/642d186e; classtype:command-and-control; sid:2033634; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .sytes.net)"; dns.query; content:"wallanews.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)"; dns.query; content:"paymenthacks.com"; nocase; bsize:16; reference:url,twitter.com/Arkbird_SOLG/status/1421984944792944643; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:domain-c2; sid:2033635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (noredirecto .redirectme.net)"; dns.query; content:"noredirecto.redirectme.net"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)"; dns.query; content:"mojobiden.com"; nocase; bsize:13; reference:url,twitter.com/Arkbird_SOLG/status/1421984944792944643; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:domain-c2; sid:2033636; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (dynamicipaddress .linkpc.net)"; dns.query; content:"dynamicipaddress.linkpc.net"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 Auth Bypass (CVE-2018-3810)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"sgcgoogleanalytic="; nocase; startswith; content:"<script"; nocase; distance:0; content:"savegooglecode"; nocase; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3810; classtype:attempted-admin; sid:2033637; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadlog .linkpc.net)"; dns.query; content:"downloadlog.linkpc.net"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 SQLi (CVE-2018-3811)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"action=saveadwords"; nocase; startswith; content:"oId="; nocase; distance:0; pcre:"/oId=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/i"; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3811; classtype:attempted-admin; sid:2033638; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (havan .qhigh.com)"; dns.query; content:"havan.qhigh.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023807; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546)"; flow:established,to_server; http.uri; content:"/compliancepolicies.inc.php"; nocase; fast_pattern; content:"searchOption=contains"; content:"searchField=antani"; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,github.com/theguly/exploits/blob/master/CVE-2020-10546.py; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-10546; classtype:attempted-admin; sid:2033639; rev:2; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (kolabdown .sytes.net)"; dns.query; content:"kolabdown.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023808; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT phpMyAdmin setup.php Local File Include"; flow:established,to_server; http.uri; content:"/scripts/setup.php"; nocase; fast_pattern; http.request_body; content:"action="; nocase; startswith; content:"configuration="; nocase; content:"PMA_Config"; nocase; content:"source"; nocase; reference:url,www.programmersought.com/article/87603212281/; reference:url,github.com/projectdiscovery/nuclei; classtype:attempted-admin; sid:2033640; rev:1; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (rotter2 .publicvm.com)"; dns.query; content:"rotter2.publicvm.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023809; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon <= 2.1.x LFI (CVE-2020-11991)"; flow:established,to_server; http.uri; content:"/v2/api/product/manger/getInfo"; nocase; http.request_body; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:url,www.cnblogs.com/0day-li/p/13663350.html; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1; metadata:created_at 2021_08_02, cve CVE_2020_11991, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ftpserverit .otzo.com)"; dns.query; content:"ftpserverit.otzo.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)"; flow:established,to_server; http.uri; content:"/?cffaction=get_data_from_database"; nocase; fast_pattern; content:"query="; pcre:"/^[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,wpscan.com/vulnerability/10287; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-14092; classtype:attempted-admin; sid:2033642; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_14092, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE iKittens OSX MacDownloader DNS Lookup (officialswebsites .info)"; dns.query; content:"officialswebsites.info"; depth:22; nocase; endswith; fast_pattern; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:trojan-activity; sid:2023877; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family MacDownloader, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackMatter CnC Activity"; flow:established,to_server; http.request_line; content:"POST /?"; startswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|keep-alive|0d 0a|Accept-Encoding|3a 20|gzip, deflate, br|0d 0a|Content-Type|3a 20|text/plain|0d 0a|User-Agent|3a 20|"; startswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:104; http.user_agent; content:"/"; content:!"/"; distance:0; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:command-and-control; sid:2033643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, malware_family Spora, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (www .msfthelpdesk .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.msfthelpdesk.com"; bsize:20; fast_pattern; reference:md5,37c44fe692371563ebc10fade5142918; reference:url,twitter.com/mojoesec/status/1421198691742986243; classtype:domain-c2; sid:2033644; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (websecuranalityc.com)"; dns.query; content:"websecuranalityc.com"; depth:20; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023894; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/success?q=7b226964223a22"; nocase; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html; reference:md5,e3bd6b1694b35bef352b2303b46ce522; classtype:trojan-activity; sid:2033646; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (liveskansys.com)"; dns.query; content:"liveskansys.com"; depth:15; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023895; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![445,139] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND)"; flow:to_server,established; dsize:248; content:"|18 18|"; offset:2; depth:2; content:!"|18 18|"; within:2; content:"|18 18|"; distance:2; within:2; content:!"|18 18|"; within:2; content:"|18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18|"; pcre:"/[^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18/R"; reference:md5,16549f8a09fd5724f2107a8f18dca10b; classtype:command-and-control; sid:2019204; rev:11; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (iusacell-movil .com.mx)"; dns.query; content:"iusacell-movil.com.mx"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023898; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Jupyter Stealer Related Activity (GET)"; flow:established,to_server; http.start; content:"GET /get/"; startswith; content:".ps1 HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,e3bd6b1694b35bef352b2303b46ce522; classtype:trojan-activity; sid:2033645; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smsmensaje .mx)"; dns.query; content:"smsmensaje.mx"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023899; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Rootkit Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/safe/"; startswith; content:"?appid="; distance:0; content:"&m="; distance:0; content:"&nonce_str="; distance:0; content:"&time_stamp="; distance:0; content:"&sign="; distance:0; http.user_agent; content:"Http-connect"; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033647; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (zkdef09i7ola.net)"; dns.query; content:"zkdef09i7ola.net"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023932; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Rootkit Checkin Activity (getSystemInfo)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/system/getSystemInfo"; bsize:25; fast_pattern; http.user_agent; content:"Http-connect"; bsize:12; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033648; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"androidbak.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xml/"; bsize:5; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; bsize:65; http.host; content:"freegeoip.net"; bsize:13; fast_pattern; http.header_names; content:!"Referer"; reference:md5,aabf88d786c8a58cccae674621277a54; classtype:trojan-activity; sid:2033649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"droidback.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SSV Agent CnC Activity"; flow:established,to_server; http.request_body; content:"|00 00 00 01 00 00 00 01 00 00 00|"; offset:1; depth:11; fast_pattern; pcre:"/^[A-F0-9]{32}/R"; reference:url,github.com/ptresearch/AttackDetection/tree/master/APT31; reference:md5,db1673a1e8316287cb940725bb6caa68; classtype:command-and-control; sid:2033650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"endpointup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (edgecloudc .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".edgecloudc.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"goodydaddy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (be-government .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".be-government.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (chrome-up .date)"; dns.query; content:"chrome-up.date"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023953; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (gitcloudcache .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".gitcloudcache.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (timezone .live)"; dns.query; content:"timezone.live"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023954; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (hostupoeui .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".hostupoeui.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com)"; dns.query; content:"servicesystem.serveirc.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023955; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (drmtake .tk in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".drmtake.tk"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (analytics-google .org)"; dns.query; content:"analytics-google.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023956; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (rsnet-devel .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".rsnet-devel.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-adm .in)"; dns.query; content:"com-adm.in"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023957; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (flushcdn .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".flushcdn.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud)"; dns.query; content:"microsoftexplorerservices.cloud"; depth:31; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023958; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs)"; dsize:<21; content:"TLPU"; startswith; fast_pattern; content:"|00 00 00 01|"; distance:4; within:4; reference:url,www.armis.com/pwnedPiper; reference:cve,2021-37162; reference:cve,2021-37165; reference:cve,2021-37161; classtype:attempted-admin; sid:2033661; rev:1; metadata:attack_target Server, created_at 2021_08_03, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (msservice .site)"; dns.query; content:"msservice.site"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023959; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Large Malformed Translogic Packet (CVE-2021-37164)"; dsize:>369; content:"TLPU"; startswith; fast_pattern;  reference:cve,2021-37164; reference:url,www.armis.com/pwnedPiper; classtype:attempted-admin; sid:2033662; rev:1; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37164, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-ho .me)"; dns.query; content:"com-ho.me"; depth:9; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023960; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup"; dns.query; content:"cloud-documents.com"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (ntg-sa .com)"; dns.query; content:"ntg-sa.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023961; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc CnC Domain (cloud-documents .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloud-documents.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033664; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (briefl .ink)"; dns.query; content:"briefl.ink"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023962; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sysWeb User-Agent"; flow:established,to_server; http.user_agent; content:"|20|sysWeb/"; fast_pattern; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033665; rev:1; metadata:created_at 2021_08_04, former_category USER_AGENTS, performance_impact Low, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 1"; dns.query; content:"backup.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023968; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed URL Shortening Service Domain (longurl .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"longurl.in"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033666; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 2"; dns.query; content:"dataserver.cmonkey3.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023969; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gopstoporchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"gopstoporchestra.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033667; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 3"; dns.query; content:"google-helps.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023970; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (onlineworkercz .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"onlineworkercz.com"; bsize:18; fast_pattern; reference:url,thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/; classtype:domain-c2; sid:2033668; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 4"; dns.query; content:"kpupdate.amz80.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; urilen:3; http.method; content:"GET"; http.cookie; content:"reg_fb_gate="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,bed512b1b901f03d421d39132a6c75b6; reference:url,thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/; classtype:trojan-activity; sid:2033669; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 5"; dns.query; content:"mail-help.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Thallium  CnC Domain in DNS Lookup"; dns.query; content:"tksrpdl.atwebpages.com"; nocase; bsize:22; reference:url,twitter.com/cyberwar_15/status/1422692746909786112; classtype:domain-c2; sid:2033670; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 6"; dns.query; content:"mail-issue.top"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023973; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrickBot Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/r/tomkruzback.bazar"; fast_pattern; bsize:20; http.host; content:"dns."; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad938b03f3719bf14f1e14c90a73ff2b; classtype:trojan-activity; sid:2033660; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 7"; dns.query; content:"microsoftupdating.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023974; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup (societyf500 .ddns .net)"; dns.query; content:"societyf500.ddns.net"; nocase; bsize:20; reference:url,twitter.com/JAMESWT_MHT/status/1422813422828331009; classtype:domain-c2; sid:2033671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 8"; dns.query; content:"microsoftwww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023975; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (quantumbots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"quantumbots.xyz"; bsize:15; fast_pattern; reference:md5,daba8377d281c48c1c91e2fa7f703511; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033672; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 9"; dns.query; content:"ns1.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023976; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (marcobrando .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"marcobrando.xyz"; bsize:15; fast_pattern; reference:md5,eaf0524ba3214b35a068465664963654; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033673; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 10"; dns.query; content:"ns1.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (montanatony .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"montanatony.xyz"; bsize:15; fast_pattern; reference:md5,0d1df5c35c3c43e1b8bb7daec2495c06; reference:md5,f73ebc6f645926bf8566220b14173df8; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033674; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 11"; dns.query; content:"ns1.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (smoothcbots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"smoothcbots.xyz"; bsize:15; fast_pattern; reference:md5,8daf9ba69c0dcf9224fd1e4006c9dad3; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033675; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 12"; dns.query; content:"ns2.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023979; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (omegabots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"omegabots.xyz"; bsize:13; fast_pattern; reference:md5,de51b859f41b6a9138285cf26a1fad84; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033676; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 13"; dns.query; content:"ns2.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023980; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (gogleadser .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogleadser.xyz"; bsize:14; fast_pattern; reference:md5,205861bca8f26430981f9762a50eab3a; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033677; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 14"; dns.query; content:"ns2.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023981; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (callbinary .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"callbinary.xyz"; bsize:14; fast_pattern; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033678; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 15"; dns.query; content:"qr1.3jd90dsj3df.website"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023982; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideCopy Group Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css/css/b/l/i2.php"; bsize:19; fast_pattern; http.accept_enc; content:"gzip,|20|deflate"; bsize:13; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1422914152381616134; reference:url,twitter.com/c3rb3ru5d3d53c/status/1422982036365750275; reference:md5,896793b5a446fb3a648a7f290a2b38cd; reference:md5,8e07953b96ffa7ee7f5d0fa6fea71a6a; classtype:trojan-activity; sid:2033680; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 16"; dns.query; content:"r4.microsoftupdating.org"; depth:24; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Oscorp/UBEL Activity"; flow:established,to_server; http.uri; content:"/api/app/device/"; startswith; fast_pattern; http.user_agent; content:"|3b 20|Android|3b 20|"; http.host; content:".xyz"; endswith; http.header_names; content:!"Referer"; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:trojan-activity; sid:2033679; rev:2; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 17"; dns.query; content:"rouji.xssr.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Microsoft Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"microsoft"; content:".github.io"; endswith; fast_pattern; content:!"microsoft.github.io"; depth:19; endswith; content:!"microsoftedge.github.io"; depth:23; endswith; classtype:policy-violation; sid:2027274; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2021_08_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 18"; dns.query; content:"t2z0n9.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023985; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roboto."; fast_pattern; pcre:"/^tt[cf]$/R"; http.user_agent; content:!"Windows"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029040; rev:3; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2021_08_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 19"; dns.query; content:"temp.mail-issue.top"; depth:19; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert tls [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Observed SSL/TLS Cert (Splashtop Remote Support)"; flow:from_server,established; tls.cert_subject; content:"CN=Splashtop Inc. Self CA"; nocase; fast_pattern; classtype:domain-c2; sid:2033685; rev:1; metadata:attack_target Client_and_Server, created_at 2021_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 20"; dns.query; content:"time-service.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover?"; nocase; content:"/mapi/nspi"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033682; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 21"; dns.query; content:"update.microsoftwww.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)"; flow:established,from_server; http.stat_code; content:"302"; flowbits:isset,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033683; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 22"; dns.query; content:"updatecz.mykorean.net"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023989; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"sk="; startswith; fast_pattern; content:"&cs="; distance:0; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033686; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 23"; dns.query; content:"uriupdate.newsbs.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023990; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M2"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"gs="; startswith; content:"&sk="; distance:0; fast_pattern; content:"&di="; distance:0; content:"&t="; distance:0; content:"&st="; distance:0; content:"&dt="; distance:0; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033687; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 24"; dns.query; content:"wwgooglewww.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M3"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"s="; startswith; content:"&gfu="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033688; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 25"; dns.query; content:"www.microsoftwww.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M4"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"s="; startswith; content:"&gd="; distance:0; content:"&v=5"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033689; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 26"; dns.query; content:"wwwgooglewww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023993; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"mariamistado.com"; nocase; bsize:16; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 27"; dns.query; content:"zy.xssr.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023994; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"arctiusa.com"; nocase; bsize:12; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FakeM SSL DNS Lookup (islamhood .net)"; dns.query; content:"islamhood.net"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2024005; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, malware_family FakeM_SSL, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"onecoloradosport.com"; nocase; bsize:20; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com)"; dns.query; content:"63ghdye17.com"; depth:13; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020839; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_03, deployment Perimeter, former_category POLICY, malware_family TeslaCrypt, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"fivefkl.com"; nocase; bsize:11; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (2kjb7.net)"; dns.query; content:"2kjb7.net"; depth:9; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024105; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category POLICY, malware_family TeslaCrypt, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"amusient.com"; nocase; bsize:12; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1e100 .tech)"; dns.query; content:"1e100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024143; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"fondfbr.com"; nocase; bsize:11; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1m100 .tech)"; dns.query; content:"1m100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024144; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OneDrive Phishing Landing Page 2021-08-09"; flow:established,from_server; file.data; content:"<title>|0d 0a 09|Files - OneDrive|0d 0a|</title>"; fast_pattern; content:"<form method|3d 22|post|22|"; distance:0; content:"action|3d 22|link.php|22|"; distance:0; reference:url,app.any.run/tasks/7d82fceb-ac0f-452a-9b37-4c87478f2df6; classtype:social-engineering; sid:2033696; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ads-youtube .online)"; dns.query; content:"ads-youtube.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024145; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Zimbra Phishing Landing Page 2021-08-09"; flow:established,from_server; file.data; content:"<title>Zimbra Web Client Sign In</title>"; content:"<form method|3d 22|post|22|"; distance:0; content:"name|3d 22|loginForm|22|"; distance:0; content:"action|3d 22|mll.php|22|"; distance:0; fast_pattern; content:"accept-charset|3d 22|UTF-8|22|"; reference:url,app.any.run/tasks/bda22930-0bfb-4ccd-b5c4-26f526b8cba7; classtype:social-engineering; sid:2033697; rev:1; metadata:created_at 2021_08_09, former_category PHISHING, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (akamaitechnology .com)"; dns.query; content:"akamaitechnology.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024146; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Sharepoint Resource Infection"; flow:established,to_client; http.response_line; content:"HTTP/1.1|20|409|20|CONFLICT"; http.header; content:"|0d 0a|x-virus-infected|3a 20|"; content:"-location|3a 20|"; distance:0; reference:url,docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-wsshp/ba4ee7a8-704c-4e9c-ab14-fa44c574bdf4; classtype:bad-unknown; sid:2033698; rev:1; metadata:attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (alkamaihd .net)"; dns.query; content:"alkamaihd.net"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024147; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yuxicu.com"; bsize:10; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt; classtype:domain-c2; sid:2033699; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (azurewebsites .tech)"; dns.query; content:"azurewebsites.tech"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024148; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gojihu.com"; bsize:10; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt; classtype:domain-c2; sid:2033700; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (broadcast-microsoft .tech)"; dns.query; content:"broadcast-microsoft.tech"; depth:24; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024149; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TeamTNT Linux Miner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s3f715/"; startswith; http.host; content:"oracle.htxreceive.top"; fast_pattern; bsize:21; reference:url,blog.netlab.360.com/wei-xie-kuai-xun-teamtntxin-huo-dong-tong-guo-gan-ran-wang-ye-wen-jian-ti-gao-chuan-bo-neng-li/; classtype:trojan-activity; sid:2033702; rev:1; metadata:attack_target Linux_Unix, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (chromeupdates .online)"; dns.query; content:"chromeupdates.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024150; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Campo Loader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/campo/"; startswith; fast_pattern; pcre:"/^[a-z](?:[0-9])?\/[a-z](?:[0-9]?)$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/; reference:md5,c865db24e6a0ca317424eb1c1543426e; reference:md5,dd6c4275c1b7b761b6f96a7e1e2f3607; classtype:trojan-activity; sid:2032352; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (cloudmicrosoft .net)"; dns.query; content:"cloudmicrosoft.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024151; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Injects)"; flow:established,to_client; tls.cert_subject; content:"inbizintesansanpaolo.com"; bsize:24; fast_pattern; classtype:domain-c2; sid:2033703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (dnsserv .host)"; dns.query; content:"dnsserv.host"; depth:12; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024152; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Malicious VBS Script Activity"; flow:established,to_server; http.uri; content:"/user/get/"; startswith; fast_pattern; http.user_agent; content:"Microsoft BITS/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blog.group-ib.com/prometheus-tds; classtype:trojan-activity; sid:2033704; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (elasticbeanstalk .tech)"; dns.query; content:"elasticbeanstalk.tech"; depth:21; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024153; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IIStealer CnC Domain in DNS Lookup (xinxx .allsoulu .com)"; dns.query; content:"xinxx.allsoulu.com"; nocase; bsize:18; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; reference:url,www.welivesecurity.com/2021/08/06/iistealer-server-side-threat-ecommerce-transactions/; classtype:command-and-control; sid:2033705; rev:1; metadata:attack_target Web_Server, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (fdgdsg .xyz)"; dns.query; content:"fdgdsg.xyz"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024154; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIStealer Inbound Exfil Request"; flow:established,to_server; http.uri; content:"/privacy.aspx"; bsize:13; http.header; content:"|0d 0a|X-IIS-Data|3a 20|"; fast_pattern; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; classtype:trojan-activity; sid:2033706; rev:1; metadata:attack_target Server, created_at 2021_08_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .net)"; dns.query; content:"jguery.net"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024155; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIStealer Inbound Exfil Request M2"; flow:established,to_server; http.uri; content:"/checkout/Payment.aspx"; bsize:22; http.header; content:"|0d 0a|X-IIS-Data|3a 20|"; fast_pattern; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; classtype:trojan-activity; sid:2033707; rev:1; metadata:attack_target Server, created_at 2021_08_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .online)"; dns.query; content:"jguery.online"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024156; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown DPRK Threat Actor Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccom"; startswith; pcre:"/^(?:[1-3]?)\/download\.php\?filename=ccom/R"; http.host; content:".atwebpages.com"; endswith; reference:url,asec.ahnlab.com/ko/26183; reference:md5,833794f663ddecd3533c661c9ac5fef6; reference:md5,857a0eb7dcd9c63f4474a069012a3389; classtype:trojan-activity; sid:2033708; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-ds .com)"; dns.query; content:"microsoft-ds.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024157; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,github.com/greenbone/openvas-scanner/blob/622e205327ea374d1ccbb3b0e8dcb3fe5c1bb87d/nasl/nasl_http.c#L120; classtype:bad-unknown; sid:2033101; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-security .host)"; dns.query; content:"microsoft-security.host"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024158; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAdmin Activity"; flow:established,to_server; http.uri; content:"install|3f|"; nocase; content:"country|3d|"; nocase; http.user_agent; content:"Tightrope Bundle Manager"; nocase; http.header_names; content:"|0d 0a|x|2d|webinstallcode|0d 0a|"; nocase; content:"|0d 0a|x|2d|exename|0d 0a|"; nocase; content:"|0d 0a|x|2d|webinstallurl|0d 0a|"; nocase; threshold: type limit, track by_src, seconds 180, count 1; reference:md5,36d8c484882c961b2f351bb4c73536e1; classtype:trojan-activity; sid:2033709; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (nameserver .win)"; dns.query; content:"nameserver.win"; depth:14; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024159; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Outbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,github.com/greenbone/openvas-scanner/blob/622e205327ea374d1ccbb3b0e8dcb3fe5c1bb87d/nasl/nasl_http.c#L120; classtype:bad-unknown; sid:2033102; rev:2; metadata:created_at 2021_06_07, former_category ATTACK_RESPONSE, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (newsfeeds-microsoft .press)"; dns.query; content:"newsfeeds-microsoft.press"; depth:25; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024160; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http any any -> any any (msg:"ET MALWARE Suspected Praying Mantis Threat Actor Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0+(Windows+NT+10.0|3b|+WOW64|3b|+Trident/7.0|3b|+rv|3a|11.0)+like+Gecko"; bsize:69; fast_pattern; reference:url,f.hubspotusercontent30.net/hubfs/8776530/TG1021%20-%20Praying%20Mantis%20Threat%20Actor.pdf; classtype:trojan-activity; sid:2033710; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (owa-microsoft .online)"; dns.query; content:"owa-microsoft.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024161; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:"ET EXPLOIT Possible Microsoft Exchange RCE with Python PSRP Client UA Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover/autodiscover.json?"; http.user_agent; content:"Python|20|PSRP|20|Client"; fast_pattern; reference:cve,2021-34473; classtype:attempted-admin; sid:2033712; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (primeminister-goverment-techcenter .tech)"; dns.query; content:"primeminister-goverment-techcenter.tech"; depth:39; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024162; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M1 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<s"; content:"SerializedSecurityContext>"; distance:0; content:"Message>"; distance:0; content:"Attachments>"; distance:0; content:"Content>"; distance:0; content:"|60 c2 ac c2 aa|"; distance:0; within:200; reference:cve,2021-34473; classtype:attempted-admin; sid:2033684; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (qoldenlines .net)"; dns.query; content:"qoldenlines.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024163; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (msresearchcenter .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"msresearchcenter.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033714; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_08_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (sharepoint-microsoft .co)"; dns.query; content:"sharepoint-microsoft.co"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024164; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Server Response"; flow:established,to_client; dsize:10; content:"|7e 62 6c 61 63 6b 20 68 61 74|"; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; classtype:command-and-control; sid:2033715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_08_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ssl-gstatic .online)"; dns.query; content:"ssl-gstatic.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024165; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Chinese Threat Actor Malicious Redirect Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/public/"; startswith; fast_pattern; pcre:"/^x?\/jquery\.min\.js\?ver=[0-9a-f]{24}$/R"; http.referer; content:"/s/02B"; pcre:"/^[a-z]$/R"; reference:url,imp0rtp3.wordpress.com/2021/08/12/tetris/; classtype:trojan-activity; sid:2033720; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (trendmicro .tech)"; dns.query; content:"trendmicro.tech"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024166; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown Chinese Threat Actor CnC Domain in DNS Lookup"; dns.query; content:"googledrivers.com"; nocase; bsize:17; reference:url,imp0rtp3.wordpress.com/2021/08/12/tetris/; classtype:domain-c2; sid:2033721; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns.query; content:"ntp.gtpnet.ir"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024244; rev:5; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (office360-expert .online)"; dns.query; content:"office360-expert.online"; nocase; bsize:23; reference:md5,fbc037e68f5988df9190cdadf7424752; reference:url,twitter.com/NinjaOperator/status/1354526362627936258; classtype:domain-c2; sid:2033722; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla Snake OSX DNS Lookup (car-service .effers.com)"; dns.query; content:"car-service.effers.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/; classtype:targeted-activity; sid:2024271; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family Snake, performance_impact Low, signature_severity Critical, tag APT, tag RUAPT, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sell/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:md5,fbc037e68f5988df9190cdadf7424752; reference:url,twitter.com/NinjaOperator/status/1354526362627936258; classtype:trojan-activity; sid:2033723; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.B DNS Lookup"; dns.query; content:"handbrake.biz"; depth:13; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x1D.html; classtype:trojan-activity; sid:2024284; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family OSX_Proton, performance_impact Low, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (ntc-pk .sytes .net)"; dns.query; content:"ntc-pk.sytes.net"; nocase; bsize:16; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; reference:md5,dc7044f273b0a161279ddce8c5dff0a7; classtype:domain-c2; sid:2033724; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla SHIRIME DNS Lookup"; dns.query; content:"tnsc.webredirect.org"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; classtype:targeted-activity; sid:2024286; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family SHIRIME, performance_impact Low, tag APT, tag 0day, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-48 Related Activity Retrieving ConsoleHost (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Index-out/"; startswith; content:"/raw/main/ConsoleHost"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.host; content:"github.com"; bsize:10; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; reference:md5,2d8a0bd2b45683d9c00d7e1cb0999e3a; classtype:trojan-activity; sid:2033725; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (fkksjobnn43 . org)"; dns.query; content:"fkksjobnn43.org"; depth:15; fast_pattern; endswith; nocase; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024289; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (nitb .pk-gov .org)"; dns.query; content:"nitb.pk-gov.org"; nocase; bsize:15; reference:md5,1255eb3e81ec17d030da6884e0d3c724; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; classtype:domain-c2; sid:2033726; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"check.paidprefund.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024330; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to IP Lookup Domain (me .shodan .io)"; dns.query; content:"me.shodan.io"; nocase; bsize:12; classtype:policy-violation; sid:2033729; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"syn.timeizu.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024331; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Vultr Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/grpc.Rpc/Registration"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"grpc-java-okhttp/"; http.header_names; content:!"Referer|3a 20|"; reference:url,www.threatfabric.com/blogs/vultur-v-for-vnc.html; classtype:command-and-control; sid:2033730; rev:2; metadata:attack_target Mobile_Client, created_at 2021_08_13, former_category MOBILE_MALWARE, updated_at 2021_08_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"blog.docksugs.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024332; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCRat/Gh0st CnC Beacon Request (Xfire variant)"; flow:established,to_server; stream_size:server,=,1; content:"|58 66 69 72 65|"; startswith; content:!"|00 00|"; within:2; content:"|00 00|"; distance:2; within:2; content:!"|00 00|"; within:2; content:"|00 00|"; distance:2; within:2; byte_jump:4,5,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:md5,7a55388f877ce40d2abf72ea5ee2a6b8; classtype:command-and-control; sid:2033731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"news.lightpress.info"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024333; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Agent.OMP Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.request_body; content:"pc="; startswith; content:"&g-passwds="; fast_pattern; distance:0; reference:md5,61f9fc4c3fe06dca2fcaa678144bb59a; classtype:command-and-control; sid:2033732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"mobile.pagmobiles.info"; depth:22; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024334; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"sparrowsgroup.org"; nocase; bsize:17; classtype:domain-c2; sid:2035799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (orhangazitur . com)"; dns.query; content:"orhangazitur.com"; depth:16; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024339; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"electroboard.net"; nocase; bsize:16; classtype:domain-c2; sid:2035800; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT SUSPICIOUS DNS Request for Grey Advertising Often Leading to EK"; dns.query; content:"roughted.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024349; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"exprogroup.org"; nocase; bsize:14; classtype:domain-c2; sid:2035801; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (secure-access10 .mx)"; dns.query; content:"secure-access10.mx"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024405; rev:5; metadata:created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"elecresearch.org"; nocase; bsize:16; classtype:domain-c2; sid:2035802; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (network190 .com)"; dns.query; content:"network190.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024406; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig ajaxArchiveFiles.php Command Injection Inbound (CVE-2019-19509)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; fast_pattern; http.uri.raw; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; pcre:"/^%(?:3B|0A|26|60|7C|24)/Ri"; reference:url,www.exploit-db.com/exploits/47982; reference:cve,2019-19509; classtype:attempted-admin; sid:2033424; rev:3; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_19509, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_08_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mymensaje-sms .com)"; dns.query; content:"mymensaje-sms.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024407; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache SkyWalking GraphQL SQL Injection Inbound (CVE-2020-13921)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/graphql"; fast_pattern; http.request_body; content:"|7b 22|query"; nocase; startswith; content:"|27 29|"; pcre:"/^\s?.{0,100}(?:SELECT|UNION|CHAR|LONGVARCHAR|SCHEMA|FROM|WHERE|IFNULL|INSERT|UPDATE)/R"; reference:url,blog.csdn.net/caiqiiqi/article/details/107857173; reference:cve,2020-13921; classtype:attempted-admin; sid:2033403; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_13921, updated_at 2021_08_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smscentro .com)"; dns.query; content:"smscentro.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024408; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9uDQoNCiAgIEhvc3QgTmFtZSAuI"; classtype:bad-unknown; sid:2033734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ideas-telcel .com.mx)"; dns.query; content:"ideas-telcel.com.mx"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024409; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aW5kb3dzIElQIENvbmZpZ3VyYXRpb24NCg0KICAgSG9zdCBOYW1lIC4g"; classtype:bad-unknown; sid:2033735; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (twiitter .com.mx)"; dns.query; content:"twiitter.com.mx"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024410; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvbg0KDQogICBIb3N0IE5hbWUgLi"; classtype:bad-unknown; sid:2033736; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (resume .immigrantlol .com)"; dns.query; content:"resume.immigrantlol.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024458; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 65535 (msg:"ET MALWARE DarkWay Client Checkin"; flow:established,to_server; content:"|1f 8b 08 00 00 00 00 00 04 00|"; startswith; fast_pattern; content:"|00 00|"; endswith; reference:md5,afe88d8042a796816c8a7251a6e2fddc; reference:md5,bf95d7062c1c7df67ce9fff64a213cf2; reference:url,twitter.com/_jsoo_/status/1423975922164633601; classtype:command-and-control; sid:2033737; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (job .yoyakuweb .technology)"; dns.query; content:"job.yoyakuweb.technology"; depth:24; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024457; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING NOP Sled in HTTP URI Inbound - Possible Exploit Activity"; flow:established,to_server; http.uri.raw; content:"|90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern; classtype:bad-unknown; sid:2033431; rev:3; metadata:created_at 2021_07_26, former_category HUNTING, updated_at 2021_08_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (vps2java .securitytactics .com)"; dns.query; content:"vps2java.securitytactics.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024456; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M1 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|60|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:attempted-admin; sid:2033738; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (macos .exoticlol .com)"; dns.query; content:"macos.exoticlol.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024459; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLUELIGHT Payload Domain (storage .jquery .services in TLS SNI)"; flow:established,to_server; tls.sni; content:"storage.jquery.services"; bsize:23; fast_pattern; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:domain-c2; sid:2033739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, signature_severity Major, updated_at 2021_08_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (css .google-statics .com)"; dns.query; content:"css.google-statics.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024460; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BLUELIGHT OAuth Login Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth20_token.srf"; bsize:18; nocase; http.request_body; content:"client_id=b893cacd-9d41-4457-9e7d-47081a065095&client_secret=KT_onD~A9uRpIyjzoL_O1w3pDZ~1Zz488C"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,0b649bc5dbbf21801c21aaa5e5f79fc6; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:trojan-activity; sid:2033740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BLUELIGHT, signature_severity Major, updated_at 2021_08_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Fenrir Ransomware CnC Domain"; dns.query; content:"fenrir-ransomware.000webhostapp.com"; depth:35; nocase; endswith; fast_pattern; reference:md5,a5ecf27bfab7fbb1ace3ec9a390b23bd; classtype:command-and-control; sid:2024467; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Fenrir, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BLUELIGHT OAuth Login Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth20_token.srf"; bsize:18; nocase; http.header; content:"|0d 0a|User-Agent|3a 20|Myapp|0d 0a|"; fast_pattern; http.request_body; content:"client_id="; startswith; content:"&client_secret="; distance:36; within:15; content:"&refresh_token="; distance:0; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,0b649bc5dbbf21801c21aaa5e5f79fc6; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:trojan-activity; sid:2033741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, former_category MALWARE, malware_family BLUELIGHT, signature_severity Major, updated_at 2021_08_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpres.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024472; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M2 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|24|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:bad-unknown; sid:2033742; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024473; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.DNL CnC Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|TaskResult|22|"; content:"|22|Date|22|"; content:"|22|owner|22|"; fast_pattern; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:command-and-control; sid:2033743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.org"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024474; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.DNL Server Response Task (whoami)"; flow:established,to_client; http.content_type; content:"application/json|3b|"; startswith; file.data; content:"|7b 22|command|22 3a 22|d2hvYW1p|22 7d|"; bsize:22; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Date|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:40; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:command-and-control; sid:2033744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpross.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024475; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded whoami in HTTP Server Response"; flow:established,to_client; file.data; content:"d2hvYW1p"; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:bad-unknown; sid:2033745; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2021_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"datalink.one"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Malgent!MSR Dropper Requesting Payload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; endswith; http.request_body; content:"4F440D71527A05240C72440216527C015109"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,4c1e57a0388a703307319d17ae5e9039; classtype:trojan-activity; sid:2033746; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"secuerserver.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024477; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Malgent!MSR User-Agent"; flow:established,to_server; http.user_agent; content:"Not a Virus Download A"; bsize:22; fast_pattern; http.header_names; content:!"Referer"; reference:md5,4c1e57a0388a703307319d17ae5e9039; classtype:trojan-activity; sid:2033747; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"vnews.hk"; depth:8; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024479; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Pulse Secure VPN Version Disclosure Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/misc/admin.cgi"; fast_pattern; classtype:attempted-recon; sid:2033749; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_08_20, former_category INFO, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (v5t5z6a55ksmt3oh)"; dns.query; content:".v5t5z6a55ksmt3oh"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024491; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/setcookie.cgi"; fast_pattern; xbits:isset,ET.2020_8260.2,track ip_src,expire 10; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033752; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (ojdue4474qghybjb)"; dns.query; content:".ojdue4474qghybjb"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024492; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger, PoC Based (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/setcookie.cgi"; fast_pattern; http.header; pcre:"/^[A-Z]{8}\x3a/m"; xbits:isset,ET.2020_8260.2,track ip_src,expire 10; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033753; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 1 (winupdate64 . com)"; dns.query; content:"winupdate64.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange ProxyLogon Activity - OABVirtualDirectory SetObject (CVE-2021-27065)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ecp/"; content:"/SetObject?"; content:"schema=OABVirtualDirectory"; fast_pattern; http.header; content:"msExchLogonMailbox|3a|"; http.request_body; content:"__type"; content:"Microsoft.Exchange.Management.ControlPanel"; distance:0; content:"ExternalUrl"; distance:0; reference:url,github.com/praetorian-inc/proxylogon-exploit/blob/main/exploit.py; reference:cve,2021-27065; classtype:attempted-admin; sid:2033754; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_27065, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; dns.query; content:"twiter.statics.info"; depth:19; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Initial Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/setTargetObject"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b|null|5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5bnull\x5d/"; xbits:set,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033755; rev:1; metadata:created_at 2021_08_20, cve CVE_2021_21985, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"cloudflare.analyse.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:targeted-activity; sid:2024497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Final Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/invoke"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b 5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5b\x5d/"; xbits:isset,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033756; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_21985, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Tunneling (microsoft-publisher . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"microsoft-publisher.com"; depth:23; nocase; endswith; fast_pattern; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024504; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category TROJAN, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; http.uri; content:".exe"; fast_pattern; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/"; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.host; content:!".bloomberg.com"; content:!"leg1.state.va.us"; content:!"7-zip.org"; content:!"virginia.gov"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:45; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022566; rev:8; metadata:created_at 2016_02_26, former_category MALWARE, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Reborn/Ovidiy Stealer CnC Domain"; dns.query; content:"stealur.info"; depth:12; nocase; endswith; fast_pattern; reference:md5,4daca05b0015efeaacebc58d007c32c4; classtype:command-and-control; sid:2024506; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_31, deployment Perimeter, former_category MALWARE, malware_family Reborn_Stealer, malware_family Ovidiy_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any ![902] -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 3"; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020019; rev:3; metadata:created_at 2014_12_23, updated_at 2021_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; dns.query; content:"updatmaster.top"; depth:15; fast_pattern; endswith; nocase; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/card_scan"; startswith; fast_pattern; content:".php"; distance:0; within:15; content:"=|60|"; reference:cve,2019-7256; classtype:attempted-admin; sid:2033757; rev:1; metadata:created_at 2021_08_22, cve CVE_2019_7256, former_category EXPLOIT, updated_at 2021_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"coffeinoffice.xyz"; depth:17; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024488; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Genexis PLATINUM 4410 Command Injection Inbound (CVE-2021-29003)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sys_config_valid.xgi?exeshell="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2021-29003; classtype:attempted-admin; sid:2033758; rev:1; metadata:attack_target Server, created_at 2021_08_22, cve CVE_2021_29003, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"french-cooking.com"; depth:18; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024487; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Target Application Command Injection Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nrdh.php?cmd"; fast_pattern; content:"="; distance:0; within:3; pcre:"/^.{0,5}(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2033759; rev:1; metadata:attack_target Server, created_at 2021_08_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac DNS Query Observed"; dns.query; content:"api.mughthesec.com"; depth:18; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2024529; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?q="; content:"o543n"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.request_body; content:"|7b 22|Data|22 3a 5b 22|"; startswith; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; content:"|22 5d 7d|"; classtype:command-and-control; sid:2033762; rev:1; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac Rogue Search Engine DNS Query Observed"; dns.query; content:"default27061330-a.akamaihd.net"; depth:30; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:2024530; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/images/"; fast_pattern; content:".gif"; distance:100; pcre:"/\/images(?:\/[a-zA-Z0-9_]+)+\.gif$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/mi"; http.user_agent; content:!"ms-office"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021813; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 1"; dns.query; content:"nylalobghyhirgh.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024588; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .magicalgirlonlive .com)"; dns.query; content:"www.magicalgirlonlive.com"; nocase; bsize:25; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033763; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 2"; dns.query; content:"ribotqtonut.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024589; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .getkiplayer .com)"; dns.query; content:"www.getkiplayer.com"; nocase; bsize:19; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033764; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 3"; dns.query; content:"jkvmdmjyfcvkf.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024590; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .supapureigemu .com)"; dns.query; content:"www.supapureigemu.com"; nocase; bsize:21; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033765; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 4"; dns.query; content:"bafyvoruzgjitwr.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024591; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .chirigame .com)"; dns.query; content:"www.chirigame.com"; nocase; bsize:17; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033766; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 5"; dns.query; content:"xmponmzmxkxkh.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024592; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FlyTrap Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/cookies"; bsize:12; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"app=FBManager&type=cookie&account="; startswith; content:"&cookies="; distance:0; content:"&deleted="; http.header_names; content:!"Referer"; reference:url,blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/; classtype:trojan-activity; sid:2033767; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_23, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 6"; dns.query; content:"tczafklirkl.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024593; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|D3|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 7"; dns.query; content:"notped.com"; depth:10; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|D4|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 8"; dns.query; content:"dnsgogle.com"; depth:12; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024595; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M3"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|BUNIFU|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033770; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 9"; dns.query; content:"operatingbox.com"; depth:16; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024596; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M4"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|EXE|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 10"; dns.query; content:"paniesx.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware CnC Checkin"; http.method; content:"POST"; http.uri; content:"|2f|key|2f|"; http.host; content:"karen|2e|"; startswith; fast_pattern; http.user_agent; content:"Go|2d|http|2d|client"; http.request_body; content:"id|3d|"; startswith; content:"|2d|"; distance:8; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|26|key|3d|"; distance:12; within:5; isdataat:!513,relative; pcre:"/id\x3d[a-z0-9]{8}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{12}\x26key\x3d[a-z0-9]{512}/"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 11"; dns.query; content:"techniciantext.com"; depth:18; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024598; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware Powershell Loader"; http.method; content:"GET"; http.uri; content:"|2f|loader|2f|loader2.ps1"; fast_pattern; http.host; content:"karen|2e|"; startswith; http.user_agent; content:"Go|2d|http|2d|client"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; dns.query; content:"axclick.store"; depth:13; fast_pattern; endswith; nocase; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_WireX, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware Domain (karen .h07 .wlh .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"karen.h07.wlh.io"; bsize:16; fast_pattern; reference:url,twitter.com/fbgwls245/status/1427610307283677186; reference:url,F155EC35D67F746593CE8CC4E64D33E5; classtype:trojan-activity; sid:2033774; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT12 THREEBYTE DNS Lookup"; dns.query; content:"bsksac.au-syd.mybluemix.net"; depth:27; nocase; endswith; fast_pattern; reference:url,blog.macnica.net/blog/2017/08/post-fb81.html; classtype:targeted-activity; sid:2024619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category MALWARE, malware_family THREEBYTE, performance_impact Low, signature_severity Major, tag APT, tag APT12, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Use-After-Free in QuickTimePluginReplacement (CVE-2021-1879)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var"; pcre:"/^\s*(?P<worker>[A-Za-z0-9_-]{1,20})\s*=\s*null\x3b.{1,300}(?P=worker)\s*=\s*document\.getElementById\([\x22\x27](?P=worker)[\x22\x27]\)\x3b.{1,300}\.addEventListener\([\x22\x27]DOMNodeInserted[\x22\x27]\s*,\s*(?P<callback0>[A-Za-z0-9_-]{1,20}).{0,300}(?P=worker)(?P<worker_ext>(\.\w{1,20})+)\s*=\s*\d+\x3b.{1,300}function\s*(?P=callback0)\([^\)]+\)\s*\{\s*.{1,300}\.requestAnimationFrame\((?P<callback>[A-Za-z0-9_-]{1,20})\)\x3b.{1,300}function\s*(?P<garbagecollector>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*.{0,100}for\s*\(let\s*(?P<gc_counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=gc_counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=gc_counter)(?:\+{2}|-{2})\s*\)\s*.{1,300}function\s*(?P=callback)\([^\)]+\)\s*\{\s*.{1,300}(?P=garbagecollector)\(\)\s*\x3b\s*.{1,300}\((?P=worker)(?P=worker_ext)\)/Rs"; content:"document.getElementById|28|"; content:".addEventListener|28 22|DOMNodeInserted"; content:"window.requestAnimationFrame"; fast_pattern; reference:cve,2021-1879; classtype:attempted-admin; sid:2033781; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2021_1879, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Lookup (msoffice-cdn . com)"; dns.query; content:"msoffice-cdn.com"; depth:16; nocase; endswith; fast_pattern; reference:md5,812d3c4fddf9bb81d507397345a29bb0; reference:url,www.clearskysec.com/ismagent/; classtype:trojan-activity; sid:2024620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InjectJsBuiltInLibraryCode Use-After-Free Inbound (CVE-2019-0568)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<opt>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*let\s*(?P<o_var>[A-Za-z0-9_-]{1,20})\s*=\s*\{\}\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=o_var)\.(?P<x_prop>[A-Za-z0-9_-]{1,20}).{1,300}for\s*\(\s*let\s*(?P<counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=counter)(?:\+{2}|-{2})\).{1,100}(?P=opt)\(\).{1,300}let\s*(?P<leaked_stack_obj>[A-Za-z0-9_-]{1,20})\s*=\s*null.{1,100}let\s*(?P<obj_proto>[A-Za-z0-9_-]{1,20})\s*=\s*\(\{\}\)\.__proto__\x3b.{1,300}(?P=obj_proto)\.__defineGetter__\([\x22\x27](?P=x_prop)[\x22\x27],\s*Error\.prototype\.toString\)\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=obj_proto)\.__defineGetter__\([\x22\x27](?P<message_proto>[A-Za-z0-9_-]{1,20})[\x22\x27].{1,300}delete\s*(?P=obj_proto)\.(?P=message_proto)\x3b.{1,300}(?P=obj_proto)\.\w+\s*=\s*Array\.prototype.{1,300}(?P=opt)/Rs"; content:"|28 7b 7d 29|.__proto__"; fast_pattern; content:"Error.prototype.toString"; reference:cve,2019-0568; classtype:attempted-admin; sid:2033775; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2019_0568, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (soligro . com)"; dns.query; content:"soligro.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024641; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; fast_pattern; http.request_body; content:"g="; startswith; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033776; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (mydreamhoroscope . com)"; dns.query; content:"mydreamhoroscope.com"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024642; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?di="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033777; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DNS Lookup (upload-dropbox .com)"; dns.query; content:"upload-dropbox.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/; classtype:trojan-activity; sid:2024658; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category TROJAN, malware_family KHRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; fast_pattern; http.request_body; content:"silly=./"; startswith; content:"&kusr="; distance:0; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033778; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4pay.com)"; dns.query; content:".tor4pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020126; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE a310Logger Stealer Exfil (SMTP)"; flow:established,to_server; content:"Subject|3a 20|Passwords:::"; fast_pattern; content:"CompName|3a 20|"; content:"Windows|20|Version|3a 20|"; content:"Url"; content:"============================="; reference:md5,3ad8fcbd4c1f1d525207679eb23f3e3c; reference:url,twitter.com/James_inthe_box/status/1407463890078691331; reference:url,app.any.run/tasks/f403243a-ee3c-4797-ba30-616c766d6005/; classtype:trojan-activity; sid:2033167; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torminater.com)"; dns.query; content:".torminater.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020133; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Clipboard Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Keylogger|3a 3a 3a|"; fast_pattern; content:"[CLIPBOARD]"; distance:0; reference:md5,5f04cfa0c174af13b9825337bfa7691f; classtype:trojan-activity; sid:2033779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.city)"; dns.query; content:".onion.city"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020430; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Data Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Data|3a 3a 3a|"; fast_pattern; content:".zip|22 0d 0a 0d 0a|UEsDB"; distance:0; reference:md5,5f04cfa0c174af13b9825337bfa7691f; classtype:trojan-activity; sid:2033780; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgate.es)"; dns.query; content:".torgate.es"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022644; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M1 (CVE-2018-8617)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<func_opt>[\w-]{1,20})\((?P<var_a>[\w-]{1,20})\s*,\s*(?P<var_b>[\w-]{1,20}).{1,300}(?:(?P=var_a)\.(?P=var_b)|(?P=var_b)\.(?P=var_a))\s*=\s*\d+\x3b\s*(?:(?P=var_a)|(?P=var_b))\.push\(\d+\)\x3b\s*(?:(?P=var_a)\.(?P=var_a)|(?P=var_b)\.(?P=var_b))\s*=\s*0x.{1,300}Object\.prototype\.push\s*=\s*Array\.prototype\.push\x3b\s*for\s*\(\s*let\s*(?P<counter>[\w-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=counter)(?:\+{2}|-{2})\).{1,300}let\s*(?:(?P=var_a)|(?P=var_b))\s*=\s*\{(?:(?P=var_a):\s*\d+\s*,\s*(?P=var_b):\s*\d+|(?:(?P=var_b):\s*\d+\s*,\s*(?P=var_a):\s*\d+))\}\x3b.{1,300}(?P=func_opt)\((?:(?P=var_a)|(?P=var_b)),\s*\{\}.{1,300}let\s*(?P<var_o>[\w-]{1,20})\s*=\s*\{(?:(?P=var_a):\s*\d+\s*,\s*(?P=var_b):\s*\d+|(?:(?P=var_b):\s*\d+\s*,\s*(?P=var_a):\s*\d+))\}.{1,300}(?P=func_opt)\((?P=var_o)/Rs"; content:"Object.prototype.push = Array.prototype.push"; fast_pattern; content:".push|28|"; reference:cve,2018-8617; classtype:attempted-admin; sid:2033782; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2018_8617, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Zloader CnC Domain Detected"; dns.query; content:".chinaandkoreacriminalaffairs"; fast_pattern; endswith; nocase; reference:md5,7a57fcc1afab791f9995fbc479fe340e; classtype:command-and-control; sid:2024680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - NewScObjectNoCtor InitProtoType Confusion Inbound (CVE-2019-0567)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<func_a>[\w-]{1,20})\((?P<obj1>[\w-]{1,20})\s*,\s*(?P<tmp_obj>[\w-]{1,20})\s*,\s*(?P<value>[\w-]{1,20})\).{1,300}(?P=obj1)\.\w+\s*=\s*\d+\.\d+\x3b\s*var\s*\w+\s*=\s*\{__proto__:\s*(?P=tmp_obj)\}\x3b\s*(?P=obj1)\.\w+\s*=\s*(?P=value)\x3b.{1,300}var\s*(?P=obj1)\s*=\s*\{\w+:\s*\d+\.\d+\s*,\s*\w+:\s*\d+\.\d+\}\x3b\s*for\s*\(\s*var\s*(?P<counter>[\w-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=counter)(?:\+{2}|-{2})\)\s*\{\s*(?P=func_a)\((?P=obj1)\s*,\s*(\x22{2}|\x27{2})\s*,\s*(\x22{2}|\x27{2})\)\x3b.{1,300}(?P=func_a)\((?P=obj1)\s*,\s*(?P=obj1)\s*,\s*\d+\.\d{8,}.{1,300}eval\((?P=obj1)\./Rs"; content:" = |7b|__proto__|3a|"; fast_pattern; content:"eval|28|"; reference:cve,2019-0567; classtype:attempted-admin; sid:2033783; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2019_0567, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"lookingpersonals.top"; depth:20; fast_pattern; endswith; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup"; dns.query; content:"update.facebookint.workers.dev"; nocase; bsize:30; reference:url,www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:domain-c2; sid:2033784; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Winnti_related, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (chromup)"; dns.query; content:"chromup.com"; depth:11; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024730; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup"; dns.query; content:"cdn.cloudfiare.workers.dev"; nocase; bsize:26; reference:url,www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:domain-c2; sid:2033785; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Winnti_related, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (securityupdated)"; dns.query; content:"securityupdated.com"; depth:19; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .microcaft .xyz)"; dns.query; content:"microsoft.microcaft.xyz"; nocase; bsize:23; reference:url,twitter.com/Timele9527/status/1430351736921681928; classtype:domain-c2; sid:2033786; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor / NanoCore CnC (microsoftupdated)"; dns.query; content:"microsoftupdated.net"; depth:20; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024733; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .com-view .space)"; dns.query; content:"microsoft.com-view.space"; nocase; bsize:24; reference:url,twitter.com/Timele9527/status/1430351736921681928; classtype:domain-c2; sid:2033787; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (syn.broadcaster)"; dns.query; content:"syn.broadcaster.rocks"; depth:21; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024734; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|BM6OAa1XCpH4x4"; fast_pattern; content:"SEnJYZXmyHhJG8JxC|0d|"; distance:1; within:18; http.header_names; content:"HTTP_X_CNT|0d|"; content:"HTTP_X_CMD|0d|"; classtype:attempted-admin; sid:2033788; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; dns.query; content:"b1k51.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|zzdibweoQxffnDEi2UKacJlEekplJ7uwrt|0d|"; fast_pattern; http.header_names; content:"HTTP_X_CNT|0d|"; content:"HTTP_X_CMD|0d|"; classtype:attempted-admin; sid:2033789; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; dns.query; content:"b1j3aas.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/licenseserverproto.cgi"; content:"serverid="; content:"csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa"; distance:0; within:35; fast_pattern; classtype:attempted-admin; sid:2033790; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; dns.query; content:"wechaatt.gdn"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni RAT Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?name="; fast_pattern; http.request_body; content:"name=|22|fileToUpload|22 3b|"; content:"Upload|20|Image|0d 0a|----"; distance:0; content:"|00 00 00 00 00 00|"; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/; classtype:command-and-control; sid:2033791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; dns.query; content:"10as05.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sinresby.B Downloader CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /?c=Public&a=get_config"; startswith; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|9|2e|0|3b 20|Windows|20|NT|20|6|2e|1|29|"; bsize:50; http.referer; content:"/?c=Public&a=get_config"; endswith; reference:md5,8049009d9675d5ac345ce96d1a7c9e67; classtype:command-and-control; sid:2033792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; dns.query; content:"ch0ck4.life"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sinresby.B Downloader CnC Activity M2"; flow:established,to_server; content:"|00 00 00 7b 22 63 67 69 22 3a 31|"; offset:1; depth:11; content:"|22|data|22 3a 7b 22|mac|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|pc|22 3a 22|"; distance:0; reference:md5,8049009d9675d5ac345ce96d1a7c9e67; classtype:command-and-control; sid:2033793; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; dns.query; content:"fatur1s.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni RAT Querying CnC for Commands"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&prefix=tt"; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/; classtype:trojan-activity; sid:2033794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; dns.query; content:"b5k31.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; content:"&user="; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"-"; offset:2; depth:1; content:"-"; distance:2; within:1; content:"-"; distance:2; within:1; content:"-"; distance:2; within:1; content:"-"; distance:1; within:1; isdataat:!2,relative; bsize:15; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:command-and-control; sid:2033795; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; dns.query; content:"erd0.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET [!25,!587] -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"649d6810e8392f63dc311eecb6b7098b"; tls.cert_subject; content:!"servicebus.windows.net"; flowbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; dns.query; content:"b1v2a5.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip,|20|deflate,|20|br|0d 0a|sec-fetch-dest|3a 20|empty|0d 0a|"; http.cookie; content:"ANID="; startswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:md5,4d9798fee3636a228dc420d338fd6f59; classtype:command-and-control; sid:2033796; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; dns.query; content:"b1502b.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (windowsupdatesc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"windowsupdatesc.com"; bsize:19; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033797; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; dns.query; content:"elsssee.gdn"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (securityupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"securityupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033798; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; dns.query; content:"kvp41.life"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (defenderupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defenderupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; dns.query; content:"servertestapi.ltd"; depth:17; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LIST)"; flow: to_server,established; tls.sni; content:"LIST-"; startswith; fast_pattern; pcre:"/^LIST-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; dns.query; content:"taxii.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LS)"; flow: to_server,established; tls.sni; content:"LS-"; startswith; fast_pattern; pcre:"/^LS-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033801; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; dns.query; content:"p0w3r.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (SIZE)"; flow: to_server,established; tls.sni; content:"SIZE-"; startswith; fast_pattern; pcre:"/^SIZE-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; dns.query; content:"4r3a.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LD)"; flow: to_server,established; tls.sni; content:"LD-"; startswith; fast_pattern; pcre:"/^LD-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (googlmail)"; threshold: type both, track by_src, count 1, seconds 5; dns.query; content:"googlmail.net"; depth:13; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CB)"; flow: to_server,established; tls.sni; content:"CB-"; startswith; fast_pattern; pcre:"/^CB-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS request for Monero mining pool"; dns.query; content:"pool.minexmr.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2017_09_monero_malware.txt; reference:url,www.welivesecurity.com/2017/09/28/monero-money-mining-malware/; classtype:trojan-activity; sid:2024789; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CD)"; flow: to_server,established; tls.sni; content:"CD-"; startswith; fast_pattern; pcre:"/^CD-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 1"; dns.query; content:"download.ns360.info"; depth:19; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EX)"; flow: to_server,established; tls.sni; content:"EX-"; startswith; fast_pattern; pcre:"/^EX-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 2"; dns.query; content:"update.craftx.biz"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (ALIVE)"; flow: to_server,established; tls.sni; content:"ALIVE-"; startswith; fast_pattern; pcre:"/^ALIVE-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033807; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 3"; dns.query; content:"mozilla.tftpd.net"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EXIT)"; flow: to_server,established; tls.sni; content:"EXIT-"; startswith; fast_pattern; pcre:"/^EXIT-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033808; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 4"; dns.query; content:"checkupdates.flashserv.net"; depth:26; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (finito)"; flow: to_server,established; tls.sni; content:"finito-"; startswith; fast_pattern; pcre:"/^finito-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; dns.query; content:"secure.netsolhost.com"; depth:21; nocase; endswith; fast_pattern; classtype:social-engineering; sid:2022136; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Default CobaltStrike SSL Certificate"; flow:established,to_client; tls.cert_issuer; content:"C=Earth"; nocase; content:"ST=Cyberspace"; nocase; content:"L=Somewhere"; nocase; content:"O=cobaltstrike"; nocase; content:"OU=AdvancedPenTesting"; nocase; content:"CN=Major Cobalt Strike"; nocase; fast_pattern; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:trojan-activity; sid:2030111; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"ssrsec.com"; depth:10; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024854; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.cookie; content:"wordpress_"; startswith; fast_pattern; pcre:"/^(?:[a-f0-9]{32})=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; reference:md5,926ecee0190a5211a9670f369007ec3a; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:command-and-control; sid:2033810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"sqlmapff.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024856; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdn .net)"; dns.query; content:"api-cdn.net"; nocase; bsize:11; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"outerlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024858; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (git-api .com)"; dns.query; content:"git-api.com"; nocase; bsize:11; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033812; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"microsoftsec.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024860; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdnw5 .net)"; dns.query; content:"api-cdnw5.net"; nocase; bsize:13; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033813; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"martianlol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024862; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type=text"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,db7ffa8d3fa480e489c9062b18067f36; classtype:command-and-control; sid:2033814; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"dnslog.mobi"; depth:11; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024865; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Click and Removal of Download Element"; flow:established, to_client; http.stat_code; content:"200"; file.data; content:"e|2e|setAttribute|28 22|download|22 2c 22 22 29|"; fast_pattern; content:"e|2e|click|28 29 2c|e|2e|remove|28 29|"; distance:0;  reference:url,www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033816; rev:1; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"alienlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024867; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"onedrivelive.me"; nocase; bsize:15; classtype:domain-c2; sid:2035796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"yoyakuweb.technology"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024869; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"librarycollection.org"; nocase; bsize:21; classtype:domain-c2; sid:2035797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"exoticlol.com"; depth:13; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024870; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Displays malicious download page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|22 26|gt|3b 26|lt|3b|div|26|gt|3b 26|lt|3b|h1|26|gt|3b|Your|20|download|20|will|20|start|20|shortly|2e 26|lt|3b 2f|h1|26|gt|3b 26|lt|3b|p|26|gt|3b|If|20|your|20|download|20|does|20|not|20|start|2c 20|please|20 26|lt|3b|a|20|href|3d 22|"; fast_pattern; reference:url,www,bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033815; rev:2; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2021_08_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-statics .com)"; dns.query; content:"google-statics.com"; depth:18; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024871; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (ywbgrcrupasdiqxknwgceatlnbvmezti .com)"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033822; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-searching .com)"; dns.query; content:"google-searching.com"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024872; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Prestashop Orderfiles Module Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; startswith; nocase; content:"module=orderfiles"; nocase; content:"controller=filesmanager"; nocase; fast_pattern; http.request_body; content:"addfile"; nocase; content:"file|5b|"; nocase; classtype:attempted-admin; sid:2033826; rev:1; metadata:attack_target Server, created_at 2021_08_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"awsstatics.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024873; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Prestashop Supercheckout Module Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; startswith; nocase; content:"module=supercheckout"; nocase; content:"controller=supercheckout"; nocase; content:"method=SaveFilesCustomField"; nocase; fast_pattern; http.request_body; content:"custom_fields|5b|"; nocase; classtype:attempted-admin; sid:2033827; rev:1; metadata:attack_target Server, created_at 2021_08_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"immigrantlol.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024874; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (pdjwebrfgdyzljmwtxcoyomapxtzchvn .com)"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033828; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M1"; dns.query; content:"hl852.com"; depth:9; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024921; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (etzndtcvqvyxajpcgwkzsoweaubilflh .com)"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033831; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M2"; dns.query; content:"hl859.com"; depth:9; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024922; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/br.ico"; fast_pattern; http.header; content:"Connection|3a 20|Close|0d 0a|"; http.user_agent; content:"Mozilla/5.0|20|(iPhone|3b 20|CPU|20|iPhone|20|OS|20|12_0|20|like Mac|20|OS|20|X)|20|AppleWebKit/605.1.15|20|(KHTML,|20|like|20|Gecko)|20|Version/12.0"; bsize:108; http.header_names; content:!"Referer"; http.accept; content:"image/*"; bsize:7; reference:md5,efcf2797aaa1ff0bb8914aba8e3a5e15; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033820; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M3"; dns.query; content:"hi8520.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024923; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/fam_newspaper.ico"; fast_pattern; http.header; content:"Connection|3a 20|Close|0d 0a|"; http.user_agent; content:"Mozilla/5.0|20|(Linux|3b 20|Android|20|7.0|3b 20|Pixel|20|C|20|Build/NRD90M|3b 20|wv)|20|AppleWebKit/537.36|20|(KHTML,|20|like|20|Gecko)|20|Version/4.0"; bsize:109; http.header_names; content:!"Referer"; reference:md5,3dd7eb4707c960948f24367ecd652971; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033821; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (myhomemusic. com)"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023022; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, former_category TROJAN, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Document Stealer Exfil"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|nnnnnnnmmmmmmmmmmmeeeee|0d 0a|"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header; content:"__IIIIMMMMM|0d 0a|"; fast_pattern; reference:md5,8df25eee669d222ab9e002ac7d81228f; classtype:trojan-activity; sid:2033818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:command-and-control; sid:2022842; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenCBL.XS CnC Activity"; flow:established,to_server; content:"|30 32 bc|"; startswith; content:"|bc 4d 4a 56 3a 20|"; distance:0; content:"|20 31 20 2d 20 42 75 69 6c 64 20 3a 20|"; distance:0; fast_pattern; reference:md5,9dfd2f831b3672dc0c50b98550d3aa06; classtype:command-and-control; sid:2033819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious e5b57288.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"e5b57288.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023229; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (esnoptdkkiirzewlpgmccbwuynvxjumf .name)"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033832; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 33db9538.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"33db9538.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023227; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name)"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033829; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 9507c4e8.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"9507c4e8.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023228; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (hkxpqdtgsucylodaejmzmtnkpfvojabe .com)"; dns.query; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; bsize:36; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033830; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 54dfa1cb.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"54dfa1cb.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023230; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (ruciplbrxwjscyhtapvlfskoqqgnxevw .name)"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033825; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; dns.query; content:"inter-ctrip.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.forcepoint.com/blog/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (yhgrffndvzbtoilmundkmvbaxrjtqsew .com)"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; bsize:36; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033823; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Lookup of Malware Domain twothousands.cm Likely Infection"; dns.query; content:"twothousands.cm"; depth:15; fast_pattern; endswith; nocase; classtype:pup-activity; sid:2012176; rev:6; metadata:created_at 2011_01_12, former_category ADWARE_PUP, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (wcmbqxzeuopnvyfmhkstaretfciywdrl .name)"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033824; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; dns.query; content:"startupfraction.com"; depth:19; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024722; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Cobalt Strike Beacon Activity (DNS)"; threshold: type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderupdateav.com"; endswith; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033817; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (search.feedvertizus)"; dns.query; content:"search.feedvertizus.com"; depth:23; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/44Caliber Stealer Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"44CALIBER|20|MODIFIED|20|BY"; nocase; fast_pattern; content:"Build|3a 20|"; distance:0; content:"PC|3a 20|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1431366451231801346; reference:url,app.any.run/tasks/366ad91a-2b9d-4ca0-8e1d-269f61558aa6/; reference:md5,32595ac79386e97e05f876c5dd2ab874; classtype:command-and-control; sid:2033833; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (opurie)"; dns.query; content:"opurie.com"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024725; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange - Information Disclosure flowbit set (CVE-2021-33766)"; flow:established,to_server; http.uri; content:"/ecp/"; nocase; fast_pattern; http.cookie; content:"SecurityToken="; flowbits:set,ET.proxytoken; reference:cve,2021-33766; classtype:attempted-admin; sid:2033834; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_33766, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query Targeted Tibetan Android Malware C2 Domain"; dns.query; content:"android.uyghur.dnsd.me"; depth:22; nocase; fast_pattern; endswith; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:command-and-control; sid:2016711; rev:7; metadata:created_at 2013_04_03, former_category MOBILE_MALWARE, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange - InboxRules.svc Access Observed Following Successful ProxyToken Attack"; flow:established,to_server; http.uri; content:"/ecp/"; nocase; content:"RulesEditor/InboxRules.svc/"; fast_pattern; content:"?msExchEcpCanary="; xbits:isset,ET.proxytoken.500,track ip_src,expire 30; classtype:attempted-admin; sid:2033836; rev:1; metadata:attack_target Server, created_at 2021_08_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; dns.query; content:"asrgd-uz"; fast_pattern; depth:8; content:".weedns.com"; nocase; distance:0; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formRebootCheck/formWsc Stack Buffer Overflow Inbound (CVE-2021-35392)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/"; pcre:"/^form(RebootCheck|Wsc)$/R"; http.request_body; content:"submit-url="; fast_pattern; isdataat:2000,relative; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35392; classtype:attempted-user; sid:2033837; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35392, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; dns.query; content:"sx4-ws42"; fast_pattern; depth:8; content:".yi.org"; nocase; distance:0; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formStaticDHCP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formStaticDHCP"; endswith; fast_pattern; http.request_body; content:"hostname="; pcre:"/^[^&]{42,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033841; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; distance:0; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlanMultipleAP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlanMultipleAP"; endswith; fast_pattern; http.request_body; content:"submit-url="; pcre:"/^[^&]{512,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033842; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a .tk domain - Likely Hostile"; dns.query; content:".tk"; fast_pattern; nocase; endswith; content:!"www.google.tk"; classtype:bad-unknown; sid:2012811; rev:7; metadata:created_at 2011_05_15, former_category DNS, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.uri; content:"/upnp/"; http.header; content:"Callback|3a 20 3c|http"; fast_pattern; pcre:"/^Callback\x3a\x20\x3chttp[^\x3a]+\x3a\d{1,5}[^\/]/Hmi"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033843; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; dns.query; content:".29a.de"; nocase; fast_pattern; endswith; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.29a\.de$/"; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:5; metadata:created_at 2015_07_15, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033845; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Maldoc CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/software-protection/app.php"; startswith; fast_pattern; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:url,blog.telsy.com/zebrocy-dropbox-remote-injection/; classtype:targeted-activity; sid:2027939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%22%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033846; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http.request_body; content:"{|22|device_id|22 3a 22|"; depth:14; fast_pattern; http.accept_lang; content:"zh-CN"; depth:5; endswith; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%27%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033847; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".serveo.net"; nocase; endswith; classtype:policy-violation; sid:2027942; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=|22 3e 3c|script|3e|"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033848; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".pagekite.net"; nocase; endswith; classtype:policy-violation; sid:2027943; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Microsoft Exchange - Successful msExchEcpCanary Disclosure (CVE-2021-33766)"; flow:established,from_server; http.stat_code; content:"500"; http.cookie; content:"msExchEcpCanary="; fast_pattern; flowbits:isset,ET.proxytoken; flowbits:unset,ET.proxytoken; xbits:set,ET.proxytoken.500,track ip_src,expire 30; reference:cve,2021-33766; classtype:attempted-admin; sid:2033835; rev:2; metadata:created_at 2021_08_30, cve CVE_2021_33766, former_category EXPLOIT, updated_at 2021_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Laturo Stealer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.header; content:"Os|3a 20|WIN_"; nocase; fast_pattern; content:"Hwid|3a 20|"; nocase; content:"Elevated|3a 20|"; nocase; content:"Arch|3a 20|"; nocase; content:"Special|3a 20|"; nocase; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,06a1eaa62d8de97aec8a151f2ca6569b; classtype:command-and-control; sid:2027944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, malware_family Laturo, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlSiteSurvey Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlSiteSurvey"; fast_pattern; endswith; http.request_body; content:"ifname="; pcre:"/^[^&]{90,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033838; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:policy-violation; sid:2027671; rev:5; metadata:created_at 2019_07_03, former_category POLICY, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; endswith; http.request_body; content:"sysCmd="; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033839; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"venoxcontrol.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Injection Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWsc"; fast_pattern; endswith; http.request_body; content:"peerPin="; content:"|3b|"; distance:0; within:50; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033840; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"okonewacon.com"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Shellcode Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shellcode/"; fast_pattern; startswith; content:".txt"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"python-requests/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8f21b629ef0aa2558962644a4a1605ca; classtype:bad-unknown; sid:2033844; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"bigtext.club"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WebSVN 2.6.0 OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|"; fast_pattern; reference:cve,2021-32305; classtype:attempted-admin; sid:2033849; rev:1; metadata:attack_target Server, created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"blackempirebuild.com"; nocase; depth:20; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027949; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M1"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"r|00|u|00|n|00|C|00|o|00|m|00|m|00|a|00|n|00|d"; fast_pattern; classtype:attempted-admin; sid:2033850; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"clubhouse.site"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027950; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M1"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"runCommand"; fast_pattern; classtype:attempted-admin; sid:2033851; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"nxtfdata.xyz"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027951; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M2"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"g|00|e|00|t|00|R|00|u|00|n|00|t|00|i|00|m|00|e"; fast_pattern; classtype:attempted-admin; sid:2033852; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"lienews.world"; nocase; depth:13; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027952; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M2"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"getRuntime"; fast_pattern; classtype:attempted-admin; sid:2033853; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"phonemus.net"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027953; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".|00|e|00|x|00|e|00|c|00 28|"; fast_pattern; classtype:attempted-admin; sid:2033854; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"takebad1.com"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".exec|28|"; fast_pattern; classtype:attempted-admin; sid:2033855; rev:1; metadata:created_at 2021_08_31, former_category EXPLOIT, updated_at 2021_08_31;)
 
-alert http any any -> any any (msg:"ET MALWARE HTTP Request for Possible ELF/LiLocked Ransomware Note"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"README.lilocked"; fast_pattern; endswith; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027967; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category TROJAN, malware_family LiLocked, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:command-and-control; sid:2020780; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Generic Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/start_cache1.php"; fast_pattern; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027969; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:command-and-control; sid:2020770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"r=register_shutdown_function"; startswith; fast_pattern; content:"&d="; distance:0; content:"&s="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027970; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:command-and-control; sid:2020773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/svchost.exe"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2016696; rev:16; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9f/s"; content:!"POST /"; content:!"microsoft.com"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:command-and-control; sid:2020786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious explorer.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/explorer.exe"; nocase; endswith; fast_pattern; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:16; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xc3\x70/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:command-and-control; sid:2019083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious winlogin.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/winlogon.exe"; nocase; endswith; fast_pattern; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:16; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:command-and-control; sid:2020789; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious services.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/services.exe"; nocase; endswith; fast_pattern; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:16; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:established,to_server; stream_size:server,<,5; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; fast_pattern; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017916; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious smss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/smss.exe"; nocase; endswith; fast_pattern; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:15; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2018880; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious csrss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/csrss.exe"; nocase; fast_pattern; endswith; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:15; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9b|"; offset:8; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,52849773bc0d08eb9dfcb0df2b7caf33; classtype:command-and-control; sid:2018166; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious rundll32.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/rundll32.exe"; nocase; fast_pattern; endswith; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:15; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:command-and-control; sid:2020791; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious lsass.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/lsass.exe"; nocase; endswith; fast_pattern; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:16; metadata:created_at 2013_04_01, former_category INFO, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"HALF"; bsize:4; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032351; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_08_31;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-pre.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:command-and-control; sid:2028567; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; http.header; content:!"X-LI-UUID|3a|"; nocase; file.data; content:"<title"; nocase; content:"Sign In|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025338; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_08_31;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-can.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:command-and-control; sid:2028568; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:command-and-control; sid:2020775; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Absent)"; flow:established,to_server; http.user_agent; content:"Absent"; depth:6; endswith; classtype:bad-unknown; sid:2028571; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 5e|"; offset:13; depth:2; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,aa717cce1ccfc766e0c8ad7a217f4be3; classtype:command-and-control; sid:2018193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Maldoc CnC Checkin"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"relay=y"; startswith; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Connection"; content:!"Accept"; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028569; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=suport.worldupdate.site"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:established,to_server; stream_size:server,<,5; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017935; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=full.devinelive.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xda\x41/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:command-and-control; sid:2020607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"suport.worldupdate.site"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028586; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:command-and-control; sid:2020788; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"full.devinelive.top"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3f\xa6/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:command-and-control; sid:2020696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"roundworld.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:command-and-control; sid:2020792; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"postnews.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:command-and-control; sid:2020614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"fstyline.xyz"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:command-and-control; sid:2018032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"weekdanys.com"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Office Retrieving .rtf (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rtf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1433038639961804800; reference:md5,c9f8addb927c3b96aee6a9f671a1f801; classtype:bad-unknown; sid:2033858; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-09-17 1)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=dapoerwedding.com"; endswith; fast_pattern; reference:url,https://twitter.com/jeFF0Falltrades/status/1173300902242988032; reference:md5,db51f2715c81c4357d11d69ac96bf582; classtype:domain-c2; sid:2028596; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Request to iplogger .org Contains Period"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|"; http.host; content:"iplogger|2e|org"; bsize:12; fast_pattern; reference:md5,dcef208fcdac3345c6899a478d16980f; classtype:bad-unknown; sid:2033859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tflower Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&state=start"; distance:0; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,53c923d4e39b966ab951f9a3b9d090be; reference:url,www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/; classtype:command-and-control; sid:2028597; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Tflower_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (decoding .at)"; dns.query; content:"decoding.at"; nocase; bsize:11; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; classtype:bad-unknown; sid:2033860; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028606; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (bigblog .at)"; dns.query; content:"bigblog.at"; nocase; bsize:10; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; classtype:bad-unknown; sid:2033861; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"nexcesscdh.net"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028607; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .com)"; dns.query; content:"lockbit-decryptor.com"; nocase; bsize:21; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; reference:md5,5b741c6abf44d2eecd853addeafdcf24; classtype:bad-unknown; sid:2033862; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"ossmaxcdn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028608; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .top)"; dns.query; content:"lockbit-decryptor.top"; nocase; bsize:21; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; reference:md5,69bec32d50744293e85606a5e8f80425; classtype:bad-unknown; sid:2033863; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028609; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Pegasus Domain (hooklevel .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hooklevel.com"; bsize:13; fast_pattern; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-order.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028610; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Pegasus Domain (api1r3f4 .redirectweburl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".api1r3f4.redirectweburl.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033865; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magelib.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028611; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (start-anew .net)"; dns.query; content:"start-anew.net"; nocase; bsize:14; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033866; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BundledInstaller PUA/PUP Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.host; content:"down.freefullversion.org"; depth:24; fast_pattern; reference:md5,8edee795e16433717eab784938060198; classtype:pup-activity; sid:2028613; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_09_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (news-now .co)"; dns.query; content:"news-now.co"; nocase; bsize:11; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".online"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (reunionlove .net)"; dns.query; content:"reunionlove.net"; nocase; bsize:15; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033868; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".club"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (helpusfind .biz)"; dns.query; content:"helpusfind.biz"; nocase; bsize:14; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Facebook Phishing Domain in DNS Lookup"; dns.query; content:"www.oitunmy.com"; nocase; depth:15; endswith; reference:url,twitter.com/bomccss/status/1175173176596152320; classtype:credential-theft; sid:2028616; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_20, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"wp-extension.cloud"; nocase; bsize:18; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bsodsupport.icu"; nocase; endswith; classtype:domain-c2; sid:2028614; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"wp-extension.work"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033871; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"en-content.com"; nocase; endswith; pcre:"/(?:^|\.)en-content\.com$/"; classtype:domain-c2; sid:2028615; rev:3; metadata:created_at 2019_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.business"; nocase; bsize:20; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033872; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/HMH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asmx/GetUpdate?val="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; classtype:command-and-control; sid:2028617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.org"; nocase; bsize:15; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/GMERA.A CnC Domain (appstockfolio .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"appstockfolio.com"; depth:17; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:domain-c2; sid:2028619; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.us"; nocase; bsize:14; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033874; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=skillsnew.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"xenapp.blog"; nocase; bsize:11; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (cmyip.com in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"cmyip.com"; fast_pattern; endswith; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:9; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.quest"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Blockchain Domain (api .blockcypher .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.blockcypher.com"; bsize:19; fast_pattern; classtype:bad-unknown; sid:2033877; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"windsecdown.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"data-update.site"; nocase; bsize:16; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"downloadsecurity.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"data-log.site"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"tratatata.space"; nocase; endswith; reference:md5,e5eeb5560fcea89abdfb3ea8ec2091ec; classtype:command-and-control; sid:2028640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"ticket-stat.site"; nocase; bsize:16; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"rmedia15.ru"; nocase; endswith; reference:md5,3f9f8a007ad6982b14fb74d4583bdd4b; classtype:command-and-control; sid:2028641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"cdn-plugin.us"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".connectioncdn.com"; nocase; endswith; classtype:trojan-activity; sid:2028649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_04, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"google-stats.work"; nocase; bsize:17; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; http.uri; content:"/ServiceDefinition"; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; classtype:attempted-recon; sid:2008628; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"pro-cdn2.site"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Esion CnC Checkin"; flow:established,to_server; http.uri; content:"/bot/gate.php"; fast_pattern; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2; classtype:command-and-control; sid:2013211; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"google-info.us"; nocase; bsize:14; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033884; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; http.header; content:"myip.ozymo.com"; fast_pattern; nocase; classtype:external-ip-check; sid:2013217; rev:4; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"formstats.us"; nocase; bsize:12; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; http.uri; content:"/upload/UploadFiles.aspx?askId="; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response"; flow:established,to_client; dsize:3; content:"|33 66 99|"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030489; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; http.user_agent; content:"REBATEINF"; fast_pattern; startswith; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:4; metadata:created_at 2011_12_19, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:command-and-control; sid:2020779; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iebar Spyware User Agent (iebar)"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"|3b 20|iebar"; fast_pattern; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:command-and-control; sid:2020771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Ixeshe"; flow:to_server,established; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|"; nocase; http.uri; content:"/ym/Attachments?YY="; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:7; metadata:created_at 2012_03_22, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"kuroro"; depth:6; byte_jump:4,0,relative,little,from_beginning; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2022885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 1"; flow:established,to_server; urilen:10; http.method; content:"GET"; nocase; http.uri; content:"/support/s"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; classtype:command-and-control; sid:2014855; rev:5; metadata:created_at 2012_06_04, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:command-and-control; sid:2020767; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"type="; content:"lien_2="; fast_pattern; nocase; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:7; metadata:created_at 2011_09_19, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017913; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; http.uri; content:"~1"; fast_pattern; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:5; metadata:created_at 2012_07_04, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:command-and-control; sid:2020764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; http.uri; content:"/net/?u="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.0)"; startswith; http.host; content:"net"; startswith; content:"net.net"; distance:2; within:7; endswith; pcre:"/^net[0-4]{2}net\.net$/i"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_16, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,little,post_offset -10; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5,}.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2021716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; http.user_agent; content:"PTX"; endswith; fast_pattern; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:6; metadata:created_at 2011_10_19, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:command-and-control; sid:2020769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; http.user_agent; content:"w3af.sf.net"; fast_pattern; classtype:attempted-recon; sid:2015484; rev:4; metadata:created_at 2012_07_17, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:command-and-control; sid:2020606; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; http.uri; content:"/tuner/?StationId="; fast_pattern; http.header; content:"tunein.com|0d 0a|"; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:4; metadata:created_at 2012_07_17, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"Chrome_Default.txt"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2033886; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla  com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Cookies/Firefox_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"Cookies/Firefox_"; nocase; distance:0; fast_pattern; content:".default.txt"; within:25; classtype:bad-unknown; sid:2033887; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jeformcr"; fast_pattern; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (History/Firefox_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"History/Firefox_"; nocase; distance:0; fast_pattern; content:".default.txt"; within:25; classtype:bad-unknown; sid:2033888; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bsadv"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[A-Z]{14}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/; reference:md5,bf23c48d111f5a2d3169062428940b1c; classtype:trojan-activity; sid:2033889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN7, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_mailchimpccnewsletter"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed nc (netcat) EXE Inbound"; flow:established,from_server; file.data; content:"MZ"; depth:10; content:"!This program"; distance:0; content:"www.vulnwatch.org/netcat/"; distance:0; fast_pattern; content:"nc [-options]"; distance:0; content:"nc -l -p port"; distance:0;  reference:md5,e0db1d3d47e312ef62e5b0c74dceafe5; classtype:policy-violation; sid:2033890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lile.A DoS Outbound"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.header; content:"UserAgent|3a|"; content:"Windows 98"; fast_pattern; http.host; content:"www.fbi.gov"; startswith; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:5; metadata:created_at 2012_08_06, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious Request nc.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nc.exe"; fast_pattern; nocase; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sutra TDS /simmetry"; flow:to_server,established; http.uri; content:"/simmetry?"; fast_pattern; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:exploit-kit; sid:2015593; rev:4; metadata:created_at 2012_08_08, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)"; dns.query; content:"nowautomation.com"; nocase; bsize:17; reference:url,twitter.com/James_inthe_box/status/1433481199939297308; reference:md5,18c7c940bc6a4e778fbdf4a3e28151a8; classtype:domain-c2; sid:2033892; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; http.uri; content:"/spl_data/"; fast_pattern; http.header; content:"|20|Java/"; classtype:exploit-kit; sid:2015603; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; threshold:type threshold, track by_dst, count 10, seconds 30; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033893; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/uid.php"; fast_pattern; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015623; rev:4; metadata:created_at 2012_08_13, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_09_17;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; content:"|ec 19 0e 80 01|"; distance:0; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033894; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; http.uri; content:"/go.php?sid="; fast_pattern; classtype:trojan-activity; sid:2015675; rev:5; metadata:created_at 2012_09_04, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x71\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,b316680fd2578a2781ee9497888bd1e4; classtype:command-and-control; sid:2018085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploadify.php"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:4; metadata:created_at 2012_09_07, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!11000,!11001,!12000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9e|"; fast_pattern; pcre:"/^[\x20-\x7e]*?.{8}\x79\x9e/s"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017707; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; http.uri; content:"/1."; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//"; classtype:exploit-kit; sid:2015693; rev:4; metadata:created_at 2012_09_11, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7c\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,29aabeba14f6b5950edcd2a5d99acc94; classtype:command-and-control; sid:2018153; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2015695; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:command-and-control; sid:2020611; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; http.uri; content:"/login.uix"; fast_pattern; nocase; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:7; metadata:created_at 2010_09_23, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa5/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:command-and-control; sid:2018638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; http.uri; content:"/iLog.php?dl="; fast_pattern; content:"&log="; http.user_agent; content:"IE"; startswith; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:command-and-control; sid:2013534; rev:9; metadata:created_at 2011_09_03, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:command-and-control; sid:2020799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!7,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017934; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; http.uri; content:"ch=1"; fast_pattern; pcre:"/ch=1$/"; http.request_body; content:"ch=1"; depth:4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:command-and-control; sid:2015799; rev:8; metadata:created_at 2012_10_12, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:established,to_server; stream_size:server,<,5; flowbits:isset,ET.gh0stFmly; content:"|78 9c 0b cf cc|"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017936; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; urilen:39; http.method; content:"POST"; http.uri; content:"/?ptrxcz_"; fast_pattern; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:command-and-control; sid:2015807; rev:5; metadata:created_at 2012_10_05, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7d\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2018287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_03_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fujacks Activity"; flow:to_server,established; http.header; content:".whboy.net|0d 0a|"; nocase; fast_pattern; http.user_agent; content:"QQ"; bsize:2; classtype:trojan-activity; sid:2015814; rev:14; metadata:created_at 2012_10_18, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:command-and-control; sid:2020794; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 9"; nocase; fast_pattern; classtype:trojan-activity; sid:2015822; rev:5; metadata:created_at 2012_10_19, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:command-and-control; sid:2018485; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot initial checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?ver="; content:"&p=cert123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015854; rev:4; metadata:created_at 2012_10_31, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enemyfear Stealer Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?act="; http.content_type; content:"multipart/form-data"; startswith; http.request_body; content:".zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; content:"Stealer|20|Work|2e|txt"; fast_pattern; reference:md5,8206d5fdc88e2c8c07fe2731d6ffeac3; classtype:command-and-control; sid:2033895; rev:1; metadata:created_at 2021_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot checkin"; flow:to_server,established; http.uri; content:".php?ver="; content:"&p=bot123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015855; rev:4; metadata:created_at 2012_10_31, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ThunderUnion Install Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"peerid="; content:"&userid="; distance:0; content:"referfrom="; distance:0; content:"&OS="; distance:0; content:"&OSversion="; distance:0; content:"productname="; distance:0; http.user_agent; content:"ThunderUnion"; bsize:12; fast_pattern; reference:md5,ae4c9b58510bd358745caf3b7ad81003; classtype:pup-activity; sid:2033896; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category ADWARE_PUP, updated_at 2021_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 2"; nocase; fast_pattern; classtype:trojan-activity; sid:2015899; rev:5; metadata:created_at 2012_11_19, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Honeygain Domain (api .honeygain .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.honeygain.com"; bsize:17; fast_pattern; reference:url,blog.talosintelligence.com/2021/08/proxyware-abuse.html; classtype:domain-c2; sid:2033900; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category ADWARE_PUP, malware_family PUP, signature_severity Informational, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 3"; nocase; fast_pattern; classtype:trojan-activity; sid:2015900; rev:6; metadata:created_at 2012_11_19, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Hack Browser Data Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; bsize:90; pcre:"/^multipart/form-data\x3b\x20boundary=[a-f0-9]{60}$/"; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|"; content:"_=_"; distance:0; fast_pattern; content:"_=_"; distance:0; content:"_=_"; distance:0; content:"_=_"; distance:0; content:".json|22 0d 0a|"; distance:0; reference:md5,4a13256c1c9701146ad9ce6682b1a12e; classtype:command-and-control; sid:2033899; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; http.uri; content:".php?x=img&img="; fast_pattern; classtype:web-application-activity; sid:2015926; rev:4; metadata:created_at 2012_11_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to herominers Domain (herominers .com)"; dns.query; content:".herominers.com"; nocase; endswith; fast_pattern; classtype:coin-mining; sid:2033901; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2021_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; http.uri; content:"/sftp-config.json"; fast_pattern; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:4; metadata:created_at 2012_11_26, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 Related CnC Domain in DNS Lookup (tnskvggujjqfcskwk .com)"; dns.query; content:"tnskvggujjqfcskwk.com"; nocase; bsize:21; fast_pattern; reference:url,www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor; reference:url,twitter.com/Circuitous__/status/1433516145752035331; reference:url,twitter.com/JAMESWT_MHT/status/1433706754555138066; classtype:domain-c2; sid:2033897; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag FIN7, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; http.uri; content:"/core/Loader.php?"; fast_pattern; nocase; content:"g="; content:"s="; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:5; metadata:created_at 2012_11_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 Related CnC Domain in DNS Lookup (bypassociation .com)"; dns.query; content:"bypassociation.com"; nocase; bsize:18; fast_pattern; reference:url,www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor; reference:url,twitter.com/Circuitous__/status/1433516145752035331; reference:url,twitter.com/JAMESWT_MHT/status/1433706754555138066; classtype:domain-c2; sid:2033898; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag FIN7, updated_at 2021_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing URL"; flow:established,to_server; http.uri; content:".php?dentesus=208779"; fast_pattern; classtype:exploit-kit; sid:2015964; rev:13; metadata:created_at 2012_11_29, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleachGap Ransomware Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|username|22 3a 20 22|BleachGap|20|"; content:"|22|name|22 3a 20 22|Hacker$quad|22|"; content:"discord.gg"; reference:md5,4809f621c6dbaf0c93f1a92def0f592e; classtype:trojan-activity; sid:2033902; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; http.uri; content:"/js/java.js"; fast_pattern; http.host; content:"."; offset:2; depth:1; pcre:"/^[a-z]{2}\./"; classtype:exploit-kit; sid:2015982; rev:4; metadata:created_at 2012_12_03, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (share .bloomcloud .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"share.bloomcloud.org"; bsize:20; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1433807018867912705; reference:md5,a224350ce67eea6a8d818b85436c5309; reference:md5,02904e802b5dc2f85eec83e3c1948374; reference:md5,bac4acc2544626bac6377fb32c5f244c; classtype:command-and-control; sid:2033903; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_09_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/admin/admin_header.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:5; metadata:created_at 2012_12_07, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in XML HTML Title Tags Inbound"; flow:established,to_client; content:"|3c 3f|xml"; content:"|3c|title|20|type|3d 27|text|27 3e 40|"; distance:0; fast_pattern; content:"|40 3c 2f|title|3e|"; distance:0;  reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033904; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_09_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/ajax_list_tree.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:4; metadata:created_at 2012_12_07, updated_at 2020_09_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/previews_functions.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:4; metadata:created_at 2012_12_07, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M1"; flow:established,to_server; http.request_line; content:"POST /action "; startswith; http.user_agent; content:"Statistics"; bsize:10; http.request_body; content:"|7b 22|hwid|22 3a 22|"; startswith; content:"|22 2c 22|macAddress|22 3a 22|"; distance:0; content:"|22 2c 22|ipAddressLocal|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|installDate|22 3a 22|"; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033909; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dispatch.php?"; nocase; content:"atkaction=search"; fast_pattern; nocase; content:"atknodetype="; nocase; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M2"; flow:established,to_server; http.request_line; content:"GET /action?hwid="; startswith; content:"&macAddress="; distance:0; content:"&ipAddressLocal="; distance:0; fast_pattern; content:"&installDate="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033910; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/consulta_fact.php?"; nocase; fast_pattern; content:"fact_num="; nocase; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M3"; flow:established,to_server; http.request_line; content:"POST /sysinfo "; startswith; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"hwid="; startswith; content:"&macAddress="; distance:0; content:"&ipAddressLocal="; distance:0; fast_pattern; content:"&date="; distance:0; content:"&cpu="; distance:0; content:"&cpuUsage="; distance:0; content:"&os="; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newinventario.php?"; nocase; fast_pattern; content:"sn="; nocase; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bingoml!tr CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/message?mac="; startswith; bsize:30; fast_pattern; content:!"="; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,82732a7bdac99e2a9ce4e9a706947423; classtype:command-and-control; sid:2033912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newtransact.php?"; nocase; fast_pattern; content:"ref="; nocase; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Beapy/Lemon_Duck CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ID="; content:"&GUID="; distance:0; content:"&MAC="; distance:0; content:"&OS=Win"; distance:0; content:"&BIT="; distance:0; content:"&CARD="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,21e49843502325b063b4d52e8c297f79; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027147; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeBot grab data plaintext"; flow:established,to_server; http.request_body; content:"cmd=grab&data="; fast_pattern; content:"&login="; classtype:trojan-activity; sid:2016011; rev:6; metadata:created_at 2012_12_07, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Coinminer Checkin"; flow:established,to_server; content:"|7b 22|CPU_Model|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|Elevated|22 3a|"; distance:0; content:"|22|GPU_Model|22 3a 22|"; distance:0; content:"|22|Identity|22 3a 22|"; distance:0; reference:md5,a98df471bde22b7b2d25aae974237363; classtype:coin-mining; sid:2033906; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/hava_user.php?"; nocase; fast_pattern; content:"userId="; nocase; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mingloa CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page=querycpc/items/&duid="; fast_pattern; content:"&pid="; distance:0; content:"&time="; distance:0; content:"&hash="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|";  reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service; classtype:command-and-control; sid:2033913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"module="; nocase; content:"view="; nocase; content:"having="; nocase; fast_pattern; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing 2021-06-29"; flow:established,from_server; file.data; content:"Webmail Login"; fast_pattern; content:"action|3d 22|process.php|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"target|3d 22 5f|top|22|"; distance:0; content:"style|3d 22|visibility|3a 22|>"; distance:0; reference:url,app.any.run/tasks/5fcdc0a0-7a79-4bcb-b2fb-3d358571d858/; classtype:social-engineering; sid:2033218; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ssi_examples.php?"; nocase; fast_pattern; content:"view="; nocase; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Android/iprdr.php"; fast_pattern; bsize:18; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033914; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/group/members.php?"; nocase; fast_pattern; content:"id="; nocase; content:"query="; nocase; pcre:"/query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,securityfocus.com/bid/56718; classtype:web-application-attack; sid:2016156; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apple/script.php?a="; fast_pattern; startswith; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033915; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/up.php?del="; nocase; fast_pattern; content:"del="; nocase; reference:url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html; classtype:web-application-attack; sid:2016198; rev:5; metadata:created_at 2013_01_11, updated_at 2020_09_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SiameseKitten/Lyceum/Hexane MSIL/Shark Response - 1 Byte XOR Key"; flow:established,from_server; file.data; base64_decode:offset 0; base64_data; content:"|6e 4b 5e 4b|"; content:"|27 20|"; classtype:command-and-control; sid:2033761; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_22, deployment Perimeter, deprecation_reason Performance, former_category MALWARE, malware_family Shark, performance_impact Significant, signature_severity Major, updated_at 2021_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/run1/pr.php?p1="; fast_pattern; content:"&p2="; content:"&id="; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016206; rev:5; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?q="; content:"&qi="; distance:0; content:"&q1="; distance:0; content:"&q2="; distance:0; content:"&q3="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.header_names; content:"If-None-Match|0d 0a|Sec-Fetch-Dest|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-User|0d 0a|"; nocase; http.header; content:"Sec-Fetch-Dest|3a 20|document|0d|"; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; reference:url,www.clearskysec.com/siamesekitten/; classtype:command-and-control; sid:2033760; rev:2; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H work_troy.php CnC Request"; flow:established,to_server; http.uri; content:"/work_troy.php?id="; fast_pattern; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016207; rev:5; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IceRat CnC Acitivty"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow_"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Java/"; startswith; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; classtype:trojan-activity; sid:2031485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload"; flow:established,to_server; http.uri; content:"/pir/bfg.php?dll="; fast_pattern; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2016208; rev:5; metadata:created_at 2013_01_15, updated_at 2020_09_18;)
+alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SWNetPerfMon.db.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_collector"; nocase; fast_pattern; content:"view="; nocase; reference:url,exploit-db.com/exploits/24228/; classtype:web-application-attack; sid:2016288; rev:5; metadata:created_at 2013_01_25, updated_at 2020_09_18;)
+alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web.config.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031459; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible JDB Exploit Kit Class Request"; flow:established,to_server; http.uri; content:"/jdb/"; nocase; content:".class"; nocase; pcre:"/\/jdb\/[^\/]+\.class$/i"; http.header; content:"|20|Java/1"; fast_pattern; classtype:exploit-kit; sid:2016308; rev:8; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits"; fast_pattern; content:!"Referer|3a 20|"; content:!"User-Agent|3a 20|"; content:!"Connection|3a 20|"; content:!"Host|3a 20|"; content:!"Keep-Alive:|3a 20|"; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; reference:md5,ec993ff561cbc175953502452bfa554a; classtype:command-and-control; sid:2029794; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, malware_family Stitch, performance_impact Low, signature_severity Major, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; http.uri; content:"/lib/adobe.php?id="; nocase; fast_pattern; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/i"; classtype:exploit-kit; sid:2016310; rev:7; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,!&,0x80,7,relative; content:"puiframeworkproresenu|2E|dll"; nocase; distance:0; fast_pattern; reference:cve,2018-12589; reference:url,exploit-db.com/exploits/44985; classtype:attempted-user; sid:2025790; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Pattern"; flow:established,to_server; http.uri; content:"/i.php?token="; fast_pattern; nocase; pcre:"/\/i.php?token=[a-z0-9]+$/i"; classtype:exploit-kit; sid:2015998; rev:5; metadata:created_at 2012_12_07, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,&,0x80,7,relative; content:"p|00|u|00|i|00|f|00|r|00|a|00|m|00|e|00|w|00|o|00|r|00|k|00|p|00|r|00|o|00|r|00|e|00|s|00|e|00|n|00|u|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; reference:cve,2018-12589; reference:url,exploit-db.com/exploits/44985; classtype:attempted-user; sid:2025791; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Beebus HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/s/asp?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3B 20 29 0D 0A|"; startswith; reference:url,blog.fireeye.com/research/2013/02/operation-beebus.html; classtype:command-and-control; sid:2016342; rev:4; metadata:created_at 2013_02_05, former_category MALWARE, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Muhstik Botnet Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; pcre:"/^(?:curl|wget)/i"; http.uri; content:"/dk"; startswith; fast_pattern; pcre:"/^[0-9]{2}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/; reference:md5,898b3dc58bc5d05d3034a1c259b5a915; classtype:trojan-activity; sid:2033916; rev:1; metadata:created_at 2021_09_09, former_category ATTACK_RESPONSE, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; http.uri; content:"/jerk.cgi?"; fast_pattern; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016352; rev:4; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:command-and-control; sid:2018486; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Secondary Landing"; flow:established,to_server; http.uri; content:".js"; pcre:"/^[a-z]+\.js$/"; http.referer; content:"/i.html"; fast_pattern; pcre:"/^(\?[^=]{1,10}=[^&\r\n]{100,})?$/Ri"; classtype:exploit-kit; sid:2016347; rev:8; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:command-and-control; sid:2020763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; http.user_agent; content:"<?php"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x31\xad/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:command-and-control; sid:2020693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; http.user_agent; content:"base64_decode("; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x40\xa3/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:command-and-control; sid:2020766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; http.uri; content:"/forum/images.php?id"; nocase; fast_pattern; http.user_agent; content:"Mozilla/6"; depth:9; content:"|20|MSIE|20|"; distance:0; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:7; metadata:created_at 2013_02_18, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:command-and-control; sid:2020798; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBeplay Downloading Design"; flow:established,to_server; http.uri; content:".CAB.bin"; fast_pattern; pcre:"/[a-z]{2}\.CAB.bin/"; http.header; content:"|20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)|0d 0a|"; classtype:trojan-activity; sid:2016489; rev:6; metadata:created_at 2013_02_22, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9a|"; offset:13; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x7a\x9a/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,eb7909105fd05064b14a21465742952c; classtype:command-and-control; sid:2020371; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw CnC Configuration File Request"; flow:established,to_server; http.uri; content:"&id="; content:"&inst="; content:"&net"; content:"&cmd=cfg"; fast_pattern; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016508; rev:4; metadata:created_at 2013_02_26, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9d/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:command-and-control; sid:2020796; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; http.uri; content:"/send.php?a_id="; content:"&telno="; fast_pattern; content:"&m_addr="; http.user_agent; content:"Android"; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:command-and-control; sid:2014161; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Exploit Request"; flow:established,to_server; http.uri; content:"/module.php?e="; fast_pattern; pcre:"/\.php\?e=[^&]+?$/"; classtype:exploit-kit; sid:2016523; rev:4; metadata:created_at 2013_03_04, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !5800 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}\x70\x94[\x20-\x7e]/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:command-and-control; sid:2018057; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"receipt="; nocase; fast_pattern; pcre:"/\.php\?(print_)?receipt=(s00|\d{3})_\d+$/i"; classtype:trojan-activity; sid:2016359; rev:5; metadata:created_at 2013_02_06, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xda/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:command-and-control; sid:2018636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LetsGo.APT Sleep CnC Beacon"; flow:established,to_server; http.uri; pcre:"/\.html\?[0-9]{10}$/"; http.user_agent; content:"sleep|20|"; fast_pattern; startswith; pcre:"/^sleep \d+[\r\x2c]/"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html; classtype:targeted-activity; sid:2016568; rev:4; metadata:created_at 2013_03_13, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x30\xa5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:command-and-control; sid:2020790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; http.uri; content:"/news/show.asp?id1="; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1"; startswith; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016572; rev:4; metadata:created_at 2013_03_13, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:command-and-control; sid:2020787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; http.uri; content:"/RegistUid.asp"; fast_pattern; nocase; content:"?pid="; nocase; content:"&cid="; nocase; content:"&imei="; nocase; content:"&sim="; nocase; content:"&imsi="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:command-and-control; sid:2020776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/usr/bin/perl"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:8; metadata:created_at 2013_03_21, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:command-and-control; sid:2020781; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/bin/sh"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:8; metadata:created_at 2013_03_21, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:command-and-control; sid:2020774; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8; metadata:created_at 2010_09_28, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:command-and-control; sid:2018054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Galock Ransomware Check-in"; flow:established,to_server; http.uri; content:"&os="; content:"&hostname="; content:"&codepage="; content:"&account"; http.header; content:"|3a 20|Mozilla/4.1|20|"; fast_pattern; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:4; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:command-and-control; sid:2020609; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"error in your SQL syntax"; fast_pattern; classtype:bad-unknown; sid:2016672; rev:4; metadata:created_at 2013_03_27, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x2e\x96/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:command-and-control; sid:2020691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"svchost.exe"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.01|3b 20|Windows NT 5.0)"; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:command-and-control; sid:2016707; rev:6; metadata:created_at 2013_04_01, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9c/s"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2021753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Data Exfiltration POST to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adserv/get.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016727; rev:4; metadata:created_at 2013_04_05, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:command-and-control; sid:2020778; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/adserv/logo.jpg"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016728; rev:4; metadata:created_at 2013_04_05, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|4a ae|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xae/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ba6eaf301344de6fe1e079fa960bc698; classtype:command-and-control; sid:2022773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"&os="; content:"&bot_id="; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:6; metadata:created_at 2013_04_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:command-and-control; sid:2021065; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Activity"; flow:established,to_server; http.uri; content:".php?id="; content:"&gr"; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:6; metadata:created_at 2013_04_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; fast_pattern; byte_jump:4,0,little,post_offset 1; isdataat:!2,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017876; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity 2"; flow:established,to_server; http.uri; content:"param="; content:"&socksport="; content:"&httpport="; fast_pattern; content:"&uptime"; content:"&uid="; content:"&ver="; reference:url,doc.emergingthreats.net/2002929; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; reference:md5,0995ecb8bb78f510ae995a50be0c351a; classtype:trojan-activity; sid:2002929; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; fast_pattern; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017877; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PDF - Acrobat Enumeration - pdfobject.js"; flow:established,to_server; http.uri; content:"/pdfobject.js"; fast_pattern; classtype:misc-activity; sid:2016765; rev:4; metadata:created_at 2013_04_17, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:established,to_server; stream_size:server,<,5; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:command-and-control; sid:2017944; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; http.user_agent; content:"BitCoin"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:coin-mining; sid:2013457; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x84\x60/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:command-and-control; sid:2020586; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|AMD-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aAMD-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:9; metadata:created_at 2012_10_12, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x40\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:command-and-control; sid:2020783; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|INT-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aINT-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:10; metadata:created_at 2012_10_12, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:command-and-control; sid:2020793; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO myobfuscate.com Encoded Script Calling home"; flow:to_server,established; http.uri; content:"/?getsrc="; content:"&url="; http.header; content:"api.myobfuscate.com|0d|"; nocase; fast_pattern; classtype:misc-activity; sid:2016802; rev:6; metadata:created_at 2013_04_30, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:command-and-control; sid:2017974; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos Connectivity Check"; flow:established,to_server; http.uri; content:"/uploading/id="; fast_pattern; http.uri.raw; pcre:"/^\/uploading\/id=\d{2,20}&u=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:misc-activity; sid:2016800; rev:8; metadata:created_at 2013_04_30, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:command-and-control; sid:2018488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cookies/Cookiebag Checkin"; flow:to_server,established; http.uri; content:"/indexs.zip"; fast_pattern; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:command-and-control; sid:2016808; rev:4; metadata:created_at 2013_05_01, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:command-and-control; sid:2020765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Activity"; flow:established,to_server; http.uri; content:".php?version="; fast_pattern; content:"&user="; content:"&server="; content:"&crc="; pcre:"/user=[a-f0-9]{31,32}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6; metadata:created_at 2012_02_24, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:command-and-control; sid:2020610; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Zusy.45802 Checkin"; flow:to_server,established; http.uri; content:".php?uid="; fast_pattern; content:"&affid="; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; pcre:"/^$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2016816; rev:5; metadata:created_at 2013_05_03, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7e\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:command-and-control; sid:2020782; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Fake Opera 10 User-Agent"; flow:established,to_server; http.user_agent; content:"Opera/10|20|"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:2016823; rev:6; metadata:created_at 2013_05_04, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2017988; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A CnC"; flow:established,to_server; http.uri; content:"/favicon.iso?"; fast_pattern; reference:url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:command-and-control; sid:2016850; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\x99/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:command-and-control; sid:2020800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; http.uri; content:"|2f|crx|2f|blobs"; nocase; fast_pattern; http.user_agent; content:"|20|Chrome/"; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:5; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa2/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:command-and-control; sid:2020797; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger Checkin"; flow:established,to_server; http.uri; content:".php?fol="; fast_pattern; content:"&ac="; content:"AVs"; content:"OS"; content:"SystemDT"; content:"AppVersion"; content:"DropPath"; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016861; rev:4; metadata:created_at 2013_05_20, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:command-and-control; sid:2018637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; http.uri; content:"/hyper/fm.php?tp=in"; fast_pattern; content:"&tg="; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016863; rev:4; metadata:created_at 2013_05_20, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:command-and-control; sid:2020692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; http.uri; content:"/wakeup/access.php"; fast_pattern; http.user_agent; content:"UPHTTP"; depth:6; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016864; rev:5; metadata:created_at 2013_05_20, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:command-and-control; sid:2020772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Firefox Plugin install"; flow:to_server,established; http.uri; content:".xpi"; nocase; fast_pattern; endswith; http.user_agent; content:"|20|Firefox/"; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:2016846; rev:6; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:command-and-control; sid:2020695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registering Client"; flow:established,to_server; http.uri; content:"/gate.php?reg="; fast_pattern; pcre:"/\/gate\.php\?reg=(?:[a-z]{10}|[A-Za-z]{15})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016899; rev:6; metadata:created_at 2013_05_21, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x44\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:command-and-control; sid:2020694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Briba CnC POST Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index"; depth:6; content:".asp"; distance:9; within:4; http.header; content:"Content-Length|3a 20|00"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.host; content:"update.microsoft.com"; startswith; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:command-and-control; sid:2016911; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:command-and-control; sid:2018639; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; http.uri; content:"/smadstat.php?mac="; fast_pattern; content:"&key="; content:"&name="; content:"&os="; content:"&build="; content:"&old="; content:"&comp="; http.user_agent; content:"Smart-RTP"; depth:9; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; classtype:command-and-control; sid:2016914; rev:5; metadata:created_at 2013_05_22, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:command-and-control; sid:2018013; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; http.uri; content:"xwork"; nocase; content:"MethodAccessor"; nocase; content:"denyMethodExecution"; nocase; fast_pattern; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:4; metadata:created_at 2013_05_23, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x83\x7f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:command-and-control; sid:2019602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; http.header; content:"chunked"; nocase; fast_pattern; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/i"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:8; metadata:created_at 2013_05_22, former_category WEB_SERVER, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9f|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7c\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,0be9e3f4507a8ee23bb0c2b6c218d1cc; classtype:command-and-control; sid:2018076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] ![139,445] (msg:"ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:command-and-control; sid:2020768; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-#alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) UUID flowbit set"; flow:established,to_server; content:"|05 00 0B|"; depth:3; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 cf fb|"; distance:0; flowbits:set,dcerpc.rpcnetlogon; flowbits:noalert; reference:cve,2020-1472; classtype:attempted-admin; sid:2030888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !5938 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; depth:21; fast_pattern; byte_test:4,<,65535,-14,relative,little; byte_test:4,<,65535,-10,relative,little; byte_jump:4,-10,relative,little,post_offset 3; isdataat:!2,relative; pcre:"/^.{9,28}\x78\x9c/s"; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2022401; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-#alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; content:"|05 00 00|"; depth:3; content:"|1a 00|"; distance:19; within:3; content:"|00 00 00 00 00 00 00 00|"; isdataat:!5,relative; threshold:type both, track by_src, seconds 60, count 3; reference:cve,2020-1472; classtype:attempted-admin; sid:2030889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2021012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; http.uri; content:"LOAD_FILE("; nocase; fast_pattern; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xd5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:command-and-control; sid:2020785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; http.host; content:".net78.net"; endswith; fast_pattern; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:4; metadata:created_at 2013_05_29, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:command-and-control; sid:2020608; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Trup.CX Checkin 1"; flow:to_server,established; http.uri; content:"/sms/do|2e|php?userid="; nocase; fast_pattern; content:"&time="; nocase; content:"&msg="; nocase; content:"&pauid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE; classtype:command-and-control; sid:2016951; rev:7; metadata:created_at 2011_03_14, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:command-and-control; sid:2020613; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"AuthenticAMD|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:12; metadata:created_at 2013_05_31, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 5d|"; offset:8; byte_jump:4,-12,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{10}\x7a\x5d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,794eac549f98320b818037b8074da320; classtype:command-and-control; sid:2018077; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"GenuineIntel|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:13; metadata:created_at 2013_05_31, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:command-and-control; sid:2018487; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; http.uri; content:"allow_url_include"; fast_pattern; pcre:"/\ballow_url_include\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:5; metadata:created_at 2013_06_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443,9000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:established,to_server; stream_size:server,<,5; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!8,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2017938; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; http.uri; content:"safe_mode"; fast_pattern; pcre:"/\bsafe_mode\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:5; metadata:created_at 2013_06_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; http.uri; content:"open_basedir"; fast_pattern; pcre:"/\bopen_basedir\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:6; metadata:created_at 2013_06_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:command-and-control; sid:2020612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; http.uri; content:"auto_prepend_file"; fast_pattern; pcre:"/\bauto_prepend_file\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:5; metadata:created_at 2013_06_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:command-and-control; sid:2020777; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; http.uri; content:"suhosin.simulation"; fast_pattern; pcre:"/\bsuhosin\.simulation\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:6; metadata:created_at 2013_06_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x47\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:command-and-control; sid:2020784; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; http.uri; content:"disable_functions"; fast_pattern; pcre:"/\bdisable_functions[\s\+]*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:7; metadata:created_at 2013_06_05, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:command-and-control; sid:2017914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Travnet.A Checkin"; flow:to_server,established; http.uri; content:".asp?hostid="; content:"&hostname="; content:"&hostip="; content:"&filename="; content:"&filestart="; content:"&filetext=begin|3a 3a|"; fast_pattern; pcre:"/\?hostid=[0-9A-F]+?&/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:command-and-control; sid:2016968; rev:7; metadata:created_at 2013_03_01, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9af77f89a565143983fa008bbd8eedee; classtype:command-and-control; sid:2018181; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tobfy.S"; flow:established,from_client; http.uri; content:"/upload/img.jpg"; fast_pattern; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:6; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!5721,!5938] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"PWHDR"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:command-and-control; sid:2016922; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; http.request_body; content:"xp_cmdshell"; nocase; fast_pattern; classtype:bad-unknown; sid:2017010; rev:5; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-18,relative,little,from_beginning, post_offset 1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?.{2}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2018075; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TripleNine RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/999"; fast_pattern; bsize:4; http.header; content:".0|0d 0a|Host"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2017021; rev:7; metadata:created_at 2013_06_14, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x96\x71/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:command-and-control; sid:2020214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor"; flow:established,to_server; http.user_agent; content:"SEX/1"; nocase; fast_pattern; startswith; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017026; rev:4; metadata:created_at 2013_06_17, updated_at 2020_09_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:command-and-control; sid:2020795; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; http.method; content:"GET"; nocase; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/"; http.header; content:"User-Agent|3a|"; depth:11; http.user_agent; content:"|20|MSIE 6.0|3b|"; content:".NET CLR 1.1.4322"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:targeted-activity; sid:2017036; rev:5; metadata:created_at 2013_06_19, former_category MALWARE, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Seetrol Software Download (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; startswith; content:".exe"; endswith; http.host; content:"www.seetrol."; startswith; fast_pattern; classtype:bad-unknown; sid:2033917; rev:1; metadata:created_at 2021_09_09, former_category POLICY, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; http.uri; content:".php?ver="; content:"&cver="; fast_pattern; content:"&id="; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:7; metadata:created_at 2010_10_25, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.WOW.NLZ CnC Activity"; flow:established,to_server; http.request_line; content:"GET /in/3/"; startswith; content:"?d56tdrf2z="; distance:0; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,2bf730c712910a18f09e4d53750594d2; classtype:command-and-control; sid:2033918; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (5)"; flow:established,to_server; http.uri; content:".txt?e="; nocase; fast_pattern; pcre:"/\.txt\?e=\d+(?:&[fh]=\d+)?$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016414; rev:10; metadata:created_at 2013_02_16, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.microsoft-secure-cdn.com"; bsize:51; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; reference:md5,83d664b0078d46952baf9ee1d8732d7a; classtype:domain-c2; sid:2033919; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; http.uri; content:"/?wps="; depth:6; fast_pattern; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017068; rev:4; metadata:created_at 2013_06_26, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.brian-krebs-erectile-dysfunction.com"; bsize:63; fast_pattern; reference:md5,83d664b0078d46952baf9ee1d8732d7a; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033920; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect to DotkaChef EK Landing"; flow:established,from_server; http.stat_code; content:"302"; http.location; pcre:"/^[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/i"; http.header; content:".js?cp="; fast_pattern; classtype:exploit-kit; sid:2017077; rev:5; metadata:created_at 2013_06_28, updated_at 2020_09_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.krebsonsecurity.info"; bsize:47; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; reference:md5,83d664b0078d46952baf9ee1d8732d7a; classtype:domain-c2; sid:2033921; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; http.uri; content:".asp?action="; nocase; fast_pattern; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(?:&|$)/i"; classtype:trojan-activity; sid:2017091; rev:4; metadata:created_at 2013_07_02, updated_at 2020_09_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.krebsonfellatio.net"; bsize:46; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033922; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; http.uri; content:".jnlp"; endswith; nocase; fast_pattern; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; classtype:exploit-kit; sid:2016811; rev:8; metadata:created_at 2013_05_02, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.552-39-1658.com"; bsize:42; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033923; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; http.uri; content:"|0D 0A|"; fast_pattern; pcre:"/[\n\r](?:content-(?:type|length)|set-cookie|location)\x3a/i"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:5; metadata:created_at 2013_07_12, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M1"; flow:established,to_server; http.request_line; content:"GET /delonl.php?hwid="; startswith; content:!"&"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033924; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Compromise svchost.jpg Beacon - Java  Zeroday"; flow:established,to_server; http.uri; content:"/svchost.jpg"; fast_pattern; http.user_agent; content:"Java/1."; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:6; metadata:created_at 2013_03_01, former_category CURRENT_EVENTS, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M2"; flow:established,to_server; http.request_line; content:"GET /gateonl.php?hwid="; startswith; fast_pattern; content:"&cpuname="; distance:0; content:"&gpuname="; distance:0; content:"&cpu="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; http.uri; content:"/vw.php?i="; fast_pattern; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:8; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M3"; flow:established,to_server; http.request_line; content:"GET /del.php?hwid="; startswith; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit JAR Download"; flow:established,to_server; http.uri; content:".php?id="; nocase; pcre:"/\.php\?id=[a-f0-9]{32}$/i"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016309; rev:9; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"&info="; http.user_agent; content:"REBOL"; startswith; fast_pattern; reference:md5,3a8a6702523f9f53866fb2682fdaaf66; classtype:command-and-control; sid:2034012; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; http.uri; content:"/Java-SPLOIT.jar"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016521; rev:7; metadata:created_at 2013_03_04, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/topstories"; bsize:11; fast_pattern; http.cookie; content:"__cfduid="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 6.1|29 20|Gecko/14.0|20|Firefox/14.0"; bsize:52; reference:md5,432e0676db09997f78e133263737b401; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033927; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Loader default URI struct"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pony"; fast_pattern; content:"/gate.php"; nocase; classtype:trojan-activity; sid:2017065; rev:6; metadata:created_at 2013_06_25, former_category CURRENT_EVENTS, updated_at 2020_09_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; bsize:20; fast_pattern; http.cookie; content:"__cfduid="; startswith; http.user_agent; content:"Mozilla/5.0|20 28|Windows|20|NT|20|6.3|3b 20|Trident/7.0|3b 20|rv|3a|11.0|29 20|like|20|Gecko"; bsize:61; reference:md5,b3f3de10b3c1c15491c53223f1b5979f; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033928; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay.P Ransomware"; flow:established,to_server; urilen:33; http.uri; pcre:"/^\/[a-f0-9]{32}$/"; http.user_agent; content:"MSIE 9.0|3b|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2017269; rev:4; metadata:created_at 2013_08_01, updated_at 2020_09_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lv?access=true"; bsize:15; fast_pattern; http.cookie; content:"SSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; http.host; content:".workers.dev"; endswith; reference:md5,9dca269e64ebea04fe6060afe0015820; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033929; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Configuration File Request"; flow:established,to_server; flowbits:set,et.stealrat.config; http.uri; content:"/lts.txt"; fast_pattern; pcre:"/^\x2Flts\x2Etxt$/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017274; rev:4; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2020_09_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Checkin"; flow:established,to_server; content:"|7e 5c 77 6f 72 6d 73 5c 2e 42 6c 61 63 6b 20 48 61 74 20 57 6f 72 6d|"; startswith; content:"|62 6c 61 63 6b 20 68 61 74|"; distance:0; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; classtype:command-and-control; sid:2033716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Email Template Request"; flow:established,to_server; http.uri; content:"/ae1.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017276; rev:4; metadata:created_at 2013_08_05, updated_at 2020_09_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vermilion Stager Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/microsoft/en-us/logo.aspx"; bsize:26; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,6310a2c9f45fd46cd405e31eda2ad7d3; reference:url,www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/; classtype:trojan-activity; sid:2033930; rev:1; metadata:created_at 2021_09_13, former_category MALWARE, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, updated_at 2020_09_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vermilion Stager Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/g.pixel"; bsize:8; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:"|0d 0a|Content-Type|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.cookie; pcre:"/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,6310a2c9f45fd46cd405e31eda2ad7d3; reference:url,www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/; classtype:trojan-activity; sid:2033931; rev:1; metadata:created_at 2021_09_13, former_category MALWARE, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco Reporting Hacked Accounts"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bruteres.php"; fast_pattern; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; classtype:trojan-activity; sid:2017311; rev:5; metadata:created_at 2013_08_12, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Server Response"; flow:established,to_client; stream_size:client,<,5; content:"|2d 62 6c 61 63 6b 20 68 61 74|"; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; reference:md5,42c130f8d037d6cc0ca4342b6e8794b4; classtype:command-and-control; sid:2033932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; http.uri; content:"option=com_media"; nocase; fast_pattern; http.request_body; content:"Filedata[]"; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/i"; classtype:attempted-user; sid:2017327; rev:4; metadata:created_at 2013_08_14, updated_at 2020_09_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ImageMagick Malformed SVG Upload Leading to RCE"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|svg|20|"; content:"|28|%pipe%/"; fast_pattern; content:"/|3b|"; distance:0; within:100; classtype:attempted-admin; sid:2033933; rev:1; metadata:attack_target Server, created_at 2021_09_13, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxychecker Lookup"; flow:established,to_server; http.uri; content:"/proxy/proxychecker/"; nocase; fast_pattern; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis; classtype:trojan-activity; sid:2017344; rev:5; metadata:created_at 2013_08_19, updated_at 2020_09_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M1 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"domains=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033934; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Troj.Cidox Checkin"; flow:established,to_server; http.uri; content:".php?sign="; fast_pattern; content:"&key="; content:"&av="; content:"&os="; content:"&vm="; content:"&digital="; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:command-and-control; sid:2017349; rev:5; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M2 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"clients=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033935; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; http.method; content:"POST"; http.uri; content:"/adminapi/administrator.cfc?"; nocase; content:"method"; nocase; content:"login"; nocase; http.request_body; content:"rdsPasswordAllowed"; nocase; fast_pattern; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(?:true|1)/i"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:4; metadata:created_at 2013_08_21, updated_at 2020_09_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenKryptik.FKJZ CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&pass="; content:"&cookie="; content:"&cc="; content:"&chrome="; content:"&firefox="; content:"&binancepass="; fast_pattern; content:"&paypalpass="; content:"&hwid="; content:"&bit="; http.request_body; content:"PK|03 04|"; reference:md5,b369e6f7f7ed1771110e9017741be7b3; classtype:trojan-activity; sid:2033936; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegSubsDat Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2014310; rev:7; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewalk CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|gtuvid|0d 0a|"; fast_pattern; content:"|0d 0a|gtsid|0d 0a|";  reference:url,welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:command-and-control; sid:2033937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitcoin variant Checkin"; flow:to_server,established; http.uri; content:"/register_slave.php"; fast_pattern; http.header_names; content:!"|0d 0a|Referer"; nocase; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; classtype:coin-mining; sid:2017369; rev:4; metadata:created_at 2013_08_23, former_category MALWARE, updated_at 2020_09_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:established,to_server; content:"|20 5b 20|"; content:"|20 5b 20|"; distance:0; content:"[endof]"; endswith; reference:md5,8db6655c0a5cb219c3bbc4bb5fc92e1a; classtype:command-and-control; sid:2033938; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Vabushky.A Malicious driver download"; flow:established,to_server; http.uri; content:".bmp.gz"; fast_pattern; pcre:"/\/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$/i"; reference:url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/; classtype:trojan-activity; sid:2017377; rev:4; metadata:created_at 2013_08_27, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.update&botid="; startswith; fast_pattern; content:"&param="; distance:0; content:"&value="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033940; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SERVER["; fast_pattern; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (number update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=number.update&botid="; startswith; fast_pattern; content:"&phoneNumber="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033941; rev:2; metadata:created_at 2021_09_14, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_GET["; fast_pattern; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (session cookie delete)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=command.delete&id="; startswith; fast_pattern; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033942; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_POST["; fast_pattern; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot registration)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.new&botid="; startswith; fast_pattern; content:"&botip="; distance:0; content:"&sdkVersion="; distance:0; content:"&deviceModel="; distance:0; content:"&typeConnection="; distance:0; content:"&battery="; distance:0; content:"&access="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,03f51334546586d0b56ee81d3df9fd7a; classtype:trojan-activity; sid:2033943; rev:1; metadata:created_at 2021_09_14, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (log post)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/logpost.php"; bsize:12; fast_pattern; http.request_body; content:"botid="; startswith; content:"&text="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,03f51334546586d0b56ee81d3df9fd7a; classtype:trojan-activity; sid:2033944; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroStealer/exoStub CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Upload.zip|22 0d 0a|"; fast_pattern; nocase; content:"screenshot"; nocase; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,3594572488e00679a144001e24c675ab; classtype:trojan-activity; sid:2032417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eyoorun.D Variant Checkin"; flow:established,to_server; http.request_line; content:"GET /?opt=put&mq="; startswith; fast_pattern; http.uri; content:"&mac="; content:"&pcname="; distance:12; within:8; content:"&bootid="; distance:0; reference:md5,957c7bf090944fb437e1b9f20bbea1ff; classtype:pup-activity; sid:2033945; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.BEH Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport="; distance:0; content:"&manf="; distance:0; content:"&sid="; distance:0; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"contactsList"; content:"phoneNo"; distance:0; http.header_names; content:!"Referer"; reference:md5,72670e5480849637e86e0daeddbdb43b; reference:url,twitter.com/malwrhunterteam/status/1437787922816806914; classtype:trojan-activity; sid:2033946; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SERVER["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Client Cloaking Javascript Observed"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|html|3e 3c|head|3e 3c|script|20|src|3d 27|"; content:"Aes|2e|Ctr|2e|decrypt|28|"; nocase; fast_pattern; pcre:"/^(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*256\)\x3b/Ri"; content:"document|2e|write|28|output|29|"; distance:0;  reference:url,unit42.paloaltonetworks.com/javascript-based-phishing/; classtype:credential-theft; sid:2033947; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_GET["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/btn_bg.html?contact=true"; fast_pattern; bsize:25; http.cookie; content:"HSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1437787000690683911; reference:url,github.com/pan-unit42/tweets/blob/master/2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt; reference:md5,3963abbca3932a7d1e2b77cef1f6d57e; classtype:trojan-activity; sid:2033948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_POST["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M1"; flow:established,to_server; stream_size:server,<,5; content:"|3d 22 3f 4b 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M2"; flow:established,to_server; stream_size:server,<,5; dsize:4; content:"|6d 35 30 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=netfoundationmtgcorp.com"; nocase; endswith; reference:md5,9845a9edb7484874171c80e3cb26135d; reference:url,twitter.com/benkow_/status/1437376463305596929; classtype:domain-c2; sid:2033951; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M1"; flow:established,to_server; http.request_line; content:"GET|20|/?s="; startswith; fast_pattern; content:"&q="; distance:0; content:"&g="; distance:0; pcre:"/^[a-f0-9]{32}/R"; http.header_names; content:!"User-Agent"; content:!"Accept|0d 0a|"; reference:md5,9284526d864c785b1d6bedd7830e8c19; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033953; rev:1; metadata:created_at 2021_09_15, updated_at 2021_09_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?arch="; content:"&s="; distance:0; content:"&q="; distance:0; http.request_body; content:"continuebtn="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,9284526d864c785b1d6bedd7830e8c19; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033954; rev:2; metadata:created_at 2021_09_15, updated_at 2021_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac FACEPUNCH Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.header; content:"X-Request-Kind-Code|3a 20|"; fast_pattern; http.user_agent; content:"Mozilla"; startswith; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf; classtype:trojan-activity; sid:2017455; rev:8; metadata:created_at 2013_09_11, updated_at 2020_09_20;)
+alert tls any [5986,5985,1270] -> any any (msg:"ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"cloudapp.net"; tls.cert_issuer; content:".cloudapp.net"; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; classtype:bad-unknown; sid:2033955; rev:2; metadata:attack_target Server, created_at 2021_09_15, deployment Perimeter, deployment Internet, former_category POLICY, signature_severity Informational, updated_at 2021_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dipverdle.A Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cp/?"; nocase; fast_pattern; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/i"; http.request_body; content:"token="; nocase; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:4; metadata:created_at 2013_09_16, updated_at 2020_09_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteScript"; fast_pattern; nocase; content:"|3c|p|3a|Script|3e|"; nocase; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033952; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_15, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unicorn Stealer Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename="; content:"form-data|3b 20|name=|22|filename|22 0d 0a|"; content:"form-data|3b 20|name=|22|submit|22 0d 0a|"; content:"form-data|3b 20|name=|22|id|22 0d 0a|"; content:"form-data|3b 20|name=|22|src|22 0d 0a|"; fast_pattern; content:"form-data|3b 20|name=|22|type|22 0d 0a|"; content:"form-data|3b 20|name=|22|on|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1307025445536239616; reference:md5,852646191db6768157a7fddcc13afed2; classtype:trojan-activity; sid:2030894; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Inbound Powershell Creating .hta File"; flow:established,to_client; file.data; content:".hta|22 3b|"; content:"|28|New-Object|20|-COM"; classtype:bad-unknown; sid:2033956; rev:1; metadata:created_at 2021_09_15, former_category HUNTING, updated_at 2021_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; http.uri; content:".swf"; offset:66; depth:4; endswith; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/i"; classtype:exploit-kit; sid:2016799; rev:5; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Inbound Powershell Creating .lnk File"; flow:established,to_client; file.data; content:".lnk|22|"; content:"|28|New-Object|20|-COM|20|WScript.Shell|29|.CreateShortcut|28|"; classtype:bad-unknown; sid:2033957; rev:1; metadata:created_at 2021_09_15, former_category HUNTING, updated_at 2021_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw Requesting Additional Modules From CnC"; flow:established,to_server; http.uri; content:"/ping.html?r="; fast_pattern; content:!"/utils/"; pcre:"/\x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$/"; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016507; rev:7; metadata:created_at 2013_02_26, former_category MALWARE, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanDownloader.Adload.NSD Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?commandline="; fast_pattern; content:"&country="; distance:0; content:"&username="; distance:0; content:"&newpc="; distance:0; content:"&av="; distance:0; http.user_agent; content:"WinHttpClient"; bsize:13; reference:md5,dd6dca8dd2f53fdedeb5513f103ab711; classtype:pup-activity; sid:2033958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-driver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-driver"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017519; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain"; dns.query; content:".duckdns.org"; fast_pattern; pcre:"/^[a-f0-9]{8,}\.duckdns\.org$/"; reference:md5,cfaed1a20d1d7e877f58d54272361df1; classtype:bad-unknown; sid:2033959; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-process)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-process"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017521; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M3"; flow:established,to_server; http.request_line; content:"GET|20|/?s="; startswith; fast_pattern; content:"&q="; distance:0; content:"&hmac="; distance:0; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
 
-alert  http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-cmd-shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-cmd-shell"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017522; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe Related CnC Activity"; flow:established,to_server; content:"x999"; startswith; fast_pattern; content:">"; distance:0; pcre:"/>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}>/"; content:"|20|>>"; reference:md5,ae20da9a88c7624a6b3f81a20bc8065c; reference:url,twitter.com/s1ckb017/status/1435888576710029315; reference:url,blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/; classtype:trojan-activity; sid:2033962; rev:1; metadata:created_at 2021_09_16, former_category MALWARE, malware_family TransparentTribe, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DATA-BROKER BOT Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"g="; depth:2; content:"&cmd="; fast_pattern; pcre:"/^g=[A-Z0-9]+&cmd=/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:5; metadata:created_at 2013_09_25, updated_at 2020_09_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal Backdoor CnC Domain in DNS Lookup"; dns.query; content:"ergencucur.com"; nocase; bsize:14; reference:url,twitter.com/nao_sec/status/1438460553479921665; reference:md5,60490ea995531924f77af5f1bfb38eec; classtype:domain-c2; sid:2033963; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK POST Compromise POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?id="; nocase; content:"&v1="; nocase; content:"&v2="; nocase; fast_pattern; content:"&q="; nocase; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017544; rev:4; metadata:created_at 2013_09_30, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal Backdoor CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/post.asp"; endswith; http.host; content:".com#.com"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,60490ea995531924f77af5f1bfb38eec; reference:url,twitter.com/nao_sec/status/1438460553479921665; classtype:trojan-activity; sid:2033964; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Bisonal, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; flowbits:set,et.exploitkitlanding; http.uri; content:".php?"; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017554; rev:5; metadata:created_at 2013_10_02, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/ZuRu Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u.php?id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,objective-see.com/blog/blog_0x66.html; reference:md5,2786ebc3b917866d30e622325fc6f5f3; classtype:trojan-activity; sid:2033965; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages"; flow:established,to_server; http.method; content:"POST"; http.host; content:".atwebpages.com"; fast_pattern; classtype:misc-activity; sid:2030890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, signature_severity Informational, updated_at 2020_09_21;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Telegram API Domain in DNS Lookup"; dns.query; content:"api.telegram.org"; nocase; bsize:16; classtype:misc-activity; sid:2033966; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; http.uri; content:".js?cp="; fast_pattern; pcre:"/\/[A-F0-9]{8}\.js\?cp=/"; classtype:exploit-kit; sid:2017555; rev:4; metadata:created_at 2013_10_02, updated_at 2020_09_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.telegram.org"; bsize:16; fast_pattern; classtype:misc-activity; sid:2033967; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; http.uri; content:".js?"; fast_pattern; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/"; classtype:trojan-activity; sid:2017453; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteShellCommand"; fast_pattern; nocase; content:"|3c|p|3a|command|3e|"; nocase; reference:url,github.com/horizon3ai/CVE-2021-38647/blob/main/omigod.py; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033968; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_16, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FiestaEK js-redirect"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/"; classtype:exploit-kit; sid:2017567; rev:5; metadata:created_at 2013_10_07, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno CVE-2021-41314 (new line injection)"; http.method; content:"POST"; http.uri; content:"/cgi/set.cgi?cmd=home_loginAuth"; fast_pattern; http.request_body; content:"_ds="; content:"pwd="; distance:0; pcre:"/^[^&\x0d\r]+[\n\x0a]/R"; reference:url,gynvael.coldwind.pl/?id=742; reference:cve,2021-41314; classtype:attempted-dos; sid:2033969; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade.php"; nocase; fast_pattern; http.header; content:"Origin|3a|"; http.request_body; content:"&customerid="; nocase; content:"&htmlsubmit="; content:"username"; nocase; content:"confirmpassword"; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:4; metadata:created_at 2013_10_09, updated_at 2020_09_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain (phonefix .bar in TLS SNI)"; flow:established,to_server; tls.sni; content:"phonefix.bar"; bsize:12; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566?s=20; reference:url,tria.ge/210913-nebwkaded5; classtype:domain-c2; sid:2033972; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan tools.ini Request"; flow:established,to_server; http.uri; content:"/tools.ini"; fast_pattern; bsize:10; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017585; rev:5; metadata:created_at 2013_10_13, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//l/f/"; startswith; fast_pattern; pcre:"/^[A-Za-z0-9_]{20}\/[a-f0-9]{40}$/R"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033973; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kovter Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?mode="; nocase; content:"&OS="; nocase; content:"&OSbit="; nocase; fast_pattern; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:14; metadata:created_at 2013_04_01, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.content_type; content:"multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV"; fast_pattern; bsize:62; reference:md5,8b45338ac11f819c85dd86d13a1cc2bb; classtype:command-and-control; sid:2033974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Egobot Checkin"; flow:to_server,established; http.uri; content:".php?arg1="; nocase; fast_pattern; content:"&arg2="; pcre:"/&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/i"; reference:url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; classtype:command-and-control; sid:2017600; rev:4; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v4/api_t.php?id="; startswith; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034038; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; http.uri; content:"/WEB-INF/web.xml"; nocase; fast_pattern; http.uri.raw; content:"|2e 2e 2f|"; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:4; metadata:created_at 2013_10_17, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v4/down/"; startswith; fast_pattern; http.host; content:".cc"; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034039; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Install"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/stats/debug/"; fast_pattern; content:"/?ts="; content:"&ver="; content:"&group="; content:"&token="; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:4; metadata:created_at 2013_10_30, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v4/api_t.php"; bsize:13; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.request_body; content:"id="; startswith; content:"&mid="; distance:0; content:"&username="; distance:0; content:"&os_info="; distance:0; content:"&version="; distance:0; content:"&computername="; distance:0; content:"&memory="; distance:0; content:"&screen="; distance:0; content:"&drives="; distance:0; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034040; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msctcd.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v4/api_t.php"; bsize:13; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.request_body; content:"id="; startswith; content:"&mid="; distance:0; content:"&cmd_id="; distance:0; content:"&msg_id="; distance:0; content:"&msg="; distance:0; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034041; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskmgr.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed APT-C-23 Related Domain (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"linda-gaytan.website"; bsize:20; fast_pattern; reference:md5,af0e580b67938afaeb783b72cf2a1c61; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; classtype:domain-c2; sid:2033978; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wsqmocn.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (linda-gaytan .website)"; dns.query; content:"linda-gaytan.website"; nocase; bsize:20; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east; reference:md5,af0e580b67938afaeb783b72cf2a1c61; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; classtype:domain-c2; sid:2033979; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (javan-demsky .website)"; dns.query; content:"javan-demsky.website"; nocase; bsize:20; reference:md5,dd4596cf68c85eb135f7e0ad763e5dab; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/; classtype:domain-c2; sid:2033980; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?computer-name="; fast_pattern; content:"&username="; distance:0; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Cache"; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030895; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazed/alternative.jng"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; http.host; content:".ru"; endswith; reference:md5,0c6eb0ff9121eae3ce6e15f7af8f9909; reference:url,twitter.com/s1ckb017/status/1438458210147520514; classtype:trojan-activity; sid:2033981; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-sharepoint.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030896; rev:1; metadata:created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; pcre:"/^.{4}(?:R(?:k(?:Z(?:GQkBG|CQEY)|BCRUVG)|0FFRkFH|UJDQUE)|Q(?:U(?:V(?:CQ0FB|GQUc)|NCRkI)|kFDQkZC|EJFRUY)|(?:Z(?:AQkVF|GRkJA)R|JBQ0JGQ)g|FFQkNBQQ|dBRUZBRw)/R"; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith;  reference:url,twitter.com/jaydinbas/status/1437708323038564352; classtype:command-and-control; sid:2033982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-onedrive.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030897; rev:1; metadata:created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jbossmq-httpil/HTTPServerILServlet"; fast_pattern; http.request_body; content:"|AC ED 00|"; reference:url,www.programmersought.com/article/1033574325/; reference:cve,2017-7504; classtype:attempted-admin; sid:2033985; rev:1; metadata:attack_target Server, created_at 2021_09_17, cve CVE_2017_7504, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Usrname="; fast_pattern; content:"&0S-Name="; distance:0; content:"&Pt-Name="; distance:0; content:"&ToolsIsActive"; endswith; http.user_agent; content:"Python-urllib/"; startswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030898; rev:1; metadata:created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Bitter Related CnC Domain in DNS Lookup"; dns.query; content:"olmajhnservice.com"; nocase; bsize:18; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:domain-c2; sid:2033986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, signature_severity Major, updated_at 2021_09_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017676; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561_CVE_2021_27562, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wimhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=sammitng.com"; nocase; endswith; reference:md5,b656845e2755920db24364b42ce2ea18; reference:url,thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/; classtype:domain-c2; sid:2033988; rev:1; metadata:attack_target Client_and_Server, created_at 2021_09_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winlog.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WP Download From Files Plugin <= 1.48 Arbitrary File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; bsize:4; http.uri; content:"/wp-admin/admin-ajax.php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|files[]|22 3b 20|filename=|22|"; content:"<?"; content:"download_from_files_617_fileupload"; fast_pattern; reference:url,cxsecurity.com/issue/WLB-2021090097; classtype:attempted-admin; sid:2033989; rev:1; metadata:created_at 2021_09_20, former_category EXPLOIT, updated_at 2021_09_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/waulct.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Socelars.S CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST|20|/base/api/getData.php|20|HTTP/1.1"; startswith; fast_pattern; http.request_body; content:"data="; startswith; isdataat:50,relative; http.header_names; content:!"Referer"; reference:md5,064f0d6900675bed580da1291a566cfa; classtype:trojan-activity; sid:2034192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/alg.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK Server Response"; flow:established,to_client; file.data; content:"|ce f8 f4 fc fb c8 98 9f|"; startswith; fast_pattern; content:"|98 9f|"; content:"|98 9f|"; endswith; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mssrs.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in HTML Title Tags Inbound"; flow:established,to_client; content:"|3c|title|3e 40|"; content:"|40 3c 2f|title|3e|"; distance:0; within:150; fast_pattern; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhosts.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike)"; flow:established,to_client; tls.cert_subject; content:"CN=systemmentorsec.com"; bsize:22; fast_pattern; reference:url,twitter.com/Unit42_Intel/status/1440027013595766784; reference:url,www.malware-traffic-analysis.net/2021/09/20/index.html; classtype:domain-c2; sid:2033993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Stitur Secondary Download"; flow:established,from_server; http.header; content:".file|0d 0a|"; fast_pattern; content:"Content-Description|3a 20|File Transfer|0d 0a|"; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; pcre:"/filename=[a-f0-9]{13}\.file\r\n/"; classtype:trojan-activity; sid:2017700; rev:5; metadata:created_at 2013_11_08, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:!"Mozilla"; content:"-"; offset:2; depth:1; content:"-"; distance:0; http.header_names; content:!"Referer"; reference:md5,064f0d6900675bed580da1291a566cfa; classtype:command-and-control; sid:2033995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Monitor Request CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/monitor.php?resp=ID|3a|"; fast_pattern; content:"Target|3a|"; content:"Message|3a|"; pcre:"/\/monitor\.php\?resp=ID\x3a[A-Za-z]{15}/"; http.user_agent; content:"Mozilla/4.0 (SEObot)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017717; rev:5; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA XSS Attempt (CVE-2020-3580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/+CSCOE+/saml/sp/acs?tgname="; fast_pattern; http.request_body; content:"=|22|><"; reference:url,twitter.com/ptswarm/status/1408050644460650502; reference:cve,2020-3580; classtype:web-application-attack; sid:2033994; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2021_09_21, cve CVE_2020_3580, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Command Request CnC Beacon"; flow:established,to_server; http.uri; content:"/gate.php?cmd="; fast_pattern; pcre:"/\/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017723; rev:4; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_09_22;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M2 (CVE-2018-8617)"; flow:established,from_server; file_data; content:"function"; pcre:"/^\s*(?P<func_a>[\w\-]{1,20})\((?P<obj_1>[\w\-]{1,20})\s*,\s*(?P<obj_2>[\w\-]{1,20}).{1,300}(?P=obj_1)\.(?P<prop_2>[\w\-]{1,20})\s*=\s*\d+(?:\.\d+)?.{1,300}?(?P=obj_2)\.pop\(\).{1,300}?(?P=obj_1)\.(?P<prop_1>[\w\-]{1,20})\s*=\s*\d+(?:\.\d+)?.{1,500}Object\.prototype\.p(op|ush)\s*=\s*Array\.prototype\.p(op|ush)\x3b.{1,500}var\s*(?P<obj_3>[\w\-]{1,20})\s*=\s*\{\s*(?P=prop_1)\s*\x3a\s*\d+(?:\.\d+)?\s*,\s*(?:(?P=prop_2)\s*\x3a\s*\d+(?:\.\d+)?|(?P=prop_2)\s*\x3a\s*\d+(?:\.\d+)?\s*,\s*(?P=prop_1)\s*\x3a\s*\d+(?:\.\d+)).{1,500}(?P=func_a)\(\s*(?:(?P=obj_3)\s*,\s*new\s*Object\(\)|\s*new\s*Object\(\)\s*,\s*(?P=obj_3)\s*).{1,500}?(?P=func_a)\((?P=obj_3)/Rsi"; content:"Object.prototype.p"; content:"|20|=|20|Array.prototype.p"; fast_pattern; reference:cve,2018-8617; classtype:attempted-admin; sid:2034004; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_21, cve CVE_2018_8617, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; http.uri; content:"/pwn.jsp?"; nocase; fast_pattern; content:"cmd="; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:6; metadata:created_at 2013_11_19, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot Generic URI/Header Struct .bin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"aocdn.net"; content:!"kankan.com"; endswith; content:!"conf.v.xunlei.com"; endswith; content:!"burstek.com"; endswith; http.request_line; content:".bin HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018052; rev:11; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; http.uri; content:"cmd="; nocase; content:"pwd=dayoff"; nocase; fast_pattern; pcre:"/[&?]pwd=dayoff(?:&|$)/i"; pcre:"/[&?]cmd=/i"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:5; metadata:created_at 2013_12_06, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; http.header; content:!"ztunnelversion|3a 20|"; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; content:!"trust.zscaler.com"; pcre:"/(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:16; metadata:created_at 2012_02_28, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; http.uri; content:"isn_getlog"; nocase; fast_pattern; pcre:"/[?&]isn_getlog/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:7; metadata:created_at 2013_12_09, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ntuser.txt"; bsize:11; fast_pattern; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; bsize:20; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhost"; nocase; fast_pattern; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017842; rev:4; metadata:created_at 2013_12_11, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/max.txt"; bsize:8; fast_pattern; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; bsize:20; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS pony.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pony."; nocase; fast_pattern; pcre:"/\/pony\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017843; rev:4; metadata:created_at 2013_12_11, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom JS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/js/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.js\x27\x29\.then\x28(?:.{1,1000}themes\/js\/[a-f0-9]{42}\.js\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034002; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kryptik Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&bot_id="; nocase; fast_pattern; pcre:"/\.php\?(q|name)=/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:attempted-user; sid:2017741; rev:5; metadata:created_at 2013_11_21, updated_at 2020_09_22;)
+alert http any any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Checks if New Visitor"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|28|store|2e|getters|5b 27|"; fast_pattern; pcre:"/\w{1,255}\/\w{1,255}'\]\s*==\s*"\w{1,255}\"/Ri"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033999; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; urilen:35<>37; http.method; content:"POST"; http.uri; content:".aspx?Random="; fast_pattern; pcre:"/^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$/i"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017858; rev:4; metadata:created_at 2013_12_13, former_category MALWARE, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.host; content:"|2e|"; offset:16; depth:1; pcre:"/^[a-f0-9]{16}\./"; http.request_body; content:"info="; startswith; fast_pattern; pcre:"/^[A-Za-z0-9\-_~]{75,}$/R"; http.header_names; content:!"Referer"; reference:md5,b0110812a72552902f0bd69d640b8e1c; classtype:trojan-activity; sid:2031926; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; http.uri; content:"/cfcexplorer.cfc"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:4; metadata:created_at 2013_12_16, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fgt_lang?lang="; fast_pattern; content:"|2e 2e 2f|"; distance:0; reference:url,devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/; reference:url,github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py; reference:cve,2018-13379; classtype:attempted-admin; sid:2034005; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2021_09_22, cve CVE_2018_13379, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request"; flow:established,to_server; http.uri; content:"/j.php?t=u00"; fast_pattern; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2015960; rev:14; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Phishkit Javascript Response with Phishy Text"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"click OK or reload"; nocase; fast_pattern; content:"longtime to request"; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2034003; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Informational, updated_at 2021_09_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FOCA uri"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:5; metadata:created_at 2014_01_09, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Config Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"ID_CUS_SP_NBR_"; nocase; fast_pattern; content:"EMAILRESULT_NBR"; nocase; content:"LINKRE_RESULT"; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; threshold:type both,track by_src,count 2,seconds 60; http.method; content:"POST"; http.uri; content:"/201"; fast_pattern; content:".jsp"; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)"; bsize:101; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:command-and-control; sid:2017967; rev:5; metadata:created_at 2014_01_13, former_category MALWARE, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|5c|nUpdate your browser"; nocase; content:"is out-of-date"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Possible Process Dump in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"System Idle Process"; fast_pattern; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:6; metadata:created_at 2014_01_14, former_category INFO, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Outdated Browser Landing Page M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Your browser is"; nocase; fast_pattern; content:"work well in"; nocase; distance:0; content:"your browser to view this"; nocase; distance:0; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033996; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG JAVAFOG JAR checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"?title=2.0_-"; fast_pattern; http.user_agent; content:"Java"; startswith; http.request_body; content:"content=HostName|3a 20|"; depth:18; content:"|0d 0a|Java Version|3a 20|"; distance:0; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:command-and-control; sid:2017972; rev:6; metadata:created_at 2014_01_15, former_category MALWARE, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=exec"; fast_pattern; content:"&newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034006; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; http.method; content:"GET"; http.uri; content:"/reboot/index.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:command-and-control; sid:2018023; rev:4; metadata:created_at 2014_01_27, former_category MALWARE, updated_at 2020_09_22;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"?newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034007; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; http.host; content:"myip.ru"; fast_pattern; endswith; classtype:policy-violation; sid:2018021; rev:6; metadata:created_at 2014_01_27, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [upload] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=upload"; fast_pattern; content:"&path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034009; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4; metadata:created_at 2014_02_03, updated_at 2020_09_22;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033856; rev:3; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StoredBt.A Activity"; flow:to_server,established; http.uri; content:".php?a1="; fast_pattern; pcre:"/\.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,e8e9eb1cd4be7ab27743887be2aa28e9; classtype:trojan-activity; sid:2018074; rev:4; metadata:created_at 2014_02_05, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033857; rev:2; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; content:"Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*?boundary\s*?=\s*?[^\r\n]/Ri"; isdataat:4091,relative; content:!"|0A|"; within:4091; http.header; content:"multipart/form-data"; fast_pattern; reference:url,blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html; reference:cve,2014-0050; classtype:web-application-attack; sid:2018113; rev:4; metadata:created_at 2014_02_12, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith; classtype:command-and-control; sid:2033984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin 2"; flow:to_server,established; http.uri; content:"/post/echo"; fast_pattern; bsize:10; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018128; rev:4; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno Vulnerability (post-auth shell injection)"; http.method; content:"POST"; http.uri; content:"/set.cgi?cmd=diag_traceroute"; fast_pattern; http.request_body; content:"&hostname="; pcre:"/^[^&\r\n]+(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:url,gynvael.coldwind.pl/?id=742; classtype:attempted-admin; sid:2033971; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alman Dropper Checkin"; flow:established,to_server; http.uri; content:"?action=post&HD="; fast_pattern; content:"&OT="; content:"&IV="; pcre:"/&HD=[A-F0-9]{32}&/"; reference:url,doc.emergingthreats.net/2009203; classtype:command-and-control; sid:2009203; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno Vulnerability (fake packet upload)"; http.method; content:"POST"; http.uri; content:"/cgi/get.cgi?cmd=home_login"; http.content_type; content:"multipart/form-data"; http.content_len; byte_test:0,>=,300000000,0,string,dec; reference:url,gynvael.coldwind.pl/?id=742; classtype:attempted-admin; sid:2033970; rev:3; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin 2"; flow:to_server,established; http.uri; content:"/cmd?version="; fast_pattern; content:"&aid="; content:"&id="; content:"&os="; pcre:"/&id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018198; rev:6; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2020_09_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Monitor.PCTattletale.A Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Prod/api/pctt/devices/"; fast_pattern; bsize:23; http.header_names; content:!"Referer"; content:!"User-Agent"; http.request_body; content:"{|22|MemberID|22 3a|"; startswith; content:"|22 2c 22|DeviceName|22 3a 22|"; distance:0; content:"|22 2c 22|DeviceDescription|22 3a 22|"; distance:0; content:"|22 2c 22|SoftwareVersion|22 3a 22|"; distance:0; reference:md5,d76d32487a84bb529a94ee39444f8212; reference:url,www.vice.com/en/article/m7ezj8/stalkerware-leaking-phone-screenshots-pctattletale; classtype:trojan-activity; sid:2034013; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Geral Checkin"; http.uri; content:".asp?MAC="; nocase; fast_pattern; content:"&ver="; nocase; pcre:"/\.asp\?MAC=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&VER=[^&]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f01260fff3d6fb705fc8afaa3ea54564; classtype:command-and-control; sid:2018201; rev:4; metadata:created_at 2014_03_03, former_category MALWARE, updated_at 2020_09_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/diag/diag.cgi"; fast_pattern; content:"&options="; distance:0; content:"-r"; distance:0; reference:url,packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html; reference:url,packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html; reference:cve,2019-11539; classtype:attempted-admin; sid:2034014; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_09_23, cve CVE_2019_11539, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels)"; flow:established,to_server; http.uri; content:"/log4jAdmin.jsp"; fast_pattern; reference:url, gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018202; rev:4; metadata:created_at 2014_03_03, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/FamousSparrow Activity (POST)"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.host; content:"credits.offices-analytics.com"; bsize:29; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Host|0d 0a|"; content:!"Referer"; reference:url,www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/; reference:url,twitter.com/ESETresearch/status/1441013111469879300; classtype:trojan-activity; sid:2034015; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin"; flow:to_server,established; http.uri; content:"/log?"; content:"|7c|aid="; fast_pattern; content:"|7c|version="; content:"|7c|id="; content:"|7c|os="; pcre:"/\/log\?(start|install)\x7caid=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018205; rev:5; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/FamousSparrow CnC Domain in DNS Lookup (credits.offices-analytics .com)"; dns.query; content:"credits.offices-analytics.com"; nocase; bsize:29; reference:url,twitter.com/ESETresearch/status/1441013111469879300; reference:url,www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/; classtype:domain-c2; sid:2034016; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Adultdns.net"; flow:established,to_server; http.host; content:".adultdns.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018211; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nagiosxi/includes/components/autodiscovery/?mode=newjob"; fast_pattern; http.request_body; content:"job=|2e 2e 2f|"; reference:url,claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/; reference:cve,2021-37343; classtype:attempted-admin; sid:2034017; rev:1; metadata:affected_product Nagios, attack_target Server, created_at 2021_09_23, cve CVE_2021_37343, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?r=cmd"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,e47a296bac49284371ac396a053a8488; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030904; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyTurla CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Title|0d 0a|"; fast_pattern; http.header; content:"Title|3a 20|"; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"|0d 0a|"; distance:12; within:2; reference:url,blog.talosintelligence.com/2021/09/tinyturla.html; classtype:command-and-control; sid:2034018; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Servehttp.com"; flow:established,to_server; http.host; content:".servehttp.com"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018212; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Autodiscover Credentials Leak via Basic Auth"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/autodiscover/autodiscover.xml"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|"; reference:url,guardicore.com/labs/autodiscovering-the-great-leak/; classtype:policy-violation; sid:2034019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Redirectme.net"; flow:established,to_server; http.host; content:".redirectme.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018214; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Spy.Agent.AW Download"; flow:established,to_client; http.response_body; content:"var"; startswith; content:"|5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34 5c 78 35 46 5c 78 36 36 5c 78 36 46 5c 78 37 32 5c 78 36 44 5c 78 35 46 5c 78 36 33 5c 78 36 33 5c 78 37 33 5c 78 36 31 5c 78 37 36 5c 78 36 35|"; within:90; fast_pattern; content:"|5c 78 36 35 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 35 46 5c 78 37 33 5c 78 36 35 5c 78 36 33 5c 78 37 35 5c 78 37 32 5c 78 36 35 5c 78 35 46 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34|"; distance:62; within:76;  reference:md5,ade43b2b2cf95ca908b82fe0e76ea54d; classtype:trojan-activity; sid:2034020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Zapto.org"; flow:established,to_server; http.host; content:".zapto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018215; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (REBOL)"; flow:established,to_server; http.user_agent; content:"REBOL"; nocase; startswith;  reference:url,twitter.com/James_inthe_box/status/1441140639169609736; classtype:bad-unknown; sid:2034021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain serveblog.net"; flow:established,to_server; http.host; content:".serveblog.net"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018217; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=bmFtZT"; fast_pattern; pcre:"/(?:JmJ1aWxkP|YnVpbGQ9|ZidWlsZD)/R"; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain myftp.com"; flow:established,to_server; http.host; content:".myftp.com"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018218; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=dXVpZD"; fast_pattern; content:"LT"; distance:18; within:2; content:"t"; distance:5; within:1; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034023; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; http.uri; content:"/ping/installping.aspx"; fast_pattern; content:"shortname="; content:"&os="; content:"&parents="; content:"&browserNames="; content:"&DefaultBrowserName="; content:"&langid="; content:"&installdate="; http.header; content:".installiq.com|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:5; metadata:created_at 2014_03_04, updated_at 2020_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup (r .significantbyte .com)"; dns.query; content:"r.significantbyte.com"; fast_pattern; nocase; bsize:21; reference:url,twitter.com/h2jazi/status/1440418522950107140; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; classtype:domain-c2; sid:2034029; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Payload Download"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; content:"&h="; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016499; rev:16; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc Domain in DNS Lookup (aljazeera .cc)"; dns.query; content:"aljazeera.cc"; fast_pattern; nocase; bsize:12; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; reference:url,twitter.com/h2jazi/status/1440418522950107140; classtype:domain-c2; sid:2034030; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RDP Brute Force Bot Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cmd.php"; http.user_agent; content:"Browser"; depth:7; http.request_body; content:"name=|22|data|22|"; content:"{ |22|bad|22 20 3a 20|"; content:", |22|bruting|22 20 3a 20|"; fast_pattern; content:", |22|checked|22 20 3a 20|"; reference:md5,c0c1f1a69a1b59c6f2dab18135a73919; reference:md5,e310cf7385ae4d15956e461c6d118c91; reference:md5,d316d208a66248c09986896f671f1db1; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018253; rev:8; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Netconnection Domain in DNS Lookup"; dns.query; content:"internetbeacon.msedge.net"; fast_pattern; nocase; bsize:25; reference:url,lazyadmin.nl/powershell/test-netconnection/; classtype:bad-unknown; sid:2034025; rev:2; metadata:created_at 2021_09_24, former_category INFO, updated_at 2021_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Expiro.CD Check-in"; flow:established,to_server; http.uri; content:"/gate.php?user="; fast_pattern; content:"&id="; nocase; content:"&type="; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:4; metadata:created_at 2014_03_12, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Sending Windows System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/t/"; startswith; content:".php?"; http.host; content:"r.significantbyte.com"; fast_pattern; bsize:21; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; reference:url,twitter.com/h2jazi/status/1440418522950107140; classtype:trojan-activity; sid:2034031; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; pcre:"/^\/1[34]\d{8}\.pdf$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018258; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sabsik.FL.B!ml CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"|ef bc 9a|"; depth:40; content:"Memorytotal|ef bc 9a|"; fast_pattern; content:"|ef bc 9a 5b|System|20|Process|5d 20|"; distance:0; reference:md5,84fffb6b0ee44238261a21a0af066c12; classtype:command-and-control; sid:2034032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".htm"; fast_pattern; pcre:"/^\/1[34]\d{8}\.htm$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018259; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.aspx"; content:"id=../"; fast_pattern; content:"bp="; content:"accountid="; reference:url,codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html; reference:cve,2021-22941; classtype:attempted-admin; sid:2034033; rev:1; metadata:attack_target Server, created_at 2021_09_27, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Java Payload"; flow:established,to_server; http.uri; content:".mp3"; pcre:"/\/\d{6}\.mp3$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017755; rev:7; metadata:created_at 2013_11_25, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FoggyWeb Backdoor Incoming Request (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adfs/portal/images/theme/light01/"; startswith; content:".webp"; endswith; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034034; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_SLOTH.A Checkin"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/help.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:command-and-control; sid:2018285; rev:6; metadata:created_at 2014_03_17, former_category MALWARE, updated_at 2020_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FoggyWeb Backdoor Incoming Request (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/portal/images/theme/light01/"; startswith; content:".webp"; endswith; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus GameOver Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a 20|"; http.host; content:"default"; fast_pattern; startswith; content:!"."; reference:md5,bd850c21254c33cd9f6be41aafc6bf46; classtype:command-and-control; sid:2018296; rev:4; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FoggyWeb Backdoor Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/webp"; bsize:10; file.data; content:"|52 49 46 46|"; startswith; content:"|57 45 42 50 56 50 38 20|"; distance:4; within:8; content:"|10 32 00 9d 01 2a|"; distance:4; within:6; fast_pattern; pcre:"/^[\x80|\x40]\x00[\x80|\x40]\x00\x00\x00/R"; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; fast_pattern; tls.cert_issuer; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; reference:url,twitter.com/bryceabdo/status/1308802052487774210; classtype:domain-c2; sid:2030901; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer CnC Checkin"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a 20|"; startswith; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:38; fast_pattern; http.content_len; byte_test:0,>=,200,0,string,dec; byte_test:0,<=,999,0,string,dec; http.connection; content:"Keep-Alive"; bsize:10; http.request_body; content:!"|0d 0a|"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:url,blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer; reference:md5,c4772d76029004a5512ea6e2ff3be39b; classtype:command-and-control; sid:2034024; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Jupyter, performance_impact Significant, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmark/getServiceCode?price="; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:5; metadata:created_at 2014_03_24, updated_at 2020_09_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter RCE Exploitation Attempt M2 (CVE-2021-22005)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&_i=."; content:"../../"; fast_pattern; reference:cve,2021-22005; classtype:attempted-admin; sid:2034037; rev:1; metadata:attack_target Server, created_at 2021_09_28, cve CVE_2021_22005, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nlog/nlog"; fast_pattern; content:".php"; http.header; content:"Content-Length|3a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017465; rev:6; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReflectiveGnome Download Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; endswith; http.user_agent; content:"msie"; bsize:4; fast_pattern; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2034042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=conwaytools.me"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/bryceabdo/status/1308743381099646976; classtype:domain-c2; sid:2030902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M1 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3b"; distance:0; pcre:"/^(?:%[a-f0-9]{2}){5,}/R"; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034043; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
 
-alert http any any -> any 5000 (msg:"ET SCAN Hikvision DVR attempted Synology Recon Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webman/info.cgi?host="; fast_pattern; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:4; metadata:created_at 2014_04_01, former_category SCAN, updated_at 2020_09_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M2 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3bimport|20|"; distance:0; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034044; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mal/Ransom-CE Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/windows"; fast_pattern; endswith; http.user_agent; content:"MSIE"; http.host; content:"www.microsoft.com"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,6faa7077de347ee0fa8c991934c2c3a5; reference:md5,a1fe3a7ff1ec997411b71212483eea33; reference:md5,97c0000473c5004d2e8c0464e322f429; classtype:trojan-activity; sid:2018295; rev:5; metadata:created_at 2014_03_18, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; http.user_agent; content:"unknown"; fast_pattern; bsize:7; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer";  reference:md5,fd59dd7bb54210a99c1ed677bbfc03a8; classtype:trojan-activity; sid:2034048; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=TR, ST=Istanbul, L=Istanbul Buyuksehir Belediyesi, O=EsT Country, OU=ESTTKEY, CN=alahuakber"; bsize:93; fast_pattern; reference:url,twitter.com/bryceabdo/status/1308778721797640195; classtype:domain-c2; sid:2030903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=check&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/Rs"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:md5,9bf1574b794c7937cdbd12a9ff6fba76; classtype:command-and-control; sid:2034049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 8"; nocase; fast_pattern; content:!"NOKIA"; nocase; classtype:trojan-activity; sid:2015821; rev:6; metadata:created_at 2012_10_19, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Password-Processing URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"phishing-processor"; fast_pattern; content:".php"; distance:0; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/counter.img?theme="; fast_pattern; content:"&digits="; content:"&siteId="; http.user_agent; content:"Opera/9 (Windows NT"; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:command-and-control; sid:2015723; rev:6; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session/downexlog/cd/"; fast_pattern; startswith; http.header_names; content:!"Refer"; classtype:trojan-activity; sid:2034883; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-#alert http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; flowbits:set,ET.Rbrute.incoming; http.user_agent; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; fast_pattern; nocase; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:5; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fa 28 39 fb 28 39 f9 4c 48 8d 28 39 fe 28 38 8c 4f|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034050; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain"; flow:established,to_server; http.host; content:".mrbasic.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018365; rev:4; metadata:created_at 2014_04_04, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3f 2f fb 3e 2f fb 3c 4b 8a 48 2f fb 3b 2f fa 49 48|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp"; flow:established,to_server; http.uri; content:".asp?mevla=1"; nocase; fast_pattern; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018370; rev:6; metadata:created_at 2014_04_07, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 38 ed 3e 39 ed 3e 3b 89 4f 4f ed 3e 3c ed 3f 4e 8a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=moist.company"; nocase; endswith; classtype:domain-c2; sid:2030899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|26 67 ea 26 66 9c 26 66 9d 26 66 9f 42 17 eb 26 66 98 41 70 9c 47|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (Download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"seCurEstrInGTogloBALAlLoCUnicOdE|28 20 24 28 27|76492d1116743f0423413b16050a5345MgB8A"; nocase; fast_pattern; reference:md5,fc30e902d1098b7efd85bd2651b2293f; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030905; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|70 9c 47 70 9d 31 70 9d 30 70 9d 32 14 ec 46 70 9d 35 17 8b 31 11|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moist Stealer CnC Exfil"; flow:established,to_server; http.uri; content:".php?id=";  content:"&caption="; distance:0; content:"|20|Moist|20|Stealer|20|gate|20|detected|20|new|20|log!"; nocase; distance:0; fast_pattern; content:"User|3a|"; nocase; distance:0; content:"IP|3a|"; nocase; distance:0; http.request_body; content:"].zip|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,f855dffcbd21d4e4a59eed5a7a392af9; classtype:command-and-control; sid:2030900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Moist_Stealer, signature_severity Major, updated_at 2020_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|8b 31 11 8b 30 67 8b 30 66 8b 30 64 ef 41 10 8b 30 63 ec 26 67 ea|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?p="; fast_pattern; content:"&s="; content:"&v="; distance:0; content:"uid="; distance:0; content:"&q="; distance:0; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2009299; classtype:trojan-activity; sid:2009299; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megalodon/Gomorrah/CosaNostra HTTP Bot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; isdataat:!17,relative; http.request_body; content:".txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"|22|PC Name|22|"; content:"|22|Operating System|22|"; content:"|22|Anti virus|22|"; fast_pattern; content:"|22|Firewall|22|"; content:"|22|Processor|22|"; content:"|22|Memory|20|(RAM)|22|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/moneermasoud/CosaNostra-HTTP-Botnet/blob/master/stub/keylogger/keylogger/Form1.vb; reference:md5,0dad0861840cb73b4cefce3dcce28fa5; classtype:command-and-control; sid:2034056; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE hacker87 checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/AppEn.php"; fast_pattern; http.request_body; content:"parameter="; depth:10; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:command-and-control; sid:2018420; rev:4; metadata:created_at 2014_04_24, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-ajaxSuccess.js"; fast_pattern; bsize:22; http.cookie; content:"__cfduid="; startswith; pcre:"/^[a-zA-Z0-9_-]{171}$/R"; reference:md5,cc13942c46fb85a5754570c2b2c06e35; classtype:trojan-activity; sid:2034057; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest - Post Data Form 01"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/post.aspx?"; fast_pattern; pcre:"/^\/post\.aspx\?[^&]+=[0-9]{9,10}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018425; rev:4; metadata:created_at 2014_04_28, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .me)"; dns.query; dotprefix; content:".samuelblog.me"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034058; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.qgxi Checkin"; flow:to_server,established; http.uri; content:".php?bot="; fast_pattern; http.cookie; content:"bot="; depth:4; reference:md5,0b450a92f29181065bc6601333f01b07; reference:md5,548fbf4dde27e725c0a1544f61362b50; reference:url,arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising; classtype:command-and-control; sid:2018412; rev:10; metadata:created_at 2013_10_31, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .site)"; dns.query; dotprefix; content:".samuelblog.site"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034059; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin"; flow:established,to_server; http.uri; content:"/0001"; fast_pattern; pcre:"/^\/j\/[a-f0-9]{8}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{12}\/0001\/?$/"; reference:url,www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103; classtype:command-and-control; sid:2018448; rev:5; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .info)"; dns.query; dotprefix; content:".samuelblog.info"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034060; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Register CnC Beacon"; flow:established,to_server; urilen:55; http.uri; content:"/el/sregister.php?name="; fast_pattern; pcre:"/^\x2Fel\x2Fsregister\x2Ephp\x3Fname\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018474; rev:4; metadata:created_at 2014_05_14, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .website)"; dns.query; dotprefix; content:".samuelblog.website"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034061; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Login CnC Beacon"; flow:established,to_server; urilen:51; http.uri; content:"/el/slogin.php?uid="; fast_pattern; pcre:"/^\x2Fel\x2Fslogin\x2Ephp\x3Fuid\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018475; rev:4; metadata:created_at 2014_05_14, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .xyz)"; dns.query; dotprefix; content:".samuelblog.xyz"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034062; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hicrazyk.A Downloader Install CnC Beacon"; flow:established,to_server; http.uri; content:"/setup/?name="; fast_pattern; content:"&ini="; content:"&v="; http.user_agent; content:"NSISDL/"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FHicrazyk.A&ThreatID=-2147281007; reference:md5,ddb8110ec415b7b6f43c0ef2b4076d45; classtype:command-and-control; sid:2018435; rev:9; metadata:created_at 2014_04_29, former_category MALWARE, updated_at 2020_09_24;)
+alert smb any any -> $HOME_NET any (msg:"ET MALWARE CobaltStrike SMB P2P Default Msagent Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"|5c 00|m|00|s|00|a|00|g|00|e|00|n|00|t|00|_|00|"; nocase; distance:0; fast_pattern; content:!"s|00|p|00|_|00|M|00|S|00|a|00|g|00|e|00|n|00|t|00|_|00|"; reference:url,blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/; reference:url,www.cobaltstrike.com/help-malleable-c2; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:targeted-activity; sid:2027325; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Agent.ksja"; flow:established,to_server; http.uri; content:".php?m="; fast_pattern; pcre:"/\.php\?m=[A-F0-9]{12}/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b 29 0d 0a|Host|3a|"; depth:54; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,3b440e052da726942763d11cf9e3f72c; classtype:trojan-activity; sid:2018507; rev:5; metadata:created_at 2014_05_29, updated_at 2020_09_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018243; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypt.nc Checkin"; flow:to_server,established; http.uri; content:".php?l"; content:"&rvz1="; fast_pattern; content:"&rvz2="; pcre:"/&rvz1=\d+&rvz2=\d+?$/"; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2008567; classtype:command-and-control; sid:2008567; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:5; content:"|33 00|FCC"; fast_pattern; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034063; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; http.uri; content: "device_id="; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/Ri"; content:"&app_id="; pcre:"/^[a-f0-9]{30,35}&app_package_name=/Ri"; content: "screen_density="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE S400 RAT Server Response"; flow:established,to_client; stream_size:client,<,10; content:"|7c|S400|7c|"; within:16; content:"|7c|S400|7c|"; distance:32; within:6; content:"|7c|S400|7c|"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2021_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P zzima_loader"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/zzima_loader/"; fast_pattern; http.user_agent; content:"zzima-nloader/ 1.0.3.1"; depth:22; http.header_names; content:!"Referer|0d 0a|"; reference:md5,810b4464785d8d007ca0c86c046ac0ef; classtype:trojan-activity; sid:2018532; rev:5; metadata:created_at 2014_06_05, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034067; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.Agent.U3D7V0 Checkin"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/getc"; content:"/?c="; fast_pattern; pcre:"/^\/getc(?:loud|onf)\/\?c=/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,97572a7a0690ba1643525bf6666b74c6; classtype:command-and-control; sid:2018530; rev:5; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034068; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Etumbot.B Requesting RC4 Key"; flow:to_server,established; http.uri; content:"/home/index.asp?typeid="; nocase; fast_pattern; pcre:"/^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$/i"; http.referer; content:"http|3a|//www.google.com/"; bsize:22; reference:md5,82d4850a02375a7447d2d0381b642a72; reference:md5,ff5a7a610746ab5492cc6ab284138852; reference:url,arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; classtype:trojan-activity; sid:2018552; rev:5; metadata:created_at 2014_06_09, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034069; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JCE Joomla Extension"; flow:to_server,established; http.uri; content:".php"; content:"option="; content:"&task="; content:"&plugin=imgmanager"; content:"&file="; content:"&version="; content:"&cid="; http.request_body; content:"folderRename"; fast_pattern; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:web-application-attack; sid:2018326; rev:5; metadata:created_at 2014_03_26, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034070; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar Downloader Request"; flow:established,to_server; http.uri; content:"/tasksz.php?"; fast_pattern; pcre:"/\/tasksz\.php\?(?:dc|load)/"; http.user_agent; content:"Google Bot"; bsize:10; reference:url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml; reference:url,doc.emergingthreats.net/2010288; classtype:trojan-activity; sid:2010288; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034071; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:"commondatastorage.googleapis.com"; bsize:32; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:4; metadata:created_at 2014_06_11, former_category CURRENT_EVENTS, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034072; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/netsend/nmsm_json.jsp"; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:command-and-control; sid:2013694; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_09_23, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034073; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; http.uri; content:"/bb.php"; nocase; fast_pattern; content:"id="; nocase; content:"v="; nocase; content:"tm="; nocase; content:"b="; nocase; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; reference:url,doc.emergingthreats.net/2010756; classtype:trojan-activity; sid:2010756; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034074; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miuref/Boaxxe Checkin"; flow:to_server,established; urilen:>400; http.method; content:"GET"; http.uri.raw; content:"%2b"; fast_pattern; content:"%2f"; content:!"|2e|"; content:!"|3f|"; content:!"|26|"; pcre:"/^\/(?:[a-zA-Z0-9]|%2[fb]){400,}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/01/17/boaxxe-adware-a-good-advert-sells-the-product-without-drawing-attention-to-itself-part-2/; reference:url,blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx; classtype:command-and-control; sid:2018582; rev:12; metadata:created_at 2013_11_21, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034075; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/youxi_up.php"; fast_pattern; http.request_body; content:"--*****|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|npki|22|"; depth:52; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:5; metadata:created_at 2014_06_19, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (newtrendmicro .com)"; dns.query; dotprefix; content:".newtrendmicro.com"; fast_pattern; nocase; endswith; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; reference:md5,cbbd0addd5eb6cab479a1f188f7f5af0; reference:md5,897bfb316d2e8ff72031a3332842be0f; classtype:domain-c2; sid:2034076; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; http.uri; content:"/PSBlock"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:6; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (centralgoogle .com)"; dns.query; dotprefix; content:".centralgoogle.com"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; reference:md5,38bf0d130c73fd59c950a2fdac1b70e3; classtype:domain-c2; sid:2034077; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; http.uri; content:"/PSStore"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:7; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (microsoft-support .net)"; dns.query; dotprefix; content:".microsoft-support.net"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:domain-c2; sid:2034078; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override URI"; flow:to_server,established; http.uri; content:"c99shcook["; nocase; fast_pattern; pcre:"/[&?]c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018601; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (cdn-chrome .com)"; dns.query; dotprefix; content:".cdn-chrome.com"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:domain-c2; sid:2034079; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Client Body"; flow:to_server,established; http.request_body; content:"c99shcook["; nocase; fast_pattern; pcre:"/(?:^|&)c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018603; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (mcafee-upgrade .com)"; dns.query; dotprefix; content:".mcafee-upgrade.com"; nocase; endswith; fast_pattern; content:!"www"; classtype:domain-c2; sid:2034080; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TimThumb Remote Command Execution"; flow:established,to_server; http.uri; content:".php"; content:"webshot="; fast_pattern; content:"src="; content:"|24 28|"; pcre:"/[&?]src=https?[^&]+\x24\x28/"; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:attempted-user; sid:2018605; rev:4; metadata:created_at 2014_06_25, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Home.aspx"; bsize:10; http.host; content:"www.funding-exchange.org"; bsize:24; fast_pattern; http.cookie; content:"ASP.NET_SessionId="; startswith; http.header_names; content:"Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|DNT|0d 0a|Cache-Control|0d 0a|"; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034081; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?secue="; fast_pattern; content:"&pro="; content:"|2c|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/; reference:md5,1c29b24d4d4ef7568f519c470b51bbed; classtype:targeted-activity; sid:2018631; rev:6; metadata:created_at 2014_05_19, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/L._SX2_.jpg"; bsize:19; http.host; content:"static.mhysl.org"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0)|20|like|20|Gecko"; bsize:68; http.header_names; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034082; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 2"; flow:established,to_server; http.uri; content:".php?file"; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Ffile(?:index\x3D[A-Z]|n\x3Dnoexist|wh\x3Dfalse)/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018632; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits=x"; distance:0; content:"&av="; distance:0; http.header_names; content:!"Referer";  reference:url,blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html; classtype:command-and-control; sid:2034083; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 3"; flow:established,to_server; http.uri; content:".php?Re="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3FRe\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018633; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|ff d8 ff|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 4"; flow:established,to_server; http.uri; content:".php?verify="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Fverify\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018634; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (PNG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|89 50 4e 47|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Exorcist 2.0 Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header.raw; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)|20 0d 0a|"; fast_pattern; http.request_body; content:"d="; depth:2; isdataat:100,relative; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; http.header_names; content:!"Referer"; reference:md5,9e5c89c84cdbf460fc6857c4e32dafdf; classtype:command-and-control; sid:2030906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family Exorcist_Ransomware, signature_severity Major, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (RIFF)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|52 49 46 46|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/SunCrypt Ransomware CnC Activity"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"|19 10 03 41 24 29 70 24|"; depth:8; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,c171bcd34151cbcd48edbce13796e0ed; classtype:command-and-control; sid:2030907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_24, former_category MALWARE, malware_family SunCrypt, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ELENAPC/principles/"; startswith; nocase; content:".mp3"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/s1ckb017/status/1443950604968149010; reference:md5,b345a53a6a432fa2467a0f7931bd79ae; classtype:trojan-activity; sid:2034087; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; pcre:"/\.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018649; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MachO.Netwire Connectivity Check"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; endswith; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.netwire; classtype:trojan-activity; sid:2034088; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.request_body; content:"OPC="; nocase; fast_pattern; pcre:"/^OPC=\d/i"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018653; rev:4; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Netwire Connectivity Check"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; endswith; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.netwire; classtype:trojan-activity; sid:2034089; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".hlp"; nocase; fast_pattern; pcre:"/^\/[^\x2f]+?\.hlp$/i"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018654; rev:5; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup via ad4989 .co .kr"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ipcheck.asp"; endswith; http.host; content:".ad4989.co.kr"; endswith; fast_pattern; classtype:policy-violation; sid:2034090; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auth.cgi?mode="; fast_pattern; content:"&id="; content:"&serv="; distance:0; content:"&lang="; distance:0; content:"&q="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018669; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2020_09_24;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DOS Possible Microsoft Windows HTTP2 Reset Flood Denial of Service Inbound (CVE-2019-9514)"; flow:established,to_server; dsize:9; content:"|00 00 00 01 04 00 00 00|"; startswith; fast_pattern; threshold:type threshold, count 45, seconds 60, track by_src; reference:cve,2019-9514; classtype:denial-of-service; sid:2034093; rev:1; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9514, deployment Perimeter, deployment Internal, former_category DOS, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 2"; flow:established,to_server; http.uri; content:"/default.asp?act="; fast_pattern; content:"&id="; content:"&item="; distance:0; content:"&cln="; distance:0; content:"&flt="; distance:0; content:"&serv="; distance:0; content:"&t="; distance:0; content:"&mode="; distance:0; content:"&lang="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018670; rev:5; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2020_09_24;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (autodesk360 .com)"; flow:established,to_server; tls.sni; dotprefix; content:".autodesk360.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2034097; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya Credit Card Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"&ccnum="; fast_pattern; content:"mode="; depth:5; content:"&compinfo="; distance:0; content:"&type="; distance:0; content:"&track="; distance:0; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; reference:url,fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf; classtype:trojan-activity; sid:2018680; rev:4; metadata:created_at 2014_07_16, updated_at 2020_09_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (api .autodesk .com)"; flow:established,to_server; tls.sni; content:"developer.api.autodesk.com"; bsize:26; fast_pattern; classtype:bad-unknown; sid:2034098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asterope Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; content:"&id="; distance:0; content:"&os="; distance:0; content:"&res="; distance:0; http.header; content:"Accept-Asterope|3a|"; fast_pattern; reference:md5,19190ef53877979191f6889c6a795f31; classtype:command-and-control; sid:2018750; rev:5; metadata:created_at 2014_06_23, former_category MALWARE, updated_at 2020_09_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yawero.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:command-and-control; sid:2034099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set"; flow:established,to_server; flowbits:set,ET.XMLRPC.PHP; flowbits:noalert; http.uri; content:"/xmlrpc.php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018754; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sazoya.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kbot.Backdoor Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat.php"; nocase; http.request_body; content:"id="; depth:3; content:"&build_id="; fast_pattern; pcre:"/&build_id=[A-F0-9]+$/i"; reference:md5,1df0ceab582ae94c83d7d2c79389e178; classtype:command-and-control; sid:2018078; rev:5; metadata:created_at 2014_02_05, former_category MALWARE, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securetourspd .com)"; dns.query; content:"securetourspd.com"; nocase; bsize:17; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034101; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/message.php"; fast_pattern; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (secure-daddy .com)"; dns.query; content:"secure-daddy.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; classtype:domain-c2; sid:2034102; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passinggas.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018809; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"http"; pcre:"/\/[0-9A-Za-z]{8,13}\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; fast_pattern; http.host; content:!".freeip.com"; http.content_len; byte_test:0,<,2000,0,string,dec; http.request_body; pcre:"/(?:Q(?:k(?:MIdh|UMcR)|0IPdR)|(?:DQg91|FRghw)F|(?:NCD3U|VGCHA)X|C(?:Qwh2E|RQxxF)|J(?:DCHYT|FDHEW)|R(?:UYIcB|kIJcR)|GQglxE|ZCCXEQ)/"; reference:md5,2933e342334bdb24ba99f70c15506294; reference:md5,e4f16cbac43141987a39f9841642fe90; reference:url,twitter.com/ffforward/status/1437688494017728516; reference:url,twitter.com/ffforward/status/1437473409542262795; classtype:trojan-activity; sid:2033939; rev:6; metadata:created_at 2021_09_13, former_category MALWARE, malware_family SQUIRRELWAFFLE, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myredirect.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myredirect.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018811; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (centr-security .com)"; dns.query; content:"centr-security.com"; nocase; bsize:18; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034103; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.rr.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".rr.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018813; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securemanag .com)"; dns.query; content:"securemanag.com"; nocase; bsize:15; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034104; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.kwik.to Domain (Sitelutions)"; flow:established,to_server; http.host; content:".kwik.to"; fast_pattern; endswith; classtype:bad-unknown; sid:2018815; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:".xml"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034105; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myfw.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myfw.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018817; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:".txt"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034106; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.ontheweb.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".ontheweb.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018819; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Retrieving Task"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"/getcommand?username="; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034107; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isthebe.st Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isthebe.st"; fast_pattern; endswith; classtype:bad-unknown; sid:2018821; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"/getanswer.php?username="; nocase; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034108; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.byinter.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".byinter.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018823; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Client Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; fast_pattern; pcre:"/(?:fCxTeXN0ZW0gSWRsZS|wsU3lzdGVtIElkbGUg|8LFN5c3RlbSBJZGxlI)/R"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,254022730f51ee770452015b6987b939; reference:url,twitter.com/rcwht_/status/1443867650686439489; classtype:command-and-control; sid:2034091; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Moderate, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.findhere.org Domain (Sitelutions)"; flow:established,to_server; http.host; content:".findhere.org"; fast_pattern; endswith; classtype:bad-unknown; sid:2018825; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"serverHttpRequest"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034109; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.onthenetas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".onthenetas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018827; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".rb|0d 0a|"; within:32; http.cookie; content:"XSRF-TOKEN=eyJpdiI6I"; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; content:"load_session=eyJpdiI6I"; fast_pattern; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; classtype:command-and-control; sid:2034110; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.uglyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".uglyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018829; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+#alert tcp any any -> any any (msg:"ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Denial of Service Inbound (CVE-2019-9515)"; flow:established,to_server; content:"|04|"; offset:3; depth:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; threshold:type threshold, track by_dst, count 20, seconds 10; flowbits:isset,ET.http2; flowbits:set,ET.CVE20199515; flowbits:noalert; reference:cve,2019-9515; classtype:denial-of-service; sid:2034095; rev:2; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9515, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category DOS, performance_impact Significant, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.assexyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".assexyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018831; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+#alert tcp any any -> any any (msg:"ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Error Response (CVE-2019-9515)"; flow:established,to_client; content:"|00 00 00 04 01|"; depth:5; content:"|00 00 00 04 01|"; distance:4; within:5; content:"|00 00 00 04 01|"; distance:4; within:5; threshold:type threshold, track by_src, count 20, seconds 10; flowbits:isset,ET.CVE20199515; reference:cve,2019-9515; classtype:denial-of-service; sid:2034096; rev:2; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9515, deployment Perimeter, deployment Internal, former_category DOS, performance_impact Moderate, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passas.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passas.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018833; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+#alert tcp any any -> any any (msg:"ET INFO HTTP/2 Traffic (SET)"; flow:established,to_server; stream_size:server,<,5; content:"|50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a 0d 0a 53 4d 0d 0a 0d 0a|"; startswith; flowbits:set,ET.http2; flowbits:noalert; classtype:misc-activity; sid:2034094; rev:2; metadata:created_at 2021_10_04, former_category INFO, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athissite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athissite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018835; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Known PUA Host Domain"; dns.query; content:"honeypoc.io"; endswith; fast_pattern; classtype:bad-unknown; sid:2034111; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athersite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athersite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018837; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known PUA Host Domain"; dns.query; content:"givemeyourpasswords.ninja"; endswith; fast_pattern; classtype:bad-unknown; sid:2034112; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isgre.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isgre.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018839; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed HTTP Request to Known PUA Host Domain"; http.host; content:"honeypoc.io"; endswith; fast_pattern; classtype:bad-unknown; sid:2034113; rev:1; metadata:created_at 2021_10_05, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lookin.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lookin.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018841; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed HTTP Request to Known PUA Host Domain"; http.host; content:"givemeyourpasswords.ninja"; endswith; fast_pattern; classtype:bad-unknown; sid:2034114; rev:1; metadata:created_at 2021_10_05, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.bestdeals.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".bestdeals.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018843; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Retrieving Commands"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/../users/"; fast_pattern; startswith; content:".php"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lowestprices.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lowestprices.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018845; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\.(?:com|eu|va|lt|sk|)\//"; content:".php?v="; fast_pattern; pcre:"/^[0-9a-f]{64}$/R"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034116; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff POS Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"&op="; depth:4; content:"&id="; content:"&ui="; content:"&wv="; fast_pattern; content:"&bv="; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:command-and-control; sid:2018857; rev:8; metadata:created_at 2014_03_05, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M5 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\.(?:com|eu|va|lt|sk|)\//"; content:".nsf?v="; fast_pattern; pcre:"/^[0-9a-f]{64}$/R"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034117; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 1"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/project/check.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,12854bb8d1e6a590e1bd578267e4f8c9; classtype:command-and-control; sid:2018882; rev:6; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AmeriTechnology Group - CHARM Client"; flow:established,to_server; http.request_line; content:"GET /check.asp?co="; startswith; fast_pattern; http.uri; content:"&pc="; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,451f2852e35977a150066afdc5acb318; classtype:policy-violation; sid:2034118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 2"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/dr.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,c0656b66b9f4180e59e1fd2f9f1a85f2; classtype:command-and-control; sid:2018883; rev:5; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Tomiris C2 (init)"; flow:established,to_server; content:"|74 00 2b 00 77 00 6c 00 7c 00 76 00 76 00 27 00 30 00 79 00 20 00 29 00|"; offset:0;  reference:url,securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/; classtype:trojan-activity; sid:2034119; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pgift.Backdoor APT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pgift.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:targeted-activity; sid:2018869; rev:6; metadata:created_at 2014_08_01, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Message Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"MS_TXT_LOGIN"; nocase; content:"ChangPass_"; nocase; content:"Login_"; nocase; content:"i18nGobal"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 1"; flow:established,to_server; urilen:17; http.method; content:"HEAD"; http.uri; content:"/GlobalUpdate.upt"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018889; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.css\x27\x29\.then\x28(?:.{1,1000}themes\/css\/[a-f0-9]{42}\.css\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 2"; flow:established,to_server; urilen:9; http.method; content:"HEAD"; http.uri; content:"/all.wipe"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018890; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Landing Page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; nocase; content:".css"; nocase; distance:45; content:"themes/css/"; nocase; content:".css"; nocase; distance:45; content:"script nonce="; nocase; fast_pattern; content:"themes/"; nocase; content:".js"; nocase; distance: 42; content:"script nonce="; nocase; content:"themes/"; nocase; content:".js"; nocase; distance: 32; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034027; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upfornow/connect.php"; fast_pattern; http.header; content:"Content-Length|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f085395253a40ce8ca077228c2322010; reference:url,securityblog.s21sec.com/2014/08/kronos-is-here.html; classtype:command-and-control; sid:2018891; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Variable"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"init_notworkingbrowser"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Config Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/soft"; content:".dll"; fast_pattern; pcre:"/\/soft(?:32|64)\.dll$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; content:"User-Agent|3a|"; http.header_names; content:!"Referer"; reference:md5,5a99a6a6cd8600ea88a8fcc1409b82f4; classtype:trojan-activity; sid:2018661; rev:5; metadata:created_at 2014_07_09, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (get-europe-group .bar)"; flow:established,to_server; tls.sni; content:"get-europe-group.bar"; bsize:20; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; classtype:domain-c2; sid:2034120; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OneLouder Common URI Struct"; flow:established,to_server; http.uri; content:"/ord/"; fast_pattern; content:".exe"; nocase; pcre:"/\/ord\/[^\x2f]+?\.exe$/i"; classtype:trojan-activity; sid:2018929; rev:4; metadata:created_at 2014_08_13, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (download-serv-234116 .xyz)"; flow:established,to_server; tls.sni; content:"download-serv-234116.xyz"; bsize:24; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; reference:md5,157105990ae7e4673035fd9224b793c9; classtype:domain-c2; sid:2034121; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Downloading Config"; flow:established,to_server; http.uri; content:"/zConfig/"; fast_pattern; pcre:"/\/zConfig\/\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-99; classtype:trojan-activity; sid:2018960; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (manholi .xyz)"; flow:established,to_server; tls.sni; content:"manholi.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; reference:md5,03a80daa82c29b55aa02a276ff58e22e; classtype:domain-c2; sid:2034122; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/zImprimer/"; fast_pattern; pcre:"/\/zImprimer\/\d+-/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018961; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (phonefix .bar)"; flow:established,to_server; tls.sni; content:"phonefix.bar"; bsize:12; fast_pattern; classtype:domain-c2; sid:2034123; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python.Ragua Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebCam/Cam.txt"; nocase; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; nocase; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66108/el-machete/; reference:md5,a8602b4c35f426107c9667d804470745; classtype:command-and-control; sid:2018968; rev:5; metadata:created_at 2014_08_20, former_category MALWARE, updated_at 2020_09_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 756"; flow:established,to_server; content:"|bf cd 35 03 80 a5 a0 21 05 b6 42|"; startswith; fast_pattern; content:"|8c 21|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2034236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download"; flow:established,to_server; http.uri; content:"/Signed_Update.jar"; nocase; fast_pattern; http.user_agent; content:"Java/1."; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018969; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2020_09_25;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Apache HTTP Server 2.4.49 Observed - Vulnerable to CVE-2021-41773"; flow:established,to_client; http.server; content:"Apache/2.4.49"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:cve,2021-41773; classtype:bad-unknown; sid:2034126; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category POLICY, signature_severity Informational, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX variant"; flow:to_server,established; threshold: type both, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"/p/"; depth:3; pcre:"/^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/"; http.header; content:"code.google.com"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,f92e9e3e86856b5c0ee465f77a440abb; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:9; metadata:created_at 2014_08_21, updated_at 2020_09_25;)
+alert tcp any [!80] -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Attack Command Inbound"; flow:established,to_server; dsize:<70; content:"|ad af fe 7f|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033243; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Tuscas"; flow:established,to_server; http.uri; content:"?version="; fast_pattern; content:"&group="; content:"&client="; content:"&computer="; content:"&os="; content:"&latency="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:2018999; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Wordpress Plugin TheCartPress Privilege Escalation Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax"; fast_pattern; http.request_body; content:"tcp_role|27 3a 20|"; content:"tcp_new_user_pass|27 3a 20|"; classtype:attempted-admin; sid:2034129; rev:1; metadata:attack_target Server, created_at 2021_10_06, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/fd/"; flow:established,to_server; http.uri; content:"/proc/self/fd/"; nocase; fast_pattern; classtype:web-application-attack; sid:2019110; rev:4; metadata:created_at 2014_09_04, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Suspicious POST to Axis OS (smtptest.cgi)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/axis-cgi/smtptest.cgi"; fast_pattern; reference:url,nozominetworks.com/blog/new-axis-os-security-research-aided-by-transparent-design/; reference:cve,2021-31986; classtype:attempted-admin; sid:2034130; rev:1; metadata:attack_target Server, created_at 2021_10_06, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bapy.Downloader PE Download Request"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/tmps."; fast_pattern; pcre:"/[a-z]\d{2}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:4; metadata:created_at 2014_09_05, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (sharemanage .elwoodasset .xyz)"; dns.query; content:"sharemanage.elwoodasset.xyz"; nocase; bsize:27; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034131; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup maxmind.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/locate_my_ip"; fast_pattern; http.header; content:"maxmind.com"; reference:md5,0559c56d6dcf6ffe9ca18f43e225e3ce; classtype:external-ip-check; sid:2019140; rev:4; metadata:created_at 2014_09_08, former_category POLICY, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dshellelink .gcloud-share .com)"; dns.query; content:"dshellelink.gcloud-share.com"; nocase; bsize:28; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034132; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection"; flow:established,to_server; http.uri; content:"wp-admin/admin.php"; content:"page=gallerys_huge_it_gallery"; fast_pattern; content:"task=edit_cat"; content:"removeslide="; reference:url,packetstormsecurity.com/files/128118/wphugeitig-sql.txt; classtype:web-application-attack; sid:2019139; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_09_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dev .sslsharecloud .net)"; dns.query; content:"dev.sslsharecloud.net"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034133; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; http.uri; content:".pdf"; nocase; fast_pattern; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/"; classtype:exploit-kit; sid:2016405; rev:9; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (signverydn .sharebusiness .xyz)"; dns.query; content:"signverydn.sharebusiness.xyz"; nocase; bsize:28; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034134; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; http.host; content:"windowsupdate.microsoft.com"; bsize:27; http.connection; content:"Close"; fast_pattern; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:4; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (gsheet .gdocsdown .com)"; dns.query; content:"gsheet.gdocsdown.com"; nocase; bsize:20; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save_env.cgi"; fast_pattern; http.request_body; content:"&user="; content:"|2e 2e 2f|"; distance:0; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:5; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Client Request M2"; flow:established,to_server; http.request_line; content:"GET /?data="; startswith; fast_pattern; content:!"="; distance:0; content:"|3a|"; within:17; content:"|3a|"; distance:0; isdataat:!261; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8b6199f5d5465c327c8c30ac9fdfd23a; classtype:command-and-control; sid:2034136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Moderate, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; http.request_body; content:"|AB AB|"; depth:2; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; fast_pattern; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:4; metadata:created_at 2014_09_11, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (share .devprocloud .com)"; dns.query; content:"share.devprocloud.com"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; http.uri; content:"/images2/"; nocase; fast_pattern; pcre:"/\/images2\/[0-9a-fA-F]{500}/"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:command-and-control; sid:2012799; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (product .onlinedoc .dev)"; dns.query; content:"product.onlinedoc.dev"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034138; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.ms domain"; flow:to_server,established; http.host; content:".de.ms"; fast_pattern; endswith; classtype:bad-unknown; sid:2013378; rev:5; metadata:created_at 2011_08_08, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (www .googlesheetpage .org)"; dns.query; content:"www.googlesheetpage.org"; nocase; bsize:23; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034139; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.eu.tf domain"; flow: to_server,established; http.host; content:".eu.tf"; fast_pattern; endswith; classtype:bad-unknown; sid:2013828; rev:5; metadata:created_at 2011_11_04, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"gloderuniok.website"; bsize:19; fast_pattern;  reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034140; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a .noip.cn domain"; flow:to_server,established; http.host; content:".noip.cn"; fast_pattern; endswith; classtype:bad-unknown; sid:2013969; rev:5; metadata:created_at 2011_11_28, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"vloderuniok.website"; bsize:19; fast_pattern;  reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034141; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Predator Variant Dropper Activity"; flow:established,to_server; http.request_line; content:"GET|20|/FDpb|20|HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3679a900a8895e242e97e9d54cd2f5fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-268a; reference:url,twitter.com/craiu/status/1309449368559378432; classtype:trojan-activity; sid:2030908; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Gojihu.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.upas.su domain"; flow:to_server,established; http.host; content:".upas.su"; fast_pattern; endswith; classtype:bad-unknown; sid:2015551; rev:5; metadata:created_at 2012_07_31, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Yuxicu.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; http.request_body; content:"base64_decode"; nocase; fast_pattern; classtype:trojan-activity; sid:2019182; rev:4; metadata:created_at 2014_09_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|NSEC-UID|0d 0a|"; fast_pattern; http.request_body; content:"|3c|sessions|20|uid|3d 22|"; startswith; content:"|22 20|user|3d 22|"; distance:0; content:"|2f 3e 3c 2f|sessions|3e|"; endswith; reference:md5,4a14459e5dbadb86417483dba7174ffa; classtype:bad-unknown; sid:2034144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHPMyAdmin BackDoor Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/server_sync.php?"; fast_pattern; content:"c="; pcre:"/\/server_sync.php\?(?:.+?&)?c=/i"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:8; metadata:created_at 2012_09_25, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ESPecter Bootkit Initialization Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Heart.aspx?ti="; startswith; fast_pattern; content:"&tn="; distance:0; content:"&tg="; distance:0; content:"&tv="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/; classtype:trojan-activity; sid:2034145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader GetBooks UA"; flow:established,to_server; http.user_agent; content:"GetBooks"; nocase; fast_pattern; classtype:trojan-activity; sid:2015756; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_10_03, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ELENAPC/"; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,05aca0e7e247224adebecc3239a4cfbc; reference:md5,4f70faa3c0ad89de6a862f729678fc77; reference:url,twitter.com/s1ckb017/status/1445704873345896455; reference:url,twitter.com/s1ckb017/status/1445706513956306950; classtype:trojan-activity; sid:2034147; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos.K Executable Download DGA"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:".ru"; offset:7; depth:6; endswith; pcre:"/^(?:u(?:wf(?:ekfyj|ubpeb)|d(?:xowub|zycaf)|h(?:duxic|zubvo)|x(?:fokur|osgik)|celgos|ggifym|mpefan|qlahaf)|s(?:u(?:t(?:fasof|imjy)|kbewli)|i(?:ttanyg|webheb|hemuj)|e(?:suhror|xjereh)|o(?:haxim|qvaqo)|axyjuw)|r(?:i(?:zsebym|firac|sytfa|trios)|e(?:bfelqi|kvyfo)|u(?:xymqic|jfeag)|y(?:buhoq|kafeh)|acadpuh)|j(?:y(?:meegom|vvozoz|kyvca|torqu)|a(?:mwazer|ibzup)|e(?:btelyx|dytlu)|o(?:dkymy|kenqi))|o(?:t(?:geguuz|xolpow|pipug)|q(?:lapjim|jogxi)|cgaextu|gdowkys|jpaxlam|vquqaip|smuryf)|i(?:r(?:ojvuqu|hegre)|v(?:kikcop|nuvuk)|hmytog|kevzaq|mgohut|pdehas|wvahin|zxirfy)|b(?:y(?:(?:cmolh|vbym)y|gotbys|jlegta)|i(?:pulte|wuvba)|o(?:pwyeb|wbaiv))|p(?:e(?:dugtap|gyrgun|vhyvys)|y(?:nxomoj|ykxug)|a(?:gube|waha)v|ogwytfy)|d(?:e(?:afesqy|hjujuq)|o(?:hwapih|xilik)|a(?:lwoza|rabub)|inymak)|t(?:a(?:hfifak|ixcih)|i(?:wciwu|koqo)x|ecviqir|ozfyma|uriwil)|g(?:i(?:jevsog|nnyjyb)|olhysux|ywilhof|azuzoz|edopan|ubahvi)|y(?:(?:n(?:japru|kicy)|kocna)r|bsahov|dabxag|xyqwiz|zsabuq)|h(?:a(?:hsekju|poneg)|e(?:ztymut|dybih)|uquqxov|itakat)|w(?:a(?:pifnu|rkafo)c|e(?:tifjam|fecfo)|ibveces|yjenqo)|a(?:d(?:nedat|tesok)|qzepylu|baxhad|smukuf|wewsip)|l(?:u(?:(?:fseki|pylzu)m|ditla)|eqgugom|opoqyv)|z(?:u(?:pivzed|qijcel)|aefofin|idamuk|ylhomu)|v(?:u(?:njuet|ohsub)|ijsixem|otqygiq|euwhyz)|m(?:u(?:zupdyg|hipew|wosiv)|osjinme|abuhos)|x(?:o(?:fsimi|gitaj|moqol)|ikmonej|enacoz)|f(?:e(?:vnotow|tucxo)|i(?:dedhah|xavpu))|k(?:u(?:btyhuz|irfufo)|ejejib|ycufvy)|n(?:(?:iliqri|obzeky)x|eluzjiv)|c(?:ylqiduh|aqxaro|itsibe)|q(?:aijroke|iquzcy|uohdit)|e(?:gnisje|stesgo|vdyvaz))\.ru$/"; classtype:trojan-activity; sid:2016029; rev:5; metadata:created_at 2012_12_12, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2"; flow:established,to_server; http.request_line; content:"POST|20|/service/communication.php|20|HTTP/1.1"; startswith; fast_pattern; http.request_body; content:"data="; startswith; isdataat:50,relative; http.header_names; content:!"Referer"; reference:md5,9a112488064fd03d4a259e0f1db9d323; classtype:trojan-activity; sid:2034202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.Variant Fake MSIE 6.0 UA"; flow:to_server,established; flowbits:set,ET.zbot.ua.2106509; http.uri; content:".htm?"; fast_pattern; pcre:"/\/[a-z]\.htm\?[A-Za-z0-9]+$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:trojan-activity; sid:2016509; rev:7; metadata:created_at 2013_02_26, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup  Related Domain in DNS Lookup (ppadoaolnwod .xyz)"; dns.query; dotprefix; content:".ppadoaolnwod.xyz"; nocase; endswith; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034148; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Wav.exe Request"; flow:established,to_server; http.uri; content:"/wav.exe"; fast_pattern; classtype:trojan-activity; sid:2018082; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (officeframework .online)"; dns.query; dotprefix; content:".officeframework.online"; nocase; endswith; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Heap.exe Request"; flow:established,to_server; http.uri; content:"/heap.exe"; fast_pattern; classtype:trojan-activity; sid:2018083; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (web.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/WEB-INF/web.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034150; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ppp/ta.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:command-and-control; sid:2018183; rev:6; metadata:created_at 2014_02_26, former_category MALWARE, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (seraph-config.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/WEB-INF/classes/seraph-config.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034151; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Downloader 2p (Zeus) May 07 2014"; flow:to_server,established; http.uri; content:"2p/"; fast_pattern; pcre:"/\/p?2p\/[a-z]{3}$/"; http.header_names; content:!"Accept-Language"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018453; rev:7; metadata:created_at 2014_05_07, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.properties) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034152; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/333"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018894; rev:8; metadata:created_at 2014_08_04, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034153; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/222"; fast_pattern; http.header; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018971; rev:5; metadata:created_at 2014_08_20, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service paste .c-net in DNS Query"; dns.query; content:"paste.c-net.org"; nocase; endswith; reference:md5,144cf514759595e65f3468f6fdb66d59; classtype:policy-violation; sid:2034154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; http.request_body; content:"|25|28|25|29|25|20|25|7b|25|20"; fast_pattern; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:6; metadata:created_at 2014_09_24, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service paste .c-net)"; flow:established,to_server; tls.sni; content:"paste.c-net.org"; fast_pattern; classtype:policy-violation; sid:2034155; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2 POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; content:"&bid="; content:"&dv="; content:"&dpv="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:4; metadata:created_at 2014_09_26, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PR_KYY/"; fast_pattern; startswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1445115785454788615; reference:md5,00f61bdf5d04a8551b5e15c1f74083c0; reference:md5,ab4ac6236cb487fed4768e1e4d2dd8b6; reference:md5,92b9a1db86b631fc9de68915de446756; classtype:trojan-activity; sid:2034156; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"curl|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BEST-KOMP/"; fast_pattern; startswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1445115787870707715; classtype:trojan-activity; sid:2034157; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"wget|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (mimeversion .top)"; dns.query; content:"mimeversion.top"; nocase; bsize:15; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034158; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER lwp-download Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"lwp-download|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:4; metadata:created_at 2014_09_29, former_category WEB_SERVER, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Set flow on bmp file get"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bmp"; http.request_line; content:".bmp HTTP/1."; fast_pattern; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_10_08;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; http.uri; content:"|28 29 20 7b|"; fast_pattern; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:6; metadata:created_at 2014_09_24, updated_at 2020_09_25;)
+#alert tcp $EXTERNAL_NET !5665 -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:command-and-control; sid:2018283; rev:8; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2021_10_08;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:6; metadata:created_at 2014_09_24, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=set_metric_gw_selections&account_name="; fast_pattern; content:"../../"; distance:0; within:10; content:"&data="; reference:cve,2021-40870; classtype:attempted-admin; sid:2034159; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_40870, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; http.request_body; content:"()|25|20|25|7b"; fast_pattern; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:5; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible EyesOfNetwork Remote File Upload with PHP WebShell Inbound (CVE-2021-27513)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/admin_itsm/ajax.php"; http.request_body; content:"|0d 0a 0d 0a|<?php"; fast_pattern; content:"name=|22|itsm_type_request|22|"; distance:0; reference:cve,2021-27513; classtype:attempted-admin; sid:2034160; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_27513, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt URI"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019364; rev:4; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT RUIJIE NBR/RGNBR Command Injection Attempt Inbound M1"; flow:established,to_server; http.uri; content:"/wget_test.asp?"; fast_pattern; content:"="; distance:0; within:5; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2034161; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/usdeclar.txt"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:6; metadata:created_at 2014_10_09, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT RUIJIE NBR/RGNBR Command Injection Attempt Inbound M2"; flow:established,to_server; http.uri; content:"/wget_test.asp?"; fast_pattern; http.uri.raw; content:"="; pcre:"/^%(?:3b|0a|26|60|7C|24)/R"; classtype:attempted-admin; sid:2034162; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest Request URI Struct"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?sid="; fast_pattern; pcre:"/\/\d\.php\?sid=[0-9A-F]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019384; rev:5; metadata:created_at 2014_10_09, updated_at 2020_09_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious FIN12 Related SSL Cert (serviceswork .net)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=serviceswork, OU=, CN=serviceswork.net"; bsize:62; fast_pattern; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; reference:md5,f1c35cf848d984785e9c0621958fe5ae; classtype:trojan-activity; sid:2034163; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_11;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt Client Body"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; http.request_body; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019365; rev:7; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/AhMyth RAT Init Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/socket.io/?model="; startswith; fast_pattern; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport=polling&release="; distance:0; content:"&manf="; distance:0; http.header_names; content:!"Referer"; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034164; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BlackEnergy Dirconf CnC Beacon"; flow:established,to_server; http.uri; content:"/dirconf/check.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/mi"; reference:url,www.f-secure.com/weblog/archives/00002721.html; classtype:command-and-control; sid:2019412; rev:4; metadata:created_at 2014_10_15, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/AhMyth RAT WebSocket Session"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport=websocket&manf="; distance:0; content:"&sid="; distance:0; http.header_names; content:!"Referer"; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034165; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Location Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000lm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034166; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; http.request_body; content:"name%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Contacts Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000cn|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034167; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; http.request_body; content:"nam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (SMS Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000sm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034168; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; http.request_body; content:"nam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Call Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000cl|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034169; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; http.request_body; content:"na%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Files Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000fm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034170; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; http.request_body; content:"na%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Camera Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000fm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034171; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; http.request_body; content:"na%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)"; flow:established,to_server; content:"|eb 32 90 90 7f a6 38 7c|"; fast_pattern; content:"|20|HTTP/"; distance:0; content:"|0d 0a 0d 0a|"; distance:3; within:4; reference:cve,2019-16724; classtype:attempted-admin; sid:2034092; rev:2; metadata:attack_target Server, created_at 2021_10_01, cve CVE_2019_16724, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; http.request_body; content:"na%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Perinet CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ceb.aspx"; endswith; http.user_agent; content:"Mozila"; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,c1c94bd5effc12455d7d0fe22e29feb5; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/Perion; classtype:pup-activity; sid:2034175; rev:1; metadata:created_at 2021_10_12, former_category ADWARE_PUP, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; http.request_body; content:"n%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M1"; flow:established,to_server; content:"/.%%32%65/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"/.%%32%65/"; reference:cve,2021-42013; classtype:attempted-admin; sid:2034172; rev:2; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_42013, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; http.request_body; content:"n%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M2"; flow:established,to_server; content:"/%%32%65%%32%65/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"/%%32%65%%32%65/"; reference:cve,2021-42013; classtype:attempted-admin; sid:2034173; rev:2; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_42013, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; http.request_body; content:"n%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (Unassigned CVE)"; flow:established,to_server; content:"%%%25%33%32%25%36%35/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"%%%25%33%32%25%36%35/"; classtype:attempted-admin; sid:2034174; rev:2; metadata:attack_target Server, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; http.request_body; content:"n%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (docs .gsheetpage .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"docs.gsheetpage.com"; bsize:19; fast_pattern; reference:md5,42e6310ffbdd24cf9a2b5d200190359e; reference:url,twitter.com/ShadowChasing1/status/1447900397935362053; classtype:trojan-activity; sid:2034176; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, signature_severity Major, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; http.request_body; content:"n%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious FIN12 Related SSL Cert"; flow:established,to_client; tls.cert_subject; content:"OU=Delegated Licensor,KYP SDT LTD"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?OU=Delegated\ Licensor,KYP\ SDT\ LTD(?!\.)/"; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034177; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; http.request_body; content:"n%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M2"; flow:established,to_server; stream_size:server,=,1; dsize:512; content:"MFjOLrqOLbmPnAKuM7cBwxcPgaqvM7cNcoZKIYmscocPnAOuM7jRJYJy2YBEmEORcoZKLSuscOByLFZL2rZunrfOrFqNJazEJ7GXgYNocF24J8EocoZOgST/Ja3sceRocazuJaOEIYsvnYNsce5ocxkV"; startswith; fast_pattern; reference:md5,9b9f3a3b03831b6f98ca1b935dd0eb51; classtype:bad-unknown; sid:2034178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_12;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; http.request_body; content:"n%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN12 Related Cobalt Strike Domain (netrie .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"netrie.com"; bsize:10; fast_pattern; reference:md5,21b4d9c046db511738232582b41f453c; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:command-and-control; sid:2034180; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; http.request_body; content:"n%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related ICECANDLE/Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-includes/admin.gif"; fast_pattern; bsize:22; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:49; reference:md5,256fa0ae50b4e199b631047f2fe98b58; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034181; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; http.request_body; content:"%6eame["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN12 Related Domain (hdhuge .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hdhuge.com"; bsize:10; fast_pattern; reference:md5,cf3027fa4e3d5597487691dff1831b97; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:domain-c2; sid:2034182; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, signature_severity Major, updated_at 2021_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; http.request_body; content:"%6eame%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M1"; flow:established,from_server; content:"|2c 31 25 25 27 3a 7e|"; content:"|2c 31 25 25 27 3a 7e|"; distance:0; pcre:"/[-\d]{1,4}(?:\x2c\x31\x25\x25\x27\x3a\x7e[-\d]{1,4}){10}/R"; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034183; rev:1; metadata:created_at 2021_10_13, former_category ATTACK_RESPONSE, updated_at 2021_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; http.request_body; content:"%6eam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M2"; flow:established,from_server; content:"%%comspec|3a|"; nocase; content:"%%programfiles|3a|"; content:"%commonprogramfiles|3a|"; nocase; fast_pattern; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034184; rev:1; metadata:created_at 2021_10_13, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; http.request_body; content:"%6eam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert tls $EXTERNAL_NET [!5222,!7687] -> $HOME_NET any (msg:"ET MALWARE Generic AsyncRAT Style SSL Cert"; flow:established,to_client; content:!"infinitecampus.com"; content:"|0f 39 39 39 39 31 32 33 31 32 33 35 39 35 39 5a|"; fast_pattern; content:"|55 04 03|"; pcre:"/^.(?P<servercert>[\x00-\xff][\x20-\x7f]{1,50})\x30.+?\x55\x04\x03.(?P=servercert)\x30/Rsi"; tls.cert_subject; content:"CN="; startswith; content:!"O="; content:!"OU="; content:!"ST="; tls.cert_issuer; content:"CN="; startswith; content:!"O="; content:!"OU="; content:!"ST="; content:!".com"; reference:md5,7ed7bf7ea7a1551218f73774d28be76c; classtype:domain-c2; sid:2035595; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, signature_severity Major, updated_at 2021_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; http.request_body; content:"%6ea%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related WHITEDAGGER/Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/files/remove.gif|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:57; reference:md5,cf3027fa4e3d5597487691dff1831b97; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034185; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; http.request_body; content:"%6ea%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related WEIRDLOOP/Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/image-directory/bn.ico|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; reference:md5,fd81452a3a8f9460ffac8aff6e20431a; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034186; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; http.request_body; content:"%6ea%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cmd=login_submit&id="; fast_pattern; content:"session="; distance:0; reference:url,twitter.com/JCyberSec_/status/14474927402840268803112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_14;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; http.request_body; content:"%6ea%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishkit Landing Page M2"; flow:established,to_client; file.data; content:"|2e|php"; content:"onSubmit|3d 22|return|20|validateMyForm|28 29 3b 22|"; distance:0; content:"id|3d 27 5f|form|5f|"; distance:0; content:"enctype|3d 27|multipart|2f|form|2d|data|27|"; fast_pattern; distance:0; reference:md5,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034190; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; http.request_body; content:"%6e%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishkit Landing Page M3"; flow:established,to_client; file.data; content:"url|3d|Thanks|2e|php|22|"; fast_pattern; content:"src|3d 22|images|2f|animation|5f|processing|2e|gif|22| alt|3d 22 22| title|3d 22 22|"; distance:0; reference:md5,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034191; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; http.request_body; content:"%6e%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:"www.onlinedocpage.org"; bsize:21; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c44d866adf8c6845b7dda742c59c6b59; reference:url,twitter.com/ShadowChasing1/status/1448150917912559616; classtype:trojan-activity; sid:2034187; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_10_14;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; http.request_body; content:"%6e%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Limbozar Ransomware Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postme"; bsize:7; http.header; content:"|0d 0a|from|3a 20|me|0d 0a|"; fast_pattern; content:"|0d 0a|user-agent|3a 20|libsfml-network/"; http.request_body; content:"&ip="; startswith; content:"&disk="; distance:0; content:"&id="; distance:0; content:"&mail="; distance:0; http.header_names; content:!"Referer"; reference:url,securelist.com/cis-ransomware/104452/; reference:md5,91332f289d3e577b57d878b55c5cf18a; classtype:trojan-activity; sid:2034195; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_10_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; http.request_body; content:"%6e%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)"; dns.query; dotprefix; content:".my-ip.io"; nocase; endswith; classtype:bad-unknown; sid:2034196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; http.request_body; content:"%6e%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/xmlpserver/ReportTemplateService.xls"; bsize:37; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"|3c 21|DOCTYPE|20|soap|3a|envelope|20|PUBLIC|20 22 2d 2f 2f|B|2f|A|2f|EN|22 20 22|http"; startswith;  reference:url,nvd.nist.gov/vuln/detail/CVE-2019-2616; reference:cve,2019-2616; classtype:attempted-admin; sid:2034199; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_15, cve CVE_2019_2616, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; http.request_body; content:"%6e%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Interactsh Control Panel (DNS)"; threshold: type both, track by_src, count 1, seconds 600; dns.query; pcre:"/^[a-z0-9]{33}/"; content:".interact.sh"; endswith; fast_pattern;  reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:trojan-activity; sid:2034201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/MysterySnail RAT CnC Domain in DNS Lookup"; dns.query; content:"http.ddspadus.com"; nocase; bsize:17; reference:url,securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/; reference:md5,e2f2d2832da0facbd716d6ad298073ca; classtype:domain-c2; sid:2034197; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, signature_severity Major, updated_at 2021_10_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interact .sh)"; dns.query; dotprefix; content:".interact.sh"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034198; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_jshoppi"; fast_pattern; pcre:"/^\/mod_jshoppi(?:-|ng|\/)/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019459; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.RTQ CnC Activity"; flow:established,to_server; content:"|0b 00 00 00|"; startswith; content:"|57 69 6e 64 6f 77 73 20|"; distance:4; within:8; content:"|00 00 00 cc ec b7 a3 20 56 65 72 20|"; distance:0; fast_pattern; reference:md5,1f2d30b383d332972d8a36b23d1d726e; classtype:command-and-control; sid:2034193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; http.uri; content:"[$ne]"; fast_pattern; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; classtype:web-application-attack; sid:2019460; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRAT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content: "&"; pcre: "/^(?:[a-f0-9]{2}){16}=(?:[a-f0-9]{2}){16}&(?:[a-f0-9]{2}){16}=(?=[a-z0-9A-Z]{0,32}[A-Z][a-z][A-Z][a-z][A-Z])/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:56; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1448751827046985746; reference:md5,60cf8c1093d596a44dc997d00caae463; classtype:trojan-activity; sid:2034194; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 1"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:4; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M1 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>Windows|20|code|20|firewall0x"; fast_pattern; content:".mp3|22 20|type=|22|audio/mpeg|22|"; content:"<span>Windows-Firewall"; classtype:social-engineering; sid:2034203; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 2"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:4; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M2 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|firewall0x"; fast_pattern; content:"src=|22|virus-scan.png|22|"; content:"<span>Scan|20|quickly"; classtype:social-engineering; sid:2034204; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 3"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:4; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M3 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Scanned|20|items|20|<"; fast_pattern; content:">Threats|20|found<"; content:"<p>Detected|20|items|20|Item<"; classtype:social-engineering; sid:2034205; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 4"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:5; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M4 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"i>|20|Looking|20|for|20|updates<"; fast_pattern; content:"i>|20|Scan|20|memory<"; content:"<span>Windows|20|registry|20|scan"; classtype:social-engineering; sid:2034206; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE vSkimmer.PoS Checkin"; flow:to_server,established; http.uri; content:"/process.php?xy="; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a99d5d1652dfcda190c3d412828dcf6d; reference:md5,82d9cab2692ae13fc5b835ea2cbb36d7; reference:url,anubis.iseclab.org/action=result&task_id=1b92f08cdbfb73e64450fd07ec88849b3; classtype:command-and-control; sid:2018109; rev:6; metadata:created_at 2013_03_12, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M5 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|22|>Contact|20|Technical|20|Support|3a 20|<"; content:"|22|>Windows|0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20|was|20|banned|20|for"; fast_pattern; content:"PLEASE|20|call|20|us"; classtype:social-engineering; sid:2034207; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siggen.Dropper CnC Beacon"; flow:established,to_server; http.uri; content:".jpg?log="; fast_pattern; content:"&ts="; offset:11; content:"&act="; distance:0; http.header; content:"client|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ee363de2168aab353c829434189350e4; classtype:command-and-control; sid:2019515; rev:4; metadata:created_at 2014_10_27, former_category MALWARE, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Generic Components"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|22|>Contact|20|Technical|20|Support|3a 20|<"; content:"src=|22|fullscreen.js|22|"; content:"toggleFullScreen|28 29 3b|"; classtype:social-engineering; sid:2034208; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight URI Struct (noalert)"; flow:established,to_server; flowbits:set,et.Nuclear.SilverLight; flowbits:noalert; http.uri; content:"/14"; fast_pattern; pcre:"/\/14\d{8}(?:\.xap)?$/"; classtype:exploit-kit; sid:2019668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mummyvich.xyz"; fast_pattern; classtype:domain-c2; sid:2034209; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/view.php"; fast_pattern; pcre:"/\/images\/view\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019687; rev:4; metadata:created_at 2014_11_10, former_category MALWARE, updated_at 2020_09_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dxb/mx_cmd.php"; endswith; classtype:command-and-control; sid:2034210; rev:1; metadata:created_at 2021_10_17, former_category MALWARE, updated_at 2021_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related WinRAR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|2e 8a 83 32 1f 36 bb 08 cb fc 19 52 92 2e c3 3c|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,4994952020da28bb0aa023d236a6bf3b; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030913; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dxb/mx_jscript.php"; endswith; classtype:command-and-control; sid:2034211; rev:1; metadata:created_at 2021_10_17, former_category MALWARE, updated_at 2021_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related Flash Installer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|c3 d6 21 f6 77 d7 95 61 2a 27 22 8b 2a d4 c9 16|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,a55aa68518586381213cd85441aa4e16; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030914; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit Variant Data Exfil M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".html"; http.request_body; content:"&filesize="; content:"&framesize="; fast_pattern; content:"&framenum="; content:"&filecrc="; content:"&filename="; content:"&pcname="; reference:md5,f05af511670dba679d845e3d477e789d; reference:url,twitter.com/James_inthe_box/status/1425921372987944961; reference:url,blog.reversinglabs.com/blog/data-exfiltrator; classtype:command-and-control; sid:2033727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"<email_accounts_list>"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:command-and-control; sid:2019704; rev:4; metadata:created_at 2014_11_12, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit Variant Data Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".html"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"key="; startswith; fast_pattern; content:"&data="; within:100; pcre:"/^key=\w+\&data=/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1425921372987944961; reference:url,blog.reversinglabs.com/blog/data-exfiltrator; classtype:command-and-control; sid:2033728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/getversion.php?sn="; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019662; rev:5; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Outbound .png HTTP GET flowbit set"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; endswith; flowbits:set,ET.httpget.png; flowbits:noalert; classtype:misc-activity; sid:2034212; rev:1; metadata:created_at 2021_10_18, former_category INFO, updated_at 2021_10_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check wtfismyip.com"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:text|json|xml)?$/"; http.host; content:"wtfismyip.com"; endswith; fast_pattern; classtype:policy-violation; sid:2019737; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible BlackByte Ransomware Encryption Key Inbound (fake .png)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:!"|89 50 4E 47 0D 0A 1A 0A|"; startswith; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; flowbits:isset,ET.httpget.png; classtype:command-and-control; sid:2034213; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackByte, signature_severity Major, tag Ransomware, updated_at 2021_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rtpd.cgi?"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.feedbackfileweb.club"; fast_pattern; classtype:domain-c2; sid:2034214; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; http.method; content:"GET"; http.uri; content:"/upnp/asf-mp4.asf"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.iserunifish.club"; fast_pattern; classtype:domain-c2; sid:2034215; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/md/lums.cgi"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"gsterangsic.buzz"; endswith; classtype:domain-c2; sid:2034216; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:attempted-admin; sid:2030909; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Minor, updated_at 2020_09_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"oscanonamik.club"; endswith; classtype:domain-c2; sid:2034217; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:web-application-attack; sid:2030910; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"riderskop.top"; endswith; classtype:domain-c2; sid:2034218; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".html"; fast_pattern; pcre:"/\/[A-Za-z0-9-_]{75,}\.html$/"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE|20|"; depth:42; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016567; rev:8; metadata:created_at 2013_03_13, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wiki0509.html"; fast_pattern; bsize:14; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1438602464765386757; reference:md5,41dacae2a33ee717abcc8011b705f2cb; classtype:trojan-activity; sid:2034221; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HompesA Activity"; flow:established,to_server; http.uri; content:"/me/"; fast_pattern; pcre:"/^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,8cc58bc4d63f4b78b635d45aa69108f7; classtype:trojan-activity; sid:2019838; rev:4; metadata:created_at 2014_12_02, updated_at 2020_09_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/FontOnLake Related CnC Domain in DNS Lookup (hm2 .yrnykx .com)"; dns.query; content:"hm2.yrnykx.com"; nocase; bsize:14; reference:url,www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf; reference:md5,fa73b2fd914a0cfd5e7d3161af903b6c; reference:md5,5ecf30b7a6221af8f209a7b6681f91f9; classtype:domain-c2; sid:2034222; rev:1; metadata:created_at 2021_10_18, former_category MALWARE, updated_at 2021_10_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.bfsx Checkin"; flow:to_server,established; http.uri; content:"/infect"; fast_pattern; content:".php"; offset:7; pcre:"/\/infect(?:-\d)?\.php$/"; http.user_agent; content:"Microsoft"; bsize:9; reference:md5,506cd65bdd06f41f8219cd1ed78eac7d; reference:md5,0c39b39ee4a59a8ac5fc1df500da2a88; classtype:command-and-control; sid:2019840; rev:6; metadata:created_at 2014_12_02, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Harvester Group Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/Values_V2/Getting3210"; bsize:26; fast_pattern; http.host; content:".azurewebsites.net"; endswith; http.header_names; content:"|0d 0a|MC|0d 0a|Ath|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia; reference:md5,2578bf48da48c262e4a83e2a9ae47c68; classtype:trojan-activity; sid:2034223; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fin4.InfoStealer Uploading User Credentials CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?msg="; fast_pattern; content:"&uname="; content:"&pword="; reference:url,www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html; classtype:command-and-control; sid:2019829; rev:6; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty M2"; flow:established,to_server; http.request_line; content:"GET /?opt=put&mq=loader_tx_report"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.uri; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,c52f17b858b143310dc1cb218feca5c8; classtype:command-and-control; sid:2034220; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to WebDAV CloudMe Service"; flow:established,to_server; http.host; content:"webdav.cloudme.com"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:policy-violation; sid:2019914; rev:4; metadata:created_at 2014_12_10, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Graphon Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/Values_V1/AuthAsyncComplete_V1?Identity="; fast_pattern; startswith; http.uri.raw; content:"=%3E"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:30; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia; reference:md5,ff81a65150e318c1ffbeaba7a56bb09f; classtype:command-and-control; sid:2034224; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas CnC Beacon"; flow:established,to_server; urilen:10; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"POST"; http.uri; content:"/check.jsp"; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:command-and-control; sid:2019919; rev:4; metadata:created_at 2014_12_11, former_category MALWARE, updated_at 2020_09_28;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; fast_pattern; detection_filter:track by_src, count 4, seconds 1; classtype:command-and-control; sid:2034225; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family BlackMatter, signature_severity Major, tag Ransomware, updated_at 2021_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Agent.AIXD Checkin"; flow:to_server,established; http.uri; content:"/cnc.php?id="; fast_pattern; content:"&uid="; http.user_agent; content:"AppleMac"; bsize:8; reference:md5,801e450679e9d60f8c64675c432aab33; reference:md5,ad2e8210ca7c2b4b433b3fba65e87b94; reference:md5,f6ea10f719885fbcfb6743724faa94f7; classtype:command-and-control; sid:2019945; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=swissarny.store"; fast_pattern; classtype:exploit-kit; sid:2034226; rev:1; metadata:created_at 2021_10_19, former_category TROJAN, updated_at 2021_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi.46846 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5dc2a4ee8aa084c9da42cd2d1ded2e; classtype:command-and-control; sid:2019948; rev:4; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=rtpdn14.com"; fast_pattern; classtype:exploit-kit; sid:2034227; rev:1; metadata:created_at 2021_10_19, former_category TROJAN, updated_at 2021_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"allow_url_include"; content:"safe_mode"; http.uri.raw; content:"php|3a 2f 2f|input"; http.request_body; content:"<?php"; fast_pattern; content:"chmod 777"; classtype:attempted-user; sid:2019957; rev:4; metadata:affected_product Any, attack_target Server, created_at 2014_12_17, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/set_ftp.cgi?"; fast_pattern; content:"loginuse="; content:"next_url=ftp.htm"; content:"loginpas="; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:attempted-admin; sid:2030309; rev:4; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2021_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks.A Checkin 2"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; content:"&builddate="; distance:0; content:"&q="; distance:0; content:"&ua="; content:"&lang="; content:"&wt="; content:"&lr="; distance:0; content:"&ls="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019966; rev:4; metadata:created_at 2014_12_17, former_category MALWARE, updated_at 2020_09_28;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan:Win32/Sabsik.FL.B!ml CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|0c 22 38 4e 5a 7b 2d 43 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; content:"//"; distance:0; reference:md5,956e62df6ea59dfc9a459ea85d7bb2eb; classtype:command-and-control; sid:2034229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Flash Redirector to RIG EK Dec 17 2014"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf?myid="; fast_pattern; pcre:"/\.swf\?myid=[a-zA-Z0-9]+$/"; classtype:exploit-kit; sid:2019967; rev:4; metadata:created_at 2014_12_18, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Fake AppleWebKit User-Agent Version Number Observed"; flow:established,to_server; http.user_agent; content:"AppleWebKit/"; fast_pattern; byte_test:3,>,605,0,string,dec,relative; reference:url,bugs.webkit.org/show_bug.cgi?id=180365; classtype:bad-unknown; sid:2034228; rev:1; metadata:created_at 2021_10_19, former_category INFO, updated_at 2021_10_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030911; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034230; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030912; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034231; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M1"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/googleyou_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishkit Landing Page M1"; flow:established,to_client; file.data; content:"if|28 21|document|2e|getElementById|28 22|honeypot|22 29 2e|value|29|"; content:"|2e|php"; distance:0; content:"method|3d 22|post|22 20|id|3d 27 5f|form|5f|"; distance:0; content:"enctype|3d 27|multipart|2f|form|2d|data|27|"; fast_pattern; distance:0; content:"placeholder|3d 22|Username|22|"; distance:0; content:"placeholder|3d 22|Password|22|"; distance:0; reference:url,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2021_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M2"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/winfoxupdate_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M1 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; fast_pattern; content:"<h2>YOUR|20|CART<|2f|h2>"; content:"|20|EXTRA|20|BONUS|22|"; content:"An|20|agent|20|will|20|contact"; classtype:social-engineering; sid:2034232; rev:1; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda Checkin"; flow:established,to_server; dsize:50<>400; content:"|46 45 79 4e 56 59 6c 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:md5,07328ad6efcf16b532499cbb8daa7633; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:trojan-activity; sid:2030920; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M2 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; fast_pattern; content:"|22|>Upload|20|front|20|"; content:"Driver|20|License|20|ID|28|Bold"; classtype:social-engineering; sid:2034233; rev:1; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tel/1214"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; bsize:26; http.accept; content:"image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; bsize:56; reference:md5,3009db32ca8895a0f15f724ba12a6711; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:command-and-control; sid:2030921; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M3 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; content:"<strong>Wait&nbsp|3b 20|few|20|secs"; fast_pattern; content:"ID|20|to|20|uploaded"; classtype:social-engineering; sid:2034234; rev:2; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Request with BITS_POST Method"; flow:established,to_server; http.method; content:"BITS_POST"; fast_pattern; classtype:policy-violation; sid:2030917; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M4 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>EDD-Detr|20|Government|20|Stimulus"; fast_pattern; content:"|22|>Upload|20|front|20|"; content:"Driver|20|License|20|ID|28|Bold"; classtype:social-engineering; sid:2034235; rev:1; metadata:created_at 2021_10_21, former_category PHISHING, updated_at 2021_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Downloading PE"; flow:established,to_server; http.uri; content:".exe?dummy="; fast_pattern; pcre:"/\.exe\?dummy=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6b7759565454fb7d02fb5bc638136f31; classtype:trojan-activity; sid:2020032; rev:4; metadata:created_at 2014_12_23, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING TodayZoo Phishing Kit GET M1"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//"; pcre:"/[\w\d]{8}\./Ri"; http.host; content:"|2e|ujsd|2e|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/; classtype:credential-theft; sid:2034250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/connect.php?a=1"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type|0d 0a|"; classtype:command-and-control; sid:2020077; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING TodayZoo Phishing Kit GET M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/"; pcre:"/[\w\d]{8}/Ri"; http.host; content:"|2e|ujsd|2e|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/; classtype:credential-theft; sid:2034251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Length|3a 20|74|0d 0a|"; fast_pattern; http.request_body; pcre:"/^(?P<v1>.).{33}(?P=v1).{9}(?P<v2>.)(?:.{4}(?P=v2)){3}/s"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type"; classtype:command-and-control; sid:2020080; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Microsoft Office"; startswith; fast_pattern; pcre:"/^[^\x3b\x2f\x28]+$/R"; content:!"2014"; endswith; content:!"Discovery"; endswith; content:!"OneNote"; endswith; reference:url,twitter.com/silv0123/status/1437869745961832455; classtype:bad-unknown; sid:2033960; rev:3; metadata:created_at 2021_09_16, former_category HUNTING, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/uploads/images/201"; fast_pattern; pcre:"/\.png$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:md5,5f50e810668942e8d694faeabab08260; reference:url,blog.0x3a.com/post/107195908164/analysis-of-steam-stealers-and-the-steam-stealer; classtype:trojan-activity; sid:2020095; rev:5; metadata:created_at 2015_01_05, updated_at 2020_09_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker Checkin M1"; flow:established,to_server; stream_size:server,<,5; dsize:11; content:"#PRINCIPAL#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034238; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISRStealer Checkin"; flow:to_server,established; http.uri; content:"?action="; content:"&username="; content:"&password="; content:"&app="; content:"&pcname="; fast_pattern; content:"&sitename="; reference:url,www.threatexpert.com/report.aspx?md5=44be7c6d4109ae5fb0ceb2824facf2dd; reference:url,cert.pl/news/8706/langswitch_lang/en; classtype:command-and-control; sid:2016941; rev:8; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker Server Response M1"; flow:established,to_client; stream_size:server,<,40; dsize:9; content:"#Convite#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034239; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_25, former_category MALWARE, malware_family Ousaban, tag Banker, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Codenox.gyezu CnC Activity"; flow:established,to_server; http.request_line; content:"GET /__wendaoQuery.ashx?t=getcoklist&area="; startswith; fast_pattern; content:"&tb="; content:"&min="; content:"&rnd="; content:" HTTP/1.1"; distance:18; within:9; endswith; reference:md5,2c8495e13ba334324574be52dbdce173; classtype:command-and-control; sid:2030918; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker Checkin M2"; flow:established,to_server; stream_size:server,<,40; content:"#ConvitRC#<#>"; startswith; content:"<#>"; distance:0; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?page="; content:"&enckey="; fast_pattern; pcre:"/\x26enckey\x3D[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:command-and-control; sid:2020293; rev:4; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker Server Response M2"; flow:established,to_client; stream_size:server,<,40; content:"#SocketMain#<#>"; startswith; pcre:"/^\d+$/R"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download"; flow:established,to_server; http.uri; content:"/admin-ajax.php?"; fast_pattern; content:"slider_show_image"; pcre:"/^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rim"; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:6; metadata:created_at 2015_01_20, updated_at 2020_09_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker KeepAlive"; flow:established,to_client; dsize:9; content:"#ON-LINE#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress PingBack Possible GHOST attempt"; flow:established,to_server; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; content:"<string>"; pcre:"/^\s*?https?\x3a\/\//Rs"; isdataat:1024,relative; content:!"|2f|"; within:1024; content:!"</string>"; within:1033; pcre:"/^\d[\d\x2e]{255}/R"; classtype:web-application-attack; sid:2020327; rev:8; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_01_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker KeepAlive Response"; flow:established,to_server; dsize:11; content:"#strPingOk#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FancyBox Remote Code Inclusion POST Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin-post.php?page=fancybox-for-wordpress"; fast_pattern; http.request_body; content:"INPUTBODY|3a|"; content:"action=update"; content:"mfbfw"; content:"extraCalls"; nocase; reference:url,blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html; classtype:attempted-admin; sid:2020368; rev:7; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034246; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast C2 Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?cstring="; fast_pattern; content:"&tom="; content:"&id="; distance:0; http.request_body; content:"|00 00 00 00|"; depth:4; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020378; rev:4; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.rar.exe in HTTP URL"; flow:to_server,established; http.uri; content:".rar.exe"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2020386; rev:4; metadata:created_at 2015_02_09, former_category POLICY, updated_at 2020_09_29;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034248; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"checkip.dyndns.org"; fast_pattern; http.header; pcre:"/^(?:Accept\x3a\x20text\/\*, application\/\*\r\n)?User-Agent\x3a[^\r\n\x3b\x28\x29]+\r\nHost\x3a[^\r\n]+checkip\.dyndns\.org\r\nCache-Control\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2020370; rev:6; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_10_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Monitoring Software Domain (sneek .io) in TLS SNI"; flow:established,to_server; tls.sni; content:"sneek.io"; bsize:8; classtype:policy-violation; sid:2030922; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)"; flow:established,to_server; http.user_agent; content:"Embarcadero URI Client/1.0"; bsize:26; reference:md5,c0e620ed4e96aa1fe8452a3f8b7e2e8d; classtype:bad-unknown; sid:2034244; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mayhem Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"Pragma|3a 20|1337|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:command-and-control; sid:2018456; rev:5; metadata:created_at 2014_05_08, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webhooks/aws"; nocase; fast_pattern; http.request_body; content:"|22|SubscribeURL|22 20 3a 20 22 7c|"; nocase; content:"|22|Signature|22 3a|"; nocase; reference:url,0day.click/recipe/discourse-sns-rce/; reference:cve,2021-41163; classtype:attempted-admin; sid:2034252; rev:1; metadata:attack_target Server, created_at 2021_10_25, cve CVE_2021_41163, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/newage.txt"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:command-and-control; sid:2019467; rev:5; metadata:created_at 2014_10_17, former_category MALWARE, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zoom.us Phish 2021-10-25"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://static.zoom.us"; bsize:22; fast_pattern; reference:md5,eb5994afdc8da491c862867784956a5b; classtype:credential-theft; sid:2034245; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Seeds File Request"; flow:established,to_server; http.uri; content:"/i2pseeds.su3"; fast_pattern; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020415; rev:4; metadata:created_at 2015_02_12, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session/downexlog/cdfd/"; fast_pattern; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034884; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/0/"; fast_pattern; pcre:"/\/(?:5[12]|6[0-3])\/0\/[A-Z]*$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020419; rev:5; metadata:created_at 2015_02_13, former_category CURRENT_EVENTS, updated_at 2020_09_29;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/WinDealer CnC Activity (Checkin)"; dsize:<200; content:"|06 81 da 91 ce c7 9f 43|"; startswith; fast_pattern; content:"|14 00|"; distance:4; within:4; reference:url,blogs.jpcert.or.jp/en/2021/10/windealer.html; reference:md5,5a7a90ceb6e7137c753d8de226fc7947; classtype:trojan-activity; sid:2034254; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components - set"; flow:established,to_server; urilen:8; flowbits:set,ET.Gulcrypt; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/manager"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020420; rev:4; metadata:created_at 2015_02_13, former_category MALWARE, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN FTPSync Settings Disclosure Attempt"; flow:to_server,established; http.uri; content:"/ftpsync.settings"; fast_pattern; endswith; reference:url,github.com/NoxArt/SublimeText2-FTPSync; classtype:attempted-recon; sid:2034253; rev:2; metadata:created_at 2021_10_26, former_category SCAN, updated_at 2021_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; pcre:"/&user=\d+$/"; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020434; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Shiro 1.2.4 Cookie RememberME Deserial RCE (CVE-2016-4437)"; flow:established,to_server; http.cookie; content:"rememberMe="; startswith; fast_pattern; bsize:>125; reference:url,issues.apache.org/jira/browse/SHIRO-550; reference:cve,2016-4437; classtype:attempted-admin; sid:2034256; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2016_4437, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Exfiltrating files"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"account="; depth:8; content:"&name="; content:"&folder="; fast_pattern; content:"&fname="; content:"&s="; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020435; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 37777 (msg:"ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)"; flow:established,to_server; http.cookie; content:"|62 00 00 00|"; startswith; content:"Protocol|3a 20|"; distance:0; fast_pattern; content:"|0d 0a|"; distance:200; reference:url,www.exploit-db.com/exploits/48304; reference:cve,2016-4437; reference:cve,2020-5735; classtype:attempted-admin; sid:2034257; rev:2; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_5735, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checking filename"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"path="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020437; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8983 (msg:"ET EXPLOIT Apache Solr RCE via Velocity Template M1 (CVE-2019-17558)"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; content:"/solr/test/config"; nocase; endswith; http.request_body; content:"solr.VelocityResponseWriter"; nocase; fast_pattern; content:"params.resource.loader.enabled"; nocase; pcre:"/[^\r\n]*true/Ri"; reference:url,www.exploit-db.com/exploits/48338; reference:cve,2019-17558; classtype:attempted-admin; sid:2034258; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_17558, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert udp any any -> any any (msg:"ET MALWARE Mozi Botnet DHT Config Sent"; flow:established,to_client; content:"|64 31 3a 72 64 32 3a 69 64 32 30 3a 38 38 38 38 38 38 38 38|"; content:"|3a 6e 6f 64 65 73 36 32 34 3a 15 15|"; distance:13; within:12; reference:url,blog.netlab.360.com/mozi-another-botnet-using-dht/; reference:url,securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/; reference:md5,5616a3471565d34d779b5b3d0520bb70; reference:md5,891158b3c43e621956558cd0b5b41e81; classtype:command-and-control; sid:2030919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, malware_family Mozi, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8983 (msg:"ET EXPLOIT Apache Solr RCE via Velocity Template M2 (CVE-2019-17558)"; flow:established,to_server; http.method; content:"GET"; bsize:3; http.uri; content:"/select"; nocase; endswith; content:"wt=velocity"; nocase; distance:0; content:"v.template=custom"; nocase; content:"v.template.custom="; nocase; fast_pattern; reference:url,www.exploit-db.com/exploits/48338; reference:cve,2019-17558; classtype:attempted-admin; sid:2034259; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_17558, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT File information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; content:"&file="; distance:0; content:"&type="; distance:0; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020438; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8080 (msg:"ET EXPLOIT Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution (CVE-2020-12133)"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; pcre:"/\x2f(?:FURUKAWA|APROS)\x2f/i"; http.request_body; content:"javax.faces.ViewState"; nocase; fast_pattern; content:"|3a|"; distance:0; content:"|22|"; distance:0; reference:url,packetstormsecurity.com/files/157383/Furukawa-Electric-ConsciusMAP-2.8.1-Java-Deserialization-Remote-Code-Execution.html; reference:cve,2020-12133; classtype:attempted-admin; sid:2034260; rev:2; metadata:created_at 2021_10_27, cve CVE_2020_12133, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Serial"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&serial="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020439; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8090 (msg:"ET EXPLOIT Confluence Server Path Traversal Vulnerability (CVE-2019-3398)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"plugins/drag-and-drop/upload.action"; nocase; fast_pattern; content:"draftId="; nocase; distance:0; content:"filename="; nocase; content:"/shell.jsp"; nocase; content:"atl_token"; nocase; http.request_body; content:"<%"; reference:url,github.com/superevr/cve-2019-3398/blob/master/poc.py; reference:cve,2019-3398; classtype:attempted-admin; sid:2034261; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_3398, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Date"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&date="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020440; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M1 (CVE-2020-3452)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/translation-table?"; nocase; fast_pattern; content:"type=mst"; content:"textdomain="; content:"&lang="; content:"|2e 2e|"; reference:url,twitter.com/aboul3la/status/1286012324722155525; reference:cve,2020-3452; classtype:attempted-admin; sid:2034262; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_3452, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (SK)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"SK"; nocase; fast_pattern; bsize:2; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020441; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M2 (CVE-2020-3452)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem-customization?"; nocase; fast_pattern; content:"app=AnyConnect"; nocase; content:"type=oem"; nocase; content:"platform="; nocase; content:"resource-type="; nocase; content:"name="; nocase; content:"|2e 2e|"; reference:url,twitter.com/aboul3la/status/1286141887716503553; reference:cve,2020-3452; classtype:attempted-admin; sid:2034263; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_3452, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skype)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skype"; nocase; fast_pattern; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020442; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (magento-plugin .com)"; dns.query; content:"magento-plugin.com"; nocase; bsize:18; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034264; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skypee)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skypee"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020443; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (cdn-cgi .net)"; dns.query; content:"cdn-cgi.net"; nocase; bsize:11; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034265; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_rtemp.php?n="; fast_pattern; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5efc02d416b15554b25d9acec362148e; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020436; rev:4; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (trustdomains .net)"; dns.query; content:"trustdomains.net"; nocase; bsize:16; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034266; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Beaugrit.gen.AAAA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/attach/1759CB3B5124F217143044"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fbfe6c2673aec9098e1fc9bf6d7fc059; classtype:trojan-activity; sid:2020479; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/loadercrypt_"; startswith; fast_pattern; content:".php?vid="; distance:32; within:9; isdataat:171,relative; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1)|20|AppleWebKit/587.38"; bsize:47; reference:url,twitter.com/malwrhunterteam/status/1452992872928661512; reference:md5,aa1add403d79f0ae38f8b0aed2fcb0c2; classtype:trojan-activity; sid:2034267; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_10_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.NSIS.Comame.A Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/9.php?safe="; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a15f19a3ccd05f74537464e6df64dab; classtype:command-and-control; sid:2020480; rev:5; metadata:created_at 2015_02_19, former_category MALWARE, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (liveupdatedriver .com)"; dns.query; dotprefix; content:".liveupdatedriver.com"; nocase; endswith; reference:url,twitter.com/kyleehmke/status/1453352660766269451; classtype:domain-c2; sid:2034268; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ddnsmngr.cmd?action=apply"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (dnsnamefinder .com)"; dns.query; dotprefix; content:".dnsnamefinder.com"; nocase; endswith; reference:url,twitter.com/kyleehmke/status/1453352660766269451; classtype:domain-c2; sid:2034269; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vid="; content:"|2d 27 20|AND|20 28|SELECT|20|"; content:"|28|SELECT|28|SLEEP|28 5b|SLEEPTIME|5d 29 29 29 2d 2d|"; distance:9; fast_pattern; reference:url,"vulnerability-lab.com/get_content.php?id=2295"; classtype:trojan-activity; sid:2034270; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_27, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"dnsPrimary="; fast_pattern; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session-error-active/"; content:"/config/?id="; fast_pattern; distance:0; content:"&ath="; distance:0; reference:md5,3a95182c1461c1f396795b328e879e4b; classtype:credential-theft; sid:2034273; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"dnsDynamic="; content:"dnsRefresh="; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vid="; content:"UNION|20|ALL|20|SELECT|20|NULL|2c|NULL|2c|NULL|2c|NULL|2c|NULL|2c|NULL"; fast_pattern; distance:0; reference:url,"vulnerability-lab.com/get_content.php?id=2295"; classtype:trojan-activity; sid:2034271; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_27, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/verify.php?version="; fast_pattern; content:"&GUID=|7b|"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020490; rev:5; metadata:created_at 2015_02_19, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/session-error-active/"; content:"/config/connect.php?id="; fast_pattern; distance:0; content:"&ath="; distance:0; http.request_body; content:"&profile.long_session="; distance:0; reference:md5,3a95182c1461c1f396795b328e879e4b; classtype:credential-theft; sid:2034274; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign GET Keepalive"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php/customer/onlin"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020432; rev:7; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"url|3d 25|25"; fast_pattern; distance:0; content:"&mb_id="; distance:0; content:"&mb_password="; distance:0; reference:md5,9939c621f58183455bf56914c3957e51; classtype:credential-theft; sid:2034272; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC Beacon 2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/cou.php"; fast_pattern; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020504; rev:4; metadata:created_at 2015_02_23, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IP Phones Web Server Vulnerability (CVE-2020-3161)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/deviceconfig/setActivationCode?params="; nocase; fast_pattern; isdataat:150,relative; reference:url,github.com/tenable/poc/blob/master/cisco/ip_phone/cve_2020_3161.txt; reference:cve,2020-3161; classtype:attempted-admin; sid:2034277; rev:1; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2020_3161, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality.3 Checkin"; flow:to_server,established; http.uri; content:"/?f"; fast_pattern; pcre:"/\/\?f$/"; http.header; content:!"Cache-Control|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer"; reference:md5,df9516919e75853742e63db318e7d346; classtype:command-and-control; sid:2020505; rev:4; metadata:created_at 2015_02_23, former_category MALWARE, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco RV320/RV325 RCE (CVE-2019-1653)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"certificate_handle2.htm"; nocase; fast_pattern; http.request_body; content:"page=self_generator.htm"; nocase; content:"common_name="; pcre:"/[^\r\n]*(?:\x60|\x24|\x7c|\bsh\b)/Ri"; reference:url,www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection; reference:cve,2019-1653; classtype:attempted-admin; sid:2034278; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_28, cve CVE_2019_1653, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe download with no referer (noalert)"; flow:established,to_server; flowbits:set,exe.no.referer; flowbits:noalert; http.uri; content:".exe"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2020573; rev:4; metadata:created_at 2015_02_26, former_category INFO, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_browser?lang="; nocase; fast_pattern; isdataat:100,relative; reference:url,shaqed.github.io/dlink/; reference:cve,2020-29557; classtype:attempted-admin; sid:2034280; rev:1; metadata:created_at 2021_10_28, cve CVE_2020_29557, former_category EXPLOIT, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Superlinks Plugin SQL Injection"; flow:established,to_server; http.uri; content:"/superlinks.php?"; nocase; fast_pattern; pcre:"/[?&]id=\d*?[^\d]\d*?(?:&|$)/i"; reference:url,www.exploit-db.com/exploits/33809/; classtype:attempted-user; sid:2018612; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_06_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 2 Inbound - Upload Malicious Config (CVE-2020-8260)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-admin/cached/config/import.cgi"; http.referer; content:"/dana-admin/cached/config/config.cgi?type=system"; fast_pattern; xbits:isset,ET.2020_8260.1,track ip_src,expire 10; xbits:set,ET.2020_8260.2,track ip_src,expire 10; noalert; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033751; rev:2; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Update check"; flow:established,to_server; http.uri; content:"/update.inf"; http.header; content:"X-TA-ClientVer|3a 20|"; fast_pattern; content:"X-TA-ClientOS|3a 20|"; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020580; rev:4; metadata:created_at 2015_02_27, updated_at 2020_09_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 1 Inbound - Request Config Backup (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/cached/config/config.cgi?type=system"; fast_pattern; xbits:set,ET.2020_8260.1,track ip_src,expire 10; noalert; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033750; rev:2; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; urilen:9; http.method; content:"POST"; http.uri; content:"/ping.ccp"; fast_pattern; http.request_body; content:"ccp_act=ping_v6&ping_addr="; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:4; metadata:created_at 2015_03_03, updated_at 2020_09_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TinyNuke VNC Checkin"; flow:established,to_server; dsize:7; content:"MELTED|00|"; fast_pattern; reference:url,app.any.run/tasks/cad45c57-d1fd-4e3b-9e1f-4e6742affb56/; reference:md5,e82aae34a54d0398bd099a0c33db9266; reference:url,twitter.com/Jane_0stin/status/1453441977014497280; classtype:trojan-activity; sid:2034281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family TinyNuke, signature_severity Major, tag RAT, updated_at 2021_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xunpf.A Retrieving DLL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web_"; fast_pattern; content:".jpg"; pcre:"/\/web_[0-9A-F]{12}\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfb7dd8b6975b73dc9c731319a05f86d; classtype:trojan-activity; sid:2020601; rev:4; metadata:created_at 2015_03_03, updated_at 2020_09_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CloudAtlas APT Related Domain (checklicensekey .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"checklicensekey.com"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:domain-c2; sid:2034282; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/fwupgrade.ccp"; fast_pattern; http.request_body; content:"|0d 0a|fwupgrade"; content:"|0d 0a|resolv.conf"; nocase; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:4; metadata:created_at 2015_03_03, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CloudAtlas APT Related CnC Domain in DNS Lookup (checklicensekey .com)"; dns.query; content:"checklicensekey.com"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:domain-c2; sid:2034283; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; fast_pattern; http.request_body; content:"set_general"; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:5; metadata:created_at 2015_03_02, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CloudAtlas APT Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dotm"; endswith; http.host; content:"checklicensekey.com"; fast_pattern; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:trojan-activity; sid:2034284; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Downloading Module"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".pack"; nocase; fast_pattern; endswith; http.user_agent; content:"Mozilla"; startswith; pcre:"/^Mozilla(?:\/4\.0)?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:7; metadata:created_at 2014_06_24, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sabsik Config Downloader"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_body; content:"|24|url|3d 22|http|3a 2f 2f|"; startswith; content:"|2e|txt|22 3b 0d 0a 24|web|20 3d 20|New|2d|Object|20|System|2e|Net|2e|WebClient|3b|"; distance:0; within:63; fast_pattern;  reference:md5,49eb944fb7f86a9d6649c6a190c782e8; classtype:trojan-activity; sid:2034288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor Based Locker Page (Torrentlocker)"; flow:established,to_server; http.uri; content:"/buy.php?"; fast_pattern; http.header; pcre:"/Host\x3a\x20[a-z0-9]{16}\.[^\r\n]*?(?:tor|onion)/mi"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018951; rev:6; metadata:created_at 2014_08_18, updated_at 2020_09_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"digitalresolve.live"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034285; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M2 Feb 06 2015"; flow:established,to_server; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$/"; classtype:exploit-kit; sid:2020644; rev:4; metadata:created_at 2015_03_06, updated_at 2020_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live)"; dns.query; content:"digitalresolve.live"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034286; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Post Infection CnC Beacon"; flow:established,to_server; http.uri; content:"/rp?"; fast_pattern; content:"v="; content:"a="; content:"u="; content:"d="; pcre:"/^\/(?:[^\x2f]+\/)?rp\?[a-z]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fc962cb08f62e3d6368500a8e747cf73; classtype:command-and-control; sid:2020645; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_09_29;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Application.ThunderN.A Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|1b 00 0c|"; startswith; content:"Startup102_embedding|ea 03 01 00 00 00|"; endswith; fast_pattern; reference:md5,1f1ef30f55a9b69bf0b8706e479beca0; classtype:command-and-control; sid:2034275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Onkods.A Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)*?[a-z]+\.exe$/"; http.header; content:"User-Agent|3a 20|"; depth:12; pcre:"/^User-Agent\x3a\x20(?=\d*[a-z])[a-z0-9]+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fb570e6d68e708daeceae5dfc544fba2; classtype:command-and-control; sid:2018121; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; urilen:80<>90; http.method; content:"GET"; http.host; content:"digitalresolve.live"; bsize:19; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:trojan-activity; sid:2034287; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaoutra.ru)"; flow:to_server,established; http.header; content:"bagacaoutra.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaoutra\.ru\r\n/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020650; rev:6; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed ApoioViewer Remote Access Tool  Domain (apoioviewer .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"apoioviewer.com"; bsize:15; fast_pattern; reference:md5,b27ede7c569f27d96c66b4d3c7a84a95; classtype:policy-violation; sid:2034276; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacavoltou.ru)"; flow:to_server,established; http.header; content:"bagacavoltou.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacavoltou\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020651; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE slock Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/slock.php?ip="; fast_pattern; content:"&&user="; distance:0; content:"&&host="; distance:0; content:"&&domain="; distance:0; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|10|2e|0|3b 20|WOW64|3b 20|Trident|2f|7|2e|0|3b 20|rv|3a|11|2e|0|29 20|like|20|Gecko"; bsize:69; reference:md5,45a430e2bcba867f4d8a537354a98a73; classtype:command-and-control; sid:2034291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaveia.ru)"; flow:to_server,established; http.header; content:"bagacaveia.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaveia\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020652; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casbaneiro CnC Host Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?AT="; fast_pattern; content:"Microsoft Windows"; distance:0; content:"&MD="; distance:0; content:!"&"; distance:0; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,6716f7a0e6f96617c9ba4b47ff9f41eb; classtype:trojan-activity; sid:2034292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Casbaneiro, performance_impact Low, signature_severity Major, tag Banker, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Checkin"; flow:established,to_server; http.uri; content:"v="; content:"a="; content:"u="; content:"i=0"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)?[a-z_]+\?[a-z]=/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,baf71ace207afd3f330c4aba3784e074; classtype:command-and-control; sid:2020646; rev:6; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_09_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (croperdate .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"croperdate.com"; bsize:14; fast_pattern; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; reference:md5,67c916ed405a3163d19f7642734d94be; classtype:domain-c2; sid:2034302; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Checkin"; flow:established,to_server; http.uri; content:"/?user="; fast_pattern; content:"os="; content:"&os2="; content:"&ver="; content:"&host="; content:!"|2e|"; content:"type="; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019678; rev:5; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2020_09_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (kaslose .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaslose.com"; bsize:11; fast_pattern; reference:md5,0b10e6fe7db4421f4807e08bd3b5982a; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; classtype:domain-c2; sid:2034303; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|13|0d 0a|"; fast_pattern; http.request_body; content:"|00 04 00 00 00|"; offset:4; depth:5; content:!"|00 00 00 00|"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:command-and-control; sid:2020568; rev:6; metadata:created_at 2015_02_25, former_category MALWARE, updated_at 2020_09_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (cdnwin .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cdnwin.xyz"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; classtype:domain-c2; sid:2034304; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; fast_pattern; pcre:"/\.php\?id=\d+$/"; http.header; content:!"Content-T"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:command-and-control; sid:2020706; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"from=CIA"; startswith; content:"|26|body|3d|Your|20|Subject|20|is|20|Online|20 3a|P|20|Victim|20|Name|3a 20|"; fast_pattern; content:"Clients|20|Conneted|3a 20|"; distance:0; reference:md5,7055137624d83f3c6025caf1e62e85f6; classtype:command-and-control; sid:2034293; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FindPOS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"oprat="; fast_pattern; content:"&uid="; content:"&uinfo="; content:"&win="; content:"&vers="; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:command-and-control; sid:2020723; rev:5; metadata:created_at 2015_03_20, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action=log&ip="; content:"&usrname="; distance:0; content:"&server=C|2e|I|2e|A"; distance:0; fast_pattern; reference:md5,7055137624d83f3c6025caf1e62e85f6; classtype:command-and-control; sid:2034294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fileless infection dropped by EK CnC Beacon"; flow:established,to_server; http.uri; content:"hl="; content:"source="; content:"aq="; content:"aqi="; content:"aql="; fast_pattern; content:"oq="; http.header; content:!"google."; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:49; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020734; rev:4; metadata:created_at 2015_03_24, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Microsoft-ATL-Native/9.00)"; flow:established,to_server; http.user_agent; content:"Microsoft-ATL-Native/9.00"; bsize:25; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:bad-unknown; sid:2034296; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"ext="; content:"&pid="; content:"&country="; content:"&regd="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020738; rev:4; metadata:created_at 2015_03_24, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Systweak Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/IsUserAuthenticated|22 0d 0a|"; http.request_body; content:"<sUsername>"; content:"</sUsername><sPassword>"; distance:0; fast_pattern; content:"</sPassword><sMacId>"; distance:0; content:"</sMacId><refno>"; distance:0; reference:md5,cb5de25d798ed63a781926c903317f70; classtype:pup-activity; sid:2034297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/state"; fast_pattern; content:".php?"; pcre:"/\/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020717; rev:7; metadata:created_at 2015_03_20, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (urlRequest)"; flow:established,to_server; http.user_agent; content:"urlRequest"; bsize:10; reference:md5,988fbcfeebf2a49af4072030dead68f9; classtype:bad-unknown; sid:2034298; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hyteod CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.header; content:"|5f 5e 5b 8b e5 5d|"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; bsize:63; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept-"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f2ad19a08063171b039accd24b0c27ca; classtype:command-and-control; sid:2020821; rev:4; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - GetTasks Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//get-tasks.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|HWID|0d 0a|Host|0d 0a 0d 0a|"; bsize:16; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034299; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mikey Variant HTTP CnC Beacon 2"; flow:established,to_server; http.header; content:"Accept|3a 20|*/*,|20|"; content:", MZ"; fast_pattern; pcre:"/^Accept\x3a\x20\*\/\*,[^\r\n]+, MZ/mi"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020834; rev:4; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - Report Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//report.php"; endswith; http.header; content:"IPINFO|3a 20 7b 22|status|22 3a 22|"; fast_pattern; http.header_names; content:"|0d 0a|UN|0d 0a|MN|0d 0a|"; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F exe Download 2"; flow:to_server,established; urilen:<13; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/^\/[^\x2f]+?\.exe$/i"; http.host; content:".ru"; endswith; http.header; content:".ru|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:8; metadata:created_at 2013_07_24, updated_at 2020_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Google Chrome Notifications Installer"; flow:established,to_client; http.response_body; content:"|28|function|20 28 29|"; startswith; content:"callbackName|3a 20 27|onSubInit|27|"; distance:0; content:"workerName|3a 20 27|"; distance:0; content:"serverUrl|3a 20 27|"; distance:0; content:"applicationServerKey|3a 20|"; distance:0; content:"cookieNameS|3a 20 27|notify|2d|p|27|"; fast_pattern; distance:0;  reference:url,rapid7.com/blog/post/2021/10/28/sneaking-through-windows-infostealer-malware-masquerades-as-windows-application; reference:md5,45602bfa86ee9a5e31758a24a0d5cd08; classtype:trojan-activity; sid:2034307; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 20, seconds 40; http.method; content:"GET"; http.uri; content:"/random"; nocase; fast_pattern; pcre:"/\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do)/i"; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NO Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:76; content:"MB|00 00|"; offset:32; depth:9; content:"|32 2e 32 d5 fd ca bd b0 e6 00 00 00|"; endswith; fast_pattern; reference:md5,e09e70ae301e0816355ad0bfa0ab8707; classtype:command-and-control; sid:2034301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.sanlorenzoyacht.com"; bsize:23; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SecureDriverUpdater Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/driverupdateservicenewsdu/updateservice.asmx"; bsize:45; http.header; content:"SOAPAction|3a 20 22|http://systweak.com/GetDriverUpdatesData1|22 0d 0a|"; fast_pattern; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:pup-activity; sid:2034295; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .automercado .co .cr in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.automercado.co.cr"; bsize:21; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands)"; flow:established,to_server; http.request_line; content:"GET|20|/console.php|20|HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:34; reference:md5,c028d598f8ba842bc03631f92bc6f242; reference:url,twitter.com/malwrhunterteam/status/1454160943471079425; classtype:trojan-activity; sid:2034305; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ne-ba.org"; bsize:13; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Sending System Information)"; flow:established,to_server; http.request_line; content:"POST|20|/console.php|20|HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.request_body; content:"FROM|20|"; startswith; content:"User|20|accounts|20|for"; content:"Directory|20|of|20|"; http.header_names; content:!"Referer"; reference:md5,c028d598f8ba842bc03631f92bc6f242; reference:url,twitter.com/malwrhunterteam/status/1454160943471079425; classtype:trojan-activity; sid:2034306; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/cgi-bin/webcm"; fast_pattern; http.request_body; content:"getpage="; depth:10; content:"errorpage="; distance:0; content:"/html/index.html&login|3a|command"; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:5; metadata:created_at 2015_04_08, updated_at 2020_09_30;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)"; dns.query; content:"transfer.sh"; nocase; bsize:11; classtype:bad-unknown; sid:2034316; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_01;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup.cgi?todo=wan_dns1="; fast_pattern; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com)"; dns.query; content:"cnc.pinklander.com"; nocase; bsize:18; reference:url,blog.netlab.360.com/pink-en/; classtype:domain-c2; sid:2034317; rev:1; metadata:attack_target IoT, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_01;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?wan_primary_dns="; fast_pattern; content:"&wan_secondary_dns="; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sabsik.FL.B!ml Checkin"; flow:established,to_server; content:"|02|"; startswith; content:"|05 4c 41 75 74 6f 20 28|"; offset:5; depth:8; fast_pattern; content:"|29|"; distance:0; isdataat:!30,relative; reference:md5,0792e225ebae5021f0dd6c333026ee00; classtype:command-and-control; sid:2034313; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_01;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/router/add_dhcp_segment.cgi?"; fast_pattern; content:"is_router_as_dns=1"; content:"&dns1="; content:"submitbutton="; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lantern Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getlantern/data?action=startup&deviceID="; startswith; fast_pattern; content:"&goarch="; distance:0; content:"&osName="; distance:0; content:"&secret="; distance:0; reference:md5,0d79f6cae6898ab27f2df1740aedbbec; classtype:pup-activity; sid:2034314; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, updated_at 2021_11_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/loader.php?name="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:command-and-control; sid:2020883; rev:7; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&knock="; distance:0; content:"&keylog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020907; rev:4; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)"; flow:established,to_server; http.uri; content:"/login.php"; endswith; fast_pattern; http.cookie; content:"user_id="; nocase; startswith; pcre:"/^[^\r\n=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-9465; classtype:attempted-admin; sid:2034309; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_9465, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ruckguv.A Requesting Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/id.exe"; fast_pattern; http.user_agent; content:"MSIE"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,227365242cc97fa611fdac295b732d82; reference:md5,b9eec5be1d2f5d0007bd94fdd8c7ea57; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3801; classtype:trojan-activity; sid:2020910; rev:5; metadata:created_at 2015_04_14, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ttint XORed CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.connection; content:"Upgrade"; http.request_body; content:"|a1 8a ee 02 e8 91 ff 04 be ac f7 09 b3 9c|"; offset:8; fast_pattern; reference:url,blog.netlab.360.com/ttint-an-iot-rat-uses-two-0-days-to-spread/; classtype:command-and-control; sid:2030924; rev:2; metadata:affected_product IoT, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, malware_family Ttint, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; http.stat_code; content:"302"; http.stat_msg; content:"Found"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:4; metadata:created_at 2015_04_15, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/eurekaservice/fetchLogFiles"; endswith; fast_pattern; http.request_body; content:"instanceId"; nocase; content:"logLevel"; nocase; content:"logFileNameList"; nocase; content:"|2e 2e|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; reference:cve,2020-4430; classtype:attempted-admin; sid:2034312; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_4430, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; http.stat_code; content:"301"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:4; metadata:created_at 2015_04_15, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/PSW.Agent_AGen.A Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:!"-"; distance:0; http.user_agent; content:"GRequests/0.10"; bsize:14; http.request_body; content:"|5c 5c 2f|arch|2e|zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; reference:md5,662002d61f1aebd64fc204ce40fd65f2; classtype:command-and-control; sid:2034315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?id="; fast_pattern; content:"&os="; content:"&com="; content:"&ver="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020918; rev:4; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/languages/mode"; fast_pattern; content:".php?user="; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?fn="; fast_pattern; pcre:"/&(?:uid|name|file)=[a-f0-9]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020921; rev:4; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content: "POST"; http.referer; content:"/wp-content/languages/mode"; fast_pattern; http.uri; content:".php"; endswith; http.request_body; content:"user="; content:"&amount="; content:"&submit="; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".asp?HostID="; fast_pattern; pcre:"/\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$/"; http.header; content:"Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 0d 0a|"; reference:md5,e397a68bf4fbb7a9b4d1b6da1fe2172b; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020928; rev:5; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - add-on"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add-on/"; nocase; fast_pattern; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034330; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|uploaded|22 3b 20|filename=|22|"; fast_pattern; content:".jpg"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; nocase; classtype:command-and-control; sid:2020933; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT GoCD Authentication Bypass URI Path - add-on"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add-on/"; nocase; fast_pattern; content:"pluginName="; content:"|2e 2e 2f|"; distance:0; within:5; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034331; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; flowbits:set,ET.CozyDuke.HTTP; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020963; rev:4; metadata:created_at 2015_04_22, former_category MALWARE, updated_at 2020_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - cruise_config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cruise_config"; nocase; fast_pattern; flowbits:set,ET.gocd.auth; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034332; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?$/"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http.request_body; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020964; rev:4; metadata:created_at 2015_04_22, former_category MALWARE, updated_at 2020_09_30;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT GoCD Authentication Bypass Successful Leak"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"agentAutoRegisterKey="; nocase; fast_pattern; content:"webhookSecret="; nocase; content:" tokenGenerationKey="; nocase; flowbits:isset,ET.gocd.auth; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034333; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; http.stat_code; content:"307"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Debit Card or Check Data Exfil"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|d5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034329; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; http.stat_code; content:"303"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Direct Deposit Payment Data Exfil"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|b5.php|22|"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BUILDINGCAN CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:69; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) Chrome/28.0.1500.95 Safari/537.36"; fast_pattern; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.request_body; content:"id="; startswith; pcre:"/(?:&(?:boardid|bbsNo|strBoardID|userid|bbs|filename|code|pid|seqNo|ReportID|v|PageNumber|num|view|read|action|page|mode|idx|cateId|bbsId|pType|pcode|index|tbl|idx_num|act|bbs_id|bbs_form|bid|bbscate|menu|tcode|b_code|bname|tb|borad01|borad02|borad03|mid|newsid|table|Board_seq|bc_idx|seq|ArticleID|B_Notice|nowPage|webid|boardDiv|sub_idxa)=[^&]+){3}$/R"; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:targeted-activity; sid:2030932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Form"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; distance:0; content:".php"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"id|3d 22|edit|2d|submit|2d|pup|2d|efile|2d|provider|2d|search|22|"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed DownloadAssistant User-Agent"; flow:established,to_server; http.user_agent; content:"DLA/"; startswith; reference:md5,521875fc63f4b2c004deb75e766cb8c5; classtype:pup-activity; sid:2030933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Internet, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET|20|CLR|20|2.0.50727|3b 20|.NET|20|CLR|20|3.0.30729|3b 20|.NET|20|CLR|20|3.5.30729|3b 20|InfoPath.3)"; fast_pattern; bsize:162; http.header_names; content:!"Referer";  reference:md5,8eb1525db6bdadce7dae53b15f544bd2; classtype:trojan-activity; sid:2034464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/"; classtype:exploit-kit; sid:2020991; rev:4; metadata:created_at 2015_04_24, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual CnC Activity"; flow:established,to_server; urilen:<50; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]+/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"vl="; startswith; pcre:"/^[0-9D]+$/R"; reference:md5,b0ab12a5a4c232c902cdeba421872c37; classtype:command-and-control; sid:2034325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag TA450, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownloadAssistant Activity"; flow:established,to_server; http.start; content:"POST /v2/events HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Length|3a 20|"; fast_pattern; http.request_body; content:"4F44"; startswith; reference:md5,d6d20eef805a4719f0771321f832bbed; classtype:pup-activity; sid:2030934; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows VBScript Engine VbsErase Memory Corruption (CVE-2019-0667)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"Class|20|"; pcre:"/^(?P<class>[A-Z0-9_-]{1,20})\s*.*?(?P<var>[A-Z0-9_-]{1,15})\s*=\s*(?:&amp\x3b|0x|\\x|&?h)*\d{8}\s*.*?(?:ReDim|Dim)\s*(?P=var)\(\d{4,20}\).*?set\s*(?P=var)\(\d+\)\s*=\s*new\s*(?P=class).*?Erase\s*(?P=var).*?Erase\s*(?P=var)/Rsi"; content:"Erase|20|"; fast_pattern; content:"Dim|20|"; reference:cve,2019-0667; classtype:attempted-admin; sid:2033733; rev:4; metadata:attack_target Server, created_at 2021_08_13, cve CVE_2019_0667, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; threshold: type both, track by_dst, count 10, seconds 60; http.method; content:"POST"; http.uri; content:"/apply_noauth.cgi"; fast_pattern; http.request_body; content:"timestamp="; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:4; metadata:created_at 2015_04_27, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious PHP UNZIP Tool Accessed on External Possibly Compromised Server"; flow:established,to_client; file_data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin"; flow:to_server,established; urilen:7; http.method; content:"GET"; http.uri; content:"/dw/gtk"; fast_pattern; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021028; rev:4; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2020_09_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspicious PHP UNZIP Tool Accessed on Internal Possibly Compromised Server"; flow:established,to_client; file.data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034337; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim payload retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/app.exe"; fast_pattern; pcre:"/\/app\.exe$/"; http.user_agent; content:"Wget"; depth:4; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020350; rev:6; metadata:created_at 2015_02_03, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Windows Defender"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"reg|20|delete|20 22|HKLM|5c|Software|5c|Policies|5c|Microsoft|5c|Windows|20|Defender|22 20 2f|f"; distance:0; fast_pattern;  classtype:trojan-activity; sid:2034338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".xap"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/m"; file.data; content:"AppManifest.xaml"; fast_pattern; classtype:exploit-kit; sid:2020982; rev:5; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Real Time Monitoring"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"powershell.exe Set-MpPreference -DisableRealtimeMonitoring|20 24|true"; within:66; fast_pattern;  classtype:trojan-activity; sid:2034339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Xenu Link Sleuth"; fast_pattern; classtype:attempted-recon; sid:2021058; rev:5; metadata:created_at 2015_05_05, updated_at 2020_09_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-59 Related Domain in DNS Lookup"; dns.query; content:"itoxtlthpw.com"; nocase; bsize:14; reference:url,otx.alienvault.com/pulse/61811ddc259f23fdd630e196; classtype:domain-c2; sid:2034334; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, malware_family apt_c_59, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M1 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^1\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021067; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; content:"bash|20 2d|c"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M2 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^2\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021068; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Connection Manager Administration Kit (cmdl32.exe) User-Agent"; flow:established,to_server; http.user_agent; content:"Microsoft(R) Connection Manager Vpn File Update"; bsize:47; reference:url,twitter.com/ElliotKillick/status/1455897435063074824; reference:url,www.hexacorn.com/blog/2017/04/30/the-archaeologologogology-3-downloading-stuff-with-cmdln32; classtype:policy-violation; sid:2034335; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M3 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^3\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021069; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Vv/"; fast_pattern; startswith; pcre:"/\.(dll|exe|zip|json)$/i"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M4 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^4\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021070; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST"; flow:established,to_server; http.request_line; content:"POST /log HTTP/1.1"; fast_pattern; startswith; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M5 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^5\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021071; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Related Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/details.php?image="; fast_pattern; content:".PRJ"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1455489336850325519; reference:md5,606695bae4f0eb5ba0f35b8897b9f57a; classtype:trojan-activity; sid:2034342; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M6 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^6\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021072; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt STrike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /EbhM HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(compatible|3b 20|MSIE|20|9.0|3b 20|Windows|20|NT|20|6.0|3b 20|Trident/5.0)"; bsize:63; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,72dac7c7f9c50d8ab420acb75132f631; reference:url,twitter.com/BlackLotusLabs/status/1456314419215020043; classtype:trojan-activity; sid:2034346; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M7 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^7\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021073; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /9Wla HTTP/1.1"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,ac45cc9b586d30836bb2997745a5208e; reference:url,twitter.com/malwrhunterteam/status/1455885521905934339; classtype:trojan-activity; sid:2034347; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M8 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^8\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021074; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SolarMarker Backdoor Related Domain in DNS Lookup (noelfpar .com)"; dns.query; content:"noelfpar.com"; nocase; bsize:12; reference:url,twitter.com/MBThreatIntel/status/1456395490820440065; classtype:domain-c2; sid:2034348; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M9 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^9\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021075; rev:4; metadata:created_at 2015_05_07, updated_at 2020_09_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (google-play .serveftp .com)"; dns.query; content:"google-play.serveftp.com"; nocase; bsize:24; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:targeted-activity; sid:2034349; rev:1; metadata:attack_target Mobile_Client, created_at 2021_11_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC GET"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"docs/"; fast_pattern; pcre:"/^\/(?:tran|http)docs\//"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021080; rev:4; metadata:created_at 2015_05_08, former_category MALWARE, updated_at 2020_09_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (bitsadmin .ddns .net)"; dns.query; content:"bitsadmin.ddns.net"; nocase; bsize:18; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:targeted-activity; sid:2034350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Tmanger Checkin"; flow:established,to_server; content:"|8f 98 45 59 08 12 b2 aa ea 9d 7b 27 15 96 5f 00 2b b5 00|"; offset:8; depth:19; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (list-sert .ddns .net)"; dns.query; content:"list-sert.ddns.net"; nocase; bsize:18; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:domain-c2; sid:2034351; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Infostealer CnC Host Checkin"; flow:established,to_server; content:"|54 0b 54|"; offset:16; depth:3; fast_pattern; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|08 00|"; distance:0; content:"|01|"; endswith; reference:md5,a5a4046989fa0f99c2076aec3ea0ab2a; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030939; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon CnC Activity (Sending Windows System Information)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_540AD80E/walt.html"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M5"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030936; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Vanguard v2.1 (Search) POST Inject Web Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"phps_query|3d 22 3e 25 32 30 3c|iframe src="; startswith; fast_pattern; content:"onload="; distance:0; content:"|29 3e 26|phps_search|3d 3b 29|"; endswith; reference:url,exploit-db.com/exploits/50491; classtype:attempted-admin; sid:2034354; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_05, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M6"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030937; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon Activity (Retrieving Remote .dot)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prior/energy/bidding.dot"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?"; fast_pattern; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/"; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,a69ac85c7e723ae37377516d7054fa0b; classtype:command-and-control; sid:2021118; rev:5; metadata:created_at 2015_05_20, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9]{9,12}\/t\.html$/U"; http.request_line; content:"/t.html HTTP/1.1"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; startswith; content:!"Referer"; reference:md5,1b18012902faa7670ceef2b6a12953f8; reference:md5,1a23e15c82ebc19f52a4da440cec596e; reference:url,twitter.com/Max_Mal_/status/1456555275326996497; classtype:trojan-activity; sid:2034355; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?wd="; fast_pattern; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,1beb162fc327101c01b07240a924202f; classtype:command-and-control; sid:2021119; rev:4; metadata:created_at 2015_05_20, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/BlackNet Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"?key="; content:!"?token="; content:!"/index.php"; content:!"act=bkw9"; nocase; content:!"?data="; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:16; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2021_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&guid="; content:"&version="; distance:0; pcre:"/&version=\d+$/"; http.header; content:"WinHttp.WinHttpRequest."; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021132; rev:4; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2020_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"GetObject|28 22|winmgmts|3a 22 2b 22 7b|impersonationLevel=impersonate|7d 22 2b 22|"; fast_pattern; distance:0; content:"ExecQuery|28 22|Select|20 2a 20 22 2b 22|from|20 22 2b 22|Win32|5f 22 2b 22|Process|22 29 3b|"; distance:0;  reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; pcre:"/^[A-Za-z0-9/_]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021139; rev:4; metadata:created_at 2015_05_22, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citibank Phish 2021-11-10"; flow:established,to_server; flowbits:isset,ET.genericphish; http.uri; content:"/citi/"; nocase; fast_pattern; content:".php"; distance:0; http.host; content:".otzo.com"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos URL Structure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/infects/"; fast_pattern; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:4; metadata:created_at 2015_05_22, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Certificate (cloudflace-network .digital)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudflace-network.digital"; bsize:29; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/; classtype:domain-c2; sid:2034356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Autorun.AD Checkin"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/loglogin.html"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; reference:md5,3d652375fd511878f410fb1048e47f83; classtype:command-and-control; sid:2021143; rev:6; metadata:created_at 2015_05_22, former_category MALWARE, updated_at 2020_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"|3d 22|Explore|22 3b|"; distance:0; content:"|22|W|22 2b 22|scr"; distance:0; content:"|2b 22|ipt|22 2b 22 2e|S|22 3b|"; distance:0; content:"|3d 22|aHR0cHM6Ly9kb2NzLmdvb2dsZS5jb20vc3ByZWFkc2hlZXRzL2Qv"; distance:0; fast_pattern;  reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Red-Is-Sus Server"; nocase; endswith; reference:md5,de232dfbef55fa3803b15f4fa01c9f95; classtype:domain-c2; sid:2030935; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, signature_severity Major, updated_at 2020_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Citibank Phish Landing Page"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<title>Citibank Online</title>"; nocase; content:"form|20|name|3d 22|undefined|22|"; fast_pattern; distance:0; content:"|2e|php|3f|sessionid"; distance:0; content:"|26|sslchannel|3d|true|22 20|method|3d 22|POST|22|"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034397; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE TransparentTribe AhMyth RAT Variant Activity (POST)"; flow:established,to_server; content:"|20|gzip|0d 0a 0d 0a|5d|0d 0a|--"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"U|3b 20|Android"; http.request_body; content:"form-data|3b 20|name=|22|imei|22 0d 0a|"; content:"form-data|3b 20|name=|22|image|22 3b 20|filename=|22|sm.csv|22 0d 0a|"; distance:0; reference:url,securelist.com/transparent-tribe-part-2/98233/; reference:md5,b8006e986453a6f25fd94db6b7114ac2; classtype:trojan-activity; sid:2030940; rev:1; metadata:attack_target Mobile_Client, created_at 2020_10_01, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital)"; flow:established,to_server; tls.sni; content:"stackpatc-technologies.digital"; bsize:30; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; classtype:domain-c2; sid:2034357; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Backspace CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.header; content:"HOST|3a 20|"; http.user_agent; content:"SJZJ (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ddf0981aebeea6ba9abdae6ddf8ed4e2; classtype:targeted-activity; sid:2021184; rev:4; metadata:created_at 2015_06_04, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oscp/"; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:57; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; reference:md5,f790bea81673806479e30337629fa605; classtype:trojan-activity; sid:2034358; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?type=notification&machinename="; fast_pattern; content:"&machinetime="; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:command-and-control; sid:2021188; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital)"; dns.query; content:"rackspare-technology.digital"; nocase; bsize:28; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034391; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".py"; fast_pattern; endswith; http.user_agent; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021213; rev:4; metadata:created_at 2015_06_08, former_category MALWARE, updated_at 2020_10_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Cert (asurecloud .tech)"; flow:established,to_client; tls.cert_subject; content:"CN=asurecloud.tech"; bsize:18; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034392; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip2location.com"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021162; rev:5; metadata:created_at 2015_05_28, former_category POLICY, updated_at 2020_10_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI)"; flow:established,to_server; tls.sni; content:"asureupdate.tech"; bsize:16; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; reference:md5,80447e4ec87e319bdc6895e04b18363e; classtype:domain-c2; sid:2034393; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ip.webmasterhome.cn"; flow:established,to_server; http.host; content:"ip.webmasterhome.cn"; fast_pattern; bsize:19; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021250; rev:4; metadata:created_at 2015_06_11, former_category POLICY, updated_at 2020_10_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)"; flow:established,to_server; http.uri; content:"/./RestAPI/"; startswith; fast_pattern; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034362; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Retrieving Config"; flow:to_server,established; urilen:22; http.method; content:"GET"; http.uri; content:"/css/bootstrap.min.css"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/i"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:4; metadata:created_at 2015_06_12, updated_at 2020_10_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; distance:0; within:30; content:"|20|name=|22|Save|22|"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034363; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; pcre:"/\/win\.html$/"; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/si"; classtype:exploit-kit; sid:2021292; rev:4; metadata:created_at 2015_06_18, updated_at 2020_10_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; distance:0; within:30; content:"|20|name=|22|Save|22|"; content:"filename=|22|"; pcre:"/^[^\x22]+\.jsp\x22/R"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034364; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/page_"; nocase; fast_pattern; content:".html"; nocase; pcre:"/\/[a-f0-9]{8}\/page_\d{8,10}\.html$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0"; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021274; rev:6; metadata:created_at 2015_06_16, former_category MALWARE, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (asureupdate .pro)"; dns.query; content:"asureupdate.pro"; nocase; bsize:15; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034394; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup www.whatsmyip.us"; flow:established,to_server; http.host; content:"www.whatsmyip.us"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2021371; rev:4; metadata:created_at 2015_06_30, former_category POLICY, updated_at 2020_10_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/Connection"; http.request_body; content:"methodToCall=openSSLTool"; nocase; content:"+-providerclass"; fast_pattern; content:"+-providerpath"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034365; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.2|29 20|"; startswith; http.request_body; content:"appid="; depth:6; content:"&model="; content:"&imei="; fast_pattern; content:"&connect="; content:"&dpi="; content:"&width="; content:"&cpu="; content:"&phoneno="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded Script Disables Firewall/Antivirus"; flow:established,to_client; http.content_type; content:"text/plain"; file.data; content:"|22|C:|5c|Windows|5c|debug|5c|m|5c|winlogon.exe|22|"; content:"netsh advfirewall set allprofiles state off"; within:45; fast_pattern; content:"name like |27 25|Eset|25 27 22| call uninstall /nointeractive";  reference:md5,fcfc0feed527d188d6b2ed3445758511; classtype:trojan-activity; sid:2034395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"uuid="; content:"language="; content:"appkey"; content:"model="; content:"operatorsname="; fast_pattern; content:"networkname="; content:"networktype="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"mt-xmlrpc.cgi"; fast_pattern; http.request_body; content:"<?"; content:"<base64>"; distance:0; base64_decode:offset 0,relative; base64_data; content:"|60|"; startswith; reference:cve,2021-20837; classtype:attempted-admin; sid:2034366; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_20837, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matsnu Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; bsize:70; http.request_body; content:"="; depth:7; content:"AA"; distance:3; within:2; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.connection; content:"Keep-AliveCache-Control|3a 20|no-cache"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:command-and-control; sid:2021399; rev:5; metadata:created_at 2015_07_10, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Beacon)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"s6rt&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034367; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm/contador.php"; fast_pattern; http.user_agent; content:"Firefox/15.0.1"; bsize:14; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021403; rev:4; metadata:created_at 2015_07_10, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Download)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"xrtf&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi_test.cgi?write_"; fast_pattern; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/i"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:4; metadata:created_at 2015_07_13, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Upload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"o543n&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; http.uri; content:"/movie.swf"; fast_pattern; classtype:trojan-activity; sid:2021414; rev:4; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M1"; flow:established,to_server; http.uri; content:"/?proto="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SLOTHFULMEDIA RAT CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v?m="; startswith; fast_pattern; content:"&i="; distance:0; http.accept; content:"application/octet-stream,application/xhtml"; bsize:42; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-275a; reference:md5,448838b2a60484ee78c2198f2c0c9c85; classtype:command-and-control; sid:2030960; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:"/?kind="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; http.uri; content:"isn_logdel"; nocase; fast_pattern; pcre:"/[?&]isn_logdel/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:8; metadata:created_at 2013_12_09, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M3"; flow:established,to_server; http.uri; content:"/?pt="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034372; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; http.uri; content:"isn_logpath"; nocase; fast_pattern; pcre:"/[?&]isn_logpath/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:8; metadata:created_at 2013_12_09, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LNK/Agent.GX CnC Traffic"; flow:established,to_server; http.method; content:"GET"; http.header; content:!"Referer"; content:"UA-CPU"; http.uri; pcre:"/^\/[a-zA-Z0-9+=]{29,44}.{0,8}=$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|Trident|2f|7.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.0.30729|3b 20|.NET CLR 3.5.30729)"; bsize:156; fast_pattern; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034410; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/"; fast_pattern; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/"; http.header; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/mi"; http.request_body; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021520; rev:4; metadata:created_at 2015_07_23, former_category MALWARE, updated_at 2020_10_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WBK Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".wbk"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".wbk HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2034396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern; http.stat_code; content:"200"; file.data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:4; metadata:created_at 2015_07_24, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".digitalmarketingagency.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034373; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; http.uri; content:".xap"; nocase; fast_pattern; pcre:"/\/\d{2,}\.xap$/i"; classtype:exploit-kit; sid:2018402; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".centosupdatecdn.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034374; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip?json"; fast_pattern; http.host; content:"trackip.net"; classtype:external-ip-check; sid:2021550; rev:4; metadata:created_at 2015_07_29, former_category POLICY, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".wsuslink.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; http.uri; content:".php?id="; fast_pattern; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/"; classtype:trojan-activity; sid:2021552; rev:4; metadata:created_at 2015_07_30, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hpesystem.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034376; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 7"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?vid="; fast_pattern; pcre:"/\.jpg\?vid=\d+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021570; rev:5; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ndianmombais.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034377; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Androm.gnlb Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?ver="; fast_pattern; nocase; content:"&mac="; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c7e6ebf91c03a2bcaa8053f149870fad; classtype:command-and-control; sid:2021608; rev:4; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".micrsoftonline.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest CnC Beacon"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?"; content:"/0"; content:"=0000"; fast_pattern; content:"=?"; pcre:"/\.php\?[a-z]+=0000[a-fA-F0-9]{4}&[a-z]+=\?[A-F0-9]+&[a-z]=\d{4}&[a-z]=\d{4}$/"; http.header; content:"Accept"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1b820dda5833f802be829d468884884e; classtype:command-and-control; sid:2025089; rev:4; metadata:created_at 2015_08_25, former_category MALWARE, updated_at 2020_10_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnscdn.org"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert tcp any any -> $HOME_NET 40006 (msg:"ET EXPLOIT [401TRG] HPDM Backdoor Login"; flow:established,to_server; content:"user|00|dm_postgres|00|database|00|hpdmdb|00|"; fast_pattern; reference:url,twitter.com/nickstadb/status/1310853783765815297; classtype:attempted-admin; sid:2030961; rev:2; metadata:created_at 2020_10_02, former_category EXPLOIT, performance_impact Low, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".uctpostgraduate.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zonestatistic.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030942; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".akastatus.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailgun Phishing Landing"; flow:to_client,established; file.data; content:"<title>Log In to Mailgun"; nocase; content:"function checkUsername()"; nocase; distance:0; content:"function checkPassword()"; nocase; distance:0; content:".php|22|,"; nocase; distance:0; content:"type|3a 20 22|POST|22|,"; nocase; distance:0; content:"data|3a 20|{username|3a 20|$('#username').val(),password|3a|$('#password').val()"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2030943; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".updatecdn.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Sending Debug Messages"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?usid="; fast_pattern; content:"&txt=00"; distance:0; pcre:"/^[0-9a-f]+$/R"; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".sysadminnews.info"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034384; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".windowsupdatecdn.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034385; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnsanalizer.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034386; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030946; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".defenderstatus.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034387; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".checkinternet.org"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034388; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Files"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lup.php?name="; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".securednsservice.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034389; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnscatalog.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034390; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; dotprefix; content:".ncdn.space"; nocase; endswith; classtype:trojan-activity; sid:2031111; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app)"; dns.query; content:"akastat.app"; nocase; bsize:11; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034398; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz)"; flow:established,to_client; tls.cert_subject; content:"CN=cdnengine.biz"; bsize:16; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034399; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_10;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030952; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI)"; flow:established,to_server; tls.sni; content:"azurestat.app"; bsize:13; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034400; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030953; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech)"; dns.query; content:"akamaclouds.tech"; nocase; bsize:16; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034401; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending File Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|file|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rpc"; bsize:4; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; reference:md5,f7810878118c08539c0cb0c60e4a23b7; reference:md5,8ccc051bbaf6dc9cb76bfea2bbd8f6d4; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:trojan-activity; sid:2034402; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending Screenshot Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|src|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=setupfastonline.com"; bsize:22; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034403; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/data/"; content:".xd"; isdataat:!2,relative; http.user_agent; bsize:17; content:"internet explorer"; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, signature_severity Major, updated_at 2020_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site)"; dns.query; content:"akamalupdate.site"; nocase; bsize:17; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034404; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FinSpy Domain (browserupdate .download in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".browserupdate.download"; endswith; fast_pattern; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; reference:url,github.com/AmnestyTech/investigations/blob/master/2020-09-25_finfisher/domains.txt; classtype:domain-c2; sid:2030962; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible SombRAT Initial DNS Lookup"; dns.query; content:!".amazonaws.com"; content:"images"; nocase; depth:6; fast_pattern; content:!"images."; depth:7; content:"."; distance:8; within:1; pcre:"/^images[a-f0-9]{8}\./i"; reference:md5,f43377b04b66d1aed783cd6037e3298d; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; classtype:trojan-activity; sid:2031251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 3"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/r.php?"; fast_pattern; pcre:"/\/r\.php\?[A-F0-9]+=?$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0a4d0e5d0b69560414bbd20127bd8176; classtype:command-and-control; sid:2021723; rev:6; metadata:created_at 2015_08_27, former_category MALWARE, updated_at 2020_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg)"; dns.query; content:"c2.hax.vg"; nocase; bsize:9; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034405; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Reconyc.equo Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; content:"&mac="; fast_pattern; content:"&auth="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,32c17edee5b29e41f31eda05e78b2241; classtype:command-and-control; sid:2021744; rev:5; metadata:created_at 2015_09_04, former_category MALWARE, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http.content_len; byte_test:0,>,60,0,string,dec; byte_test:0,<,150,0,string,dec; http.connection; content:"close"; bsize:5; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/i"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,41c33fdb9a95353a3b109393543f90dd; classtype:command-and-control; sid:2016223; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt Connectivity Check 1"; flow:established,to_server; urilen:4; http.uri; content:"/raw"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,d0e3471f4963496cefd73744e98340aa; classtype:trojan-activity; sid:2021775; rev:4; metadata:created_at 2015_09_15, updated_at 2020_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech)"; dns.query; content:"azuresecure.tech"; nocase; bsize:16; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034406; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2021786; rev:4; metadata:created_at 2015_09_16, updated_at 2020_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud)"; dns.query; content:"securesurvey.cloud"; nocase; bsize:18; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034407; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; http.uri; content:".php?v="; content:"&brok="; fast_pattern; content:"&u="; content:"&id="; pcre:"/&id=\d{15}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech)"; dns.query; content:"akabox.tech"; nocase; bsize:11; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034408; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage Userclass HTTP Request"; flow:established,to_server; urilen:10; http.uri; content:"/Userclass"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; content:!"Referer"; reference:md5,92ecb8cedb226a27e354b45a56f0353f; classtype:trojan-activity; sid:2021922; rev:4; metadata:created_at 2015_10_07, updated_at 2020_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com)"; dns.query; content:"electronicwhosaleonline.com"; nocase; bsize:27; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034409; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/getInstalledPackages.jsp"; fast_pattern; http.request_body; content:"sdCardFree="; depth:11; content:"&imei="; distance:0; content:"&hasSd="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET INFO Observed Initial NKN POST Request"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|id|22 3a 22|"; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:policy-violation; sid:2034414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_11_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Nemim Checkin"; flow:to_server,established; http.uri; content:".php?a1="; nocase; fast_pattern; content:"&a2="; nocase; content:"&a3="; nocase; pcre:"/\.php\?a1=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&a2=[a-f0-9]{32}&a3=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve; classtype:command-and-control; sid:2017599; rev:6; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PlayerUnknown's Battlegrounds Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; distance:0; http.referer; content:"otzo.com"; distance:0; http.request_body; content:"email="; distance:0; content:"&password="; content:"&nick="; distance:0; content:"&playid="; fast_pattern; distance:0; content:"&phone="; distance:0; content:"&level="; distance:0; content:"&tier="; distance:0; content:"&rpt="; distance:0; content:"&rpl="; distance:0; content:"&platform="; distance:0; content:"&login=Facebook"; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"&act="; fast_pattern; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:4; metadata:created_at 2015_10_28, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_cmd.php"; distance:3; within:11; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MosaicRegressor WinHTTP Downloader)"; flow:established,to_client; tls.cert_subject; content:"CN=ezan.yikongjian.cc"; bsize:21; fast_pattern; tls.cert_issuer; content:"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA"; bsize:86; reference:url,securelist.com/mosaicregressor/98849/; reference:url,74DB88B890054259D2F16FF22C79144D; classtype:domain-c2; sid:2030963; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_jscript.php"; distance:3; within:15; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Ransom.Win32.Blocker.dham Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ID="; content:"&Serial="; content:"&acao="; content:"&Log="; content:"&PCInfo="; fast_pattern; reference:md5,e15b38251aed80298ba07169eb6ee2fa; classtype:command-and-control; sid:2022091; rev:4; metadata:created_at 2015_11_13, former_category MALWARE, updated_at 2020_10_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uaic.nl"; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:domain-c2; sid:2034429; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/menu.php"; fast_pattern; endswith; http.user_agent; content:"rv|3a|20.0"; content:"Firefox/20.0"; distance:0; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020891; rev:6; metadata:created_at 2015_04_10, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M14"; flow:established,to_client; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:isset,ET.Parallax-14; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032527; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/\.php\?hwid=[A-F0-9]{16}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; reference:md5,d543973bd33d45d515e8dfc251411c4b; classtype:trojan-activity; sid:2022127; rev:4; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M14"; flow:established,to_server; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:set,ET.Parallax-14; flowbits:noalert; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032526; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 1"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"/img/"; depth:5; content:"/"; distance:32; within:1; content:"/general.png"; endswith; fast_pattern; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/general\.png$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022146; rev:4; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2020_10_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity (set) M16"; flow:established,to_server; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:set,ET.Parallax-16; flowbits:noalert; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034432; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip2nation.com"; flow:established,to_server; http.host; content:"www.ip2nation.com"; fast_pattern; bsize:17; classtype:external-ip-check; sid:2022222; rev:4; metadata:created_at 2015_12_07, former_category POLICY, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M15"; flow:established,to_client; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:isset,ET.Parallax-15; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN COMMIX Command injection scan attempt"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 6d 6d 69 78|"; fast_pattern; reference:url,github.com/stasinopoulos/commix/blob/master/README.md; classtype:web-application-activity; sid:2022243; rev:4; metadata:created_at 2015_12_11, updated_at 2020_10_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M15"; flow:established,to_server; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:set,ET.Parallax-15; flowbits:noalert; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:4; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET MALWARE Possible NGLite Backdoor C2 Traffic (NKN)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"|22|address|22 3a|"; content:"|2e|monitor_03|2e|"; within:20;  reference:url,unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:command-and-control; sid:2034438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family NGLite, signature_severity Major, tag c2, updated_at 2021_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (exe) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".exe"; nocase; fast_pattern; classtype:misc-activity; sid:2022264; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (lurkingnet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lurkingnet.com"; bsize:14; fast_pattern; classtype:domain-c2; sid:2034434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msi) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msi"; nocase; fast_pattern; classtype:misc-activity; sid:2022265; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (autoconfirmations .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"autoconfirmations.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msp) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msp"; nocase; fast_pattern; classtype:misc-activity; sid:2022266; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (singlefunctionapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"singlefunctionapp.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:4; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|29 2a 28|"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&prv_ip="; fast_pattern; content:".doc"; content:".xls"; content:".ppt"; content:".sql"; content:".pdf"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M16"; flow:established,to_client; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:isset,ET.Parallax-16; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Internet Explorer)"; flow:established,to_server; http.user_agent; content:"Internet Explorer"; depth:17; endswith; nocase; http.host; content:!"pnrws.skype.com"; content:!"iecvlist.microsoft.com"; content:!".lenovo.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:bad-unknown; sid:2008052; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Compromised  Domain (cryptoarenastore .com in TLS SNI) (2021-11-12)"; flow:established,to_server; tls.sni; dotprefix; content:".cryptoarenastore.com"; endswith; fast_pattern; reference:md5,4965ac0316d652fe5026b4b92d563672; classtype:trojan-activity; sid:2034441; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Evil Macro Downloading Trojan Dec 16 2015 Post to EXE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/^[\x2fa-z\d]+\.exe$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|Connection|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022270; rev:4; metadata:created_at 2015_12_17, former_category CURRENT_EVENTS, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Application"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034442; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; nocase; http.request_body; content:"{|22|type|22 3a|"; depth:8; content:",|22|text|22 3a|"; content:",|22|code|22 3a|"; fast_pattern; content:",|22|from|22 3a|"; content:"|22|}"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Name"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034443; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IOS Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".ipa"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022296; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Email"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034444; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".apk"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022297; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Server"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034445; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; http.uri; content:"/444.jpg"; fast_pattern; http.host; content:"postimg.org"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:7; metadata:created_at 2014_01_27, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Secured"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034446; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Htbot.B Checkin"; flow:to_server,established; http.uri; content:".php?command="; fast_pattern; pcre:"/\.php\?command=(?:g(?:hl|et(?:ip|id|backconnect))|update2?|dl|log)(?:$|&)/"; http.user_agent; content:"pb"; bsize:2; reference:md5,bdd2328d466e563a650bb7ccdb9aca79; reference:md5,ba1404af71ecf3ca8b0e30a2b365f6fd; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FHtbot.B; classtype:command-and-control; sid:2020089; rev:6; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Type"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034447; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Downloader fake image zip"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".zip"; endswith; nocase; fast_pattern; pcre:"/\.(?:gif|jpe?g)\.zip$/i"; http.content_type; content:"text/plain|3b 20|Charset=UTF-8"; bsize:25; reference:md5,7b678a25c533652dbb0c2a2ac37cf1e3; classtype:trojan-activity; sid:2022334; rev:4; metadata:created_at 2016_01_05, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=User"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034448; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; flowbits:set,ET.And.CruseWin; flowbits:noalert; http.uri; content:"/flash/test.xml"; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:command-and-control; sid:2013193; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Password"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL Linux/Torte Uploaded"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"JGVudiA9ICJYRFZTTl9TRVNTSU9OX0NPT0tJR"; fast_pattern; content:"eval(base64_decode($_REQUEST["; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:attempted-admin; sid:2022359; rev:4; metadata:created_at 2016_01_13, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=SMTP"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034450; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL JSP/Backdoor Shell Access"; flow:established,to_server; http.uri; content:".war?cmd="; fast_pattern; content:"&winurl="; content:"&linurl="; pcre:"/\.war\?cmd=[a-zA-Z0-9+/=]+&winurl=[a-zA-Z0-9+/=]*&linurl=[a-zA-Z0-9+/=]*/"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:successful-admin; sid:2022348; rev:5; metadata:created_at 2016_01_11, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|2f 2a 5c|"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip.tyk.nu"; flow:established,to_server; urilen:1; http.host; content:"ip.tyk.nu"; fast_pattern; bsize:9; classtype:external-ip-check; sid:2022368; rev:4; metadata:created_at 2016_01_14, former_category POLICY, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034439; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tabDialog.html?dialog=login"; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_05;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034440; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - meuip.net.br"; flow:established,to_server; http.host; content:"meuip.net.br"; fast_pattern; bsize:12; classtype:external-ip-check; sid:2022405; rev:4; metadata:created_at 2016_01_25, former_category POLICY, updated_at 2020_10_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Engineers Online Portal System Webshell Upload (CVE-2021-42669)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"teacher_avatar.php"; fast_pattern; http.request_body; content:"<?php"; reference:cve,2021-42669; classtype:attempted-admin; sid:2034453; rev:1; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_42669, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; http.uri; content:"/?keyword="; fast_pattern; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/"; classtype:exploit-kit; sid:2022493; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_10_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Engineers Online Portal System Access Control Bypass (CVE-2021-42671)"; flow:established,to_server; http.uri; content:"/nia_munoz_monitoring_system/admin/uploads"; fast_pattern; reference:cve,2021-42671; classtype:attempted-admin; sid:2034454; rev:1; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_42671, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC HTTP Pattern"; flow:established,to_server; http.method; content:"GET"; http.uri; content:",0x"; fast_pattern; pcre:"/(?:,0x[0-9a-f]{2}){10}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,8df8d0cd70f96538211c65fb6361704d; classtype:command-and-control; sid:2022494; rev:4; metadata:created_at 2016_02_08, former_category MALWARE, updated_at 2020_10_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploads/user"; http.request_body; content:"Content-Type|3a 20|image/jpeg"; content:"DJVMDIRM|00|"; content:"DJVIANT"; content:"|7b|"; content:"|7d|"; distance:0; within:400; reference:cve,2021-22205; classtype:attempted-admin; sid:2034455; rev:2; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_22205, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 1"; flow:established,to_server; urilen:11; http.method; content:"GET"; http.uri; content:"/flamme.php"; fast_pattern; http.header; content:"Cache-Control|3a 20|no-cache"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; classtype:command-and-control; sid:2022495; rev:4; metadata:created_at 2016_02_08, former_category MALWARE, updated_at 2020_10_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=Sfgh"; bsize:7; fast_pattern; tls.cert_issuer; content:"CN=Sfgh"; bsize:7; reference:md5,353bf835f7858ee5a1a77e70cef01607; classtype:domain-c2; sid:2034456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Microsoft"; nocase; content:"/default.asp"; distance:0; content:"?tmp="; fast_pattern; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:command-and-control; sid:2018554; rev:6; metadata:created_at 2014_06_10, former_category MALWARE, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse HTTP Request to textbin"; flow:established,to_server; http.request_line; content:"GET /raw/"; startswith; http.host; content:"textbin.net"; bsize:11; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; classtype:bad-unknown; sid:2034461; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2021_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.TreasureHunter Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; content:"request=true"; fast_pattern; http.request_body; content:"request="; depth:8; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; reference:md5,070e9a317ee53ac3814eb86bc7d5bf49; reference:url,isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/; classtype:command-and-control; sid:2022681; rev:3; metadata:created_at 2016_03_29, former_category MALWARE, updated_at 2020_10_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; http.user_agent; content:"miner"; nocase; content:!"IdleMiner"; content:!"CFNetwork"; pcre:"/miner[^a-z]/i"; http.host; content:!".kaspersky.com"; endswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016067; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, former_category COINMINER, signature_severity Informational, tag Bitcoin_Miner, updated_at 2021_11_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-sale.com"; bsize:18; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030969; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_10_06;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)"; dns.query; content:".publicvm.com"; nocase; endswith; content:!"www.publicvm.com"; classtype:bad-unknown; sid:2034457; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".html"; nocase; fast_pattern; pcre:"/\/\d{8,10}\.html$/i"; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:!"www.youdao.com"; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cfa7954722d4277d26e96edc3289a4ce; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021276; rev:6; metadata:created_at 2015_06_16, former_category MALWARE, updated_at 2020_10_06;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (linkpc .net)"; dns.query; content:".linkpc.net"; nocase; endswith; content:!"www.linkpc.net"; classtype:bad-unknown; sid:2034458; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via dawhois.com"; flow:established,to_server; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; classtype:external-ip-check; sid:2022687; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith;  reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034481; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:external-ip-check; sid:2022688; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith;  reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034482; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.request_body; content:"|40 24|"; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:command-and-control; sid:2022689; rev:4; metadata:created_at 2016_03_30, former_category MALWARE, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Emotet CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header_names; content:"|0d 0a|Cookie|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.cookie; bsize:>250; pcre:"/^[A-Za-z0-9]{1,15}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:md5,bc3532085a0b4febd9eed51aac2180d0; classtype:command-and-control; sid:2034459; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2021_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"co"; content:"untry="; content:"phone="; content:"&op="; content:"imei="; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017588; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com)"; dns.query; content:"awsmcafee.com"; nocase; bsize:13; reference:md5,a8e97752bb385cc263d89350518633c2; reference:url,twitter.com/fr0s7_/status/1458150977278726147; classtype:domain-c2; sid:2034462; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; nocase; http.header; content:"Authorization|3a 20|Basic"; http.request_body; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; fast_pattern; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:4; metadata:created_at 2016_04_25, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M5"; flow:established,to_server; http.request_line; content:"GET /jquery-3.3.2.slim.min.js HTTP/1.1"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:47; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,twitter.com/fr0s7_/status/1458150977278726147; reference:md5,a8e97752bb385cc263d89350518633c2; classtype:trojan-activity; sid:2034463; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ga.php?analytic=WyJ1cmwl"; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M1"; dsize:16; flow:established,to_server; stream_size:client,>,200; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 c9|"; reference:md5,0428de20539f8341f0987457bc96fd9f; reference:md5,57e582c2a00cfb50a748b78b6c17ee74; classtype:command-and-control; sid:2035632; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3718 SSRF Inbound (mvg + fill + url)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"fill"; content:"url("; distance:0; nocase; pcre:"/^\s*https?\x3a\/\//Ri"; classtype:web-application-attack; sid:2022791; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"=eyIzQ0VrIjoi"; fast_pattern; pcre:"/(?:IiwiM2ZlMTEiOi|IsIjNmZTExIjoi|iLCIzZmUxMSI6I)/R"; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034466; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3715 File Deletion Inbound (ephermeral:+ mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"ephemeral"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022792; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"=eyIzbTd4Ijoi"; fast_pattern; pcre:"/(?:IiwiYXU1byI6I|IsImF1NW8iOi|iLCJhdTVvIjoi)/R"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:trojan-activity; sid:2034469; rev:1; metadata:created_at 2021_11_16, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3716 Move File Inbound (msl: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"msl"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022793; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Matanbuchus Loader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<,100,0,string,dec; http.response_body; content:"eyJoc3pBIjoi"; startswith; fast_pattern; pcre:"/(?:ifQ==|In0=|J9)$/"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034470; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3717 Local File Read Inbound (label: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"label"; nocase; pcre:"/^\s*\x3a\s*\x40/Ri"; classtype:web-application-attack; sid:2022794; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Post)"; flow:established,to_server; http.uri; content:!"/uup.php"; http.header; content:!".360.cn|0d 0a|"; content:!".360.com|0d 0a|"; content:!".360safe.com|0d 0a|"; http.user_agent; content:"Post"; fast_pattern; bsize:4; classtype:trojan-activity; sid:2014366; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2021_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/"; http.header; content:"Range"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; classtype:trojan-activity; sid:2022500; rev:7; metadata:created_at 2016_02_10, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ghayt_Zone Phishing Kit"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"INFORMATION"; content:"TELEGRAM|20 3a 20 40|ghayt|5f|Zone"; distance:0; fast_pattern; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034472; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality-GR Checkin 2"; flow:to_server,established; http.uri; content:".png?"; fast_pattern; pcre:"/\.png\x3f[0-9a-f]{4,8}\x3d\d+?$/"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,99d614964eafe83ec4ed1a4537be35b9; classtype:command-and-control; sid:2022804; rev:4; metadata:created_at 2016_05_13, former_category MALWARE, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Made And Morocco"; nocase; content:"Nourblog1"; fast_pattern; nocase; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; fast_pattern; endswith; http.header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021079; rev:5; metadata:created_at 2015_05_08, former_category MALWARE, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Made And Morocco"; nocase; content:"Nour|2e|blog1"; fast_pattern; nocase; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034476; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; pcre:"/https\x3a.+(?<!\x5c)(:[\x22\x27]|\\x2[27])\s*?[\x3b&\x7c><].*?(:[\x22\x27]|\\x2[27])/si"; classtype:web-application-attack; sid:2022789; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com)"; dns.query; content:"bg.knonwsec.com"; nocase; bsize:15; reference:url,twitter.com/malwrhunterteam/status/1425771461499920385; reference:md5,e31a96ce2760c27a4f1cf83a0b5da83b; classtype:domain-c2; sid:2034473; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)"; flow:established,to_server; http.request_body; content:"<svg|20|"; nocase; fast_pattern; content:"xlink"; nocase; pcre:"/xlink\s*?\x3a\s*?href\s*?=\s*?(:[\x22\x27]|\\x2[27])https.+?&quot\s*?\x3b(?:\x7c|&(?:[gl]t|amp)\s*?\x3b)/si"; classtype:web-application-attack; sid:2022790; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Coded By Noureddine Tkodar"; nocase; content:"Nourblog1"; fast_pattern; nocase; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034478; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b|)"; http.accept; content:"*/*"; bsize:3; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:4; metadata:created_at 2016_05_19, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; pcre:"/^[a-z]{256}-\.jpg$/R"; http.header_names; content:"|0d 0a|Referer|0d 0a|Accept|0d 0a|Pragma|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; reference:md5,e31a96ce2760c27a4f1cf83a0b5da83b; reference:url,twitter.com/malwrhunterteam/status/1425771461499920385; classtype:trojan-activity; sid:2034474; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; threshold: type both, track by_src, count 15, seconds 30; http.referer; content:"/slowhttptest/"; fast_pattern; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:6; metadata:created_at 2012_01_09, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WIN-"; startswith; content:"/source.jng"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,5aba4f68dcb7107f921d12410b62b538; reference:url,twitter.com/h2jazi/status/1457759124037439491; classtype:trojan-activity; sid:2034475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M1"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022848; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Associated Activity (GET)"; flow:established,to_server; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Power Off"; bsize:9; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/spike-danabot-malware-activity; classtype:trojan-activity; sid:2034471; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M2"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 22 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022849; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33;  reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".pdf/?"; fast_pattern; pcre:"/\.pdf\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023912; rev:4; metadata:created_at 2016_06_09, former_category MALWARE, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET 26800 (msg:"ET MALWARE ABCbot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; bsize:11; http.header_names; content:!"Referer"; http.connection; content:"close"; http.content_type; content:"application/x-www-form-url encoded"; http.request_body; content:"OS|3a 20|"; startswith; content:"CPU:"; distance:0; content:"os-name:"; fast_pattern; distance:0; content:"lanip:"; distance:0;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034483; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".zip/?"; fast_pattern; pcre:"/\.zip\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023913; rev:4; metadata:created_at 2016_06_09, former_category MALWARE, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; content:!"twitter.com"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".htm/?"; fast_pattern; pcre:"/\.htm\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023914; rev:4; metadata:created_at 2016_06_09, former_category MALWARE, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"tmp"; distance:0; content:"wget"; distance:0;  reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:1; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".xml/?"; fast_pattern; pcre:"/\.xml\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023915; rev:4; metadata:created_at 2016_06_09, former_category MALWARE, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase;  reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:1; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-score.com"; flow:established,to_server; http.host; content:"ip-score.com"; fast_pattern; bsize:12; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2022892; rev:4; metadata:created_at 2016_06_13, former_category POLICY, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (stop)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73746f707d1|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034479; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header; content:"Range"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022895; rev:4; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (syn)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73796e|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034484; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRatReporter check-in"; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php?filename="; fast_pattern; http.header; content:"Accept: */*"; http.accept_enc; content:"utf-8"; bsize:5; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022903; rev:4; metadata:created_at 2016_06_15, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (dns)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"646e73|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034485; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Continuum Arbitrary Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/saveInstallation.action"; fast_pattern; http.request_body; content:"&installation.varValue="; content:"|25|60"; classtype:attempted-user; sid:2022912; rev:4; metadata:created_at 2016_06_22, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (bigudp)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"626967756470|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034486; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit Connectivity Check 0 Byte POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"=http"; content:"/?"; pcre:"/\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0D 0A|"; fast_pattern; http.host; content:"google."; within:10; pcre:"/^(?:www\.)?google(?:\.[a-z]{2,3})+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used; classtype:targeted-activity; sid:2021506; rev:6; metadata:created_at 2015_07_22, former_category MALWARE, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri";  reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:1; metadata:created_at 2021_11_17, cve CVE_2017_18362, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SFG Client Information POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".log"; pcre:"/\.log$/"; http.host; content:"nullptr"; fast_pattern; bsize:7; reference:url,sentinelone.com/blogs/sfg-furtims-parent/; classtype:trojan-activity; sid:2022963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family Futrim, malware_family SFG, signature_severity Major, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HNAP1/"; nocase; http.header; content:"SOAPAction|3a 20 22|http|3a 2f 2f|purenetworks|2e|com|2f|HNAP1|2f|GetDeviceSettings|2f 60|"; fast_pattern; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; classtype:attempted-admin; sid:2034491; rev:2; metadata:created_at 2021_11_17, cve CVE_2015_2051, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server; http.uri; content:!".exe"; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/"; http.user_agent; content:"Microsoft BITS"; startswith; fast_pattern; http.host; content:!".microsoft.com"; endswith; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted IDSVSE IP Camera RCE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ctrl.cgi?language=ie&sntpip="; startswith; content:"uname"; distance:0; content:"telnet"; distance:0; content:"&timezone="; content:"&timezone=13&setdaylight=0&timeformat=2&tstampformat=2"; reference:url,en.0day.today/exploit/27569; classtype:attempted-admin; sid:2034480; rev:1; metadata:created_at 2021_11_17, former_category EXPLOIT, updated_at 2021_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pm.sh?"; fast_pattern; pcre:"/^\/pm\.sh\?\d+$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023034; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - XR300 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|b7 05 00|"; content:"|e0 e7 02|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034493; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dw.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, malware_family MONSOON, malware_family Tinytyphon, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - R6700V3 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|d0|j|06 00|"; content:"|81 01 00|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034494; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon Exfiltrating Docs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|MD5|22|"; content:"name=|22|fname|22|"; distance:0; content:"name=|22|compname|22|"; distance:0; content:"name=|22|uploadedfile|22 3b|"; fast_pattern; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from External Host - SUBSCRIBE/UNSUBSCRIBE"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034495; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern; classtype:social-engineering; sid:2023068; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_10_06;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from Internal Host - SUBSCRIBE/UNSUBSCRIBE"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034496; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTA Application Download"; flow:established,to_server; flowbits:set,ET.HTA.Download; http.method; content:"GET"; http.uri; content:".hta"; nocase; fast_pattern; endswith; http.host; content:!"kaspersky.com"; endswith; reference:url,www.trustedsec.com/july-2015/malicious-htas/; classtype:bad-unknown; sid:2022520; rev:6; metadata:created_at 2016_02_15, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from External Host - NOTIFY"; flow:established,to_server; http.method; content:"NOTIFY"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034497; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET MALWARE PNScan.2 Inbound Status Check - set"; flow:established,to_server; urilen:6; flowbits:set,ET.PNScan.2; flowbits:noalert; http.uri; content:"/check"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023087; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from Internal Host - NOTIFY"; flow:established,to_server; http.method; content:"NOTIFY"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034498; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-alert http $HOME_NET 9000 -> $EXTERNAL_NET any (msg:"ET MALWARE PNScan.2 Inbound Status Check Response"; flow:established,from_server; flowbits:isset,ET.PNScan.2; http.header; content:"Content-Length|3a 20|12|0d 0a|"; file.data; content:"{|22|status|22 3a|1}"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023088; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"Set|20|"; nocase; fast_pattern; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"Chr|28|"; nocase; pcre:"/^\d+(\+|\-|\\|\*)\d+/R"; classtype:bad-unknown; sid:2034499; rev:1; metadata:created_at 2021_11_18, former_category ATTACK_RESPONSE, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:attempted-admin; sid:2030964; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Unattributed WebShell Access - File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"exec_code=put"; fast_pattern; content:"delimiter="; content:"dst="; reference:url,thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/; classtype:attempted-admin; sid:2034500; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:web-application-attack; sid:2030965; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Unattributed WebShell Access - Command Execution"; flow:established,to_server; http.uri; content:"exec_code=put"; fast_pattern; content:"delimiter="; content:!"dst="; reference:url,thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/; classtype:attempted-admin; sid:2034501; rev:1; metadata:created_at 2021_11_18, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Google Adwords Conversion not from Google"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pagead/conversion_async.js"; endswith; fast_pattern; http.host; content:!"googleadservices.com"; content:!"doubleclick.net"; content:!"google.com"; classtype:bad-unknown; sid:2030980; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2020_10_06;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/AbcBot CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; fast_pattern; http.request_body; content:"OS|3a|"; content:"CPU|3a|"; distance:0; content:"os-name|3a|"; distance:0; content:"lanip|3a|"; distance:0; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:command-and-control; sid:2034502; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, malware_family AbcBot, updated_at 2021_11_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Card Skimmer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".tags-manager.com"; endswith; fast_pattern; reference:url,blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-credit-card-form-to-steal-sensitive-data.html; classtype:domain-c2; sid:2031205; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_10_06;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/AbcBot Requesting Commands from CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/getlist"; fast_pattern; http.content_len; content:"1"; bsize:1; http.request_body; content:"1"; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:command-and-control; sid:2034503; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, malware_family AbcBot, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer JavaScript Inbound"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"var SendFlag = []|3b 0a|function Base64Function(e) {|0d|"; startswith; fast_pattern; content:"|0a|function SendData(vals){|0a|"; distance:0; content:"var b = document.createElement|28 22|img|22 29 3b|b.width = |22|1px|22 3b|b.height = |22|1px|22 3b 20|b.id = img_id|3b|b.src = atob|28 22|"; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Bash Script Inbound - Kill Coin Mining Related Processes"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|0d 0a|ps|20|aux"; fast_pattern; pcre:"/^[^\r\n]+(?:mine\.moneropool|xmr\.crypto-pool|monerohash)[^\r\n]+kill\x20\-9/R"; content:"kill|20|-9"; classtype:bad-unknown; sid:2034504; rev:1; metadata:created_at 2021_11_18, former_category ATTACK_RESPONSE, updated_at 2021_11_18;)
 
-alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:13; metadata:created_at 2012_05_03, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA408 Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?query=5 HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:!"Referer"; reference:url,twitter.com/AhnLab_SecuInfo/status/1460101266760089600; reference:md5,e521c68ac280c00b0e27cbd2fed4c9c4; classtype:trojan-activity; sid:2034511; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_18, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2021_11_18;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:10; metadata:created_at 2012_05_03, updated_at 2020_10_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; fast_pattern; content:"&p1="; distance:1; within:4; pcre:"/\.php\?m=[abcdefgh]&p1=[a-f0-9]{16}$/"; http.user_agent; content:"Android"; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; reference:url,twitter.com/AhnLab_SecuInfo/status/1460101266760089600; reference:md5,e7caf25de7ce463a6f22ecb8689389ad; classtype:trojan-activity; sid:2034512; rev:1; metadata:attack_target Mobile_Client, created_at 2021_11_18, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Kimsuky, updated_at 2022_04_18, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:10; metadata:created_at 2012_05_03, updated_at 2020_10_06;)
+alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:3; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:17; metadata:created_at 2010_07_30, updated_at 2021_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=z55gc.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_10_07, former_category MALWARE, malware_family BazaLoader, tag SSL_Malicious_Cert, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Burp Collaborator Domain in DNS Query"; dns_query; content:".burpcollaborator.net"; nocase; endswith; classtype:policy-violation; sid:2034505; rev:1; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2021_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Reporting Adfraud Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/data"; fast_pattern; pcre:"/\.php\/data$/"; http.request_body; content:"http|3a 2f 2f|"; offset:20; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cdfb7e5544c9aa49c17217fdfe04e854; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023293; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Burp Collaborator Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=*.burpcollaborator.net"; nocase; classtype:policy-violation; sid:2034507; rev:1; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot URI Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/catalog/"; fast_pattern; pcre:"/\/catalog\/\d{3,}$/"; http.header; content:!"nap.edu|0d 0a|"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:5; metadata:created_at 2014_10_17, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"0x%5B%5D=androxgh0st"; nocase; fast_pattern; reference:url,thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/; classtype:attempted-recon; sid:2034508; rev:1; metadata:created_at 2021_11_18, former_category SCAN, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Anuna PHP Backdoor Attempt"; flow:established,to_server; flowbits:set,ET.Anuna.Backdoor; http.uri; content:".php?cookie=1"; fast_pattern; pcre:"/\.php\?cookie=1$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023305; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"_vti_bin"; content:"/webpartpages.asmx"; endswith; http.request_body; content:"<?xml"; content:"System.Diagnostics.Process.Start"; fast_pattern; reference:url,dl.packetstormsecurity.net/2003-exploits/sharepoint_workflows_xoml.rb.txt; reference:cve,2020-0646; classtype:attempted-admin; sid:2034509; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_0646, former_category EXPLOIT, updated_at 2021_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Aerial Keylogger DNS Request"; dns.query; content:"aerial-keylogger.com"; nocase; endswith; classtype:trojan-activity; sid:2030983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-1147)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"__SUGGESTIONSCACHE__"; fast_pattern; content:"<DataSet"; nocase; distance:0; content:"System.Data.Services.Internal.ExpandedWrapper"; nocase; distance:0; reference:url,srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html; reference:cve,2020-1147; classtype:attempted-admin; sid:2034510; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_1147, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Checkin"; flow:established,to_server; flowbits:set,et.citadel; http.method; content:"POST"; http.uri; content:"/file.php"; fast_pattern; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/"; http.header; content:"Content-Length|3a 20|128|0d 0a|"; nocase; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; depth:25; http.header_names; content:!"Referer"; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018598; rev:5; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Pdf.exe Observed in Zeus/Luminosity Link"; flow:established,to_server; http.uri; content:"/pdf.exe"; fast_pattern; classtype:trojan-activity; sid:2018080; rev:6; metadata:created_at 2014_02_05, former_category MALWARE, updated_at 2020_10_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Burp Collaborator Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".burpcollaborator.net"; endswith; fast_pattern; classtype:policy-violation; sid:2034506; rev:2; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20 70 6f 73 74 5f 65 78 61 6d 70 6c 65|"; fast_pattern; http.request_body; content:"=0x"; content:"|2c|0x"; distance:2; within:5; content:"|3c 62 72 3e|"; distance:0; reference:md5,ad2c80611ebc7f6d45bd3e46de38b776; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2023397; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup)"; dns_query; content:"dhjhzmy0nnbvakjjoux"; isdataat:!1,relative; reference:md5,f7dfd4eb1b1c6ba338d56761b3975618; classtype:domain-c2; sid:2034514; rev:2; metadata:created_at 2021_11_18, former_category MOBILE_MALWARE, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.science) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".science"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023454; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup) 2"; dns_query; content:"sharkedtest1.xyz"; isdataat:!1,relative; reference:md5,f7dfd4eb1b1c6ba338d56761b3975618; classtype:trojan-activity; sid:2034515; rev:2; metadata:created_at 2021_11_18, updated_at 2021_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.top) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".top"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023455; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:!"&"; content:"=ey"; depth:13; fast_pattern; pcre:"/^[IJKL].*(?:PT0iLC|09Iiwi|9PSIsI)[a-zA-Z0-9+\/]+(?:PT0iLC|09Iiwi|9PSIsI)/R"; http.header_names; content:!"Referer"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034468; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.stream) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".stream"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023456; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kimsuky Related FTP File Download"; flow:established,to_server; content:"RETR|20|/mongo/"; fast_pattern; pcre:"/[a-z]{8}.(:?tif|gif)/Ri";  classtype:trojan-activity; sid:2034513; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_18, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.download) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".download"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023457; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9]{5,12}&a=/R"; content:"&a=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; reference:md5,a86f56aa7d6ce07b9639cf34e798b102; classtype:command-and-control; sid:2034516; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_19, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.biz) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".biz"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023459; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response M2"; flow:established,to_client; http.response_body; content:"/d/s/c"; depth:20; fast_pattern; content:"node.exe"; distance:0; content:"7C%"; distance:0; content:"7C%"; within:10; content:"ActiveXObject"; distance:0; content:"252Cunescape%25"; distance:0; content:"WScript"; within:23; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp; reference:md5,79b9a5e7b2e87ad7f99fbcd7d7d0a9ed; classtype:command-and-control; sid:2034517; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_19, deployment Perimeter, former_category MALWARE, malware_family lu0bot, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.accountant) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".accountant"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023460; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SHLAYER CnC"; flow:established,to_server; http.request_line; content:"POST http://"; fast_pattern; http.uri; content:"/l"; bsize:2; http.host; content:"api."; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; http.request_body; content:"cs="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,4d86ae25913374cfcb80a8d798b9016e; reference:url,securelist.com/shlayer-for-macos/95724/; classtype:command-and-control; sid:2030231; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.click) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".click"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023461; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound (CVE-2021-41277)"; flow:established,to_server; http.uri; content:"/api/geojson?url=file|3a 2f|"; fast_pattern; reference:url,github.com/0x0021h/expbox/blob/main/CVE-2021-41277.yaml; reference:cve,2021-41277; classtype:attempted-admin; sid:2034518; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_41277, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.link) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".link"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023462; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Delete User Configuration - xbit set 1 (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|DeleteUserConfiguration>"; xbits:set,ET.2021.42321.1,track ip_src,expire 30; noalert; reference:cve,2021-42321; classtype:attempted-admin; sid:2034519; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.win) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".win"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023463; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Create User Configuration - xbit set 2 (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|CreateUserConfiguration>"; content:"|3a|UserConfiguration>"; content:"|3a|BinaryData>"; base64_decode:offset 0, relative; base64_data; content:"|00|"; depth:10; xbits:isset,ET.2021.42321.1,track ip_src,expire 30; xbits:unset,ET.2021.42321.1,track ip_src,expire 30; xbits:set,ET.2021.42321.2,track ip_src,expire 30; noalert; reference:cve,2021-42321; classtype:attempted-admin; sid:2034520; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Tor Module Download"; flow:established,to_server; http.uri; content:"/tor/"; fast_pattern; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/i"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Server Remote Code Execution Inbound (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|GetClientAccessToken>"; content:"|3a|TokenRequests>"; xbits:isset,ET.2021.42321.2,track ip_src,expire 30; xbits:unset,ET.2021.42321.2,track ip_src,expire 30; reference:cve,2021-42321; classtype:attempted-admin; sid:2034521; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M1"; flow:to_server,established; urilen:1; content:"PP|3b 20|nhash="; fast_pattern; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|nhash="; distance:0; content:"|3b 20|chash="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023477; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Requesting Command"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand.php?id="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029180; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Moose CnC Response"; flow:from_server,established; content:"PP|3b 20|expires="; fast_pattern; http.stat_code; content:"200"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|expires="; distance:0; content:"WL="; content:"PP|3b 20|expires="; distance:0; http.content_type; content:"text/html"; startswith; file.data; content:"<html><body><h1>It works!</h1>"; nocase; depth:30; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023478; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fpui/uploadConfigServlet?fileNumber="; nocase; fast_pattern; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034530; rev:1; metadata:attack_target Server, created_at 2021_11_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?id="; fast_pattern; pcre:"/\.jpg\?id=\d+$/"; http.header; content:!"tagesschau.de"; http.user_agent; content:!"ClipOrganizer"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2021203; rev:6; metadata:created_at 2015_06_08, former_category MALWARE, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (llink .link)"; dns.query; content:"llink.link"; nocase; bsize:10; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034522; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/APT28/Sofacy Delphocy CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"as_q="; content:"as_ft="; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.welivesecurity.com/post_paper/en-route-with-sednit-part-3-a-mysterious-downloader/; classtype:targeted-activity; sid:2023486; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Sofacy, malware_family Sednit_Delphocy, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .app)"; dns.query; content:"cuturl.app"; nocase; bsize:10; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034523; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/NotifyLog"; fast_pattern; pcre:"/\/NotifyLog$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|ClientId|22 3a|"; depth:12; content:",|22|Date|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (url-tiny .co)"; dns.query; content:"url-tiny.co"; nocase; bsize:11; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034524; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Adups Firmware Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"{|22|dc_date|22 3a|"; depth:11; content:",|22|dc_type|22 3a|"; fast_pattern; content:",|22|keyword|22 3a|"; content:",|22|md5|22 3a|"; content:",|22|msg_date|22 3a|"; content:",|22|msg_type|22 3a|"; content:",|22|tell|22 3a|"; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023514; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (bitly .tel)"; dns.query; content:"bitly.tel"; nocase; bsize:9; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034525; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mida eFramework RCE Attempt Inbound (CVE-2020-15922)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipaddress0|22|"; fast_pattern; content:"|3b|"; within:6; reference:url,www.exploit-db.com/exploits/48835; reference:cve,2020-15922; classtype:attempted-admin; sid:2030989; rev:1; metadata:created_at 2020_10_07, cve CVE_2020_15922, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (instagrarn .co)"; dns.query; content:"instagrarn.co"; nocase; bsize:13; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034526; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE "; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .space)"; dns.query; content:"cuturl.space"; nocase; bsize:12; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034527; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; http.request_body; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/3"; bsize:6; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:65; reference:md5,c3c7bfb6c4f0e5c7a455ee1066893552; reference:url,blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html; classtype:trojan-activity; sid:2034528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity check"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/support/main.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,3a128a9e8668c0181d214c20898f4a00; classtype:trojan-activity; sid:2018676; rev:6; metadata:created_at 2014_07_14, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/2"; bsize:6; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:49; reference:md5,1cc3c8d9bdc43fd4f792b40fdf1333bc; reference:url,blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html; classtype:trojan-activity; sid:2034529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fwlink/?LinkId="; fast_pattern; http.header; content:!"SOAPAction|3a|"; http.user_agent; content:!"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http.host; content:"go.microsoft.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,467b786f7c645c73d5c29347d35cae11; classtype:trojan-activity; sid:2022124; rev:8; metadata:created_at 2015_11_20, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; dns.query; content:"crpt"; fast_pattern; depth:4; pcre:"/^[a-zA-Z0-9]{12}\.onion/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:5; metadata:created_at 2015_01_23, updated_at 2021_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?shinu="; fast_pattern; pcre:"/\.php\?shinu=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023570; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex CnC Request - Spam/Worm Component"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PJ3ZQWVJPYCYDCA9A6Q2Y6YA"; bsize:25; fast_pattern; classtype:command-and-control; sid:2034532; rev:1; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE User-Agent (Visbot)"; flow:to_server,established; http.user_agent; content:"Visbot"; fast_pattern; startswith; reference:url,www.bleepingcomputer.com/news/security/visbot-malware-found-on-6-691-magento-online-stores/; classtype:trojan-activity; sid:2023575; rev:4; metadata:affected_product Magento, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, malware_family Visbot, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"@"; content:"|22|,|22|"; pcre:"/^\x7b(?:\x22[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.[a-z]{2,10}\x22,){4}\x22[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.[a-z]{2,10}\x22\x7d$/"; flowbits:isset,ET.Dridex.Email.Sets.1; classtype:command-and-control; sid:2034534; rev:1; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin HTTP Pattern"; flow:to_server,established; http.method; content:"POST"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; fast_pattern; content:"www-form-urlencoded|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023577; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SideCopy Related Domain in DNS Lookup (securedesk .one)"; dns.query; content:"securedesk.one"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1460744936635224064; reference:md5,a42ea41f21e36173bb0fc268262a15ae; classtype:domain-c2; sid:2034538; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Click Fraud Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/link.txt?"; fast_pattern; pcre:"/^\/link\.txt\?[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{1,2}/"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; classtype:command-and-control; sid:2023669; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (a .pwn-t .tk)"; dns.query; content:"a.pwn-t.tk"; nocase; bsize:10; reference:url,twitter.com/TheDFIRReport/status/1463175512000368640; reference:md5,36be5b491426de64f9ac85c50f85808c; classtype:domain-c2; sid:2034539; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Braincrypt Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?uuid="; fast_pattern; pcre:"/\.php\?uuid=[a-z0-9]{32}$/i"; http.user_agent; content:"Go-http-client/"; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,6b938ca31a55e743112ab34dc540a076; classtype:command-and-control; sid:2023675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Braincrypt, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; pcre:"/^[a-z]{256}\.gif$/R"; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*l|3b|q=0.8|0d 0a|"; fast_pattern; reference:url,twitter.com/TheDFIRReport/status/1463175512000368640; reference:md5,36be5b491426de64f9ac85c50f85808c; classtype:trojan-activity; sid:2034540; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; http.uri; content:"lm="; content:"/watch/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, malware_family Fancy_Bear, signature_severity Major, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Snojan.BNQKZQH User-Agent"; flow:established,to_server; http.user_agent; content:"|29 20|leee Maxwe"; endswith; nocase; reference:md5,83d2fa0e16b39ee2280dea9d8f89aa48; classtype:command-and-control; sid:2034536; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; http.uri; content:"lm="; content:"/find/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, malware_family Fancy_Bear, signature_severity Major, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Snojan.BNQKZQH CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action="; content:"&id="; distance:0; isdataat:!18,relative; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"eyJwYXNzIjoi"; startswith; fast_pattern; reference:md5,83d2fa0e16b39ee2280dea9d8f89aa48; classtype:command-and-control; sid:2034537; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; http.uri; content:"lm="; content:"/results/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, malware_family Fancy_Bear, signature_severity Major, updated_at 2020_10_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI <= 5.6.5 Privesc (CVE-2019-15949)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; pcre:"/^[\s\x22\x27]*upload\b/Ri"; content:"name="; distance:0; pcre:"/^[\s\x22\x27]*uploadedfile\b/Ri"; content:"filename="; distance:0; pcre:"/^[\s\x22\x27]*check_ping\b/Ri"; content:"check_ping"; nocase; fast_pattern; reference:url,github.com/jakgibb/nagiosxi-root-rce-exploit/blob/master/exploit.php; reference:cve,2019-15949; classtype:attempted-admin; sid:2034535; rev:1; metadata:attack_target Server, created_at 2021_11_23, cve CVE_2019_15949, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; http.uri; content:"lm="; content:"/open/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, malware_family Fancy_Bear, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (zuppohealth .com)"; dns.query; content:"zuppohealth.com"; nocase; bsize:15; reference:url,github.com/pan-unit42/tweets/blob/master/2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt; reference:url,twitter.com/Unit42_Intel/status/1463178309160906753; classtype:domain-c2; sid:2034541; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; http.uri; content:"lm="; content:"/close/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, malware_family Fancy_Bear, signature_severity Major, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/11.0."; content:!"13"; within:2; reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html; classtype:bad-unknown; sid:2028867; rev:8; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upd.php"; fast_pattern; endswith; http.header; pcre:"/^(?:Referer\x3a[^\r\n]+\r\n)?Host\x3a[^\r\n]+[\r\n]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020503; rev:6; metadata:created_at 2015_02_23, former_category MALWARE, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 29|"; fast_pattern; endswith; http.header_names; content:!"BlueCoat"; nocase; http.host; content:!".bluecoat.com"; classtype:trojan-activity; sid:2014002; rev:12; metadata:created_at 2011_12_08, updated_at 2021_11_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI struct Oct 24 2016  (RIG-v)"; flow:established,to_server; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"q="; content:"oq="; fast_pattern; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/"; classtype:exploit-kit; sid:2023401; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/InfoTester Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"JTU3JTY5JTZFJTY0JTZGJTc3JTczJTNBJTIw"; startswith; fast_pattern; pcre:"/(?:JTBEJTBBJTBEJTBBJTREJTY1JTZEJTZGJTcyJTc5JTNBJTIw|UwRCUwQSUwRCUwQSU0RCU2NSU2RCU2RiU3MiU3OSUzQSUyM|lMEQlMEElMEQlMEElNEQlNjUlNkQlNkYlNzIlNzklM0ElMj)/R"; reference:md5,1d081e356b0593df10bcb12de2931ffa; classtype:command-and-control; sid:2034543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Strongpity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=7ea7494e71e9"; nocase; endswith; reference:md5,989af6e0bb7fa4d62815f4fdc4696b85; classtype:domain-c2; sid:2030982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family StrongPity, signature_severity Major, updated_at 2020_10_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (wordfile .live)"; dns.query; content:"wordfile.live"; nocase; bsize:13; reference:md5,5c45a038846aea315595b97b0a619f1a; reference:md5,67abe8b04f62eb55b6b880668fb8a634; reference:url,twitter.com/ShadowChasing1/status/1463498326481932289; classtype:domain-c2; sid:2034544; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"<title>DocuSign"; fast_pattern; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; classtype:social-engineering; sid:2030984; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[A-Za-z0-9]{16}\/[A-Za-z0-9]{16}\.php$/"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:59; fast_pattern; reference:md5,5c45a038846aea315595b97b0a619f1a; reference:url,twitter.com/ShadowChasing1/status/1463498326481932289; reference:md5,67abe8b04f62eb55b6b880668fb8a634; classtype:trojan-activity; sid:2034545; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Moderate, signature_severity Major, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">PASSW0RD <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030985; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Dotted Quad CnC Request (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; pcre:"/^[A-Z0-9]{15,40}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d+)?$/"; flowbits:set,ET.Dridex.Email.Sets.1; flowbits:noalert; classtype:command-and-control; sid:2034533; rev:2; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">Password   <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; content:">Confirm Password  <span class=|22|form-required|22|>*</span></label>"; distance:0; classtype:social-engineering; sid:2030986; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex CnC Request - Spam/Worm Component"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG"; bsize:38; fast_pattern; classtype:command-and-control; sid:2034542; rev:1; metadata:created_at 2021_11_24, former_category MALWARE, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">P a s s <span class=|22|form-not-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030987; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9]{9,12}\/x\.html$/"; http.request_line; content:"/x.html HTTP/1.1"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; startswith; content:!"Referer"; reference:md5,d868b389f2f824a32367767a17b397b8; reference:url,www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html; classtype:trojan-activity; sid:2034546; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_11_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Second Stage VBS Downloader with URL Padding"; flow:established,to_server; http.uri; content:".exe???????????????"; nocase; fast_pattern; pcre:"/\.exe\?+$/i"; http.user_agent; content:"WinHttp.WinHttpRequest."; reference:md5,57ce6f966c6b441fe82a211647c6e863; classtype:trojan-activity; sid:2023739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Bobik CnC Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?key="; http.user_agent; content:"test-upload"; bsize:11; fast_pattern; http.request_body; content:"lang="; startswith; content:"&image=iVBORw"; distance:0; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:command-and-control; sid:2034547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SideStep User-Agent"; flow: to_server,established; http.user_agent; content:"SideStep"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; classtype:misc-activity; sid:2002078; rev:32; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt"; flow:to_server,established; http.uri; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:attempted-user; sid:2023756; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (checkauj .com)"; dns.query; content:"checkauj.com"; nocase; bsize:12; reference:md5,ab3a744545a12ba2f6789e94b789666a; reference:url,thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/; classtype:domain-c2; sid:2034551; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; http.method; content:"POST"; nocase; http.header; content:!".bitdefender.net|0d 0a|"; http.request_body; content:"id="; nocase; content:"&cn="; nocase; content:"&bid="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,doc.emergingthreats.net/2010875; classtype:command-and-control; sid:2010875; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Images"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; pcre:"/\.(?:jpe?g|png|svg)$/"; classtype:credential-theft; sid:2034553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; http.header; content:"Font_Update.exe"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/mi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:social-engineering; sid:2023817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VNCStartServer BOT Variant CnC Beacon"; flow:established,to_server; dsize:<100; content:"|00 00 00 19 00 00 00|"; offset:1; depth:7; content:"|01 00 00|"; distance:1; within:3; content:"BOT-"; distance:1; within:7; fast_pattern; content:"|00|"; endswith; reference:md5,d66956e0ee70a60e19a4f310339d28a9; classtype:command-and-control; sid:2035524; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Evil Download wsf Double Ext No Referer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".wsf"; nocase; fast_pattern; pcre:"/\/[^\x2f]+\.[^\x2f]+\.wsf$/i"; http.header; content:!"User-Agent|3a 20 2a|"; classtype:trojan-activity; sid:2022271; rev:5; metadata:created_at 2015_12_17, former_category INFO, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Resources"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; pcre:"/\.(?:css|ttf|woff2?|js)$/"; classtype:credential-theft; sid:2034554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x32)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X32.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Redirect"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:"/redirect-to-url.php?key="; distance:0; classtype:credential-theft; sid:2034555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X64.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY owncloud .online Hosted Site Observed in TLS SNI"; flow:established,to_server; tls.sni; content:".owncloud.online"; endswith; reference:url,tria.ge/210809-35bb7j7tne/behavioral2; classtype:trojan-activity; sid:2034549; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?f="; fast_pattern; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Owncloud Observed Self Signed TLS Certificate"; flow:established,to_client; tls.cert_subject; content:"CN=owncloud"; nocase; tls.cert_issuer; content:"CN=owncloud"; classtype:policy-violation; sid:2034550; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tonto_SPM Backdoor CnC Activity"; flow:to_server,established; http.uri; content:"spm=xx{}:>*()_!"; endswith; classtype:trojan-activity; sid:2030990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, signature_severity Major, updated_at 2020_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING BulletProofLink Phishkit Template"; flow:established,to_client; file_data; content:"<html><head></head><body><template id="; startswith; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}a-f0-9]{12}/R"; classtype:credential-theft; sid:2034556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Variant CnC Beacon via WebDAV"; flow:established,to_server; http.uri; content:"/catalog/outgoing"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV-MiniRedir/"; startswith; reference:md5,f3459924f8b657359cb0bd0984a1d0fa; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)"; dns.query; dotprefix; content:".trycloudflare.com"; nocase; endswith; classtype:bad-unknown; sid:2034552; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"&method="; fast_pattern; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:command-and-control; sid:2023933; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_02_16, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity Sending Windows Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php?"; startswith; content:"=C|3a 5c|Program"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.request_body; content:"v="; startswith; content:"|20|svchost.exe|20|"; content:"&r="; reference:md5,40de99fb06e52e3364f2cd70f100ff71; reference:url,twitter.com/h2jazi/status/1465402736996933640; classtype:trojan-activity; sid:2034560; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/functions.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"apslst="; depth:7; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (hello)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=hello"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH Retrieving Malicious PowerShell"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/pro.bat"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,97454efcab28e64ac5400e63780af764; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/; classtype:trojan-activity; sid:2023948; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (command)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=command"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - Evil Twitter Callback"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/api/asyncTwitter.php"; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (result)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=result"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant Fake Request to Google"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/\?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.host; content:"google.com"; bsize:10; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023917; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (file)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=file"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Chinotto, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (tinytools.nu)"; flow:established,to_server; http.uri; content:"/MyIPAddress/"; nocase; http.host; content:"www.tinytools.nu"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2023520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_08;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server SSRF (CVE-2021-40438)"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/?unix|3a|"; nocase; fast_pattern; content:"|7c|http"; reference:cve,2021-40438; classtype:attempted-admin; sid:2034566; rev:2; metadata:attack_target Server, created_at 2021_11_30, cve CVE_2021_40438, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; http.uri; content:"/i_info_proxy.php?cmd="; fast_pattern; content:"&data="; http.uri.raw; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/"; http.header; content:"|3b 20|iPhone|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.DarkVNC Variant Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|4a 01 4f 97 00 1c 84 df cd 3f 1f eb 14 28 b1 ba fa 0e 7e de 22 e0 33 cb a5 8c 23 75 ea e4 e4 3e|"; startswith; fast_pattern; reference:md5,1e081d3f09f24a81194327628a25c214; reference:url,www.malware-traffic-analysis.net/2021/11/05/index.html; classtype:command-and-control; sid:2034557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; http.host; content:"check.torproject.org"; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017927; rev:5; metadata:created_at 2014_01_03, updated_at 2020_10_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stanculinaryblog .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"stanculinaryblog.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2034558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; http.uri; content:".php?cn"; content:"&str="; fast_pattern; content:"&file="; pcre:"/\.php\?cn(ame)?=/"; http.user_agent; content:"WinInetGet/"; depth:11; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016912; rev:7; metadata:created_at 2012_12_12, former_category MALWARE, updated_at 2020_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5938,!1935,!3265,!2394,!1514] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; stream_size:server,<,5; dsize:>11; content:"|00 00|"; offset:2; depth:2; content:!"|00 00|"; depth:2; content:"|9c 4b|"; offset:8; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -9; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,edc84c505d101301459dafab296fb743; classtype:command-and-control; sid:2023349; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Major, tag Gh0st, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mutter Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.aspx?i="; fast_pattern; http.header; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/i"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:command-and-control; sid:2016773; rev:5; metadata:created_at 2013_04_18, former_category MALWARE, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NetSupport GeoLocation Lookup Request"; flow:established,to_server; http.request_line; content:"GET /location/loca.asp"; startswith; http.host; content:"geo.netsupportsoftware.com"; bsize:26; reference:md5,f76954b68cc390f8009f1a052283a740; classtype:policy-violation; sid:2034559; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; http.header; content:"hotfile.com|0d 0a|"; fast_pattern; classtype:policy-violation; sid:2015015; rev:4; metadata:created_at 2012_07_03, former_category POLICY, updated_at 2020_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to Commonly Abused Preview Domain (preview-domain .com)"; dns.query; dotprefix; content:".preview-domain.com"; nocase; endswith; classtype:bad-unknown; sid:2034561; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/user/login"; http.request_body; content:"username"; content:"SelectQuery"; fast_pattern; http.content_type; content:"application/vnd.php.serialized"; bsize:30; reference:url,www.ambionics.io/blog/drupal-services-module-rce; classtype:web-application-attack; sid:2024039; rev:4; metadata:affected_product Drupal_Server, attack_target Server, created_at 2017_03_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Request)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"update.php?id="; fast_pattern; pcre:"/^[0-9]{9}/R"; content:"&stat="; pcre:"/^[0-9a-zA-Z]{32}/R"; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:!"Referer|0d 0a|";  reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; http.header; content:"Content-Disposition|3a|"; nocase; content:"|43 68 72 ce bf 6d 65|"; nocase; fast_pattern; content:"|66 ce bf 6e 74|"; nocase; content:"|2e 65 78 65|"; nocase; file.data; content:"MZ"; within:2; classtype:social-engineering; sid:2024040; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"curl/"; nocase; startswith;  reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:6; metadata:created_at 2011_06_14, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:exploit-kit; sid:2024055; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family terror_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING curl User-Agent to Dotted Quad"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; nocase; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2034567; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; fast_pattern; pcre:"/\.php\?file=(?:64|86)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024064; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, malware_family MagikPOS, performance_impact Low, signature_severity Major, tag POS, updated_at 2020_10_08;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Edgewater Networks Edgemarc Blind Command Injection Attempt (CVE-2017-6079)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config?page=50&form=mainForm"; nocase; fast_pattern; reference:url,github.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/blob/master/CVE-2017-6079.py; reference:cve,2017-6079; classtype:attempted-admin; sid:2034575; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_12_01, cve CVE_2017_6079, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/?act=in"; fast_pattern; pcre:"/\/api\/\?act=in$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, performance_impact Low, signature_severity Major, tag POS, updated_at 2020_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart Exfil Domain in DNS Lookup (convert-server .com)"; dns.query; content:"convert-server.com"; nocase; bsize:18; reference:url,twitter.com/rootprivilege/status/1465763408901337092; classtype:trojan-activity; sid:2034568; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (slimip .accesscam .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"slimip.accesscam.org"; bsize:20; fast_pattern; reference:url,blog.talosintelligence.com/2020/10/poetrat-update.html; classtype:domain-c2; sid:2030991; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder APT Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.rtf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,e096b33467e6018944c05fb6e4bb03a0; reference:url,twitter.com/ShadowChasing1/status/1466001768765018116; classtype:trojan-activity; sid:2034569; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Directory Listting"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; startswith; content:"&usid="; distance:0; fast_pattern; content:"&part="; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (ny .silvergatehr .com)"; dns.query; content:"ny.silvergatehr.com"; nocase; bsize:19; reference:md5,69c9881a6b7b89a648074328292da7e8; reference:md5,84dd7ccb69d0010c97c1fc336650d5e2; reference:url,twitter.com/ShadowChasing1/status/1465998020734898176; classtype:domain-c2; sid:2034570; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; http.uri; content:"/search?hl="; content:"q="; content:"meta="; fast_pattern; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/"; http.host; content:!"sogou.com"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_28, deployment Perimeter, former_category TROJAN, malware_family HIMAN, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/September/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,3182b68be6c01537d466415d4eda7933; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034571; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd="; content:"version="; content:"quality="; fast_pattern; content:"av="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2018580; rev:7; metadata:created_at 2014_06_18, former_category MALWARE, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sequence/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6cc602c79e906a64af6c30581ca77906; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034572; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino CC dump"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dumpgrab="; fast_pattern; content:"track_type="; content:"track_data="; content:"process_name="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:5; metadata:created_at 2015_01_05, former_category TROJAN, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|21|lexec|3b|http"; startswith; fast_pattern; content:"|2e|exe"; endswith;  reference:md5,fbfd9afac42ae8e86193a8e4be085eaf; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034574; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; http.uri; content:"/getTask.php?"; fast_pattern; nocase; content:"imei="; content:"balance="; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017587; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Windows-AzureAD-Authentication-Provider/"; startswith; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034467; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_12_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mang.bbk"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Moderate, signature_severity Major, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for .txt - Likely Hostile"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; bsize:6; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2034581; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download"; flow:established,to_server; http.uri; content:"e=cve"; fast_pattern; pcre:"/[&?]e=cve\d{8}(?:&|$)/"; pcre:"/=[a-f0-9]{32,}(?:&|$)/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2024180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Code Execution"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; fast_pattern; startswith; content:"&curpath=/&currentsetting.htm=1"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2034576; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2021_12_02, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/sdk_api.php?id="; fast_pattern; content:"&type="; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, signature_severity Major, tag Android, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"document.getelementbyid|28|"; nocase; content:".scroll"; nocase; fast_pattern; content:"Set"; nocase; pcre:"/^\s*(?P<obj>[\w\-]{1,20})\s*=\s*document\.getElementById\(.{1,500}Class\s*(?P<class>[\w\-]{1,20}).{1,500}End\s*Class.{1,500}set\s*(?P=obj)\.scroll((Left|Top)(Max)?|Height|Width)\s*=\s*New\s*(?P=class)/Rsi"; reference:cve,2019-0752; classtype:attempted-user; sid:2034578; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, cve CVE_2019_0752, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, tag Exploit, updated_at 2021_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy Request Outbound"; flow:established,to_server; http.uri; content:"/?"; content:"&ai="; fast_pattern; content:!"&adurl="; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/"; http.user_agent; content:"Windows NT"; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2019545; rev:1238; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Agent.NL Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getconfig.php?r="; fast_pattern; pcre:"/^[0-9]+$/R"; http.content_type; content:"application/json"; bsize:16; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|7b 22|data|22 3a 22|"; startswith; content:!"|3a|"; distance:0; reference:md5,d37bb6fc88cd71f86a3d4211a064d80b; classtype:command-and-control; sid:2034580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; http.content_type; content:"application/hta"; nocase; endswith; fast_pattern; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Communicating with CnC Server"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"p="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9%+\/]{4,6})*(?:[A-Za-z0-9%+\/]{2}==|[A-Za-z0-9%+\/]{3}=|[A-Za-z0-9%+\/]{4})$/R"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,274ff72c29b0711d01254c95770ca193; classtype:command-and-control; sid:2034579; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2021_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Betabot Checkin 5"; flow:established,to_server; http.uri; content:"/order.php"; fast_pattern; pcre:"/\.php$/"; http.request_body; pcre:"/(?:^|=)[A-F0-9]{70,}(?:$|&)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_09;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"&newid="; content:"?pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034008; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Unknown Possibly Ransomware (Dropped by RIG) CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Accept|3a 20|*|0d 0a|"; fast_pattern; http.request_body; content:"|0a|"; offset:64; depth:1; pcre:"/^[A-Za-z0-9+/]{64}\x0a/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:md5,26b21902548e3b821387c90d729bace6; classtype:command-and-control; sid:2024233; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_21, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_09;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"?path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034010; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Abnormal HTTP Headers high likelihood of Poweliks infection"; flow:established,to_server; http.method; content:"GET"; http.header; content:"builddate|3a 20|"; fast_pattern; content:"version|3a 20|"; content:"id|3a 20|"; classtype:trojan-activity; sid:2019606; rev:6; metadata:created_at 2014_10_30, former_category TROJAN, updated_at 2020_10_09;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"&path="; content:"?context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034011; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; http.host; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024298; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Low, signature_severity Critical, tag Ransomware, updated_at 2020_10_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter Unauthorized File Read Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=file|3a|"; classtype:attempted-admin; sid:2034582; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; reference:url,lucysecurity.com/; classtype:web-application-attack; sid:2030992; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter SSRF Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=http"; classtype:attempted-admin; sid:2034583; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; classtype:web-application-attack; sid:2030993; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; classtype:trojan-activity; sid:2035803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; http.host; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Low, signature_severity Critical, tag Ransomware, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hancitor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; http.request_body; content:"DATA="; startswith; base64_decode:bytes 156, relative; base64_data; content:"GUID="; content:"&BUILD="; distance:20; content:"&INFO="; distance:0; fast_pattern; content:"&EXT="; distance:0; content:"&IP="; distance:0; content:"&TYPE="; distance:0; content:"&WIN="; distance:0; reference:md5,655d778bd44bf0c6660f92f69e48fd64; reference:url,twitter.com/Jane_0stin/status/1467804081708318722; reference:url,app.any.run/tasks/ca223281-a12f-4f03-b0f7-d152747baefb/; classtype:trojan-activity; sid:2034585; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family Hancitor, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest/Vawtrak Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/viewforum.php?f="; fast_pattern; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/"; http.content_type; content:"application/octet-stream"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:5; metadata:created_at 2014_06_06, former_category CURRENT_EVENTS, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WIN32/KOVTER.B Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"DoPost"; nocase; http.host; content:!".foxitservice.com"; http.content_len; byte_test:0,<,1000,0,string,dec; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:command-and-control; sid:2020181; rev:11; metadata:created_at 2015_01_15, former_category MALWARE, performance_impact Significant, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:to_server,established; http.uri; content:".php?"; content:"option="; content:"view="; content:"layout="; content:"&list[fullordering]="; fast_pattern; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/i"; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:5; metadata:affected_product Joomla, attack_target Web_Server, created_at 2017_06_01, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA505 P2P CnC Checkin"; flow:established,to_server; http.uri; content:"/c/p1/dnsc.php?n="; fast_pattern; reference:url,research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/; classtype:command-and-control; sid:2034584; rev:1; metadata:created_at 2021_12_06, former_category TROJAN, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017"; flow:established,to_server; http.uri; content:"/d/"; content:"/?q=r4&"; fast_pattern; pcre:"/\&e=(?:cve|flash)/i"; classtype:exploit-kit; sid:2024344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afrepublic .xyz)"; dns.query; content:"afrepublic.xyz"; nocase; bsize:14; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034586; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; http.uri; content:".hta"; nocase; fast_pattern; http.user_agent; content:"Microsoft Office"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (newsroom247 .xyz)"; dns.query; content:"newsroom247.xyz"; nocase; bsize:15; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034587; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Madness Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mk="; fast_pattern; content:"&rs="; content:"&rq="; content:"&ver="; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-zA-Z]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,f1ed53c4665d2893fd116a5b0297fc68; classtype:command-and-control; sid:2018028; rev:6; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afghannewsnetwork .com)"; dns.query; content:"afghannewsnetwork.com"; nocase; bsize:21; reference:md5,e9647fa7c1b4a2403b32689298fdee53; reference:md5,99dc4221019a3892c612356d8e9b6ef1; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034588; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; http.uri; content:"/inj/injek-1.php?id="; fast_pattern; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:command-and-control; sid:2024426; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_06_26, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (republicofaf .xyz)"; dns.query; content:"republicofaf.xyz"; nocase; bsize:16; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034589; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup whoer.net"; flow:established,to_server; http.host; content:"whoer.net"; fast_pattern; bsize:9; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021195; rev:5; metadata:created_at 2015_06_08, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM (TA421) EnvyScout Fingerprint Checkin"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|7b 22|io|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|tu|22 3a 22|"; distance:0; content:"|22 2c 22|sd|22 3a 22|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:command-and-control; sid:2033052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family EnvyScout, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M1"; flow:established,to_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.uri; content:".sct"; nocase; fast_pattern; endswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".doggroomingnews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"text/scriptlet"; nocase; fast_pattern; startswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cityloss.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034603; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; content:"Content-Disposition|3a 20|"; nocase; content:".sct"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]*\.sct[\x22\x27\s\r\n]/mi"; classtype:trojan-activity; sid:2024552; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_11_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ideasofbusiness.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_bkid="; content:"_bkpass="; fast_pattern; content:"_accn="; classtype:credential-theft; sid:2019784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".trendignews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034605; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014 "; flow:established,to_server; http.request_body; content:"_fulln="; fast_pattern; content:"_ccn="; content:"_ccv="; classtype:credential-theft; sid:2019783; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".giftbox4u.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034606; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fn="; content:"_ln="; content:"_birthd="; fast_pattern; classtype:credential-theft; sid:2019782; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".rchosts.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/HTA Downloader Behavior M3"; flow:to_server,established; http.uri; content:".php?cmd=p&id="; fast_pattern; content:"&rnd="; pcre:"/\.php\?cmd=p&id=\w+.*?&rnd=[\x2e\d]+$/i"; http.header_names; content:!"Referer"; reference:md5,d3abaa6736d7d549eca8644c67e9fcfe; classtype:trojan-activity; sid:2023485; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_07, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".businesssalaries.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba Checkin 4"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|157"; nocase; fast_pattern; http.request_body; content:"|00 80 00 00 00|"; offset:24; depth:5; http.header_names; content:!"Content-Type"; nocase; content:!"Accept"; nocase; content:!"Referer:"; nocase; content:!"User-Agent|0d 0a|"; nocase; reference:md5,ade4d8f0447dac5a8edd14c3d44f410d; classtype:command-and-control; sid:2024659; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family Tinba, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stonecrestnews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Andromeda File Request"; flow:established,to_server; http.uri; content:"myguy"; fast_pattern; pcre:"/myguy\.(?:xls(?:\.hta)?|exe)$/"; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference:cve,2017-0199; classtype:trojan-activity; sid:2024490; rev:5; metadata:created_at 2017_07_21, former_category TROJAN, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dailydews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; http.header; content:"User-Agent|3a|Mozilla"; nocase; fast_pattern; content:!"BlackBerry|3b|"; content:!"PlayBook|3b|"; content:!"Konfabulator"; content:!"masterconn.qq.com"; content:!"QQPCMgr"; classtype:trojan-activity; sid:2011800; rev:12; metadata:created_at 2010_10_12, former_category POLICY, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".newminigolf.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034611; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RelevantKnowledge Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&os="; content:"&osmajorver="; distance:0; content:"&osminorver="; distance:0; content:"&osmajorsp="; distance:0; content:"&lang="; distance:0; content:"&country="; distance:0; content:"&ossname="; distance:0; content:"&brand="; distance:0; content:"&bits="; distance:0; http.header; content:"X-OSSProxy|3a|"; fast_pattern; reference:md5,d93b888e08693119a1b0dd3983b8d1ec; classtype:command-and-control; sid:2018174; rev:6; metadata:created_at 2014_02_25, former_category INFO, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".celebsinformation.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan User-Agent (FileNolja)"; flow:established,to_server; http.user_agent; content:"FileNolja"; nocase; fast_pattern; classtype:trojan-activity; sid:2013376; rev:5; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".newstepsco.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; http.request_body; content:"=OIMINTERNAL"; fast_pattern; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:4; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, created_at 2017_11_01, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stockmarketon.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:10; http.uri; content:"/top2.html"; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015478; rev:5; metadata:created_at 2012_07_16, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".tacomanewspaper.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Book of Eli CnC Checkin "; flow:to_server,established; http.method; content:"POST"; nocase; http.header; content:"CharSet|3a 20|windows-1256|0d 0a|"; http.request_body; content:"id_serial="; depth:10; content:"&id_cpu="; content:"&go_and_fuck_this_life="; content:"&system__="; fast_pattern; content:"&hard_id="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,blog.eset.ie/2016/09/22/malware-in-libya-book-of-eli-african-targeted-attacks/; reference:md5,25e5744979b365dc58cce23d377b3835; reference:md5,d22857cebad4200c3b1e8ec17836b451; reference:url,www.virustotal.com/en/file/faa20341f7a7277114f5c61e5013b9871ab2b0356f383b6798013ce333a30ae5/analysis/; classtype:command-and-control; sid:2023254; rev:6; metadata:created_at 2013_05_16, former_category MALWARE, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".alifemap.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Invoice EXE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/invoice"; nocase; fast_pattern; pcre:"/\/invoice[^a-z\/]*?\.(?:exe|zip|7z|rar|com|vbs|ps1)$/i"; reference:md5,bdf12366779ce94178c2d1e495565d2b; classtype:trojan-activity; sid:2019158; rev:7; metadata:created_at 2014_09_11, former_category TROJAN, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".myexpertforum.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034617; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024808; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".teachingdrive.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024809; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hanproud.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024810; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".enpport.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024811; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cbdnewsandreviews.net"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034621; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024812; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ANTa|00 00|"; fast_pattern; pcre:"/[^\r\n]*\x5c(?:n|c)[^\r\n]{0,100}[\x60\x24]/Ri"; reference:url,blogs.blogs.blackberry.com/en/2021/06/from-fix-to-exploit-arbitrary-code-execution-for-cve-2021-22204-in-exiftool; classtype:attempted-admin; sid:2034626; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_07, cve CVE_2021_22204, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024813; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stonecrestnews.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034622; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/updateserver"; fast_pattern; http.user_agent; content:"MSFX/"; depth:5; http.header_names; content:!"Referer"; classtype:misc-activity; sid:2020475; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_02_18, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".nordicmademedia.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_07;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"_v="; content:"deleteid="; http.method; content:"POST"; http.uri; content:"/centralbackup.php?"; fast_pattern; classtype:trojan-activity; sid:2017060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_06_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".theandersonco.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kazy Checkin"; flow:established,to_server; urilen:65; http.uri; content:"AAA=="; endswith; fast_pattern; pcre:"/\/[\x2f\x2bA-Za-z0-9]{59}AAA==$/"; http.host; content:!"mvds1.org"; classtype:command-and-control; sid:2018401; rev:5; metadata:created_at 2014_04_18, former_category MALWARE, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".tomasubiera.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034625; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; http.uri; content:"/proxy.cgi?chk&url="; fast_pattern; classtype:attempted-user; sid:2025223; rev:3; metadata:attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Anatsa Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/update"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"|3b 20|Android|20|"; http.header_names; content:!"Referer|3a 20|"; http.request_body; content:"{|22|hwid|22 3a|"; depth:8; content:",|22|phone_name|22 3a|"; content:",|22|update_installed|22 3a|"; reference:md5,4a01cad9af92247b828478d5e1b3e00d; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034591; rev:2; metadata:attack_target Mobile_Client, created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; http.uri; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"Enable_DNSFollowing=1"; classtype:attempted-user; sid:2025222; rev:4; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in DNS Lookup)"; dns_query; content:"protectionguardapp.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034592; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"lm="; content:"/search/?"; fast_pattern; content:!"&clid="; content:!"&banerid="; content:!"&win="; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, signature_severity Major, updated_at 2020_10_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"protectionguardapp.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034593; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Checkin"; flow:to_server,established; http.uri; content:"/create.php?"; fast_pattern; pcre:"/^\/[^\x2f]+?\/create\.php\?[a-z0-9]+\x3d[a-z0-9\x5f\x2d]+?$/i"; http.host; content:!"maplelegends.com"; content:!"violinlab.com"; reference:url,welivesecurity.com/2014/05/20/miniduke-still-duking/; classtype:targeted-activity; sid:2018491; rev:7; metadata:created_at 2014_05_20, former_category MALWARE, updated_at 2020_10_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in DNS Lookup)"; dns_query; content:"readyqrscanner.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034594; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"valor="; depth:6; content:"verde"; content:"branco"; content:"vermelho"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:command-and-control; sid:2018516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"readyqrscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034595; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Key|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; startswith; nocase; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:command-and-control; sid:2025381; rev:6; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_10_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in DNS Lookup)"; dns_query; content:"flowdivison.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034596; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".men"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"flowdivison.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034597; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".webcam"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in DNS Lookup)"; dns_query; content:"multifuctionscanner.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034598; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".yokohama"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in DNS Lookup)"; dns_query; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034599; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".tokyo"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS-Officecmd Remote Code Execution Attempt"; flow:established,to_client; file.data; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern; content:"filename"; nocase; distance:0; content:"|2d 2d|gpu|2d|launcher|3d|"; nocase; distance:0; reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-user; sid:2034627; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gq) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gq"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:4; metadata:created_at 2018_04_16, former_category HUNTING, updated_at 2020_10_10;)
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Response (MS-Officecmd)"; flow:established,to_client; http.response_body; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern;  reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-admin; sid:2034628; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".work"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"multifuctionscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034600; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Download non Jar file"; flow:established,to_server; flowbits:set,ET.JavaNotJar; flowbits:noalert; http.uri; content:!".jar"; nocase; content:!".jnlp"; nocase; content:!".hpi"; nocase; http.user_agent; content:"Java/1."; fast_pattern; content:!"ArduinoIDE/"; classtype:bad-unknown; sid:2016539; rev:9; metadata:created_at 2013_03_05, former_category CURRENT_EVENTS, updated_at 2020_10_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; nocase; classtype:command-and-control; sid:2034601; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MobileIron RCE Attempt Inbound (CVE-2020-15505)"; flow:established,to_server; http.uri; content:"|2f 2e 3b 2f|"; fast_pattern; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2030997; rev:1; metadata:created_at 2020_10_12, cve CVE_2020_15505, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".midcitylanews.com"; nocase; endswith; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:domain-c2; sid:2034867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service nrecom)"; flow:from_server,established; tls.cert_subject; content:"CN=ngn.gg"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2031000; rev:1; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dom-news.com"; nocase; endswith; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:domain-c2; sid:2034869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Spy/TVRat Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&stat="; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:command-and-control; sid:2021747; rev:12; metadata:created_at 2015_09_04, former_category MALWARE, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M1"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; content:"v1.5472"; endswith; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:command-and-control; sid:2034868; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"/index.php"; content:!"act=bkw9"; nocase; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:15; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (set)"; flow:established,to_server; flowbits:set,ET.maldoc.trick; flowbits:noalert; http.method; content:"GET"; http.uri; content:".png"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|Connection|0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,e6258c27362df0668295258b69a5a74d; classtype:trojan-activity; sid:2034631; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/is-ready"; fast_pattern; nocase; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2013_08_27, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Maldoc Retrieving Binary"; flow:established,to_client; flowbits:isset,ET.maldoc.trick; http.start; content:"HTTP/1.1 200 OK|0d 0a|Server|3a 20|fasthttp|0d 0a|"; fast_pattern; file.data; content:"MZ"; startswith; reference:md5,e6258c27362df0668295258b69a5a74d; reference:md5,91314d1cdd3bfb38daba9273730ed1a4; classtype:trojan-activity; sid:2034632; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; threshold:type both, track by_dst, count 1, seconds 60; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"new|20|"; nocase; pcre:"/new\s+(java|org|sun)/i"; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035; rev:4; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO webhook .site in TLS SNI"; flow:established,to_server; tls.sni; content:"webhook.site"; endswith; nocase; reference:md5,58f8070803608bd0bd2cb6b18351918e; reference:url,isc.sans.edu/forums/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088/; classtype:misc-activity; sid:2034634; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SA Banker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?role="; fast_pattern; content:"&os="; content:"&bits="; content:"&av="; content:"&host="; content:"&plugins="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d42c4395cb4cfa3cd6c4798b8c5e493a; classtype:command-and-control; sid:2023424; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/SDK/webLanguage"; bsize:16; fast_pattern; http.request_body; content:"|3c|language|3e|"; nocase; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/CVE-2021-36260.py; reference:url,watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:cve,2021-36260; classtype:attempted-admin; sid:2034630; rev:2; metadata:affected_product IP_Camera, attack_target Networking_Equipment, created_at 2021_12_08, cve CVE_2021_36260, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mera Keylogger POSTing keystrokes"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/log/index.php"; fast_pattern; http.request_body; content:"text="; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,techhelplist.com/index.php/spam-list/695-financial-statement-malware; classtype:trojan-activity; sid:2019965; rev:5; metadata:created_at 2014_12_17, former_category TROJAN, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request (Likely Pentester CnC)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentest-macro?computer=c_"; fast_pattern;  reference:md5,f7ddcef3607b41c593284dde397e35b8; classtype:command-and-control; sid:2034637; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; http.user_agent; content:"Envolo"; fast_pattern; reference:url,doc.emergingthreats.net/2001706; classtype:pup-activity; sid:2001706; rev:38; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> any any (msg:"ET INFO Python SimpleHTTP ServerBanner"; flow:established; http.server; content:"SimpleHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; http.user_agent; content:"SAH Agent"; fast_pattern; reference:url,doc.emergingthreats.net/2001707; classtype:pup-activity; sid:2001707; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL KETRUM CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?q="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; startswith; reference:md5,002267297066965505e5e2ea1db867b4; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe; classtype:trojan-activity; sid:2034633; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Spyware User-Agent (MyWay)"; flow: established,to_server; threshold:type limit, count 1, seconds 360, track by_src; http.user_agent; content:"MyWay"; fast_pattern; reference:url,doc.emergingthreats.net/2001864; classtype:pup-activity; sid:2001864; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL Related CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?newfrs"; startswith; fast_pattern; content:"setssion="; distance:0; http.header_names; content:!"Referer"; http.accept; content:"Accept|3a 20|"; reference:md5,95507bd09d464582e82ed0b2fdf46a31; reference:md5,8a5e766065ea81d1470e4955f0c7f402; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/; classtype:trojan-activity; sid:2034645; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; http.user_agent; content:"MyWebSearch"; fast_pattern; reference:url,doc.emergingthreats.net/2001865; classtype:pup-activity; sid:2001865; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9u"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034641; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; http.header; content:"|20|searchengine|0d 0a|"; fast_pattern; pcre:"/User-Agent\:[^\n]+searchengine/i"; reference:url,doc.emergingthreats.net/2001867; classtype:pup-activity; sid:2001867; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvb"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (sureseeker)"; flow: established,to_server; http.user_agent; content:"sureseeker.com"; reference:url,doc.emergingthreats.net/2001868; classtype:pup-activity; sid:2001868; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"XaW5kb3dzIElQIENvbmZpZ3VyYXRpb2"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; http.header; content:"SurferPlugin"; fast_pattern; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference:url,doc.emergingthreats.net/2001870; classtype:pup-activity; sid:2001870; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Dropbox Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"_csp_external_script_nonce"; content:!"when_ready_configure_requirejs"; distance:0; content:!"DETERMINISTIC_MONKEY_CHECK"; distance:0; content:!"<title>Dropbox Status</title>"; classtype:social-engineering; sid:2025659; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; http.header; content:"THNALL"; fast_pattern; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; reference:url,doc.emergingthreats.net/2002002; classtype:pup-activity; sid:2002002; rev:33; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [CISA AA21-336A] Zoho ManageEngine ServiceDesk Possible Exploitation Activity (CVE-2021-44077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/ImportTechnicians"; fast_pattern; http.request_body; content:"filename=|22|msiexec.exe|22|"; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-336a; reference:cve,2021-44077; reference:url,attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis; classtype:attempted-admin; sid:2034577; rev:2; metadata:attack_target Server, created_at 2021_12_03, cve CVE_2021_44077, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; http.header; content:"XupiterToolbar"; fast_pattern; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:pup-activity; sid:2002071; rev:19; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static-directory/bn.png"; fast_pattern; bsize:24; http.header_names; content:!"Referer"; http.user_agent; content:"Linux|3b 20|Android|20|"; reference:url,twitter.com/kienbigmummy/status/1468836018560192512; reference:md5,f3e31cd5f0972e4dbc789807ad2d129b; classtype:trojan-activity; sid:2034646; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; http.header; content:"spywareaxe"; fast_pattern; pcre:"/User-Agent\:[^\n]+spywareaxe/"; reference:url,doc.emergingthreats.net/2002808; classtype:pup-activity; sid:2002808; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert tcp $EXTERNAL_NET ![443,80] -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Keep Alive"; flow:established,to_client; dsize:4; content:"|13 11 18 19|"; threshold:type threshold, count 4, seconds 40, track by_src; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034639; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; http.user_agent; content:"ErrorSafe|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003346; classtype:pup-activity; sid:2003346; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert tcp $EXTERNAL_NET ![443,80] -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response M2"; flow:established,to_client; dsize:<48; content:"|00 00 00 3c|"; startswith; fast_pattern; content:"|01|"; distance:1; within:1; content:"|20|"; distance:4; within:1; pcre:"/^[\x01-\x04]/R"; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034640; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_12_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; http.user_agent; content:"GAMEHOUSE"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003347; classtype:pup-activity; sid:2003347; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![443,80] (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M3"; flow:established,to_server; stream_size:server,<,5; dsize:6; content:"|13 11 18 19 01 68|"; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034638; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment SSLDecrypt, former_category MALWARE, signature_severity Minor, updated_at 2021_12_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; http.user_agent; content:"FreezeInet"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003355; classtype:pup-activity; sid:2003355; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; threshold: type limit, count 1, seconds 300, track by_src; http.user_agent; content:"SpamBlockerUtility|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003384; classtype:pup-activity; sid:2003384; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; http.user_agent; content:"Morpheus"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003396; classtype:pup-activity; sid:2003396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; threshold:type both, count 1, seconds 300, track by_src; http.user_agent; content:"Seekmo"; fast_pattern; nocase; classtype:pup-activity; sid:2003397; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; http.user_agent; content:"SmartInstaller"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003398; classtype:pup-activity; sid:2003398; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; http.header; content:"iMeshBar"; fast_pattern; pcre:"/User-Agent\:[^\n]+iMeshBar/i"; reference:url,doc.emergingthreats.net/2003406; classtype:pup-activity; sid:2003406; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; http.user_agent; content:"SF Installer"; fast_pattern; reference:url,doc.emergingthreats.net/2003428; classtype:pup-activity; sid:2003428; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; http.user_agent; content:"DSInstall"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003439; classtype:pup-activity; sid:2003439; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; http.header; content:"|20|Oemji"; fast_pattern; pcre:"/User-Agent\:[^\n]+Oemji/i"; reference:url,doc.emergingthreats.net/2003468; classtype:pup-activity; sid:2003468; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; threshold:type limit, count 2, seconds 360, track by_src; http.user_agent; content:"AskSearch"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003493; classtype:pup-activity; sid:2003493; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Win95)"; flow:to_server,established; http.user_agent; content:"Win95"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:pup-activity; sid:2008015; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; http.uri; content:"?action="; content:"&pc_id="; content:"&abbr="; fast_pattern; content:"&err="; reference:url,doc.emergingthreats.net/2008282; classtype:pup-activity; sid:2008282; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Unknown Malware patchlist.xml Request"; flow:established,to_server; http.uri; content:"/update/patchlist.xml"; fast_pattern; classtype:pup-activity; sid:2013200; rev:5; metadata:created_at 2011_07_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![5938,1433] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|14 24|"; offset:8; fast_pattern; content:!"|00 00|"; distance:-10; within:2; content:"|00 00|"; distance:-4; within:2; byte_jump:4,-8,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2023611; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Major, tag Gh0st, updated_at 2021_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; http.uri; content:".php?pi="; fast_pattern; content:"&gu="; content:"&ac="; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 6.0)"; bsize:33; classtype:pup-activity; sid:2013540; rev:8; metadata:created_at 2011_09_06, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)"; flow:established,to_server; http.request_line; content:"POST /cgi?2"; startswith; fast_pattern; http.request_body; content:"|5b|IPPING|5f|DIAG|23|"; nocase; content:"host="; distance:0; nocase; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,k4m1ll0.com/cve-2021-41653.html; reference:url,www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; reference:cve,2021-41653; classtype:attempted-admin; sid:2034677; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_12_11, cve CVE_2021_41653, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; http.uri; content:"/LogProc.php?"; fast_pattern; content:"mac="; content:"mode="; content:"&pCode="; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:pup-activity; sid:2013797; rev:7; metadata:created_at 2011_10_24, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034667; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Ezula Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/download/UVid.asp?"; fast_pattern; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:pup-activity; sid:2016938; rev:6; metadata:created_at 2013_05_28, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034668; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; http.uri; content:"/api/success/?s="; fast_pattern; content:"&c="; content:"&cv="; content:"&context="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017880; rev:9; metadata:created_at 2013_12_17, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034661; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; http.uri; content:"/downloads/icons.dat"; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017881; rev:6; metadata:created_at 2013_12_17, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034662; rev:2; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GMUnpackerInstaller.A Checkin"; flow:to_server,established; http.uri; content:"/new/rar.xml"; fast_pattern; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:pup-activity; sid:2017892; rev:5; metadata:created_at 2013_12_19, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034663; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.PUQD Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/Version/"; fast_pattern; startswith; content:"/trace/"; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:pup-activity; sid:2017945; rev:6; metadata:created_at 2014_01_08, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034664; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; http.uri; content:".gif?action="; content:"&browser="; content:"&ver="; content:"&bic="; fast_pattern; content:"&app="; content:"&appver="; content:"&verifier="; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:pup-activity; sid:2018301; rev:6; metadata:created_at 2012_10_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY dnslog .cn Observed in DNS Query"; dns.query; dotprefix; content:".dnslog.cn"; nocase; endswith; classtype:domain-c2; sid:2034669; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_11, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/product-am.php?id="; fast_pattern; content:"&v="; content:"&offer["; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:pup-activity; sid:2018307; rev:7; metadata:created_at 2014_03_19, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034665; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server; http.uri; content:"/api/software/?s="; fast_pattern; content:"&os="; content:"&output="; content:"&v="; content:"&l="; content:"&np="; content:"&osv="; content:"&b="; content:"&bv="; content:"&c="; content:"&cv="; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:pup-activity; sid:2018323; rev:6; metadata:created_at 2014_03_26, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (udp) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?mode="; fast_pattern; content:"&subid="; content:"&filedescription="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:pup-activity; sid:2018367; rev:10; metadata:created_at 2014_04_07, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com)"; dns.query; dotprefix; content:".bingsearchlib.com"; nocase; endswith; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2021-44228; classtype:domain-c2; sid:2034670; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2121_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/evt/?nexcb="; startswith; fast_pattern; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:pup-activity; sid:2018565; rev:6; metadata:created_at 2014_06_16, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,9127505386ade0774a1671e146e40ed7; classtype:trojan-activity; sid:2034679; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?q="; offset:4; depth:8; pcre:"/^\/(?:get|install)\/\?q=/"; http.header; content:"optpro"; fast_pattern; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018744; rev:7; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideCopy APT Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /ab.vbs HTTP/1.1"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"powershell/"; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,64fff1f62c8771e2f558e5cb8694326f; classtype:trojan-activity; sid:2034680; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[a-f0-9]{50,}$/"; http.header; content:"Proxy-Authorization|3a 20|Basic"; http.host; content:"stan|2E|"; fast_pattern; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019145; rev:5; metadata:created_at 2014_09_09, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY File Sharing Site in DNS Lookup (satoshidisk .com)"; dns.query; content:"satoshidisk.com"; nocase; bsize:15; classtype:policy-violation; sid:2034681; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[\w-]{50,}$/"; http.host; content:"kyle|2E|"; fast_pattern; startswith; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019156; rev:5; metadata:created_at 2014_09_10, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034676; rev:1; metadata:attack_target Server, created_at 2021_12_13, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; http.method; content:"POST"; http.uri; content:"/?pcrc="; fast_pattern; pcre:"/^\/\?pcrc=[0-9]{7,10}$/"; http.request_body; content:"0A0Czut"; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:pup-activity; sid:2019511; rev:8; metadata:created_at 2014_10_27, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/var/"; startswith; content:"pty"; fast_pattern; endswith; bsize:11; pcre:"/^\/var\/(?:run|tmp)\/pty$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer";  classtype:trojan-activity; sid:2034686; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pxl/"; fast_pattern; content:"e=-1"; content:"&c="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:pup-activity; sid:2019622; rev:5; metadata:created_at 2014_10_31, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"traderstruthrevealed.com"; nocase; bsize:24; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034682; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?p="; fast_pattern; content:"&v="; content:"&id="; distance:0; http.user_agent; content:"AutoUpdate"; bsize:10; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:pup-activity; sid:2021401; rev:5; metadata:created_at 2015_07_10, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"usrfiles.com"; nocase; bsize:12; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034687; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney User Agent"; flow:established,to_server; http.user_agent; content:"Downloader|20|"; startswith; fast_pattern; pcre:"/^Downloader \d\.\d$/"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024249; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"ausq.inaver.org"; nocase; bsize:15; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034688; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 3"; flow:to_server,established; http.uri; content:"/get_download_xml_"; fast_pattern; content:"?id="; http.user_agent; content:"tiny-dl"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024252; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"wnqd.navercloud.org"; nocase; bsize:19; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034689; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 6"; flow:to_server,established; http.uri; content:"/get_xml?story="; fast_pattern; content:"&file"; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024254; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related FTP File Download"; flow:established,to_server; content:"RETR|20|/board/"; fast_pattern; pcre:"/[a-z]{8}.(:?psd|dib)/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 7"; flow:to_server,established; http.uri; content:"/info?story="; fast_pattern; content:"&file="; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024255; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_16, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php?dhk="; fast_pattern; content:"&user="; distance:0; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 5"; flow:to_server,established; http.uri; content:"/getspfile.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024256; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_19, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kimsuky Related Malicious VBScript Inbound M3"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"reg add"; nocase; fast_pattern; content:"ftp://"; distance:0; within:200; pcre:"/[a-z]{8}.(:?dib|psd)/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 1"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/ppu.php"; fast_pattern; http.request_body; content:"xml_req="; depth:8; content:"system"; distance:0; content:"os+version"; distance:0; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024258; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kimsuky Related Malicious VBScript Inbound M4"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"open"; nocase; content:"GET"; distance:0; within:10; content:".php?dhk="; fast_pattern; content:"&user="; content:"&fore="; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 3"; flow:established,to_server; http.uri; content:"/get_json?"; fast_pattern; content:"&name="; content:"rnd="; http.user_agent; content:"Downloader|20|"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024261; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Kimsuky Related Malicious VBScript Inbound"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"reg add"; nocase; fast_pattern; content:"ftp://"; distance:0; within:200; pcre:"/[a-z]{8}.[a-z]{3}/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Java.Deathbot Requesting Proxies"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Socks"; fast_pattern; content:".txt"; endswith; distance:1; within:4; pcre:"/\/Socks[45]\.txt$/"; http.user_agent; content:"Java/1."; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:pup-activity; sid:2024794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, signature_severity Major, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/https:\/\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.[a-z]{3,12}.com\/[a-z]{3,4}\/[a-z0-9]{6}_[a-z0-9]{32}/"; content:".xls?dn="; fast_pattern; content:".xls"; endswith; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoetRAT Upload via HTTP"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Max-Downloads|0d 0a|Max-Days|0d 0a|"; fast_pattern; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:command-and-control; sid:2031002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, malware_family PoetRat, performance_impact Moderate, signature_severity Major, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ugd/"; fast_pattern; pcre:"/^[a-z0-9]{6}_[a-z0-9]{32}/R"; content:".txt"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:md5,d74f268b986fecfa03b81029dd134811; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:attempted-admin; sid:2030995; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Minor, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"naver.com"; content:"naver"; fast_pattern; pcre:"/\.php\?[a-z]{3}=(baby|child|adult)/i"; content:"&user="; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:web-application-attack; sid:2030996; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gasti.tm Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|blob|22 0d 0a|"; fast_pattern; content:"name|3d 22|blob|5f|num|22 0d 0a|"; distance:0; content:"name|3d 22|blob|5f|num|22|name|3d 22|total|5f|blob|5f|num|22 0d 0a|"; distance:0; content:"name|3d 22|hashCode|22 0d 0a 0d 0a|"; content:"|0d 0a 2d 2d|"; distance:32; within:4; reference:md5,0b7504c8770d109f0bc326c1dd4cbee4; classtype:command-and-control; sid:2034678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex DL Pattern Feb 18 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?."; fast_pattern; pcre:"/\.exe\?\.\d+$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022549; rev:6; metadata:created_at 2016_02_18, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034699; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; http.method; content:"GET"; http.uri; content:".exe"; endswith; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:5; metadata:created_at 2015_04_16, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034659; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock CVE-2014-6271"; flow:established,to_server; http.uri; content:"authLogin.cgi"; http.header; content:"|28 29 20 7b|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:5; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034660; rev:3; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; http.method; content:"GET"; nocase; http.referer; content:"?//"; fast_pattern; pcre:"/\/(?:(?:index|toc)\.html?)?\?\/\//i"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:5; metadata:created_at 2013_06_20, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034671; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2012-1533 altjvm (jvm.dll) Requested Over WebDAV"; flow:established,to_server; http.uri; content:"/jvm.dll"; fast_pattern; endswith; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:7; metadata:created_at 2013_06_13, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034672; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=devicestatus"; fast_pattern; content:"&app_key="; offset:19; content:"&imei="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034700; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Lanfiltrator Checkin"; flow:established,to_server; http.uri; content:"/ralog.cgi?action="; nocase; fast_pattern; content:"&ip="; nocase; content:"&servertype="; nocase; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:command-and-control; sid:2009078; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034701; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; http.host; content:"myip.kz"; fast_pattern; bsize:7; classtype:external-ip-check; sid:2021533; rev:4; metadata:created_at 2015_07_27, former_category POLICY, updated_at 2020_10_13;)
+#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034702; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"33db9538.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023231; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034703; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"9507c4e8.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023232; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034706; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"e5b57288.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023233; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034707; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"54dfa1cb.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023234; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034708; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"pjl_ready_message="; nocase; fast_pattern; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034709; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE indux.php check-in"; flow:established,to_server; http.uri; content:"/indux.php?U="; nocase; fast_pattern; content:"@"; http.referer; content:"http|3a|//www.google.com"; nocase; bsize:21; classtype:trojan-activity; sid:2011387; rev:8; metadata:created_at 2010_09_28, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034710; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; depth:32; content:"&dnsserver="; content:"&Save=Save"; fast_pattern; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:5; metadata:created_at 2015_04_07, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034711; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; http.header; content:"Range|3a|"; nocase; content:"18446744073709551615"; fast_pattern; distance:0; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/mi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:5; metadata:created_at 2015_04_15, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034712; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; http.uri; content:"/level/15/exec/-/"; fast_pattern; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/i"; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034713; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/products.php?"; fast_pattern; pcre:"/\.php\?[a-z]{15,}$/"; http.header; content:"Referer|3a|"; content:"/products.php|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024177; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, performance_impact Low, signature_severity Major, tag Felismus, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034714; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"new.odgarsupport.world"; nocase; endswith; classtype:domain-c2; sid:2028660; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034715; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows-updates.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028662; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034716; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows64x.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034717; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".firewallsupports.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Adobe_Coldfusion, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; flowbits:set,ET.http.javaclient; flowbits:noalert; http.user_agent; content:"Java/"; classtype:misc-activity; sid:2013035; rev:5; metadata:created_at 2011_06_16, updated_at 2021_12_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".winx64-microsoft.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028665; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/2345.H Variant Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /dmdt/dmdt_data.php HTTP/1.1"; fast_pattern; http.request_body; content:"data_version="; startswith; content:"&client_data="; http.header_names; content:!"Referer"; reference:md5,3b2806dc35cb7bc4db464a5fe017ab4e; reference:md5,0b1f16f067ba71f5b8ec87c9f1a544c6; classtype:pup-activity; sid:2034724; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:!"Taitus"; content:!"Sling/"; content:!"Updexer/"; http.host; content:!"sophosupd.com"; content:!"sophosupd.net"; http.accept; content:"text/*,|20|application/*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:14; metadata:created_at 2014_07_03, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup"; dns.query; content:"api.musicbee.getlist.destinycraftpe.com"; nocase; bsize:39; reference:url,twitter.com/Unit42_Intel/status/1470778363254128651; reference:md5,b873bfa8dec8c3a1f62c30903e59e849; classtype:domain-c2; sid:2034725; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:22; content:"CN=superlatinradio.com"; fast_pattern; reference:md5,ce879fb552e7740bb2e940c65746aad2; classtype:domain-c2; sid:2028672; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response"; flow:established,to_client; content:"|30 81|"; startswith; content:"|02 01|"; distance:1; within:2; content:"|64|"; distance:1; within:1; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0d|javaClassName"; within:20; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0c|javaCodeBase"; within:19; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|objectClass"; within:18; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|javaFactory"; within:18; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034722; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; content:"CN=corpcougar.in"; endswith; fast_pattern; reference:md5,f7a490fcf756f9ddbaedc2441fbc3c0c; classtype:domain-c2; sid:2028673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /azure/v2/api HTTP/1.1"; fast_pattern; http.user_agent; content:"MusicBee/3.4"; bsize:12; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|"; startswith; http.cookie; content:"HSID="; startswith; reference:url,twitter.com/Unit42_Intel/status/1470778363254128651; reference:md5,b873bfa8dec8c3a1f62c30903e59e849; classtype:trojan-activity; sid:2034726; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, tag c2, updated_at 2021_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (bqtconsulting .com)"; dns.query; content:"bqtconsulting.com"; nocase; bsize:17; reference:url,twitter.com/malware_traffic/status/1470812160427233294; reference:md5,c681c785d6055a1d5a8fe74403c9dfe9; classtype:domain-c2; sid:2034727; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; http.user_agent; content:"NetInstaller"; nocase; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:pup-activity; sid:2003528; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /image-directory/templates.mp3 HTTP/1.1"; fast_pattern; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/malware_traffic/status/1470812160427233294; reference:md5,c681c785d6055a1d5a8fe74403c9dfe9; classtype:trojan-activity; sid:2034728; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (double dashes)"; flow:to_server,established; http.user_agent; content:"|2d 2d |"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:pup-activity; sid:2007948; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajaxpro/"; fast_pattern; http.request_body; content:"|5f 5f|type"; content:"Object"; nocase; reference:url,twitter.com/sirifu4k1/status/1470647490; reference:cve,2021-23758; classtype:attempted-admin; sid:2034729; rev:2; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_23758, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET MALWARE Downloader.Win32.Small CnC Beacon"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSDN SurfBear"; depth:13; endswith; reference:url,doc.emergingthreats.net/2011269; classtype:command-and-control; sid:2011269; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Khonsri Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zambos_caldo_de_p.txt"; startswith; fast_pattern; http.header_names; content:!"User-Agent"; reference:url,businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild; classtype:command-and-control; sid:2034723; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_12_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Moxilla"; flow:established,to_server; http.user_agent; content:"Moxilla"; depth:7; classtype:trojan-activity; sid:2012313; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY GIOP/IIOP Request Outbound"; flow:established,to_server; flowbits:set,ET.GIOPsession; stream_size:server,<,5; content:"|47 49 4f 50 01|"; startswith; content:"|00|"; distance:2; within:1; classtype:policy-violation; sid:2034730; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; http.header; content:"Viper 4.0|29|"; nocase; fast_pattern; distance:2; within:10; http.user_agent; content:"Mozilla|2f|5|2e|0 |28|compatible"; depth:23; reference:url,doc.emergingthreats.net/2008586; classtype:pup-activity; sid:2008586; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful GIOP/IIOP Request Outbound"; flow:established,to_client; flowbits:isset,ET.GIOPsession; stream_size:server,<,50; content:"|47 49 4f 50 01|"; startswith; content:"|01|"; distance:2; within:1; classtype:policy-violation; sid:2034731; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (VMozilla)"; flow:to_server,established; http.user_agent; content:"VMozilla"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; classtype:trojan-activity; sid:2012555; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_25, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_setdata&__ds_setdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious User Agent (Lotto)"; flow:to_server,established; http.user_agent; content:"Lotto"; depth:5; classtype:trojan-activity; sid:2012695; rev:4; metadata:created_at 2011_04_20, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .carelessnessing .com)"; dns.query; content:"www.carelessnessing.com"; nocase; bsize:23; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; reference:md5,2f602c6feaa750e7d3b64276b630498a; classtype:domain-c2; sid:2034733; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskx.txt"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; reference:url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:4; metadata:created_at 2011_04_29, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .weekendorg .com)"; dns.query; content:"www.weekendorg.com"; nocase; bsize:18; reference:md5,04662666c8a97998fb1b2fcf907526e8; reference:md5,1454d4feacdd503c0542f70f44a8edc1; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; http.user_agent; content:"VERTEXNET"; depth:9; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:5; metadata:created_at 2011_03_30, former_category USER_AGENTS, updated_at 2020_10_13;)
+alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_getdata&__ds_getdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (mdms)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"mdms"; depth:4; endswith; classtype:trojan-activity; sid:2012761; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interactsh .com)"; dns.query; dotprefix; content:".interactsh.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034732; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (asd)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"asd"; nocase; depth:3; endswith; classtype:trojan-activity; sid:2012762; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; content:"|30 24 02 01|"; startswith; content:"|78 1f 0a 01 00 04 00 04 00 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034720; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013032; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPSBindRequest; flowbits:isnotset,ET.LDAPSBindRequest; stream_size:server,<,5; content:"|30 1d 02 01|"; startswith; content:"|77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:bad-unknown; sid:2034719; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|78 07 0a 01 00 04 00 04 00|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034721; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Binget PHP Library User Agent Outbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013050; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .aexhausts .com)"; dns.query; content:"www.aexhausts.com"; nocase; bsize:17; reference:md5,23d4cfceb70d19cf5dc15ea0e8ea1acd; reference:md5,1f3a2e8058411cc04f474a68501b3045; reference:md5,fa80669685cf12de62b4e3156b997553; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034735; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortner Domain in DNS Lookup (urlz .fr)"; dns.query; content:"urlz.fr"; nocase; bsize:7; reference:md5,947c34579e51417d9290c0cd8475cc54; classtype:bad-unknown; sid:2034742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013052; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (news .networkslaoupdate .com)"; dns.query; content:"news.networkslaoupdate.com"; nocase; bsize:26; reference:md5,b9fecf531ebd323cd25b4dbb179a8969; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034736; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, malware_family TAG_33, signature_severity Major, updated_at 2021_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (koltary .com)"; dns.query; content:"koltary.com"; nocase; bsize:11; reference:md5,91cde71b55ae86e9d64f4ea2c233790f; classtype:domain-c2; sid:2034737; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS PyCurl Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; depth:6; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013054; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9=]{5,12}&ap=/R"; content:"&ap=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,twitter.com/benkow_/status/1469238517066838018; reference:md5,8e343598ba830d20ffc22d2a9c82ad5a; classtype:command-and-control; sid:2034738; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Peach C++ Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Muhstik Botnet CnC Activity"; flow:established,to_server; content:"NICK|20|"; content:"USER|20|"; content:"|3a|muhstik-"; fast_pattern; pcre:"/^[0-9]{8}$/Rm"; reference:md5,81fbe69a36650504b88756074a36c183; reference:md5,d20478a01344026a0ecd60b0b29e9bc1; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034743; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Muhstik, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Mirai Botnet CnC Activity"; flow:established,to_server; dsize:11; content:"SWATunknown"; fast_pattern; reference:md5,1348a00488a5b3097681b6463321d84c; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Octopus Backdoor Related Domain in DNS Lookup"; dns.query; content:"movetolight.xyz"; nocase; bsize:15; classtype:command-and-control; sid:2034746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; http.user_agent; content:"DominoHunter"; nocase; depth:12; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:4; metadata:created_at 2011_07_02, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BazarLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header; content:"User-Agent|3a 20|Win|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; reference:md5,c70d6690d2d6fcead1e752195985fc54; classtype:trojan-activity; sid:2034752; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, signature_severity Major, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yandexbot Request Outbound"; flow:established,to_server; http.user_agent; content:"YandexBot"; depth:9; classtype:trojan-activity; sid:2013254; rev:4; metadata:created_at 2011_07_12, updated_at 2020_10_13;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY RMI Request Outbound"; flow:established,to_server; stream_size:server,<,5; flowbits:set,ET.RMIRequest; flowbits:isnotset,ET.RMIRequest; content:"|4a 52 4d 49 00|"; startswith; fast_pattern; pcre:"/^(?:\x01|\x02)(?:\x4b|\x4c|\x4d)/R"; reference:url,docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; reference:url,github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/rex/proto/rmi/model.rb; classtype:policy-violation; sid:2034718; rev:3; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-10-13"; flow:established,to_client; content:"|0d 0a 0a|<!doctype|20|"; http.stat_code; content:"200"; file.data; content:".lollol|20|{|0d 0a|"; fast_pattern; content:"|20|chase logo|22|></div>|0d 0a|"; classtype:social-engineering; sid:2031010; rev:1; metadata:created_at 2020_10_13, former_category PHISHING, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (gawocag .com)"; dns.query; dotprefix; content:".gawocag.com"; nocase; endswith; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:trojan-activity; sid:2034753; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)"; flow:to_server,established; http.user_agent; content:"AskPartner"; depth:10; classtype:trojan-activity; sid:2012734; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (rce .ee)"; dns.query; dotprefix; content:".rce.ee"; nocase; endswith; reference:url,www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228; reference:cve,2021-44228; classtype:domain-c2; sid:2034747; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; http.user_agent; content:"BlackSun"; nocase; depth:8; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hiduwu .com)"; dns.query; content:"hiduwu.com"; nocase; bsize:10; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:domain-c2; sid:2034754; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Toata Scanner User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Toata dragostea|20|"; depth:16; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; classtype:attempted-recon; sid:2009159; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity M11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data=active"; endswith; fast_pattern; pcre:"/^\/[a-z0-9]{45,60}\/[a-z0-9]{35,65}\/[a-z0-9]{38,60}\.php\?data=active$/U"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034739; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BSSID Location Lookup via api .mylnikov .org"; flow:established,to_server; http.host; content:"api.mylnikov.org"; fast_pattern; http.uri; content:"/geolocation/wifi?"; content:"&bssid="; distance:0; reference:md5,b666dc5379e31680a5621870210f0619; classtype:bad-unknown; sid:2031008; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Serialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ac ed|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034748; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"<title>Copyright|20 7c 20|Help Instagram"; fast_pattern; content:"<form method=|22|post|22 20|action=|22|"; distance:0; content:".php|22|"; within:50; classtype:social-engineering; sid:2031003; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Unserialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ca fe ba be|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034749; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"Amazon Sign In</title>"; content:"#zwimel {"; distance:0; fast_pattern; classtype:social-engineering; sid:2031004; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034757; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Instagram Phishing Domain"; flow:established,to_server; http.host; content:"lnstagram"; fast_pattern; pcre:"/\.(?:tk|gq|ga|xyz|ml|cf)$/"; classtype:social-engineering; sid:2031005; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_13;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034758; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"AskInstall"; depth:10; nocase; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034759; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Data Exfil via Telegram"; flow:established,to_server; http.host; bsize:16; content:"api.telegram.org"; http.uri; content:"/sendMessage?chat_id="; content:"text=|0a|"; content:"|20 f0 9f|"; distance:0; content:"*|0a|Date|3a 20|"; distance:0; content:"|0a|System|3a 20|"; content:"|20|Bit)|0a|Username|3a 20|"; reference:md5,00171267979ca2e972336e751a5725b7; reference:url,github.com/LimerBoy/StormKitty; classtype:command-and-control; sid:2031009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034760; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Login Hosted on Firebasestorage"; flow:established,to_client; http.header; content:"X-GUploader-UploadID|3a 20|"; content:"|0d 0a|x-goog-"; file.data; content:"<title>Sign in to your Microsoft account</title>"; fast_pattern; classtype:social-engineering; sid:2031006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034761; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Windows+NT"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034762; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; http.uri; content:"/envia.php"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; nocase; http.request_body; content:"praquem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:command-and-control; sid:2008256; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034763; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; http.user_agent; content:"Installer Ping"; depth:14; classtype:trojan-activity; sid:2013190; rev:5; metadata:created_at 2011_07_05, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034764; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; http.user_agent; content:"Museon"; depth:6; reference:url,doc.emergingthreats.net/2006418; classtype:pup-activity; sid:2006418; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034765; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious User-Agent (asp2009)"; flow: established, to_server; http.user_agent; content:"asp2009"; depth:7; endswith; reference:url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034766; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (??)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 3f 3f 0d 0a|"; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034767; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"|0d 0a|Request|3a 20|"; nocase; content:"run|0d 0a|"; within:5; http.uri; content:"/get?src="; nocase; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest"; nocase; depth:54; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034768; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zentom FakeAV Checkin"; flow:established,to_server; http.uri; content:".php?prodclass="; fast_pattern; content:"&coid="; content:"&fff="; content:"&IP="; content:"&lct="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; classtype:command-and-control; sid:2013785; rev:5; metadata:created_at 2011_10_20, former_category MALWARE, updated_at 2020_10_13;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Obfuscated log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|env|3a|NaN|3a|-j|7d|ndi|24 7b|env|3a|NaN|3a|"; nocase; fast_pattern; content:"|24 7b|env|3a|NaN|3a|-l|7d|dap|24|"; reference:url,twitter.com/bad_packets/status/1471253695459332102; reference:cve,2021-44228; classtype:attempted-admin; sid:2034755; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P p2p Related User-Agent (eChanblard)"; flow:to_server,established; http.user_agent; content:"eChanblard"; depth:10; endswith; reference:url,doc.emergingthreats.net/2011232; classtype:trojan-activity; sid:2011232; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /dequeue/paypal"; startswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,b96171a46e7a83815b90271f711727aa; reference:url,twitter.com/malwrhunterteam/status/1471915892980264962/; classtype:trojan-activity; sid:2034756; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; http.user_agent; content:"AutoGetColumn"; depth:13; reference:url,doc.emergingthreats.net/2009154; classtype:attempted-recon; sid:2009154; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034750; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B Connectivity check"; flow:from_client,established; http.method; content:"GET"; http.uri; content:"/search?qu="; fast_pattern; http.header; content:"Content-Length|3a 20|4|0D 0A|"; http.user_agent; content:"Firefox/2.0.0.2"; depth:15; endswith; http.host; content:"www.google.com"; distance:0; bsize:14; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; classtype:trojan-activity; sid:2014173; rev:5; metadata:created_at 2012_01_31, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034751; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; http.user_agent; content:"asafaweb.com"; depth:12; endswith; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034781; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; http.uri; content:".com.exe"; fast_pattern; http.user_agent; content:"GetRight/"; depth:9; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:command-and-control; sid:2014290; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (Outbound) (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034782; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Graybird Checkin"; flow:to_server,established; http.uri; content:"/count.asp?mac="; content:"&os="; content:"&av="; http.user_agent; content:"Post"; depth:4; endswith; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:command-and-control; sid:2014365; rev:5; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034783; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (ld)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034784; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Banker.PWS POST Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"IDMAQUINA="; reference:url,doc.emergingthreats.net/2009127; classtype:command-and-control; sid:2009127; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034785; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos/Banker Info Stealer Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; nocase; http.request_body; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034787; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"guid="; nocase; content:"ver="; nocase; content:"stat="; nocase; content:"ie="; nocase; content:"os="; nocase; content:"ut="; nocase; content:"cpu="; nocase; fast_pattern; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; endswith; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; classtype:command-and-control; sid:2009550; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034788; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"tipo="; reference:url,doc.emergingthreats.net/2007863; classtype:command-and-control; sid:2007863; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034789; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; http.user_agent; content:"clk_jdfhid"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008399; classtype:command-and-control; sid:2008399; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034790; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DMSpammer HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat"; content:".php"; pcre:"/\/stat\d+\.php/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; fast_pattern; http.request_body; content:"x|9c|"; reference:url,doc.emergingthreats.net/2008271; classtype:command-and-control; sid:2008271; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034791; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (MzApp)"; flow:established,to_server; http.user_agent; content:"MzApp"; depth:5; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2009988; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034792; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"mode="; content:"&PartID="; content:"&mac="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2007913; classtype:command-and-control; sid:2007913; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034793; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; http.user_agent; content:"MSID ["; nocase; depth:6; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034794; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; http.user_agent; content:"IRC-U v"; depth:7; nocase; reference:url,doc.emergingthreats.net/2003647; classtype:trojan-activity; sid:2003647; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034795; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&serial="; nocase; content:"ver="; nocase; http.user_agent; content:"WinInetHTTP"; depth:11; endswith; nocase; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,doc.emergingthreats.net/2009804; classtype:trojan-activity; sid:2009804; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034796; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV/Security Application Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?url="; nocase; content:"&affid="; fast_pattern; nocase; pcre:"/\?url=[0-9]&affid=[0-9]{5}/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows XP)"; depth:46; endswith; nocase; reference:url,doc.emergingthreats.net/2009554; classtype:command-and-control; sid:2009554; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034797; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (uplovd .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.uplovd.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,b666dc5379e31680a5621870210f0619; classtype:policy-violation; sid:2031018; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2020_10_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034798; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FraudLoad.aww HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/instlog/?"; nocase; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient"; depth:45; reference:url,doc.emergingthreats.net/2008322; classtype:command-and-control; sid:2008322; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+#alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034834; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; reference:url,doc.emergingthreats.net/2009455; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+#alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034835; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fruspam polling for IP likely infected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/automation/n09230945.asp"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|U|3b 20|Linux i686|3b 20|en-US|3b 20|rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0"; depth:85; endswith; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034799; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lost Door Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"subject=Lost|20|door|20|"; fast_pattern; content:"by|20|OussamiO"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008340; classtype:command-and-control; sid:2008340; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034800; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mac User-Agent Typo INBOUND Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Macintosh|3b|"; depth:23; content:"(KHTML, like Geco,"; distance:0; fast_pattern; reference:url,doc.emergingthreats.net/2008955; classtype:trojan-activity; sid:2008955; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034801; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel Downloader Request"; flow: established,to_server; http.uri; content:".php?id="; pcre:"/\.php\?id=[0-9a-f]{8}$/"; http.user_agent; content:"ie"; bsize:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T; reference:url,doc.emergingthreats.net/2010244; classtype:trojan-activity; sid:2010244; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034802; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poebot Related User Agent (SPM_ID=)"; flow:established,to_server; http.user_agent; content:"SPM_ID="; depth:7; nocase; reference:url,doc.emergingthreats.net/2006391; classtype:trojan-activity; sid:2006391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034803; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3a|"; content:"X-Size|3a|"; content:"X-Sn|3a|"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b|SV1|3b |"; depth:54; endswith; classtype:trojan-activity; sid:2014231; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_14;)
+#alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034836; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; http.user_agent; content:"Babylon"; depth:7; fast_pattern; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:9; metadata:created_at 2011_04_28, updated_at 2020_10_14;)
+#alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034804; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; http.uri; content:"/search"; content:"?h1="; fast_pattern; content:"&h2="; distance:0; content:"&h3="; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b|"; depth:24; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014174; rev:6; metadata:created_at 2012_01_31, former_category MALWARE, updated_at 2020_10_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034806; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; http.user_agent; content:"XXX"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2020_10_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034807; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; http.uri; content:"/do/SDM"; nocase; content:"action="; nocase; http.user_agent; content:"AHTTPConnection"; nocase; depth:15; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:7; metadata:created_at 2011_09_28, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /alpha_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034773; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fullstuff Initial Checkin"; flow:established,to_server; http.uri; content:"/version.txt?type="; content:"&GUID="; content:"&rfr="; content:"&bgn="; http.user_agent; content:"FULLSTUFF"; depth:9; classtype:command-and-control; sid:2013887; rev:5; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /beta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034774; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (register machine)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/registraMaquina"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014952; rev:5; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gamma_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034775; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 1"; flow:established,to_server; urilen:7; http.uri; content:"/plg3.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015458; rev:4; metadata:created_at 2012_07_12, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /delta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034776; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 2"; flow:established,to_server; urilen:7; http.uri; content:"/ext1.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015459; rev:4; metadata:created_at 2012_07_12, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /epsilon_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034777; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Playtech Downloader Online Gaming Checkin"; flow:to_server,established; http.uri; content:"/client_update_urls.php"; http.user_agent; content:"Playtech|20|"; depth:9; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:command-and-control; sid:2008365; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /zeta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034778; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; http.header; content:!"Tree"; within:4; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:6; metadata:created_at 2011_06_17, updated_at 2020_10_14;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2"; flow:established,to_client; content:"|30|"; startswith; content:"|04 0d|javaClassName"; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 12|javaSerializedData"; within:25; content:"|ac ed|"; within:10; content:"|2e|exec"; distance:0; content:"FromCharCode"; nocase; distance:0; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034769; rev:2; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category ATTACK_RESPONSE, updated_at 2021_12_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (api .anonfiles .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.anonfiles.com"; bsize:20; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:policy-violation; sid:2031019; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2020_10_14;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034808; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Web.App Hosted Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.host; content:".web.app"; isdataat:!1,relative; fast_pattern; http.request_body; content:"password="; depth:9; nocase; classtype:credential-theft; sid:2031011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_14;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034809; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Exfil via AnonFiles"; flow:established,to_server; http.start; content:"POST /upload?token=43a7df2f0395152e HTTP/1.1|0d 0a|Content-Type|3a 20|multipart/form-data|3b|"; startswith; fast_pattern; http.host; content:"api.anonfiles.com"; bsize:17; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:command-and-control; sid:2031020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_14;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034810; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; isdataat:!1,relative; http.host; content:".000webhostapp.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2031013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_14;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034811; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"6."; depth:2; pcre:"/^6\.[0-2]\x20\d\d\x3a\d\d\x20/i"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016433; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPAnonBindRequest; stream_size:server,<,50; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|61 07 0a 01 00 04 00 04 00|"; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034705; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"0"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016435; rev:7; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPAnonBindRequest; flowbits:isnotset,ET.LDAPAnonBindRequest; stream_size:server,<,5; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|60 07 02 01 03 04 00 80 00|"; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034704; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"1"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016436; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3 Bind Request"; flow:established,to_client; flowbits:isset,ET.LDAPAnonBindRequest; content:"javaClassName"; fast_pattern; nocase; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034770; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"2"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016437; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart Skimmer Domain in DNS Lookup (bootstrap2 .xyz)"; dns.query; content:"bootstrap2.xyz"; nocase; bsize:14; reference:url,twitter.com/MBThreatIntel/status/1472995976507916290; classtype:domain-c2; sid:2034779; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; http.uri; content:"?rands="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:command-and-control; sid:2016446; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPBindRequest; flowbits:isnotset,ET.LDAPBindRequest; content:"|30|"; startswith; content:"|02 01|"; within:4; content:"|60|"; distance:1; within:1; byte_test:1,>,7,0,relative; content:"|02 01 03 04|"; distance:1; within:4; fast_pattern; byte_jump:1,0,relative; content:"|80|"; within:1; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034812; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WARP Win32/Barkiofork.A"; flow:established,to_server; http.uri; content:"/s/asp?"; fast_pattern; content:"p=1"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:4; metadata:created_at 2013_02_20, updated_at 2020_10_14;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful Non-Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPBindRequest; content:"|30|"; startswith; content:"|02 01|"; distance:0; content:"|61|"; distance:0; content:"|07 0a 01 00 04 00 04 00|"; within:12; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034771; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031014; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle Coherence Deserialization RCE (CVE-2020-2555)"; flow:established,to_server; content:"|74 33 20 31 32 2e 32 2e 31 0a 41 53 3a 32 35 35|"; content:"javax.management.BadAttributeValueExpException"; nocase; fast_pattern; content:"weblogic.common.internal.PackageInfo"; reference:url,github.com/Y4er/CVE-2020-2555/blob/master/weblogic_t3.py; reference:url,www.zerodayinitiative.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server; reference:cve,2020-2555; classtype:attempted-admin; sid:2034780; rev:1; metadata:attack_target Server, created_at 2021_12_20, cve CVE_2020_2555, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031015; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY JavaClass Returned Via Non-Anonymous Outbound LDAPv3 Bind Request"; flow:established,to_client; flowbits:isset,ET.LDAPBindRequest; content:"javaClassName"; fast_pattern; nocase; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034772; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031016; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 14.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/14.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/14u-relnotes.html; classtype:bad-unknown; sid:2034814; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031017; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 15.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/15.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/15u-relnotes.html; classtype:bad-unknown; sid:2034815; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-DIV UA"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer Exelon|20|"; depth:35; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:command-and-control; sid:2016454; rev:4; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 16.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/16.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/16u-relnotes.html; classtype:bad-unknown; sid:2034816; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; http.user_agent; content:"IPHONE"; depth:6; pcre:"/^IPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/i"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016461; rev:6; metadata:created_at 2011_06_27, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 17.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/17.0."; content:!"1"; within:1; reference:url,www.oracle.com/java/technologies/javase/17u-relnotes.html; classtype:bad-unknown; sid:2034817; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-RAVE UA"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; depth:33; endswith; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:command-and-control; sid:2016458; rev:5; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup"; dns.query; content:"s3crt.biz"; nocase; bsize:9; reference:url,securelist.com/owowa-credential-stealer-and-remote-access/105219/; classtype:domain-c2; sid:2034833; rev:1; metadata:attack_target Server, created_at 2021_12_21, deployment Perimeter, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO)"; flow:established,to_server; http.user_agent; content:"DEMO"; nocase; depth:4; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016886; rev:4; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
+alert tcp any any -> $HOME_NET any (msg:"ET POLICY Serialized Java Object returned via LDAPv3 Response"; flow:established,to_client; content:"|30|"; depth:1; content:"|04 0d|javaClassName"; fast_pattern; content:"|04 12|javaSerializedData"; distance:0; content:"|ac ed|"; within:10; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:bad-unknown; sid:2034818; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP)"; flow:established,to_server; http.user_agent; content:"UPHTTP"; nocase; depth:6; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016887; rev:7; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j .binaryedge .io)"; dns.query; dotprefix; content:".log4j.binaryedge.io"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034819; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sv="; fast_pattern; content:"&tq="; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/i"; http.user_agent; content:"chrome/9.0"; depth:10; classtype:command-and-control; sid:2013795; rev:11; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com)"; dns.query; dotprefix; content:".log4shell.huntress.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034820; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Blackbeard Downloader"; flow:established,to_server; http.uri; content:"/load"; content:"p="; content:"&t="; pcre:"/[\?&]p=\d&t=\d(&|$)/"; http.user_agent; content:"IE"; depth:2; endswith; fast_pattern; reference:md5,2f6f13eced7fce495168059530246d77; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018110; rev:7; metadata:created_at 2014_01_23, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (kryptoslogic-cve-2021-44228 .com)"; dns.query; dotprefix; content:".kryptoslogic-cve-2021-44228.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034821; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Ping"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/history/"; fast_pattern; depth:9; content:".asp"; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (ceye .io)"; dns.query; dotprefix; content:".ceye.io"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034822; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XPSecurityCenter FakeAV Checkin"; flow:to_server,established; http.uri; content:"/XPSecurityCenter/"; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:md5,1c5eb2ea27210cf19c6ab24b7cc104b9; classtype:command-and-control; sid:2018761; rev:5; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (oob .li)"; dns.query; dotprefix; content:".oob.li"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034823; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.DF Checkin"; flow:to_server,established; urilen:7; http.uri; content:"/ip.txt"; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:command-and-control; sid:2018762; rev:5; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (pwn .af)"; dns.query; dotprefix; content:".pwn.af"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034824; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; threshold: type limit, track by_dst, count 1, seconds 60; http.header; content:"http|3a|//www.grendel-scan.com"; nocase; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Grendel-Scan"; nocase; depth:37; fast_pattern; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; classtype:attempted-recon; sid:2009480; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (notburpcollaborator .net)"; dns.query; dotprefix; content:".notburpcollaborator.net"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034825; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; http.user_agent; content:"czxt2s"; nocase; depth:6; endswith; reference:url,doc.emergingthreats.net/2011174; classtype:web-application-attack; sid:2011174; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scannermcscanface-edgescan .com)"; dns.query; dotprefix; content:".scannermcscanface-edgescan.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034826; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; http.uri; content:"backupdata"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012286; rev:7; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (service .exfil .site)"; dns.query; dotprefix; content:".service.exfil.site"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034827; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; http.uri; content:"backup_data"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012287; rev:6; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scanworld .net)"; dns.query; dotprefix; content:".scanworld.net"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034828; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/";  reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:6; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Observed CVE-2021-44228 Security Scanner Domain (dns .cyberwar .nl)"; dns.query; dotprefix; content:".dns.cyberwar.nl"; nocase; endswith; reference:cve,2021-44228; classtype:policy-violation; sid:2034829; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; http.user_agent; content:"BOT/0.1 (BOT for JCE)"; depth:21; classtype:web-application-attack; sid:2016032; rev:5; metadata:created_at 2012_12_13, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (log .exposedbotnets .ru)"; dns.query; dotprefix; content:".log.exposedbotnets.ru"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034830; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Rivest)"; flow:established,to_server; http.user_agent; content:"Rivest"; depth:6; endswith; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:4; metadata:created_at 2015_01_13, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (canarytokens .com)"; dns.query; content:".l4j."; nocase; content:".canarytokens.com"; nocase; endswith; fast_pattern; reference:cve,2021-44228; classtype:domain-c2; sid:2034832; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; threshold: type both, count 1, seconds 60, track by_src; http.user_agent; content:"Bittorrent"; depth:10; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:4; metadata:created_at 2015_03_18, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WordPress HelloThinkCMF Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=fetch&content="; startswith; content:"die(@md5(HelloThinkCMF))"; fast_pattern; distance:0; http.header_names; content:!"Referer";  classtype:network-scan; sid:2034838; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_12_22, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"spShopId="; content:"&spShopPaymentId="; fast_pattern; distance:0; content:"&spCurrency="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"Java/1.5."; nocase; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:12; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"action=showPaymentForm&"; fast_pattern; content:"psAgreement="; distance:0; content:"&paymentSystemId="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.8.0_"; content:!"291"; within:3; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:35; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xoxofuck.cyou"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php="; fast_pattern; startswith; content:"SSL3."; distance:0; reference:url,threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/; classtype:command-and-control; sid:2034837; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_22, deployment Perimeter, former_category MALWARE, malware_family Andariel, signature_severity Major, updated_at 2021_12_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flathommy.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality.3 Checkin"; flow:established,to_server; http.uri; content:"/?f"; fast_pattern; endswith; http.header; content:!"broadcastify.com"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cache-Control|0d 0a|"; reference:md5,df9516919e75853742e63db318e7d346; classtype:command-and-control; sid:2020505; rev:6; metadata:created_at 2015_02_24, deprecation_reason Relevance, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"minishtab.cyou"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031023; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j Uncontrolled Recursion Lookup (CVE-2021-45105)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b 24 7b 3a 3a 2d 24 7b 3a 3a 2d 24 24 7b 3a 3a 2d|"; fast_pattern; content:"|7d 7d 7d 7d|"; distance:0; within:6; reference:cve,2021-45105; classtype:attempted-admin; sid:2034839; rev:1; metadata:created_at 2021_12_22, cve CVE_2021_45105, former_category EXPLOIT, updated_at 2021_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Fake UA CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 |"; depth:69; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020925; rev:5; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".2o2.lol"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; reference:md5,c5dcbd49126fff30970e849207d47c9d; classtype:credential-theft; sid:2034237; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ldrpeset.casa"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".strongencryption.org"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029833; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?"; content:"localip="; distance:0; content:"&macaddr="; distance:0; content:"&program="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; fast_pattern; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".comano.us"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029835; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?program="; content:"&q="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:trojan-activity; sid:2021101; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M5"; flow:established,to_server; http.request_line; content:"GET /pages/"; startswith; fast_pattern; content:"/"; distance:13; within:1; pcre:"/^[A-Za-z0-9+\/]{50,}={0,2} HTTP\//R"; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2031609; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_10, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"smalleryurta.club"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phishtrain.org"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029830; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda User-Agent"; flow:established,to_server; http.header; content:!"Host|3a 20|iecvlist.microsoft.com"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|29 |"; depth:158; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020380; rev:5; metadata:created_at 2015_02_06, updated_at 2020_10_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".microransom.us"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029836; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS Fake User-Agent"; flow:established,to_server; http.user_agent; content:"UserAgent|3a|Mozilla/5.0(Windows|20|"; depth:30; fast_pattern; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030361; rev:4; metadata:created_at 2016_06_03, former_category MALWARE, updated_at 2020_10_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phishing.guru"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029832; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; pcre:"/^\/[A-Za-z0-9-_]{30,}\/$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 |"; depth:46; endswith; http.request_body; content:"RECV"; depth:4; fast_pattern; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:command-and-control; sid:2019841; rev:5; metadata:created_at 2014_12_02, former_category MALWARE, updated_at 2020_10_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phish.farm"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029831; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious UA Mozilla / 4.0"; flow:to_server,established; http.host; content:!"captive.apple.com"; endswith; content:!".google.com"; endswith; http.user_agent; content:"Mozilla / 4.0"; nocase; bsize:13; classtype:trojan-activity; sid:2013964; rev:6; metadata:created_at 2011_11_23, updated_at 2020_10_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".password.land"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029829; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Xmaker)"; flow:to_server,established; http.user_agent; content:"Xmaker"; depth:6; reference:url,www.pcapanalysis.com/tag/trickster-google-drive-malware-trojan-pcap-file-download-traffic-sample/; classtype:trojan-activity; sid:2023746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M3"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|oops|2d|banner|2d|header|22 3e 3c|strong|3e|OOPS|21 20|YOU|20|CLICKED|20|ON|20|A|20|SIMULATED|20|PHISHING|20|TEST|2e 3c 2f|strong|3e 3c 2f|div|3e 0d 0a|"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031518; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; http.user_agent; content:"build"; depth:5; pcre:"/^build\d/"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M4"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|disclaimer|22 3e 0d 0a 3c|p|3e|Please|20|Note|3a 20|This|20|message|20|came|20|from|20|KnowBe4|2c 20|Inc|2e 20|"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031519; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; http.user_agent; content:"Jcomers Bot"; nocase; depth:11; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011285; rev:8; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M1"; flow:established,to_client; file.data; content:"/popcorn/logos/Popcorn+Training+Logo.png|22 20 2f 3e|"; fast_pattern; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031516; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Unknown)"; flow:to_server,established; http.user_agent; content:"Unknown"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; classtype:trojan-activity; sid:2007991; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M2"; flow:established,to_client; file.data; content:"|3c|meta|20|name|3d 22|IMPORTANT|22 20|content|3d 22|This|20|page|20|is|20|part|20|of|20|a|20|simulated|20|phishing|20|attack|20|initiated|20|by|20|KnowBe4"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031517; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Metafisher/Goldun User-Agent (z)"; flow:to_server,established; http.user_agent; content:"z"; depth:1; endswith; reference:url,doc.emergingthreats.net/2002874; classtype:trojan-activity; sid:2002874; rev:17; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Retrieving Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id=1"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,51fa8bf006d80f5e140d84df313c650f; reference:url,twitter.com/ShadowChasing1/status/1465549330744414215; classtype:trojan-activity; sid:2034840; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent outbound (bot)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"bot/"; depth:4; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES Moonlight Hack Domain in DNS Lookup"; dns.query; content:"moonsoft.eu3.biz"; nocase; bsize:16; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034841; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; http.user_agent; content:"Rescue/9.11"; depth:11; reference:url,doc.emergingthreats.net/2003645; classtype:trojan-activity; sid:2003645; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES Moonlight Hack Domain in DNS Lookup"; dns.query; content:"moonlight.uno"; nocase; bsize:13; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034842; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"PlayStation"; http.user_agent; content:"HTTPTEST"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Moonlight Hack Actvity (GET)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moonlight.uno"; bsize:13; fast_pattern; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034843; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, deployment SSLDecrypt, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Ms)"; flow:established,to_server; http.user_agent; content:"Ms"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; classtype:trojan-activity; sid:2003933; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.host; content:"content.dropboxapi.com"; bsize:22; http.header_names; content:"Authorization: Bearer 88THpJioM6QAAAAAAAAAAQKMa4g-5-qcnYv1lIQi3ue3U41FJvH_p23jQR_5c146"; fast_pattern; classtype:command-and-control; sid:2035120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; http.user_agent; content:"ExampleDL"; depth:9; reference:url,doc.emergingthreats.net/2004440; classtype:trojan-activity; sid:2004440; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats External IP Lookup Activity"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"api.ipstack.com"; http.uri; content:"?access_key=5b9ed178f9687b4a92d196168c0282ca="; fast_pattern; classtype:external-ip-check; sid:2035121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Dialer-967 User-Agent"; flow:to_server,established; http.user_agent; content:"del"; depth:3; endswith; nocase; reference:url,doc.emergingthreats.net/2006364; classtype:trojan-activity; sid:2006364; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup"; dns.query; dotprefix; content:".easyuploadservice.com"; nocase; endswith; classtype:domain-c2; sid:2035122; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MYURL)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MYURL"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup"; dns.query; dotprefix; content:".uggboots4sale.com"; nocase; endswith; classtype:domain-c2; sid:2035123; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; http.user_agent; content:"Windows Updates Manager|7c|"; depth:24; reference:url,doc.emergingthreats.net/2006387; classtype:trojan-activity; sid:2006387; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (showmypc.com)"; flow:established,to_client; tls.cert_subject; content:"showmypc.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?showmypc\.com(?!\.)/"; classtype:pup-activity; sid:2034846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (ld)"; flow:established,to_server; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/2006394; classtype:trojan-activity; sid:2006394; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected MuddyWater Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getTargetInfo?guid="; startswith; fast_pattern; content:"&status="; distance:0; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034845; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2021_12_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Mz)"; flow:established,to_server; http.user_agent; content:"Mz"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EUPUDS.A Requests for Boleto replacement"; flow:established,to_server; urilen:10; http.request_line; content:"POST /index.php HTTP/1."; fast_pattern; http.header_names; content:"Content-Type|0d 0a|"; content:"Content-Length|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Cache-Control|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; http.host; content:!"antia-client-log.puzzleplusgames.net"; bsize:36; reference:url,blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf; classtype:trojan-activity; sid:2018793; rev:7; metadata:created_at 2014_07_28, former_category MALWARE, updated_at 2021_12_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; http.user_agent; content:"Ismazo"; nocase; depth:6; reference:url,doc.emergingthreats.net/2007633; classtype:trojan-activity; sid:2007633; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/X-Files Stealer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.content_len; byte_test:0,>,90000,0,string,dec; http.request_body; content:"zipx="; startswith; fast_pattern; reference:md5,43379d3c3faf5d7e37df398de90ee58b; reference:url,twitter.com/h2jazi/status/1476292943027871755; reference:url,twitter.com/3xp0rtblog/status/1473323635469438978; classtype:trojan-activity; sid:2034848; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_30, deployment Perimeter, former_category MALWARE, malware_family X_Files, signature_severity Major, updated_at 2021_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; http.user_agent; content:"WINDOWS_LOADS"; depth:13; reference:url,doc.emergingthreats.net/2007699; classtype:trojan-activity; sid:2007699; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /googleapi HTTP/1.1"; fast_pattern; http.referer; content:"http|3a 2f 2f|code.google.com/"; bsize:23; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; reference:md5,f7ac5192404c8dea43fdeedf01d1d66e; reference:url,twitter.com/malwrhunterteam/status/1476211484103524366; classtype:trojan-activity; sid:2034849; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windoss NT"; depth:45; fast_pattern; reference:url,doc.emergingthreats.net/2007742; classtype:trojan-activity; sid:2007742; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Joomla RCE (CVE-2011-5148)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; content:"filename="; distance:0; pcre:"/\.(?:(php\d{0,}|phps|pht|phtm|phtml|shtml|htaccess|phar|inc))/Ri"; content:"base64_decode"; fast_pattern; distance:0; http.content_type; content:"image/gif"; distance:0; reference:url,www.exploit-db.com/exploits/18287; reference:cve,2011-5148; classtype:attempted-admin; sid:2034850; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Tear Application User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Tear Application"; depth:16; endswith; reference:url,doc.emergingthreats.net/2007770; classtype:trojan-activity; sid:2007770; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mod_simplefileuploadv1.3"; fast_pattern; reference:url,www.cvedetails.com/cve/CVE-2011-5148/; classtype:attempted-admin; sid:2034851; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; http.user_agent; content:"WinInet"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007837; classtype:trojan-activity; sid:2007837; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (s .id)"; dns.query; dotprefix; content:".s.id"; nocase; endswith; classtype:bad-unknown; sid:2034852; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Possible Trojan Downloader Shell"; flow:established,to_server; http.user_agent; content:"Shell"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007840; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2007840; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (s .id in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.id"; bsize:4; fast_pattern; classtype:misc-activity; sid:2034858; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_31, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kpang.com Related Trojan User-Agent (alertup)"; flow:established,to_server; http.user_agent; content:"alertup"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007849; classtype:trojan-activity; sid:2007849; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"h378576.atwebpages.com"; nocase; bsize:22; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; http.user_agent; content:"https"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2008019; classtype:trojan-activity; sid:2008019; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"i758769.atwebpages.com"; nocase; bsize:22; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (c \windows)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"c|3a 5c|"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"455686.c1.biz"; nocase; bsize:13; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Version 1.23)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Version|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j. leakix .net)"; dns.query; content:"log4j.leakix.net"; nocase; endswith; reference:cve,2021-44228; reference:url,twitter.com/VessOnSecurity/status/1473414886533304322; classtype:domain-c2; sid:2034831; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INSTALLER)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INSTALLER"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed JavaScript Event Listener with Clipboard Data"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<script>"; content:"addEventListener|28 27|copy|27|"; distance:0; content:"clipboardData|2e|setData|28 27|text|2f|plain|27|"; fast_pattern; distance:0; content:"sh"; distance:0; content:"|5c|n"; distance:0; content:"</script>"; distance:0; reference:url,www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked; classtype:web-application-activity; sid:2034860; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Informational, updated_at 2022_01_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IEMGR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IEMGR"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RDP Authentication Bypass Attempt"; flow:established,to_server; content:"|03 00 00 2f 2a|"; startswith; content:"Cookie: mstshash="; dsize:<60;  reference:url,pastebin.com/PSbQXJYL; classtype:attempted-admin; sid:2034857; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2022_01_04, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GOOGLE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"GOOGLE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:"?=1"; within:7; fast_pattern; pcre:"/^[678]\d{8}$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,c398b504f74500d6a1a47f72bb45bc83; classtype:command-and-control; sid:2034859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (RBR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"RBR"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; http.cookie; content:"HFS_SID_="; startswith; http.response_body; content:"Rar!|1a 07 01 00|"; startswith; content:"rundll3222.exe"; within:150; fast_pattern; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:trojan-activity; sid:2034856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Otwycal User-Agent (Downing)"; flow:to_server,established; http.user_agent; content:"Downing"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008159; classtype:trojan-activity; sid:2008159; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:".zip?="; within:7; fast_pattern; pcre:"/^(?:0|1[678]\d{8})$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,465dae978a41d566c7fabc9f5808487c; classtype:command-and-control; sid:2034871; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"MS Internet Explorer"; depth:20; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ELEFANTE/ElephantBeetle WebShell Access Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp"; content:"zc="; distance:0; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:web-application-attack; sid:2034861; rev:1; metadata:created_at 2022_01_10, former_category EXPLOIT, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (QQ)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|0d 0a|Q-UA|3a 20|"; http.user_agent; content:"QQ"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Command Tunneling M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|GET"; content:"|22|xp_cmdshell"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034862; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SERVER"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Command Tunneling M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|474554"; content:"78705f636d647368656c6c"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034863; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinProxy)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WinProxy"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Enumeration Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|GET"; content:"whoami"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:attempted-recon; sid:2034864; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"sickness"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Enumeration Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|474554"; content:"77686f616d69"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:attempted-recon; sid:2034865; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (up2dash updater)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"up2dash"; nocase; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Lateral Movement Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?kmd=|22|"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034866; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"NSIS_DOWNLOAD"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:pup-activity; sid:2008216; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|37 39 78|"; startswith; content:"|98 98 98|"; distance:1; within:3; content:"|98 98|"; distance:2; within:2; content:"|98 98 98 20 fc|"; distance:1; within:5; fast_pattern; reference:md5,465dae978a41d566c7fabc9f5808487c; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Low, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP my247eshop.com User-Agent"; flow:established,to_server; http.user_agent; content:"EShopee"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008243; classtype:pup-activity; sid:2008243; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/latest/"; startswith; fast_pattern; pcre:"/^(?:update|designs)$/R"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,447e3c337f206ff59a727223bddd13ad; reference:md5,2bac793cfaf071a37366d3331cc99518; reference:url,twitter.com/ShadowChasing1/status/1480493639545470976; classtype:trojan-activity; sid:2034875; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"IE"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Maldoc Activity"; flow:established,to_server; http.uri; content:"/nt.php/?dt="; startswith; content:"-EX-1&ct="; distance:0; fast_pattern; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:trojan-activity; sid:2033987; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Nimo Software HTTP"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:pup-activity; sid:2008257; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Related Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userlog.php?id="; fast_pattern; content:"&&user="; distance:0; content:"&&OsI="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,cc7ddf9ed230ad4e060dfd0f32389efb; reference:url,twitter.com/ShadowChasing1/status/1478259210110775297; classtype:command-and-control; sid:2034876; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm 1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WebForm"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Sidewinder CnC Domain in DNS Lookup (afcat .xyz)"; dns.query; content:"afcat.xyz"; nocase; bsize:9; reference:url,twitter.com/h2jazi/status/1479502335328112645; reference:md5,e7c7916f7bf0ddc511466ce106137e66; classtype:domain-c2; sid:2034877; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (opera)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"opera"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Donot Group CnC Domain in DNS Lookup (request .soundedge .live)"; dns.query; content:"request.soundedge.live"; nocase; bsize:22; reference:md5,209050f85af2786248bd4d7ec0f5a808; reference:url,twitter.com/h2jazi/status/1476946007741108249; reference:md5,7be9832a01b3004f02ff5bc0691d1700; classtype:domain-c2; sid:2034878; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (123)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"123"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Donot Group Checkin Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /access/fps_ips_cp_ifpcspf_ifis_p HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,209050f85af2786248bd4d7ec0f5a808; reference:md5,7be9832a01b3004f02ff5bc0691d1700; reference:url,twitter.com/h2jazi/status/1476946007741108249; classtype:command-and-control; sid:2034879; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (angel)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"angel"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".inject1byte.com"; nocase; endswith; reference:url,twitter.com/malwrhunterteam/status/1479767752885874688; classtype:trojan-activity; sid:2034880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Accessing)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Accessing"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".black-crystal.net"; nocase; endswith; reference:url,twitter.com/malwrhunterteam/status/1479767752885874688; classtype:trojan-activity; sid:2034881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ISMYIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ISMYIE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible cs2nginx Proxy Redirect"; flow:established,to_client; content:"302"; http_stat_code; content:"|0d 0a|Server|3a 20|Server|0d 0a|Referrer-Policy|3a 20|no-referrer|0d 0a|"; http_header; isdataat:!1,relative; fast_pattern; reference:url,github.com/threatexpress/cs2modrewrite/blob/d6516e153dfd2a19cc3fba6c26b948e2b0933708/cs2nginx.py; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/; classtype:bad-unknown; sid:2034874; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (svchost)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"svchost"; depth:7; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com (set) 2016-02-02"; flow:to_server,established; urilen:1; flowbits:set,ET.weebly.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:".weebly.com"; fast_pattern; content:!"www.weebly.com"; depth:14; content:!"runumoviw.weebly.com"; classtype:social-engineering; sid:2032365; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ReadFileURL"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|2e|zip|3b 20|filename="; distance:1; within:15; content:"|2e|zip"; distance:1; within:4; endswith; http.response_body; content:"PK|03 04|"; startswith; content:"|2e|exe"; within:150; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Significant, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Inet_read)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Inet_read"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible NOBELIUM CnC Traffic (Observed UA)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|6|2e|2|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|90|2e|0|2e|4430|2e|85|20|Safari|2f|537|2e|36"; bsize:101; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:bad-unknown; sid:2034870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS Agent)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS Agent"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; classtype:trojan-activity; sid:2008423; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Qianxin Netcom NGFW Command Injection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/directdata/direct/router"; http.request_body; content:"SSLVPN_Resource"; fast_pattern; content:"deleteImage"; content:"f8839p7rqtj"; reference:url,www.fatalerrors.org/a/national-hw-action-part-0-day-loopholes-reappear-in-2021.html; classtype:attempted-admin; sid:2034885; rev:1; metadata:created_at 2022_01_11, deployment Perimeter, former_category EXPLOIT, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS_DOWNLOAD"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0standavalue0 .xyz)"; dns.query; dotprefix; content:".0standavalue0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034886; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HTTP Downloader"; depth:15; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0storageatools0 .xyz)"; dns.query; dotprefix; content:".0storageatools0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034887; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HttpDownload)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HttpDownload"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0brandaeyes0 .xyz)"; dns.query; dotprefix; content:".0brandaeyes0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034888; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Download App)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Download App"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034674; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent (AutoDL\/1.0)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"AutoDL/1.0"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008458; classtype:trojan-activity; sid:2008458; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hacker)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"hacker"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034673; rev:3; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (NULL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"NULL"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034786; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieagent)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"ieagent"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http.uri; content:"/Api/"; startswith; http.request_body; content:"Data="; startswith; http.header_names; content:!"Referer"; content:"|0d 0a|Content-type|0d 0a|Content-length|0d 0a|"; fast_pattern; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:trojan-activity; sid:2034889; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT35, malware_family CharmingKitten, malware_family Phosphorus, signature_severity Major, updated_at 2022_01_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (antispyprogram)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"antispyprogram"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; classtype:trojan-activity; sid:2008495; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 Related Activity (FTP)"; flow:established,to_server; content:"VICTIM-PC__"; fast_pattern; content:"/screen/"; content:".jpg"; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:trojan-activity; sid:2034890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SUiCiDE"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jersydok .com)"; dns.query; dotprefix; content:".jersydok.com"; nocase; endswith; reference:url,medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489; classtype:domain-c2; sid:2034891; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"|5c|xa2|5c|xa2HttpClient"; depth:18; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zloader Related Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/processingSetRequest"; fast_pattern; content:"/?servername="; distance:3; http.user_agent; content:"powershell"; nocase; http.header_names; content:!"Referer"; reference:md5,06ca129910fd79de8bdc7a319949fb25; reference:url,medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489; classtype:trojan-activity; sid:2034892; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (C slash)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|5c|Citrix|5c|"; content:!"|5c|Panda S"; nocase; content:!"|5c|Mapinfo"; nocase; http.user_agent; content:"C|3a 5c|"; depth:3; fast_pattern; classtype:trojan-activity; sid:2008512; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2022-01-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"banks"; fast_pattern; http.request_body; content:"username="; content:"&pin="; distance:0; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"msIE"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Emotet HTML Template Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b|charset=UTF-8"; depth:24; file.data; content:"id|3d 22|uid|22 3e 3c 2f|h1|3e 3c|br|3e|"; content:"File|20 27|Preview Complaint Report in XLS|27 3c|br|3e|is|20|ready|20|for|20|open"; fast_pattern; content:"|22 3e|Preview XLS"; distance:0; content:"getElementById|28 27|uid|27 29 2e|innerHTML|20 3d 20 27|Name|3a 20 27|"; classtype:command-and-control; sid:2034882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"AVP200"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2022-01-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"banks"; fast_pattern; http.request_body; content:"username="; http.referer; content:"questions.html"; endswith; content:"&forgot_nextButton="; distance:0; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034895; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (winlogon)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"winlogon"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (ip .dnsexit .com)"; dns.query; content:"ip.dnsexit.com"; nocase; bsize:14; classtype:external-ip-check; sid:2034898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Internet HTTP"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO External IP Lookup HTTP Request (ip .dnsexit .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip.dnsexit.com"; bsize:14; fast_pattern; classtype:misc-activity; sid:2034899; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Downloader"; depth:10; pcre:"/^Downloader\d+\.\d/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008643; classtype:trojan-activity; sid:2008643; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.TJJ Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getcfg?id="; fast_pattern; pcre:"/^\d$/R"; http.user_agent; content:"Mozilla|2f|3|2e|0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,0751e43ec2a6ce78407b95b1d0326776; classtype:command-and-control; sid:2034900; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Compatible"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; classtype:trojan-activity; sid:2008657; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TellYouThePass Ransomware Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery.js?v="; startswith; fast_pattern; pcre:"/^[0-9]{2,8}$/R"; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a80$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,39a9b92a69a191db0a7e2bc1e78d55e4; reference:md5,c05f8b395c6356bf99aad9c84c13a867; reference:url,www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/; reference:md5,b99c4684f7eac1f2af37e6de609e936c; classtype:trojan-activity; sid:2034904; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"GetUrlSize"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; classtype:trojan-activity; sid:2008658; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES UnknownApps Game Cheat Service Checkin (auth .hwidspoof .me)"; dns.query; content:"auth.hwidspoof.me"; nocase; bsize:17; reference:md5,26c643629102e506561890596fb2dd5c; reference:md5,dc4b2c44289288d64fa757311515304f; classtype:misc-activity; sid:2034901; rev:1; metadata:created_at 2022_01_12, updated_at 2022_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"aguarovex-loader v"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; classtype:trojan-activity; sid:2008663; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES UnknownApps Game Cheat Service Checkin (auth .unknownp .one)"; dns.query; content:"auth.unknownp.one"; nocase; bsize:17; reference:md5,26c643629102e506561890596fb2dd5c; reference:md5,dc4b2c44289288d64fa757311515304f; classtype:misc-activity; sid:2034902; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WINS_HTTP_SEND"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; classtype:trojan-activity; sid:2008734; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2022-01-12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"adobe.php"; fast_pattern; endswith; http.referer; content:"callbackwsid"; reference:md5,b6fd669c9bb5e4e2469b00705f2bd678; classtype:credential-theft; sid:2034905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (checkonline)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"checkonline"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; classtype:trojan-activity; sid:2008749; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Unauthenticated File Upload Path Traversal (CVE-2021-20040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; content:"|2e 2f|"; distance:0; within:3; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20040; classtype:attempted-admin; sid:2034896; rev:1; metadata:attack_target Server, created_at 2022_01_12, cve CVE_2021_20040, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Kvadrlson|20|"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; classtype:trojan-activity; sid:2008756; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phish Landing Page 2022-01-12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"to access this"; nocase; content:"adobe.php"; fast_pattern; distance:0; content:"id|3d 22|password|22|"; distance:0; content:"id|3d 22|fon|22|"; distance:0; content:"value|3d 22|View|20|PDF|20|Document|22|"; distance:0; reference:md5,b6fd669c9bb5e4e2469b00705f2bd678; classtype:credential-theft; sid:2034906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Kangkio User-Agent (lsosss)"; flow:established,to_server; http.user_agent; content:"lsosss"; depth:6; endswith; reference:url,doc.emergingthreats.net/2008767; classtype:trojan-activity; sid:2008767; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; http.request_body; content:"bmName="; startswith; pcre:"/^[^&]{100,}/R"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20043; classtype:attempted-admin; sid:2034897; rev:1; metadata:created_at 2022_01_12, cve CVE_2021_20043, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (miip)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"miip"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; classtype:trojan-activity; sid:2008797; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownWare.V Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"av="; content:"&mac="; content:"&os="; distance:17; within:4; content:"&secret="; distance:0; fast_pattern; content:"&sid="; pcre:"/^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/R"; reference:md5,68b8cd6e7905578b21dd2ad02b33648c; classtype:pup-activity; sid:2034903; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozil1a)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Mozil1a"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; classtype:trojan-activity; sid:2008847; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kuwo Music Installer Log"; flow:established,to_server; http.request_line; content:"POST|20|/music.yl|20|"; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.request_body; pcre:"/(SU5TVEFMTF9JTkZP|lOU1RBTExfSU5GT|JTlNUQUxMX0lORk)/"; reference:md5,9387e26f309874d834d4bb699808654d; classtype:pup-activity; sid:2034907; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_01_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"min"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; classtype:trojan-activity; sid:2008912; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/RemoteUtilities Checkin via SMTP M2"; flow:established,to_server; content:"|0d 0a 0d 0a|UmVtb3RlIFV0aWxpdGllcy"; fast_pattern; pcre:"/(?:DQpTZXJ2ZXI6I|0KU2VydmVyOi|NClNlcnZlcjog)/R"; reference:md5,8574a1f23e4292f6d76857df1f70ff0e; classtype:pup-activity; sid:2034644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/1.0 (compatible|3b 20|MSIE 8.0|3b|"; depth:34; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; classtype:trojan-activity; sid:2008913; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup"; dns.query; content:"s22231232fdnsjds.top"; nocase; bsize:20; reference:url,cert-pl.translate.goog/posts/2021/12/aktywacja-aplikacji-iko/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=op; classtype:domain-c2; sid:2034910; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"xr"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; classtype:trojan-activity; sid:2008914; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Hao123.C Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|ufile01|22 3b 20|filename|3d 22|boundary|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a 2f 78 ec 05 67|"; fast_pattern; reference:md5,dd2a33d25cea02f25513940751a36649; classtype:pup-activity; sid:2034908; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Yandesk)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Yandesk"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; classtype:trojan-activity; sid:2008916; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (solo-hoy .com)"; dns.query; content:"solo-hoy.com"; nocase; bsize:12; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034917; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"sections"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; classtype:trojan-activity; sid:2008919; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mobile-analytics .netweb-cloud-services .com)"; dns.query; content:"mobile-analytics.netweb-cloud-services.com"; nocase; bsize:42; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034918; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HELLO)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HELLO"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; classtype:trojan-activity; sid:2008941; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (deportes24-7 .com)"; dns.query; content:"deportes24-7.com"; nocase; bsize:16; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034919; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IE/1.0"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain"; dns.query; content:"informados24h.com"; nocase; bsize:32; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034920; rev:2; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow:established,to_server; http.user_agent; content:"AV1"; depth:3; endswith; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:11; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain"; dns.query; content:"info-urbano.com"; nocase; bsize:15; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034921; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runUpdater.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runUpdater|2e|html"; depth:15; reference:url,doc.emergingthreats.net/2009355; classtype:trojan-activity; sid:2009355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Related CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|db f6 94 f6 9f f6 82 f6 f6 f6|"; fast_pattern; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 f6 f6|"; distance:3; within:3; endswith; reference:url,twitter.com/ShadowChasing1/status/1480853604609126403; reference:md5,1cdc2c0f6834b37da085c0deb9d3461a; classtype:targeted-activity; sid:2034909; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runPatch.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runPatch|2e|html"; depth:13; reference:url,doc.emergingthreats.net/2009356; classtype:trojan-activity; sid:2009356; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Additional Resources (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Profile.html"; bsize:13; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/; reference:md5,eb47824fe3b93f30e6805938814b9cca; classtype:trojan-activity; sid:2034911; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Poker)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Poker"; depth:5; endswith; nocase; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; classtype:trojan-activity; sid:2009534; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Metawallet Phish Landing Page 2022-01-13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.host; content:".xyz"; endswith; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"InHold"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2009544; classtype:trojan-activity; sid:2009544; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dns.alidns.com"; bsize:14; fast_pattern; classtype:misc-activity; sid:2034912; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INet)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INet"; depth:4; endswith; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Windows Defender POWERLIKS Detection Bypass"; flow:established,to_client; file.data; content:"|3c 21 5b|CDATA|5b 0a|var"; content:"|20 3d 20 22|6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E2"; fast_pattern; content:"str|20 2b 3d 20|String.fromCharCode|28|parseInt"; reference:url,exploit-db.com/exploits/50654; classtype:trojan-activity; sid:2034914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (STEROID Download)"; flow:established,to_server; http.user_agent; content:"STEROID Download"; nocase; depth:16; endswith; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; classtype:trojan-activity; sid:2009994; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FluBot Trojan Sending Information (POST)"; flow:established,to_server; http.request_line; content:"POST /p.php HTTP/1.1"; fast_pattern; http.user_agent; content:"Dalvik/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-z]{15}\.(?:ru|su|cn)$/"; reference:md5,a65d00f3688dc02e2544e02eb57a06c1; reference:url,www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond; classtype:trojan-activity; sid:2034913; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0(compatible|3b 20|TALWinHttpClient)"; depth:41; endswith; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010261; classtype:trojan-activity; sid:2010261; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic DarkX Phish 2022-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wells-darkx"; fast_pattern; reference:url,twitter.com/hyperdefined/status/1481635709261914113; classtype:credential-theft; sid:2034937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32.OnLineGames User-Agent (BigFoot)"; flow:to_server,established; http.user_agent; content:"BigFoot"; nocase; depth:7; reference:url,doc.emergingthreats.net/2010678; classtype:trojan-activity; sid:2010678; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SysJoker Retrieving CnC Information (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uc?id="; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"WinHttpClient"; bsize:13; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; http.host; content:"drive.google.com"; fast_pattern; bsize:16; reference:md5,53f1bb23f670d331c9041748e7e8e396; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034922; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Nine Ball User-Agent Detected (NQX315)"; flow:established,to_server; http.user_agent; content:"NQX315"; depth:6; endswith; reference:url,doc.emergingthreats.net/2011188; classtype:trojan-activity; sid:2011188; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Dropper Related Domain in DNS Lookup (github .url-mini .com)"; dns.query; content:"github.url-mini.com"; nocase; bsize:19; reference:md5,d71e1a6ee83221f1ac7ed870bc272f01; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034923; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Artro Downloader User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|wget 3.0|3b 20|rv|3a|5.0) Gecko/20100101 Firefox/5.0"; depth:73; fast_pattern; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:pup-activity; sid:2013184; rev:9; metadata:created_at 2011_07_04, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (bookitlab .tech)"; dns.query; content:"bookitlab.tech"; nocase; bsize:14; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034924; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GUIDTracker)"; flow:to_server,established; http.user_agent; content:"GUIDTracker"; depth:11; reference:url,threatexpert.com/report.aspx?md5=7a8807f4de0999dba66a8749b2366def; classtype:trojan-activity; sid:2013455; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (graphic-updater .com)"; dns.query; content:"graphic-updater.com"; nocase; bsize:19; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034925; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delphi Trojan Downloader User-Agent (JEDI-VCL)"; flow:established,to_server; http.host; content:!"apexwin.com"; http.user_agent; content:"JEDI-VCL"; depth:8; classtype:trojan-activity; sid:2013559; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (office360-update .com)"; dns.query; content:"office360-update.com"; nocase; bsize:20; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034926; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (windsoft)"; flow:established,to_server; http.user_agent; content:"WindSoft"; depth:8; endswith; classtype:trojan-activity; sid:2013561; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (winaudio-tools .com)"; dns.query; content:"winaudio-tools.com"; nocase; bsize:18; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034927; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (NOPE)"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369; reference:url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734; classtype:trojan-activity; sid:2013702; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-01-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"http|2d|equiv|3d|refresh"; content:"email="; distance:0; content:"&.rand=13InboxLight.aspx?n="; fast_pattern; distance:0; content:"&fid="; distance:0; content:"n="; distance:0; content:"&fid="; distance:0; content:"&fav="; distance:0;  reference:md5,43ac0c5346bf8aefc0068c30a34b7d39; classtype:credential-theft; sid:2034928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot)"; flow:to_server,established; http.user_agent; content:"Aldi Bot"; nocase; depth:8; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013747; rev:7; metadata:created_at 2011_09_23, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (dik .si in TLS SNI)"; flow:established,to_server; tls.sni; content:"dik.si"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2034932; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NateFinder)"; flow:to_server,established; http.user_agent; content:"NateFinder"; depth:10; classtype:trojan-activity; sid:2013881; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)"; dns.query; content:"wtools.io"; nocase; bsize:9; reference:md5,19c6520ed056e9dec48778a3e3d4203d; classtype:policy-violation; sid:2034938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (webfile)"; flow:to_server,established; http.user_agent; content:"webfile"; depth:7; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; classtype:trojan-activity; sid:2013883; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT Related Domain in DNS Lookup (gooeglle .mypressonline .com)"; dns.query; content:"gooeglle.mypressonline.com"; nocase; bsize:26; reference:md5,2de3ab14e582ed83da376345abfb81da; reference:url,twitter.com/ShadowChasing1/status/1482976392958865413; classtype:domain-c2; sid:2034933; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DARecover)"; flow:to_server,established; http.user_agent; content:"DARecover"; depth:9; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; classtype:trojan-activity; sid:2013884; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/restore"; http.request_body; content:"_token="; startswith; content:"&postback=1"; content:"&login=admin"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034929; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1-|20|"; depth:56; fast_pattern; reference:url,doc.emergingthreats.net/2010868; classtype:bad-unknown; sid:2010868; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/reset/1/"; http.request_body; content:"{"; startswith; content:"_token"; content:"postback"; content:"id"; content:"code"; content:"true"; content:"password"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034930; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer User-Agent (ROGUE)"; flow: to_server,established; http.user_agent; content:"ROGUE"; depth:5; reference:url,www.internet-optimizer.com; reference:url,doc.emergingthreats.net/2002405; classtype:pup-activity; sid:2002405; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus APT Related Domain in DNS Lookup (confusion-cerulean-samba .glitch .me)"; dns.query; content:"confusion-cerulean-samba.glitch.me"; nocase; bsize:34; reference:md5,92f5f40db8df7cbb1c7c332087619afa; reference:url,twitter.com/ShadowChasing1/status/1483011032612499460; classtype:domain-c2; sid:2034934; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User Agent (_)"; flow:to_server,established; http.user_agent; content:"_"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; classtype:trojan-activity; sid:2007942; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Sending System Information (POST)"; flow:established,to_server; http.request_line; content:"POST /proxy HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"NewFolderName="; startswith; pcre:"/\*\*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\*\*/R"; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034935; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manager/html"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NQT!tr CnC Activity"; flow:established,to_server; content:"|49 4d 49 4e 20|"; startswith; fast_pattern; content:"|40|"; distance:0; content:"|0a|"; endswith; reference:md5,07d0d60fbcf30f7ab7861ad9981a2eed; classtype:command-and-control; sid:2034931; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; http.user_agent; content:"Agent"; depth:5; pcre:"/^Agent\d{5,6}$/i"; http.host; content:!"cloud.10jqka.com.cn"; content:!".maxthon.com";  classtype:trojan-activity; sid:2013315; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /publish HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"token="; startswith; content:"&Category="; distance:0; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034939; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Related User-Agent (mez)"; flow: to_server,established; http.user_agent; content:"mez"; nocase; depth:3; endswith; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:pup-activity; sid:2000586; rev:35; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /bills HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|App-Logic|0d 0a|Authorization|0d 0a|Session|0d 0a|"; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034940; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP YourSiteBar User-Agent (istsvc)"; flow: to_server,established; http.user_agent; content:"istsvc"; nocase; depth:6; endswith; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:pup-activity; sid:2001699; rev:264; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (lm-career .com)"; dns.query; content:"lm-career.com"; nocase; bsize:13; reference:md5,3f326da2affb0f7f2a4c5c95ffc660cc; reference:url,twitter.com/h2jazi/status/1483521532433473536; classtype:domain-c2; sid:2034942; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; http.user_agent; content:"Bundle"; depth:6; reference:url,doc.emergingthreats.net/2001702; classtype:pup-activity; sid:2001702; rev:40; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (printerjobs .xyz)"; dns.query; dotprefix; content:".printerjobs.xyz"; nocase; endswith; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034943; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 404Search Spyware User-Agent (404search)"; flow:established,to_server; http.user_agent; content:"404search"; depth:9; reference:url,doc.emergingthreats.net/2001852; classtype:pup-activity; sid:2001852; rev:31; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (seasonsbackup .xyz)"; dns.query; dotprefix; content:".seasonsbackup.xyz"; nocase; endswith; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:url,github.com/eset/malware-ioc/tree/master/donot; classtype:domain-c2; sid:2034944; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; http.user_agent; content:"ESB"; depth:3; reference:url,doc.emergingthreats.net/2001853; classtype:pup-activity; sid:2001853; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dBrowser CallGetResponse)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"dBrowser"; startswith; content:"CallGetResponse:"; fast_pattern; distance:3; within:16; pcre:"/^dBrowser\x20\d\x20CallGetResponse\x3a\d$/V"; reference:md5,e09ad59bff10bd4b730ee643809ec9a7; classtype:trojan-activity; sid:2034948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZULA Spyware User Agent"; flow: established,to_server; http.user_agent; content:"ezula"; depth:5; nocase; reference:url,doc.emergingthreats.net/2001854; classtype:pup-activity; sid:2001854; rev:27; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (submitonline .club)"; dns.query; dotprefix; content:".submitonline.club"; nocase; endswith; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (Sidesearch)"; flow: established,to_server; http.user_agent; content:"Sidesearch"; depth:10; reference:url,doc.emergingthreats.net/2001869; classtype:pup-activity; sid:2001869; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (oceansurvey .club)"; dns.query; content:"oceansurvey.club"; nocase; bsize:16; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; http.user_agent; content:"TSA/"; depth:4; reference:url,doc.emergingthreats.net/2001871; classtype:pup-activity; sid:2001871; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Injector.VVP Downloader Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/wp\x2dcontent\/[a-z]{3}\/[0-9]{16}\.exe$/U"; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT|3b 20|Windows NT 6.1|3b 20|en-US|29 20|WindowsPowerShell/5.1.14409.1005"; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:md5,009934cd29110745347705ec4f877b6d; classtype:trojan-activity; sid:2034949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (EI)"; flow: to_server,established; http.user_agent; content:"EI"; depth:2; endswith; reference:url,doc.emergingthreats.net/2001996; classtype:pup-activity; sid:2001996; rev:18; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (s3r .io)"; dns.query; content:"s3r.io"; nocase; bsize:6; classtype:bad-unknown; sid:2034950; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware (Feat)"; flow: to_server,established; http.user_agent; content:"Feat"; nocase; depth:4; pcre:"/^Feat[^\r\n]+(?:Install|Updat)er/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:pup-activity; sid:2002160; rev:21; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (dataupdates .live)"; dns.query; content:"dataupdates.live"; nocase; bsize:16; reference:md5,43a909814aa5467cb45f8e59ed2fd3b0; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034951; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Spyware User-Agent (host)"; flow: to_server,established; http.header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; http.user_agent; content:"host"; nocase; depth:4; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:pup-activity; sid:2002164; rev:16; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Suspected Reverse Shell Connection"; flow:established,to_server; content:"Microsoft|20|Windows|20|"; content:"|5b|Version|20|"; distance:0; content:"|5d|"; content:"|20|Microsoft|20|Corp"; fast_pattern; content:"|43 3a 5c|"; content:"|3e|"; content:!"Host"; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:md5,039d8e77b65faae44d5e7e39d4cc9c59; classtype:trojan-activity; sid:2034945; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva User-Agent (TPSystem)"; flow: to_server,established; http.user_agent; content:"TPSystem"; nocase; depth:8; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:pup-activity; sid:2002395; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /api/market HTTP/1.1"; fast_pattern; http.cookie; content:"nyt-a="; startswith; pcre:"/^[A-Za-z0-9-_]{176}$/R"; reference:md5,31b8467ad176116d238afa2fa6bf6497; reference:url,twitter.com/h2jazi/status/1483504922003968003; classtype:trojan-activity; sid:2034941; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; http.user_agent; content:"Travel Update"; depth:13; endswith; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:pup-activity; sid:2002396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (kinopoisksu .com)"; dns.query; dotprefix; content:".kinopoisksu.com"; nocase; endswith; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034952; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family APT41, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus User-Agent (PTS)"; flow: to_server,established; http.user_agent; content:"PTS"; depth:3; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:pup-activity; sid:2002403; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (glbaitech .com)"; dns.query; dotprefix; content:".glbaitech.com"; nocase; endswith; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034953; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family APT41, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install)"; flow: to_server,established; http.uri; content:"/checkhttp.htm"; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:pup-activity; sid:2002840; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (m .necemarket .com)"; dns.query; content:"m.necemarket.com"; nocase; bsize:16; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034954; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; http.uri; content:"/ping/?shortname="; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:pup-activity; sid:2002841; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (holdmem .dbhubspi .com)"; dns.query; content:"holdmem.dbhubspi.com"; nocase; bsize:20; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034955; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; http.uri; content:"/checkin.php?"; nocase; content:"unq="; nocase; content:"version="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:pup-activity; sid:2003209; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Maldoc Related Domain in DNS Lookup (markettrendingcenter .com)"; dns.query; content:"markettrendingcenter.com"; nocase; bsize:24; reference:md5,a27a9324d282d920e495832933d486ee; reference:url,twitter.com/s1ckb017/status/1484451637653614592; classtype:domain-c2; sid:2034956; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family Lazarus, signature_severity Major, updated_at 2022_01_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Install"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"&pais="; nocase; content:"unq="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:pup-activity; sid:2003210; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - File Upload Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/agentLogUploader?"; distance:0; content:"filename="; nocase; distance:0; pcre:"/^[a-zA-Z0-9]+\.(?:zip|7z|gz)/Ri"; content:"branchofficeid="; nocase; http.cookie; content:"STATE_COOKIE="; reference:url,attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis; reference:cve,2021-44515; classtype:attempted-admin; sid:2034957; rev:2; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; http.user_agent; content:"Download Agent"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:pup-activity; sid:2003243; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; http.uri; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:1; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; http.user_agent; content:"YourScreen"; depth:10; reference:url,doc.emergingthreats.net/2003405; classtype:pup-activity; sid:2003405; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type="; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|22|mac|22 3a 22|"; content:"|22|pcname|22 3a 22|"; distance:14; within:10; reference:md5,4e24d219ba1790b93347110fd1bfcb6b; classtype:trojan-activity; sid:2034959; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; http.user_agent; content:"RX Bar"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003407; classtype:pup-activity; sid:2003407; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/helpdesk/assetReport"; nocase; startswith; fast_pattern; http.request_body; content:"select"; nocase; content:"password"; nocase; http.content_type; content:"text/plain"; reference:url,blog.assetnote.io/2022/01/23/solarwinds-webhelpdesk-hsql-eval-harcoded-creds/; reference:cve,2021-35232; classtype:attempted-admin; sid:2034971; rev:1; metadata:created_at 2022_01_25, cve CVE_2021_35232, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; http.user_agent; content:"Updater"; depth:7; endswith; reference:url,doc.emergingthreats.net/2003470; classtype:pup-activity; sid:2003470; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/irq"; startswith; fast_pattern; bsize:8; pcre:"/^\/\.x\/irq\d$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer"; classtype:trojan-activity; sid:2034685; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; http.user_agent; content:"ad-protect"; nocase; depth:10; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:pup-activity; sid:2003476; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.PSAttack Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/powershell_attack.txt"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,f9eb044f8b537aa5d9164b1784d618a2; classtype:trojan-activity; sid:2032793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; http.user_agent; content:"DInstaller"; nocase; depth:10; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:pup-activity; sid:2003477; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Chrome)"; flow:established,to_server; content:"User-Agent|3a 20|Chrome|0d 0a|"; http_header; fast_pattern; classtype:bad-unknown; sid:2027916; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; http.user_agent; content:"ERRORNUKER"; nocase; depth:10; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:pup-activity; sid:2003478; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spark Backdoor Related Domain in DNS Lookup (bundanesia .com)"; dns.query; dotprefix; content:".bundanesia.com"; nocase; endswith; reference:url,www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east; classtype:domain-c2; sid:2034963; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; http.user_agent; content:"MalwareWipe"; nocase; depth:11; endswith; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:pup-activity; sid:2003489; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/"; startswith; fast_pattern; bsize:7; content:"sh"; endswith; pcre:"/^\/\.x\/\dsh$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034683; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; http.user_agent; content:"Mirar_KeywordContent"; nocase; depth:20; endswith; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:pup-activity; sid:2003490; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx"; content:"id"; content:"|40|"; distance:0; content:"|2e 2e 2f|"; distance:0; content:"|2e|cshtml"; distance:0; fast_pattern; content:"bp"; content:"accountid"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; reference:cve,2021-22941; classtype:attempted-admin; sid:2034972; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ms)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"ms"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:pup-activity; sid:2003497; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/var/run/tty"; startswith; fast_pattern; pcre:"/^\/\.x\/var\/run\/tty\d$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer";  classtype:trojan-activity; sid:2034684; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; http.user_agent; content:"Sprout Game"; nocase; depth:11; endswith; reference:url,doc.emergingthreats.net/2003498; classtype:pup-activity; sid:2003498; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (portal .gfinanzen .net)"; dns.query; content:"portal.gfinanzen.net"; nocase; bsize:20; reference:md5,b371e1c2ca2e5718e151760bc4664366; reference:url,twitter.com/czy_1116/status/1485813878550597632; classtype:domain-c2; sid:2034964; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; http.user_agent; content:"SpyDawn"; nocase; depth:7; endswith; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:pup-activity; sid:2003499; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE AndroidOS/Basbanke.A Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /rdc?method="; fast_pattern; startswith; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,220ec1e3effb6f4a4a3acb6b3b3d2e90; reference:url,www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account; classtype:trojan-activity; sid:2034965; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_25, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; http.user_agent; content:"STBHOGet"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/2003500; classtype:pup-activity; sid:2003500; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup (wordkeyvpload .net)"; dns.query; content:"wordkeyvpload.net"; nocase; bsize:17; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; reference:md5,8e2f8c95b1919651fcac7293cb704c1c; classtype:domain-c2; sid:2034966; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; http.user_agent; content:"Alawar Toolbar"; nocase; depth:14; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:pup-activity; sid:2003506; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup"; dns.query; content:"wordkeyvpload.org"; nocase; bsize:17; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; classtype:domain-c2; sid:2034967; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; http.user_agent; content:"CommonName"; nocase; depth:10; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:pup-activity; sid:2003532; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup (jimbeam .live)"; dns.query; content:"jimbeam.live"; nocase; bsize:12; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; classtype:domain-c2; sid:2034968; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; http.user_agent; content:"WinFixMaster"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003544; classtype:pup-activity; sid:2003544; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/portals/office/log.php?Data="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; reference:url,twitter.com/ShadowChasing1/status/1485514043679199233; reference:md5,9521e4138fd0e6996072778cd4f1f06a; reference:md5,2ee3ae478e7d1f2f473b191b1be5e14f; classtype:trojan-activity; sid:2034969; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (DIALER)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"DIALER"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003566; classtype:pup-activity; sid:2003566; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; distance:0; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; http.user_agent; content:"iefeatsl"; nocase; depth:8; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:pup-activity; sid:2003570; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer Overflow (CVE-2021-20038)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f 04 3f 7f 3f 18 3f 7f 3f 18 3f 7f 3f 64 3f 06 08 3b|"; startswith; fast_pattern; content:"|3b 3f|"; distance:0; bsize:>200; http.header_names; content:!"Referer"; reference:url,psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026; reference:cve,2021-20038; classtype:attempted-admin; sid:2034970; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2022_01_25, cve CVE_2021_20038, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; http.user_agent; content:"MalwareWiped"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003582; classtype:pup-activity; sid:2003582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible vRealize Operations Manager API SSRF Attempt (CVE-2021-21975)"; flow:established,to_server; http.request_line; content:"POST /casa/nodes/thumbprints HTTP/1.1"; fast_pattern; http.request_body; content:"|5b|"; http.content_type; content:"application/json|3b|charset=UTF-8"; bsize:30; reference:cve,2021-21975; classtype:attempted-admin; sid:2034974; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21975, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (update)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"update"; depth:6; endswith; reference:url,doc.emergingthreats.net/2003583; classtype:pup-activity; sid:2003583; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DazzleSpy Related Domain in DNS Lookup"; dns.query; content:"fightforhk.com"; nocase; bsize:14; reference:url,www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/; classtype:trojan-activity; sid:2034975; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; http.user_agent; content:"EELoader"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003613; classtype:pup-activity; sid:2003613; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DazzleSpy Related Domain in DNS Lookup"; dns.query; content:"amnestyhk.org"; nocase; bsize:13; reference:url,www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/; classtype:trojan-activity; sid:2034976; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; http.user_agent; content:"KRSystem"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003625; classtype:pup-activity; sid:2003625; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 109"; flow:established,to_server; stream_size:server,<,5; dsize:<250; content:"|00 00 01 78 9c|"; offset:10; depth:5; fast_pattern; byte_jump:2,0,little,from_beginning, post_offset 3; isdataat:!2,relative; pcre:"/^(?<len>.{2})\xc0\xff(?P=len)\x00\x00.{2}\x00\x00\x01\x78\x9c/s"; reference:md5,edacdc76bb11e8db5c1a1b8917b5deb0; classtype:command-and-control; sid:2034977; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, malware_family Gh0st, performance_impact Moderate, signature_severity Major, updated_at 2022_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; http.user_agent; content:"ProxyDown"; nocase; depth:9; reference:url,doc.emergingthreats.net/2003639; classtype:pup-activity; sid:2003639; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%64%b8%06%08"; distance:0; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034984; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; http.user_agent; content:"91cast"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003640; classtype:pup-activity; sid:2003640; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%08%b7%06%08"; distance:0; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034985; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; http.user_agent; content:"GTBank"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003654; classtype:pup-activity; sid:2003654; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style Service (paste .ee) in TLS SNI"; flow:established,to_server; tls.sni; content:"paste.ee"; bsize:8; fast_pattern; classtype:policy-violation; sid:2034978; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; http.user_agent; content:"Internet 1."; nocase; depth:11; reference:url,doc.emergingthreats.net/2003655; classtype:pup-activity; sid:2003655; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Shared via Zoom"; flow:established,to_server; http.method; content:"GET"; http.host; content:"support.zoom.us"; bsize:15; fast_pattern; http.uri; content:"/attachments/token/"; startswith; content:"/?name="; distance:0; classtype:bad-unknown; sid:2034981; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2022_01_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; http.user_agent; content:"PWMI/"; nocase; depth:5; reference:url,doc.emergingthreats.net/2003926; classtype:pup-activity; sid:2003926; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Powershell Request for paste .ee Page"; flow:established,to_server; http.method; content:"GET"; http.host; content:"paste.ee"; fast_pattern; http.user_agent; content:") WindowsPowerShell/"; classtype:bad-unknown; sid:2034979; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; http.user_agent; content:"Mbar"; nocase; depth:4; endswith; reference:url,doc.emergingthreats.net/2003928; classtype:pup-activity; sid:2003928; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039"; flow:established,to_server; http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1"; fast_pattern; http.request_body; content:"delete"; nocase; content:"CERT"; nocase; distance:0; content:"n"; nocase; content:"perl"; nocase; distance:0; content:"base64"; nocase; within:30; reference:cve,2021-20039; classtype:attempted-admin; sid:2034986; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20039, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; http.user_agent; content:"Mirar_Toolbar"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003929; classtype:pup-activity; sid:2003929; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded"; flow:established,to_client; http.content_type; content:"text/plain"; startswith; http.response_body; content:"RUNPE"; nocase; content:"31,139,8,0,0,0,0,0,4,0,237,189,7,96"; within:50; fast_pattern; content:"82,101,109,111,116,101,83,105,103,110,101,100"; distance:0; reference:url,blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader; classtype:trojan-activity; sid:2034980; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; http.user_agent; content:"fetcher"; nocase; depth:7; endswith; reference:url,doc.emergingthreats.net/2005318; classtype:pup-activity; sid:2005318; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious File Sharing Domain in DNS Lookup (drive .cloudplus .one)"; dns.query; content:"drive.cloudplus.one"; nocase; bsize:19; reference:md5,934c7b7c31d84728f0086be9b80ee1e4; reference:url,twitter.com/ShadowChasing1/status/1486542725692284930; reference:url,twitter.com/malwrhunterteam/status/1483853345924255745; classtype:bad-unknown; sid:2034987; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; http.user_agent; content:"NavHelper"; nocase; depth:9; reference:url,doc.emergingthreats.net/2005321; classtype:pup-activity; sid:2005321; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GrandaMisha Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload?tags="; startswith; fast_pattern; content:"&pass="; distance:0; content:"&cookie="; distance:0; content:"&cc="; distance:0; content:"&hwid="; distance:0; content:"&ip="; distance:0; http.user_agent; content:"ureq/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|document|22 3b 20|filename="; content:"Content-Type|3a 20|application/x-ms-dos-executable"; reference:md5,256ad62aa30b6dfb7755627698d31156; reference:url,twitter.com/benkow_/status/1486700404482134021; classtype:trojan-activity; sid:2034988; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:pup-activity; sid:2006361; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"plugin_output_len="; pcre:"/^[0-9]{1,10}\x3b/R"; reference:cve,2021-25296; classtype:attempted-admin; sid:2034992; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; http.user_agent; content:"IBSBand-"; depth:8; reference:url,doc.emergingthreats.net/2006362; classtype:pup-activity; sid:2006362; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_27;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031026; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com (set)"; flow:to_server,established; urilen:1; flowbits:set,ET.moonfruit.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"moonfruit.com"; endswith; fast_pattern; content:!"www.moonfruit.com"; classtype:social-engineering; sid:2032096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031027; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (docusign .agency)"; dns.query; dotprefix; content:".docusign.agency"; nocase; endswith; reference:md5,993cecde0cd707f795e00181414d97bd; reference:url,twitter.com/ShadowChasing1/status/1486530954382348290; classtype:domain-c2; sid:2034991; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (yourblogcenter .com)"; dns.query; content:"yourblogcenter.com"; nocase; bsize:18; reference:md5,8df7777ac7315c5e256ce35ea36cc73f; reference:url,twitter.com/h2jazi/status/1486448926081302536; classtype:domain-c2; sid:2034989; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031029; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (allinfostudio .com)"; dns.query; content:"allinfostudio.com"; nocase; bsize:17; reference:md5,8df7777ac7315c5e256ce35ea36cc73f; reference:url,twitter.com/h2jazi/status/1486448926081302536; classtype:domain-c2; sid:2034990; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; http.user_agent; content:"atsu"; depth:4; endswith; reference:url,doc.emergingthreats.net/2006370; classtype:pup-activity; sid:2006370; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/principles/"; fast_pattern; content:".mp3"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,4c61eeb1745d24e2c4ee67c6e56af8f3; reference:url,twitter.com/500mk500/status/1486791607311548423; classtype:trojan-activity; sid:2035006; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (006)"; flow:established,to_server; http.user_agent; content:"00"; depth:2; pcre:"/00\d+$/";  reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:pup-activity; sid:2006388; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perfectly/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,74c22fd7a20072c8719cd7cfbc4abe84; reference:url,twitter.com/500mk500/status/1486791607311548423; classtype:trojan-activity; sid:2035007; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; http.user_agent; content:"WTRecover"; depth:9; reference:url,doc.emergingthreats.net/2006392; classtype:pup-activity; sid:2006392; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 1"; dns_query; content:"bigdata.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:trojan-activity; sid:2034994; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; http.user_agent; content:"WTInstaller"; depth:11; reference:url,doc.emergingthreats.net/2006393; classtype:pup-activity; sid:2006393; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 1"; flow:established,to_server; tls_sni; content:"bigdata.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034995; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; http.user_agent; content:"pint_agency"; depth:11; reference:url,doc.emergingthreats.net/2006413; classtype:pup-activity; sid:2006413; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 2"; dns_query; content:"api.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034996; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; http.user_agent; content:"anycleaner"; depth:10; reference:url,doc.emergingthreats.net/2006419; classtype:pup-activity; sid:2006419; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"api.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034997; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; http.user_agent; content:"DoctorVaccine"; depth:13; reference:url,doc.emergingthreats.net/2006421; classtype:pup-activity; sid:2006421; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 3"; dns_query; content:"my2022.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034998; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; http.user_agent; content:"WT_GET_COMM"; depth:11; reference:url,doc.emergingthreats.net/2006422; classtype:pup-activity; sid:2006422; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"my2022.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034999; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; http.user_agent; content:"doctorpro"; depth:9; reference:url,doc.emergingthreats.net/2006423; classtype:pup-activity; sid:2006423; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)"; flow:established,to_server; http.request_line; content:"POST|20|/api/schema|20|HTTP/1.1"; http.request_body; content:"ruleConfiguration"; nocase; content:"encryptor"; nocase; content:"|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n"; nocase; fast_pattern; content:"dataSourceName:"; nocase; content:"Object"; nocase; distance:0; within:60; reference:cve,2020-1947; classtype:attempted-admin; sid:2035008; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_1947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; http.user_agent; content:"Access down"; depth:11; endswith; reference:url,doc.emergingthreats.net/2006430; classtype:pup-activity; sid:2006430; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Struts RCE Attempt (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"="; pcre:"/^(%25|%)(%7b|{)(%28|\()(%23|#)/R"; content:"instancemanager"; nocase; fast_pattern; pcre:"/^(%3d|=)(%23|#)application(%5b|\[)(%22|")org(%2e|\.)apache(%2e|\.)tomcat(%2e|\.)instancemanager(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)(ognlstack|stack)(%3d|=)(%23|#)attr(%5b|\[)(%22|")com(%2e|\.)opensymphony(%2e|\.)xwork2(%2e|\.)util(%2e|\.)valuestack(%2e|\.)valuestack(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)/Rsi"; content:"bean"; distance:0; within:200; content:"java"; distance:0; within:400; content:"execute"; distance:0; pcre:"/^(%2e|\.)exec/Ri"; reference:cve,2020-17530; classtype:attempted-admin; sid:2035009; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_17530, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; http.user_agent; content:"CPUSH_"; depth:6; reference:url,doc.emergingthreats.net/2006553; classtype:pup-activity; sid:2006553; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Possible Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Attempt (CVE-2019-12643)"; flow:established,to_server; flowbits:set,ET.Cisco_ABypass; http.request_line; content:"GET /api/v1/auth/token-services/debug HTTP/1.1"; nocase; fast_pattern; http.accept; content:"application/json"; bsize:16; reference:cve,2019-12643; classtype:attempted-admin; sid:2035010; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; http.user_agent; content:"blahrx"; depth:6; reference:url,doc.emergingthreats.net/2006778; classtype:pup-activity; sid:2006778; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http [$HOME_NET,$HTTP_SERVERS] 55443 -> any any (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Successful Exploit (CVE-2019-12643)"; flow:established,from_server; flowbits:isset,ET.Cisco_ABypass; http.stat_code; content:"200"; file.data; content:"|5b 7b 22|last-access-time|22 3a|"; fast_pattern; content:"|22|token-id|22 3a 20 22|"; within:200; pcre:"/^[a-zA-Z0-9]{5,40}/R"; xbits:set,ET.Cisco_ABypass,track ip_pair,expire 60; reference:cve,2019-12643; classtype:successful-admin; sid:2035011; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; http.user_agent; content:"ZC-Bridgev"; depth:10; reference:url,doc.emergingthreats.net/2006780; classtype:pup-activity; sid:2006780; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)"; flow:established,to_server; xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60; http.method; content:"GET"; http.header_names; content:"X-auth-token"; nocase; reference:cve,2019-12643; classtype:successful-admin; sid:2035012; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; http.user_agent; content:"ZC XML-RPC"; depth:10; reference:url,doc.emergingthreats.net/2006781; classtype:pup-activity; sid:2006781; rev:42; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp any any -> any any (msg:"ET EXPLOIT Oracle WebLogic IIOP JNDI Injection (CVE-2020-14841)"; flow:established,to_server; content:"corbaloc|3a|iiop|3a|"; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]{7,200}/R"; content:"idl|3a|weblogic/corba/cos/naming/namingcontextany"; nocase; reference:cve,2020-14841; classtype:attempted-admin; sid:2035013; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_14841, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; http.user_agent; content:"szNotifyIdent"; depth:13; reference:url,doc.emergingthreats.net/2006782; classtype:pup-activity; sid:2006782; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp any any -> any any (msg:"ET EXPLOIT Sangoma Asterisk Originate AMI RCE (CVE-2019-18610) (PoC Based)"; content:"Action|3a 20|Originate"; nocase; distance:0; fast_pattern; content:"Data|3a|"; nocase; distance:0; content:"|20|/tmp/"; nocase; within:45; reference:cve,2019-18610; classtype:attempted-admin; sid:2035014; rev:2; metadata:created_at 2022_01_28, cve CVE_2019_18610, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; http.user_agent; content:"vikiller ctrl"; nocase; depth:13; reference:url,doc.emergingthreats.net/2007582; classtype:pup-activity; sid:2007582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET INFO Apache Spark RPC - CheckExistence Request (set)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_CE; flowbits:isnotset,ET.ApacheSpark_CE; flowbits:noalert; content:"endpoint-verifier"; fast_pattern; content:"CheckExistence"; distance:0; classtype:not-suspicious; sid:2035001; rev:2; metadata:attack_target Server, created_at 2022_01_28, deployment Internal, deployment Datacenter, former_category INFO, signature_severity Informational, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; http.user_agent; content:"B Register"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007597; classtype:pup-activity; sid:2007597; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET INFO Apache Spark RPC - Auth Request (set)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_AuthAttempted; flowbits:noalert; content:"sparkSaslUser|00 00 00 00|"; endswith; classtype:not-suspicious; sid:2035002; rev:2; metadata:attack_target Server, created_at 2022_01_28, deployment Internal, deployment Datacenter, former_category INFO, signature_severity Informational, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; http.user_agent; content:"updatesodui"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007598; classtype:pup-activity; sid:2007598; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Spark RPC - Unauthenticated RegisterApplication Request (CVE-2020-9480)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_UnauthRegisterApplication; flowbits:isnotset,ET.ApacheSpark_AuthAttempted; flowbits:isnotset,ET.ApacheSpark_CE; content:"org.apache.spark.deploy.DeployMessages$RegisterApplication"; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:attempted-admin; sid:2035003; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_01_28; target:dest_ip;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; http.user_agent; content:"aaaabbb"; nocase; depth:7; reference:url,doc.emergingthreats.net/2007599; classtype:pup-activity; sid:2007599; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp-pkt $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Apache Spark RPC - Unauthenticated RegisterApplication - Successfully Registered (CVE-2020-9480)"; flow:established,to_client; flowbits:isset,ET.ApacheSpark_UnauthRegisterApplication; content:"org.apache.spark.deploy.DeployMessages$RegisteredApplication"; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:successful-admin; sid:2035004; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; http.user_agent; content:"TryMedia_DM_"; nocase; depth:12; reference:url,doc.emergingthreats.net/2007600; classtype:pup-activity; sid:2007600; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Spark RPC - Unauthenticated RegisterApplication Request - RCE Attempt (CVE-2020-9480)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_UnauthRegisterApplication; flowbits:isnotset,ET.ApacheSpark_AuthAttempted; flowbits:isnotset,ET.ApacheSpark_CE; content:"org.apache.spark.deploy.DeployMessages$RegisterApplication"; content:"spark.driver.port="; distance:0; pcre:"/^\d+..(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))-XX:OnOutOfMemoryError=/R"; content:"-XX:OnOutOfMemoryError="; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:attempted-admin; sid:2035005; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; http.user_agent; content:"VirusProtectPro"; depth:15; reference:url,doc.emergingthreats.net/2007617; classtype:pup-activity; sid:2007617; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PowerShell Script Downloading Emotet DLL"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"image/png"; bsize:9; http.response_body; content:"|24|path"; startswith; content:".dll"; distance:0; within:200; pcre:"/\x24url[0-9]{1}\s=\s'(http|https):\/\/[^']*\x27\x3b/i"; content:"((Get-Item |24|path).Length -ge 30000)"; nocase; fast_pattern; reference:md5,c3cb504f97c7c7df9c25b0957dd60d9f; classtype:trojan-activity; sid:2035000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; http.user_agent; content:"viruscheck"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007643; classtype:pup-activity; sid:2007643; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-17418)"; flow:established,to_server; http.uri; content:"/admin/?"; content:"a=doSearchParameter"; fast_pattern; distance:0; content:"appno=0"; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,nvd.nist.gov/vuln/detail/CVE-2019-17418; reference:cve,2019-17418; classtype:attempted-admin; sid:2035018; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_17418, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; http.user_agent; content:"Ultimate Fixer"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007645; classtype:pup-activity; sid:2007645; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-16997)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/?"; content:"a=doExportPack"; fast_pattern; distance:0; http.request_body; content:"appno="; startswith; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,y4er.com/post/metinfo7-sql-tips/#sql-injection-2; reference:cve,2019-16997; classtype:attempted-admin; sid:2035019; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_16997, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (XXX)"; flow:established,to_server; http.user_agent; content:"XXX"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:pup-activity; sid:2007648; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY 3proxy Domain Domain in DNS Lookup (3proxy .ru)"; dns.query; content:"3proxy.ru"; nocase; bsize:9; classtype:policy-violation; sid:2035020; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; http.user_agent; content:"QdrBi Starter"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:pup-activity; sid:2007659; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY 3proxy Domain Domain in DNS Lookup (3proxy .org)"; dns.query; content:"3proxy.org"; nocase; bsize:10; classtype:policy-violation; sid:2035021; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Browser"; nocase; depth:26; endswith; reference:url,doc.emergingthreats.net/2007660; classtype:pup-activity; sid:2007660; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phish Landing Page 2022-01-31"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|Messages|20 7c 20|Linkedln|20 7c 20|Welcome|20|back|2e 2e 2e 3c 2f|title|3e|"; fast_pattern; nocase; reference:md5,05376d1db31ee300b1d567a91bcc22d5; classtype:credential-theft; sid:2035022; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (install_s)"; flow:established,to_server; http.user_agent; content:"install_"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:pup-activity; sid:2007666; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (yourls .org)"; dns.query; content:"yourls.org"; nocase; bsize:10; classtype:bad-unknown; sid:2035023; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (count)"; flow:established,to_server; http.user_agent; content:"count"; nocase; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:pup-activity; sid:2007667; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .LNK File Inside of Zip"; flow:established,from_server; file_data; content:"PK|03 04|"; startswith; content:".lnk"; nocase; fast_pattern; within:500; classtype:unknown; sid:2035026; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; http.user_agent; content:"BndDriveLoader"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007693; classtype:pup-activity; sid:2007693; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension ZIP File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".zip"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.zip$/"; classtype:unknown; sid:2035027; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; http.user_agent; content:"LmaokaazLdr"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007694; classtype:pup-activity; sid:2007694; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension VBS File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".vbs"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.vbs$/"; classtype:unknown; sid:2035028; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; http.user_agent; content:"ie"; depth:2; endswith; reference:url,doc.emergingthreats.net/2007827; classtype:pup-activity; sid:2007827; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension PIF File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".pif"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.pif$/"; classtype:unknown; sid:2035029; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; http.user_agent; content:"DrPCClean"; depth:9; reference:url,doc.emergingthreats.net/2007839; classtype:pup-activity; sid:2007839; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension EXE File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".exe"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.exe$/"; classtype:unknown; sid:2035030; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"microsoft"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:pup-activity; sid:2007859; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater Rat CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"example/1.0"; bsize:11; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"-----"; startswith; content:"name=|22|token|22|"; content:"name=|22|tid|22|"; distance:0; content:"name=|22|apiData|22|"; distance:0; reference:url,cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; classtype:trojan-activity; sid:2035031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Firefox"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:pup-activity; sid:2007868; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (example/1.0)"; flow:to_server,established; http.user_agent; content:"example/1.0"; bsize:11; startswith; reference:url,cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; classtype:bad-unknown; sid:2035032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; http.user_agent; content:"Vomba"; depth:5; reference:url,doc.emergingthreats.net/2007869; classtype:pup-activity; sid:2007869; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING lordspartner Phish Kit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lordspartner"; fast_pattern; reference:md5,712d4b9fe781b9ad6b24786b9d14389d; classtype:credential-theft; sid:2035033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; http.user_agent; content:"HTTP_GET_COMM"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007881; classtype:pup-activity; sid:2007881; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DAWN Comment in Phish Landing Page 2022-02-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2f 24 24 24 24 24 24 24 20 20 20 2f 24 24 24 24 24 24 20 5c 20 5f 24 24 20 20 20 20 5f 24 5f 20 20 20 5f 24 24 5f 5f 20 20 5f|"; content:"|7c 5f 5f 5f 5f 5f 5f 5f 2f 20 7c 5f 5f 2f 20 20 7c 5f 5f 2f 20 7c 5f 5f 2f 20 20 20 20 5c 5f 5f 7c 20 7c 5f 5f 2f 20 20 5c 5f 5f 2f|"; fast_pattern; distance:0; reference:md5,a6848434487ce42102712c14f9c05e36; classtype:credential-theft; sid:2035034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; http.user_agent; content:"SHINI"; depth:5; endswith; reference:url,doc.emergingthreats.net/2007882; classtype:pup-activity; sid:2007882; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Create DAG (CVE-2020-11978)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/experimental/dags/sample_trigger_target_dag/dag_runs"; fast_pattern; reference:cve,2020-11978; classtype:attempted-admin; sid:2035035; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_11978, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; http.user_agent; content:"VirusHeat"; depth:9; reference:url,doc.emergingthreats.net/2007883; classtype:pup-activity; sid:2007883; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Unpause (CVE-2020-11978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/experimental/dags/sample_trigger_target_dag/paused/false"; fast_pattern; reference:cve,2020-11978; classtype:attempted-admin; sid:2035036; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_11978, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Example)"; flow:to_server,established; http.user_agent; content:"Example"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:pup-activity; sid:2007884; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache Airflow Experimental API Authentication Bypass Attempt (CVE-2020-13927)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/experimental/test"; fast_pattern; reference:cve,2020-13927; classtype:attempted-admin; sid:2035037; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_13927, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Informational, updated_at 2022_02_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; http.user_agent; content:"auctionplusup"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007900; classtype:pup-activity; sid:2007900; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; classtype:command-and-control; sid:2035040; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; http.user_agent; content:"HTTPGETDATA"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007908; classtype:pup-activity; sid:2007908; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dot)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dot; http.method; content:"GET"; http.uri; content:".dot"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2035038; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTPFILEDOWN"; depth:12; endswith; reference:url,doc.emergingthreats.net/2007909; classtype:pup-activity; sid:2007909; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Variant.Zusy.402698 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?serial="; pcre:"/\.php\?serial=[a-z0-9]{16}/U"; http.user_agent; content:"Some USER-AGENT"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; reference:md5,8b9464c10764e08d5939d149dfa451b4; classtype:trojan-activity; sid:2035041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTP_FILEDOWN"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007910; classtype:pup-activity; sid:2007910; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related VBS Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/help_"; fast_pattern; pcre:"/^[0-3]{2}_[0-2]{2}\.php$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; reference:md5,2e70b2b0cf4e2d3ac2ed6d1ea967f18e; reference:url,www.trendmicro.com/en_us/research/20/d/gamaredon-apt-group-use-covid-19-lure-in-campaigns.html; classtype:trojan-activity; sid:2035039; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Moderate, signature_severity Major, updated_at 2022_02_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; http.user_agent; content:"UDonkey"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007927; classtype:pup-activity; sid:2007927; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.DSQR CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; pcre:"/^dBrowser\x20\d\x20CallGetResponse\x3a\d$/"; http.header_names; content:!"Referer"; http.request_body; content:"data|3d 7b 22|msg|22 3a 22|DataRecivied|2d 3e 7b 5c 22|message|5c 22 3a 5c 22|JSON.parse|5c|"; fast_pattern; startswith; reference:url,otx.alienvault.com/indicator/file/ded76741a5f551fac777d384b089db408565f666ddf33669d6b8eefd8f3d34c3; classtype:command-and-control; sid:2034936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; http.user_agent; content:"InvokeAd"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007928; classtype:pup-activity; sid:2007928; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Type: image/jpeg"; content:"AT&TFORM|00 00 03 AF|DJVMDIRM"; fast_pattern; distance:80; within:40; http.header_names; content:!"Referer"; reference:cve,CVE-2021-24563; reference:url,about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/; reference:cve,2021-24563; classtype:trojan-activity; sid:2034961; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2022_01_24, cve CVE_2021_24563, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet)"; flow:to_server,established; http.user_agent; content:"Internet"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:pup-activity; sid:2008013; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ClipBanker.OC CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/exp.php?usr="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0"; startswith; http.header_names; content:!"Referer"; reference:md5,40b3c1644d3bd1702fdde6eb08f961d2; classtype:trojan-activity; sid:2034982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; http.user_agent; content:"Ssol NetInstaller"; depth:17; reference:url,doc.emergingthreats.net/2008040; classtype:pup-activity; sid:2008040; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ClipBanker.OC CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\w$/Um"; http.user_agent; content:"MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400"; endswith; fast_pattern; http.content_len; content:"784"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; reference:md5,40b3c1644d3bd1702fdde6eb08f961d2; classtype:trojan-activity; sid:2034983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; http.user_agent; content:"WinTouch"; depth:8; reference:url,doc.emergingthreats.net/2008141; classtype:pup-activity; sid:2008141; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SManager Backdoor Domain in DNS Lookup"; dns.query; content:"aiwqi.aurobindos.com"; nocase; bsize:20; reference:url,twitter.com/TI_ESC/status/1489182130982825987; classtype:domain-c2; sid:2035091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SManager, malware_family PhantomNet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; http.user_agent; content:"Sidebar"; depth:7; reference:url,doc.emergingthreats.net/2008201; classtype:pup-activity; sid:2008201; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SManager Backdoor Domain in DNS Lookup"; dns.query; content:"fuji1.aurobindos.com"; nocase; bsize:20; reference:url,twitter.com/TI_ESC/status/1489182130982825987; classtype:domain-c2; sid:2035092; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_02_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SManager, malware_family PhantomNet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZenoSearch Spyware User-Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|["; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/i"; reference:url,doc.emergingthreats.net/2008279; classtype:pup-activity; sid:2008279; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Template Downloaded from DDNS Site"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dot"; endswith; http.host; content:".ddns.net"; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2035078; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; http.user_agent; content:"AsmUpdater"; depth:10; reference:url,doc.emergingthreats.net/2008294; classtype:pup-activity; sid:2008294; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|3a 2f 2f 3f 2f|collector|2f|"; fast_pattern; reference:cve,2020-8271; classtype:attempted-admin; sid:2035093; rev:1; metadata:attack_target Server, created_at 2022_02_03, cve CVE_2020_8271, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; http.user_agent; content:"Connector v"; depth:11; reference:url,doc.emergingthreats.net/2008372; classtype:pup-activity; sid:2008372; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DNS Lookup (upload-dropbox .com)"; dns.query; dotprefix; content:".upload-dropbox.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/; classtype:trojan-activity; sid:2024658; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family KHRAT, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; http.user_agent; content:"FavUpdate"; depth:9; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:pup-activity; sid:2008457; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacOS/UpdateAgent.A CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wrte?maid="; startswith; fast_pattern; pcre:"/^\/wrte\?maid=[A-Z0-9]{8}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{12}$/U"; http.user_agent; content:"curl"; startswith; http.header_names; content:!"Referer"; reference:md5,5dc4e1b8610aacc5941ccf68f823f366; reference:url,microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression; classtype:trojan-activity; sid:2035085; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (FTP)"; flow: to_server,established; http.user_agent; content:"Ftp"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:pup-activity; sid:2008735; rev:11; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacOS/UpdateAgent.A CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/service?uuid="; depth:20; fast_pattern; pcre:"/^\/[a-z0-9]{1,3}\/service\?uuid=[A-Z0-9]{8}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{12}$/U"; http.user_agent; content:"curl"; startswith; http.header_names; content:!"Referer"; reference:md5,5dc4e1b8610aacc5941ccf68f823f366; reference:url,microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression; classtype:trojan-activity; sid:2035086; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Matcash Trojan Related Spyware Code Download"; flow:established,to_server; http.user_agent; content:"Windows 5.1 (2600)|3b 20|DMCP"; depth:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:pup-activity; sid:2008759; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; http_content_type; content:"text/html"; http_content_len; byte_test:0,<=,999999,0,string,dec; byte_test:0,>,99999,0,string,dec; file_data; content:!"<html"; nocase; depth:1024; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035065; rev:1; metadata:created_at 2022_02_03, former_category MALWARE, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; http.user_agent; content:"Smileware"; depth:9; reference:url,doc.emergingthreats.net/2008892; classtype:pup-activity; sid:2008892; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Office Macro Emotet Download URI Nov 24 2021"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|3b 20|Windows|20|NT|20|6|2e|1|3b 20|en-US|29 20|WindowsPowerShell|2f|5.1.14409.1005"; fast_pattern; bsize:80; http.header; content:!"Referer"; http.connection; content:"Keep-Alive"; http.uri; pcre:"/^\/wp-includes\/[A-Za-z0-9]{10}\/$/U"; reference:md5,67ec9f81dd3970e3e5f66121a3502b5d; classtype:trojan-activity; sid:2035064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (FileDownloader)"; flow:to_server,established; http.user_agent; content:"FileDownloader"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:pup-activity; sid:2009027; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Gophish X-Server"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"|58 2d 53 65 72 76 65 72|"; http.header; content:"gophish"; fast_pattern; reference:md5,bf2162ca3c0cb9253af87d7a785a97a4; classtype:misc-activity; sid:2035087; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake AV User-Agent (N1)"; flow:to_server,established; http.user_agent; content:"N1"; depth:2; endswith; reference:url,doc.emergingthreats.net/2009157; classtype:pup-activity; sid:2009157; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (deangelomcnay .news)"; dns.query; content:"deangelomcnay.news"; nocase; bsize:18; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035079; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; http.user_agent; content:"Lobo Lunar"; depth:10; reference:url,doc.emergingthreats.net/2009222; classtype:pup-activity; sid:2009222; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (earlahenry .com)"; dns.query; content:"earlahenry.com"; nocase; bsize:14; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035080; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow:established,to_server; http.user_agent; content:"CTT"; depth:3; reference:url,doc.emergingthreats.net/2009236; classtype:pup-activity; sid:2009236; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (nicholasuhl .website)"; dns.query; content:"nicholasuhl.website"; nocase; bsize:19; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035081; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch Browser Optimizer"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?aff="; nocase; content:"&act="; nocase; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; nocase; depth:20; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:pup-activity; sid:2009524; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (cooperron .me)"; dns.query; content:"cooperron.me"; nocase; bsize:12; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035082; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Microgaming Install Program"; nocase; depth:27; endswith; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:pup-activity; sid:2009783; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (dorothymambrose .live)"; dns.query; content:"dorothymambrose.live"; nocase; bsize:20; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035083; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"ERRN200"; depth:7; reference:url,doc.emergingthreats.net/2009861; classtype:pup-activity; sid:2009861; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (juliansturgill .info)"; dns.query; content:"juliansturgill.info"; nocase; bsize:19; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035084; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"User Agent"; depth:10; reference:url,doc.emergingthreats.net/2009930; classtype:pup-activity; sid:2009930; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2022-02-03"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"intuit"; content:".php"; distance:0; http.request_body; content:"pin"; fast_pattern; nocase; content:"&email="; distance:0; nocase; content:"&tel="; distance:0; nocase; content:"&SignUp="; distance:0; nocase; reference:md5,c8f50422c90b53d2d1aa253661e5b3df; classtype:credential-theft; sid:2035088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; http.user_agent; content:"VaccineKiller"; depth:13; reference:url,doc.emergingthreats.net/2009993; classtype:pup-activity; sid:2009993; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M17 (set)"; flow:established,to_server; content:"|46 6f fb 85|"; startswith; fast_pattern; content:"|86 b8 83|"; distance:1; within:3; flowbits:set,ET.Parallax-17; flowbits:noalert; reference:md5,65a0ec476aaefcf6aeb328ac1641ed29; classtype:command-and-control; sid:2035066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (Sme32)"; flow: established, to_server; http.user_agent; content:"Sme32"; depth:5; endswith; reference:url,doc.emergingthreats.net/2010137; classtype:pup-activity; sid:2010137; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M17"; flow:established,to_client; content:"|46 6f fb 85 |"; startswith; fast_pattern; content:"|86 b8 83|"; distance:1; within:3; flowbits:isset,ET.Parallax-17; reference:md5,65a0ec476aaefcf6aeb328ac1641ed29; classtype:command-and-control; sid:2035067; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; http.user_agent; content:"SogouExplorerMiniSetup"; nocase; depth:22; reference:url,doc.emergingthreats.net/2010675; classtype:pup-activity; sid:2010675; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pin= in cleartext"; flow:established,to_server; http.request_body; content:"pin="; nocase; classtype:policy-violation; sid:2035089; rev:2; metadata:created_at 2022_02_03, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Fast Browser Search)"; flow:to_server,established; http.user_agent; content:"Fast Browser Search"; nocase; depth:19; reference:url,doc.emergingthreats.net/2010676; classtype:pup-activity; sid:2010676; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains otp= in cleartext"; flow:established,to_server; http.request_body; content:"otp="; nocase; classtype:policy-violation; sid:2035090; rev:2; metadata:created_at 2022_02_03, former_category POLICY, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; http.user_agent; content:"General Antivirus"; nocase; depth:17; reference:url,doc.emergingthreats.net/2010679; classtype:pup-activity; sid:2010679; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Subterranean Security Domain in DNS Lookup"; dns.query; content:"subterranean-security.pw"; nocase; bsize:24; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; reference:md5,10729e87fa72432fbc009a15314d670b; classtype:trojan-activity; sid:2035068; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; http.user_agent; content:"Update1.0"; depth:9; reference:url,doc.emergingthreats.net/2010680; classtype:pup-activity; sid:2010680; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - AssignID Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_assignID"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FaceCooker)"; flow:to_server,established; http.user_agent; content:"FaceCooker"; nocase; depth:10; reference:url,doc.emergingthreats.net/2010717; classtype:pup-activity; sid:2010717; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - FileManager List Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"FILEMANAGER_list"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Live Enterprise Suite)"; flow:to_server,established; http.user_agent; content:"Live Enterprise Suite"; nocase; depth:21; reference:url,doc.emergingthreats.net/2010727; classtype:pup-activity; sid:2010727; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - FileManager pwd Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"FILEMANAGER_pwd"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; http.user_agent; content:"InfoBox"; depth:7; reference:url,doc.emergingthreats.net/2010934; classtype:pup-activity; sid:2010934; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - GetClientLog Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_getClientLog"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (lineguide)"; flow:to_server,established; http.user_agent; content:"lineguide"; nocase; depth:9; reference:url,doc.emergingthreats.net/2011106; classtype:pup-activity; sid:2011106; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Subterranean Crimson Rat - Client Traffic"; flow:established,to_server; content:"crimson.universal.containers.Message"; nocase; fast_pattern; content:"java.lang.Object|3b|"; within:50; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Save)"; flow:to_server,established; http.user_agent; content:"Save"; depth:4; endswith; reference:url,poweredbysave.com; classtype:pup-activity; sid:2011120; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - GetInfo Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_getInfo"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; http.user_agent; content:"|5f|InTeRNeT"; depth:9; reference:url,doc.emergingthreats.net/2011127; classtype:pup-activity; sid:2011127; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET MALWARE W32.Geodo/Emotet Checkin Fake 404 Response"; flow:established,from_server; flowbits:isset,ETPRO.Emotet; http.stat_code; content:"404"; file.data; content:!"<html"; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Download Master"; depth:15; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:pup-activity; sid:2011146; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyNuke VNC Checkin M2"; flow:established,to_server; dsize:10; content:"AVE_MARIA|00|"; fast_pattern; reference:url,asec.ahnlab.com/en/27346/; classtype:trojan-activity; sid:2035094; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (webcount)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"webcount"; depth:8; reference:url,doc.emergingthreats.net/2011149; classtype:pup-activity; sid:2011149; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyNuke VNC Checkin M3"; flow:established,to_server; dsize:13; content:"LIGHT'S BOMB|00|"; fast_pattern; reference:url,asec.ahnlab.com/en/27346/; classtype:trojan-activity; sid:2035095; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou Toolbar Checkin"; flow:to_server,established; http.uri; content:"/seversion.txt"; http.user_agent; content:"SeFastSetup"; depth:11; reference:url,doc.emergingthreats.net/2011225; classtype:pup-activity; sid:2011226; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory="; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035106; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_27130, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0 |28|SP3 WINLD|29 |"; depth:23; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2011238; classtype:pup-activity; sid:2011238; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - athena (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/athena/"; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035105; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; http.user_agent; content:"Forthgoer"; depth:9; reference:url,doc.emergingthreats.net/2011247; classtype:pup-activity; sid:2011247; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator SQL Injection (CVE-2020-3984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portal/"; http.request_body; content:"softwareUpdate/getSoftwareUpdates"; fast_pattern; content:"|22|modulus|22 3a|"; content:"UNION SELECT"; nocase; distance:0; reference:cve,2020-3984; classtype:attempted-admin; sid:2035104; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_3984, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"XieHongWei"; depth:10; reference:url,doc.emergingthreats.net/2011248; classtype:pup-activity; sid:2011248; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Path Traversal (CVE-2020-4000)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"portal/rest/meta/"; fast_pattern; content:"?"; content:"|2e 2e 2f|"; reference:cve,2020-4000; classtype:attempted-admin; sid:2035103; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_4000, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CustomSpy)"; flow:to_server,established; http.user_agent; content:"|28|CustomSpy|29 |"; depth:11; endswith; reference:url,doc.emergingthreats.net/2011271; classtype:pup-activity; sid:2011271; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Authentication Bypass (CVE-2020-4001)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|login|2f|doResetPassword|2e|html"; http.request_body; content:"super|40|velocloud|2e|net"; fast_pattern; content:"|7b|CLEAR|7b|"; nocase; content:"logicalId"; nocase; reference:cve,2020-4001; classtype:attempted-admin; sid:2035102; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_4001, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; http.user_agent; content:"C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; depth:32; classtype:pup-activity; sid:2011334; rev:9; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.ADW CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?e="; offset:45; depth:12; content:"&k="; distance:0; http.user_agent; content:"Some USER-AGENT"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; reference:md5,89b7dd04a1f32b23a75c30a00523f7e8; classtype:pup-activity; sid:2035097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"http-get-demo"; depth:13; endswith; classtype:pup-activity; sid:2011392; rev:7; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Win32/Hancitor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum.php"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"DATA="; startswith; reference:md5,d90f5bb9e103ea6935e453a8bafe4a66; reference:url,twitter.com/james_inthe_box/status/1488521848467959810; classtype:trojan-activity; sid:2035096; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer 6.0"; depth:31; endswith; classtype:pup-activity; sid:2011393; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?company_id="; depth:25; fast_pattern; content:"&lua="; distance:0; http.user_agent; content:"Installed"; startswith; http.header_names; content:!"Referer"; reference:md5,f1c404760bfac3c952d0f10dfa21e659; classtype:trojan-activity; sid:2035098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; http.uri; content:"/registerSession.py?"; nocase; content:"proj="; nocase; content:"&country="; nocase; content:"&lang="; nocase; content:"&channel="; nocase; content:"source="; nocase; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=af0bbdf6097233e8688c5429aa97bbed; reference:url,doc.emergingthreats.net/2011677; classtype:pup-activity; sid:2011677; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pteranodon CnC Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/deep-"; depth:20; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; http.request_body; content:"username="; startswith; content:"&cart="; distance:0; content:"&deep-"; distance:0; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021; reference:md5,b5120dcc0f2682cb6fb2a4f68dcbbb0b; classtype:trojan-activity; sid:2035099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_Query)"; flow:to_server,established; http.user_agent; content:"HTTP_Query"; nocase; depth:10; endswith; reference:url,doc.emergingthreats.net/2011678; classtype:pup-activity; sid:2011678; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/newbm.pl"; nocase; fast_pattern; endswith; http.header_names; content:"|0d 0a|NSC_USER|0d 0a|"; nocase; content:"|0d 0a|NSC_NONCE|0d 0a|"; nocase; http.request_body; content:"template.new"; nocase; content:"url="; nocase; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2034279; rev:2; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2019_19781, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Gbot)"; flow:established,to_server; http.user_agent; content:"gbot"; depth:4; classtype:pup-activity; sid:2011872; rev:6; metadata:created_at 2010_10_29, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Landing Page 2022-02-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"action|3d 22 26|lt|3b|grabberurl|26|gt|3b 22|"; fast_pattern; content:"type|3d 22|password|22|"; distance:0; content:"|2f 2f 27 2f|signin|2f|apple|27 3b|"; distance:0; reference:md5,b9463c897aa313f4beba94da35e0c83a; classtype:credential-theft; sid:2035100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; http.user_agent; content:"Search Toolbar"; depth:14; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:pup-activity; sid:2013333; rev:7; metadata:created_at 2011_07_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phish 2022-02-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/<grabberurl>"; fast_pattern; http.request_body; content:"&pass="; reference:md5,b9463c897aa313f4beba94da35e0c83a; classtype:credential-theft; sid:2035101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SWInformer.B Checkin"; flow:to_server,established; http.uri; content:"log.php?"; http.user_agent; content:"FDMuiless"; depth:9; endswith; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:pup-activity; sid:2014004; rev:7; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?type=ping&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/R"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"Referer"; reference:md5,a56fea310f3cf5e724ee4a9990047b78; reference:url,twitter.com/3xp0rtblog/status/1489245446883069954; classtype:command-and-control; sid:2035107; rev:1; metadata:created_at 2022_02_05, former_category MALWARE, updated_at 2022_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; http.uri; content:"/inst.php?"; http.user_agent; content:"psi"; depth:3; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:pup-activity; sid:2014262; rev:7; metadata:created_at 2012_01_21, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?type=update&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; startswith; content:!"Referer"; reference:md5,a56fea310f3cf5e724ee4a9990047b78; reference:url,twitter.com/3xp0rtblog/status/1489245446883069954; classtype:command-and-control; sid:2035108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_05, deployment Perimeter, former_category MALWARE, malware_family Colibri, signature_severity Major, updated_at 2022_02_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; http.user_agent; content:"WmpHostInternetConnection"; depth:25; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:5; metadata:attack_target Server, created_at 2019_12_30, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Steal0r"; flow:established,to_server; http.uri; content:"info=Steam|20|Steal0r|20|"; fast_pattern; content:"&acc="; content:"&pw="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008360; classtype:trojan-activity; sid:2008360; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M4"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2035109; rev:2; metadata:attack_target Server, created_at 2022_02_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virusremover2008.com Checkin"; flow:to_server,established; http.method; content:"GET"; depth:3; nocase; http.uri; content:"?action="; nocase; content:"pc_id="; nocase; content:"abbr="; http.user_agent; content:"Statistican"; depth:11; reference:url,doc.emergingthreats.net/2008527; classtype:command-and-control; sid:2008527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpns/cfg/smb.con"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035110; rev:2; metadata:created_at 2022_02_05, cve CVE_2019_19781, updated_at 2022_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock User-Agent Detected"; flow:established,to_server; http.user_agent; content:"xSock Config"; depth:12; nocase; reference:url,doc.emergingthreats.net/2007609; classtype:trojan-activity; sid:2007609; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> any any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt - Server Response (CVE-2019-19781)"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Via|3a 20|NS-CACHE-"; http.response_body; content:"|5b|global|5d|"; startswith; content:"encrypt passwords"; distance:0; fast_pattern; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035111; rev:2; metadata:attack_target Server, created_at 2022_02_05, cve CVE_2019_19781, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.pt User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Machaon"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007663; classtype:trojan-activity; sid:2007663; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (geoiplookup .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"geoiplookup.io"; bsize:14; fast_pattern; classtype:misc-activity; sid:2035114; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/9.28 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009474; classtype:trojan-activity; sid:2009474; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus APT Related Domain (designautocad .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"designautocad.org"; bsize:17; fast_pattern; reference:url,twitter.com/s1ckb017/status/1489591023030448129; reference:md5,16b9ced590e449446f12c733f3e0b808; classtype:domain-c2; sid:2035115; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/8.81 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009525; classtype:trojan-activity; sid:2009525; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (designautocad .org)"; dns.query; content:"designautocad.org"; nocase; bsize:17; reference:md5,16b9ced590e449446f12c733f3e0b808; reference:url,twitter.com/s1ckb017/status/1489591023030448129; classtype:domain-c2; sid:2035116; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; http.user_agent; content:"YOK Agent"; depth:9; endswith; reference:url,doc.emergingthreats.net/2008752; classtype:pup-activity; sid:2008752; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Standard Bank Login Phish 2022-02-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Sign in</title>"; content:"id|3d 22|sign|20|in|22 20|name|3d 22|Sign|20|in|20|with|20|your|20|Standard|20|Bank|20|ID|22|"; distance:0; content:"|3c|div|20|class|3d 22|ping|2d|header|22 3e|Sign|20|in|20|with|20|your|20|Standard|20|Bank|20|ID|3c 2f|div|3e|"; distance:0; content:"Don|27|t|20|have|20|a|20|Standard|20|Bank|20|ID|3f 20 3c|a|20|onclick|3d 22|login|2e|postRegistration|28 29 22 3e|Register|20|here|3c 2f|a|3e 3c 2f|div|3e|"; fast_pattern; distance:0; reference:md5,444401e72463904c6ccd11654e7cc789; classtype:credential-theft; sid:2035124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"curl"; nocase; startswith; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pteranodon CnC Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer"; http.request_body; content:"username="; startswith; content:"_"; within:255; content:"&cart=FV&"; fast_pattern; distance:0; content:"-"; within:12; content:"="; within:12; pcre:"/^\d+$/R"; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021; reference:md5,b5120dcc0f2682cb6fb2a4f68dcbbb0b; classtype:trojan-activity; sid:2035119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus Dropper Infection - /loads.php"; flow:established,to_server; http.uri; content:"/loads.php"; content:"?r="; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; http.host; content:"knocker"; startswith; reference:url,doc.emergingthreats.net/2009213; classtype:trojan-activity; sid:2009213; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed CloudFlare Interstitial Phishing Page"; flow:established,from_server; http.header; content:"|0d 0a|cf-request-id|3a 20|"; file_data; content:"<title>Suspected phishing site|20 7c 20|Cloudflare</title>"; fast_pattern; reference:url,blog.cloudflare.com/protecting-cloudflare-sites-from-phishing; classtype:bad-unknown; sid:2032321; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2022_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; http.user_agent; content:"VIP20"; depth:5; nocase; reference:url,doc.emergingthreats.net/2008156; classtype:trojan-activity; sid:2008156; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[A-Za-z0-9]{30}\.php$/U"; http.header_names; content:!"Referer"; http.request_body; content:"aW50ZXJuYWwgY2xhc3M"; startswith; fast_pattern; content:"IHs"; distance:0; within:20; content:"cHVibGljIHN0cmluZw"; within:20; classtype:trojan-activity; sid:2035112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSIE 5.5"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007833; classtype:trojan-activity; sid:2007833; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Payload Downloaded"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"import base64|0a|from datetime import date"; startswith; fast_pattern; content:"timestamp = date.today|28 29 2e|strftime|28 22 25|m|25|d|25|Y|22 29|"; distance:0; content:"base64.b64encode(bytes(timestamp"; distance:0; content:"print|28 22|http"; content:"|2f 25 73 25 73 22 20 25 20 28 22 52 22 2c 20 75 72 69 29 29|"; distance:0; classtype:trojan-activity; sid:2035113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; http.user_agent; content:"get-minimal"; depth:11; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (sdilok .com)"; dns.query; content:"sdilok.com"; nocase; bsize:10; reference:url,news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/; classtype:domain-c2; sid:2035127; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; http.uri; content:"/install/banner/"; nocase; pcre:"/\d/\d+.jpg/i"; http.user_agent; content:"NSISDL"; nocase; depth:6; http.host; content:"www.winpcap.org"; startswith; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Viptela vManage Directory Traversal (CVE-2020-27128)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dataservice/statistics/download/dr/filelist"; fast_pattern; http.request_body; content:"|2f 2e 2e 2f|"; reference:cve,2020-27128; classtype:web-application-attack; sid:2035136; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_27128, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; http.user_agent; content:"WinFix Master"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003545; classtype:pup-activity; sid:2003545; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco SD-WAN vManage Software Directory Traversal (CVE-2020-26073)"; flow:established,to_server; http.request_line; content:"GET /dataservice/disasterrecovery/download/token/"; startswith; fast_pattern; pcre:"/^(%2E%2E%2F|\.\.\/)/Ri"; reference:cve,2020-26073; classtype:web-application-attack; sid:2035137; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_26073, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Related msndown"; flow:established,to_server; http.user_agent; content:"msndown"; depth:7; endswith; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; classtype:trojan-activity; sid:2012221; rev:5; metadata:created_at 2011_01_22, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Server OWA GetWacUrl Information Disclosure Attempt (CVE-2020-17143)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/service.svc"; fast_pattern; http.header; content:"Action|3a 20|GetWacIframeUrlForOneDrive"; nocase; content:"|22|EndPointUrl|22 3a 22|"; nocase; reference:cve,2020-17143; classtype:web-application-attack; sid:2035138; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_17143, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; http.header; content:"|0d 0a|Host|3a 20|idisk.mac.com|0d 0a|"; nocase; http.user_agent; content:"DotMacKit-like, File-Sync-Direct"; depth:32; nocase; classtype:policy-violation; sid:2012331; rev:6; metadata:created_at 2011_02_21, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (world .healthamericacu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"world.healthamericacu.com"; bsize:25; fast_pattern; reference:md5,314a879c4cae8ae7c08d5fc207a5a22d; classtype:domain-c2; sid:2035128; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; http.user_agent; content:"w3af.sourceforge.net"; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (world .healthamericacu .com)"; dns.query; content:"world.healthamericacu.com"; nocase; bsize:25; reference:md5,314a879c4cae8ae7c08d5fc207a5a22d; classtype:domain-c2; sid:2035129; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Hostname"; dns.query; bsize:>30; content:"61643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}6164(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){5,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)"; dns.query; content:"transfer.sh"; nocase; bsize:11; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035139; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Number of Queries"; dns.query; bsize:>30; content:"63643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6364(?:3[0-9]){4}\d{1,3}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)"; dns.query; content:"sendspace.com"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035140; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Initial Hello Beacon"; dns.query; bsize:>30; content:"64643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6464(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in DNS Lookup)"; dns.query; content:"anonfiles.com,"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035141; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Finished Sending Results"; dns.query; bsize:>30; content:"66643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6664(?:3[0-9]){4}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in DNS Lookup)"; dns.query; content:"send.exploit.in"; nocase; bsize:15; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035142; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Getting CnC Data"; dns.query; bsize:>30; content:"68643"; offset:5; depth:5; content:"31303"; distance:7; within:5; content:"|2e|"; distance:1; within:1; pcre:"/^[a-zA-Z0-9]{5}6864(?:3[0-9]){4}31303[0-9]\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in DNS Lookup)"; dns.query; content:"fex.net"; nocase; bsize:7; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035143; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Command Results"; dns.query; bsize:>30; content:"72643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}7264(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){10,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028671; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in DNS Lookup)"; dns.query; content:"privatlab.net"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035144; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User Agent WebUpdate"; flow:established,to_server; http.user_agent; content:"WebUpdate"; bsize:9; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:5; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)"; flow:established,to_server; tls.sni; content:"transfer.sh"; bsize:11; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035145; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; http.user_agent; content:"Ares"; startswith; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sendspace.com"; bsize:13; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035146; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GMServer/GMServlet"; nocase; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"anonfiles.com,"; bsize:14; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035147; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Request Command Beacon"; dns.query; bsize:>30; content:"71643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}7164(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028674; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"send.exploit.in"; bsize:15; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035148; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; http.user_agent; content:"MxAgent"; nocase; depth:7; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"fex.net"; bsize:7; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035149; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent (securityinternet)"; flow:established,to_server; http.user_agent; content:"securityinternet"; depth:16; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.net"; bsize:13; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035150; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (Winlogon)"; flow:established,to_server; http.user_agent; content:"Winlogon"; depth:8; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?provider="; fast_pattern; http.cookie; content:"wordpress_"; startswith; http.user_agent; content:"Windows|20|NT|20|7.1|3b 20|"; http.header_names; content:!"Referer"; reference:md5,b4c716f08907cd4e848bb9ab541dc449; classtype:trojan-activity; sid:2035130; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; http.user_agent; content:"internetsecurity"; depth:16; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader Related Domain (lkjhgfgsdshja .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lkjhgfgsdshja.com"; bsize:17; fast_pattern; reference:url,research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/; classtype:domain-c2; sid:2035133; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, signature_severity Major, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; http.user_agent; content:"SexTrackerWSI"; depth:13; nocase; reference:url,doc.emergingthreats.net/2003627; classtype:pup-activity; sid:2003627; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applied Privacy DNS over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=doh.applied-privacy.net"; bsize:26; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=R3"; bsize:28; classtype:misc-activity; sid:2035125; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (???)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|???"; http.user_agent; content:!"|20|Sparkle|2f|"; reference:url,doc.emergingthreats.net/2010595; classtype:pup-activity; sid:2010595; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.censurfridns.dk"; bsize:26; fast_pattern; classtype:misc-activity; sid:2035126; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; http.user_agent; content:"Azureus"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; classtype:policy-violation; sid:2007799; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc Domain in DNS Lookup (travelcrimea .info)"; dns.query; dotprefix; content:".travelcrimea.info"; nocase; endswith; reference:md5,126110a4b240f1fedba2ff8d3d8e2ebe; reference:url,twitter.com/h2jazi/status/1490829405106569217; classtype:domain-c2; sid:2035134; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; http.user_agent; content:"BTSP/"; depth:5; reference:url,doc.emergingthreats.net/2011713; classtype:policy-violation; sid:2011713; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapptech .com)"; dns.query; content:"shopapptech.com"; nocase; bsize:15; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035158; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; http.user_agent; content:"BitComet/"; depth:9; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (shopapptech .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopapptech.com"; bsize:15; fast_pattern; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035159; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; http.user_agent; content:"BitTornado/"; depth:11; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; classtype:policy-violation; sid:2011702; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (shopapppro .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopapppro.com"; bsize:14; fast_pattern; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035160; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; http.user_agent; content:"Bittorrent"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; classtype:trojan-activity; sid:2006372; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapppro .com)"; dns.query; content:"shopapppro.com"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035161; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; http.user_agent; content:"KTorrent/3"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; classtype:policy-violation; sid:2011700; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (www .datacentre .center)"; dns.query; content:"www.datacentre.center"; nocase; bsize:21; reference:md5,26cb5fdcbdfccfa05399709d7dc12319; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035162; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; http.user_agent; content:"ktorrent/2"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; classtype:policy-violation; sid:2011711; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc Domain (travelcrimea .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"travelcrimea.info"; bsize:20; fast_pattern; reference:md5,126110a4b240f1fedba2ff8d3d8e2ebe; reference:url,twitter.com/h2jazi/status/1490829405106569217; classtype:domain-c2; sid:2035135; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Client User-Agent (Shareaza 2.x)"; flow:to_server,established; http.user_agent; content:"Shareaza 2."; depth:11; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; classtype:policy-violation; sid:2011707; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (datacentre .center in TLS SNI)"; flow:established,to_server; tls.sni; content:"datacentre.center"; bsize:17; fast_pattern; reference:md5,26cb5fdcbdfccfa05399709d7dc12319; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035163; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; http.user_agent; content:"DAV.pm/v"; depth:8; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"http://surname192.temp.swtest.ru"; nocase; bsize:32; reference:url,twitter.com/IntezerLabs/status/1491033616519876617; classtype:command-and-control; sid:2035172; rev:1; metadata:created_at 2022_02_09, former_category MALWARE, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; http.user_agent; content:"Grabber"; depth:7; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; classtype:attempted-recon; sid:2009483; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused Github-like Site (codeberg .org in DNS Lookup)"; dns.query; content:"codeberg.org"; nocase; bsize:12; classtype:misc-activity; sid:2035173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Mini MySqlatOr SQL Injection Scanner"; flow:to_server,established; http.user_agent; content:"prog.CustomCrawler"; depth:18; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; classtype:attempted-recon; sid:2008729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE sLoad Related CnC Domain in DNS Lookup (angedionisu .eu)"; dns.query; content:"angedionisu.eu"; nocase; bsize:14; reference:url,twitter.com/JAMESWT_MHT/status/1491058829903429640; reference:md5,73284816cf3182f446536c380f805b1f; classtype:domain-c2; sid:2035164; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; http.user_agent; content:"SQL Power Injector"; depth:18; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.censurfridns.nu"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035151; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; http.user_agent; content:"webcollage/"; depth:11; nocase; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.uncensoreddns.dk"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035152; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; http.user_agent; content:"revolt"; depth:6; reference:url,www.Whitehatsecurityresponse.blogspot.com; reference:url,doc.emergingthreats.net/2009288; classtype:web-application-attack; sid:2009288; rev:59; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.uncensoreddns.org"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035153; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; http.user_agent; content:"BearShare"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; classtype:trojan-activity; sid:2006371; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN="; startswith; content:".anycast.censurfridns.dk"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035154; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; http.user_agent; content:"DataCha0s"; nocase; depth:9; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; classtype:web-application-activity; sid:2003616; rev:41; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN="; startswith; content:".anycast.censurfridns.nu"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035155; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; http.user_agent; content:"ScrapeBox"; depth:9; classtype:trojan-activity; sid:2011282; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>150; content:"_2B"; content:"_2B"; fast_pattern; distance:0; content:!"&"; content:!"?"; content:!"="; content:!"/tr/v1/"; startswith; http.host; dotprefix; content:!".surveymonkey.com"; endswith; http.host; dotprefix; content:!".cisco.com"; endswith; content:!".trendmicro.com"; endswith; http.connection; content:"Keep-Alive"; http.header_names; http.user_agent; content:!"TMUFE"; bsize:5; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033203; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Moderate, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"4.75 [en] (Windows NT 5.0"; http.protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Keweon Center DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=dns.keweon.center"; fast_pattern; bsize:20; threshold:type both, count 1, seconds 600, track by_src; reference:url,serverinfo.keweon.center/; classtype:misc-activity; sid:2035156; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"REKOM"; nocase; depth:5; classtype:trojan-activity; sid:2012295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_06, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Keweon Center DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=doh.asecdns.com"; fast_pattern; bsize:18; threshold:type both, count 1, seconds 600, track by_src; reference:url,serverinfo.keweon.center/; classtype:misc-activity; sid:2035157; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag DoH, updated_at 2022_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; http.user_agent; content:"VCTestClient"; depth:12; nocase; classtype:trojan-activity; sid:2012386; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed sLoad Related Domain (angedionisu .eu in TLS SNI)"; flow:established,to_server; tls.sni; content:"angedionisu.eu"; bsize:14; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1491058829903429640; reference:md5,73284816cf3182f446536c380f805b1f; classtype:domain-c2; sid:2035165; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, signature_severity Major, updated_at 2022_02_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; http.user_agent; content:"PrivacyInfoUpdate"; depth:17; nocase; classtype:trojan-activity; sid:2012387; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".h264"; fast_pattern; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6361957001782ae7fa09ae213eca2625; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035166; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Goolbot.E Checkin UA Detected iamx"; flow:established,to_server; http.user_agent; content:"iamx/"; depth:5; classtype:trojan-activity; sid:2012246; rev:7; metadata:created_at 2011_01_27, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazing.dot"; fast_pattern; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; reference:md5,937a55cd5d63b81b3ca6f19f2bda2573; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035171; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"stopsms.biz"; nocase; endswith; classtype:domain-c2; sid:2028817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>150; content:"_2F"; fast_pattern; content:"_2F"; distance:0; content:"_2F"; distance:0; content:!"&"; content:!"?"; content:!"="; content:!"/tr/v1/"; startswith; http.host; dotprefix; content:!".surveymonkey.com"; endswith; content:!"cisco.com"; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Moderate, signature_severity Major, updated_at 2022_02_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"infospress.com"; nocase; endswith; classtype:domain-c2; sid:2028818; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Redline Stealer Related Domain in DNS Lookup (windows-upgraded .com)"; dns.query; content:"windows-upgraded.com"; nocase; bsize:20; reference:url,threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/; classtype:domain-c2; sid:2035174; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"hmizat.co"; nocase; endswith; classtype:domain-c2; sid:2028819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)"; dns.query; content:"fouratlinks.com"; nocase; bsize:15; reference:url,intel471.com/blog/privateloader-malware; classtype:trojan-activity; sid:2035175; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"revolution-news.co"; nocase; endswith; classtype:domain-c2; sid:2028820; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PrivateLoader Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:"privacytoolzfor-you"; startswith; fast_pattern; reference:url,intel471.com/blog/privateloader-malware; classtype:trojan-activity; sid:2035176; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"videos-download.co"; nocase; endswith; classtype:domain-c2; sid:2028821; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)"; flow:established,to_client; file_data; content:"|3c|meta|20|name|3d 22|twitter|3a|description|22 20|content|3d 22|"; pcre:"/^[a-f0-9]{5}(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})[a-f0-9]{2}-v[a-f0-9]{2}\x0a\x22\x3e\x0a\x3c/R"; content:"|3c|meta|20|name|3d 22|twitter|3a|app|3a|id|3a|iphone|22 20|content|3d 22|686449807|22|"; fast_pattern; reference:md5,0b2463e542ff395417ecb1cd37f77556; classtype:command-and-control; sid:2034960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"business-today.info"; nocase; endswith; classtype:domain-c2; sid:2028822; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?h="; fast_pattern; content:"|2a|"; distance:0; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; reference:md5,1d7d9b2c46bd733f5270d34c4dd748e9; reference:url,twitter.com/h2jazi/status/1491852987324637185; classtype:trojan-activity; sid:2035180; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda Payload - CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?wd="; pcre:"/^[a-f0-9]{8}$/Ri"; http.header_names; content:"x-debug"; content:"x-request"; content:"x-content"; content:"x-storage"; reference:url,www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations; classtype:command-and-control; sid:2028823; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP ICM MPI Desynchronization Scanning Activity (CVE-2022-22536) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sap/public/bc/ur/Login/assets/corbu/sap_logo.png"; fast_pattern; http.content_len; byte_test:0,>=,82642,0,string,dec; reference:cve,2022-22536; classtype:attempted-admin; sid:2035182; rev:2; metadata:attack_target Server, created_at 2022_02_11, cve CVE_2022_22536, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT MustangPanda CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Adobe Reader"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=Adobe Reader"; tls.cert_serial; content:"62:CA:BE:68"; classtype:domain-c2; sid:2028824; rev:2; metadata:created_at 2019_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP ICM MPI Desynchronization Scanning Activity (CVE-2022-22536) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sap/admin/public/default.html?"; fast_pattern; http.content_len; byte_test:0,>=,82642,0,string,dec; reference:cve,2022-22536; classtype:attempted-admin; sid:2035183; rev:2; metadata:attack_target Server, created_at 2022_02_11, cve CVE_2022_22536, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java Archive sent when remote host claims to send an image"; flow:established,from_server; http.content_type; content:!"application/java-archive";content:"image"; nocase; startswith; file.data; content:"PK"; depth:2; content:"META-INF/MANIFEST"; distance:0; fast_pattern; classtype:trojan-activity; sid:2014288; rev:5; metadata:created_at 2012_02_27, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:75; http.content_type; content:"text/plain|3b 20|charset=UTF-8"; bsize:25; http.request_body; content:"T7"; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})$/"; reference:md5,108757a3cc9c5e9d529ca1a94f1432b2; classtype:command-and-control; sid:2035177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"xp101.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin Response M4"; flow:established,to_client; file_data; content:"2HVWm7UNyz"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9+\/]+(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})$/"; reference:md5,108757a3cc9c5e9d529ca1a94f1432b2; classtype:command-and-control; sid:2035178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"svn-dns.ahnlabinc.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028839; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin Response M5"; flow:established,to_client; file_data; content:"VqiRa2vbXS"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9+\/]+(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})$/"; reference:md5,3acb8e439a1bd66a8a42c6bd5d8930b4; classtype:command-and-control; sid:2035179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"dns1-1.7release.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028840; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ledikexive .com)"; dns.query; content:"ledikexive.com"; nocase; bsize:14; reference:md5,6b707cd8b8061a6d268812cff1d1f505; reference:url,twitter.com/Unit42_Intel/status/1492160514109149193; classtype:domain-c2; sid:2035181; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"ssl.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028841; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Anubis Registration Activity"; dsize:<400; content:"|54 67 69 2f 40|"; within:50; content:"|4f 6b 65 74 71 75 71 68 76 22 59 6b 70 66 71 79 75 22 5d 58 67 74 75 6b 71 70|"; fast_pattern; reference:md5,1f21b8e9ebc3b7480cc67ced7504916f; reference:url,medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e; classtype:trojan-activity; sid:2035184; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)"; depth:50; endswith; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:"Cache-Control|0d 0a 0d 0a|"; distance:0; classtype:trojan-activity; sid:2012384; rev:5; metadata:created_at 2011_02_27, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Go/Anubis CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /callback HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"callback="; startswith; content:"&reginfo="; distance:0; reference:md5,1f21b8e9ebc3b7480cc67ced7504916f; reference:url,medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e; classtype:command-and-control; sid:2035185; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_line; content:"/log HTTP/1."; distance:0; fast_pattern; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:command-and-control; sid:2016014; rev:4; metadata:created_at 2012_12_07, former_category MALWARE, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkWatchman Checkin Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"X-Client-Id|0d 0a|"; content:"X-Client-Controller|0d 0a|"; fast_pattern; content:"X-Client-Ut|0d 0a|"; http.request_body; content:"os="; startswith; content:"&cn="; distance:0; content:"&un="; distance:0; content:"&b="; distance:0; content:"&l="; distance:0; content:"av="; distance:0; reference:url,prevailion.com/darkwatchman-new-fileness-techniques/; reference:md5,2ccc9637823753de9cdcdf76a1d22725; classtype:trojan-activity; sid:2034745; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/b.php?id="; fast_pattern; pcre:"/^\d{1,3}$/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:command-and-control; sid:2013947; rev:6; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkWatchman Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /index.php HTTP/1.1"; fast_pattern; http.header; content:"|0d 0a|X-Client-Id|3a 20|"; pcre:"/^[a-z0-9]{8}\r\n/R"; http.host; content:".top"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/5.0(Windows NT|20|"; startswith; reference:md5,2ccc9637823753de9cdcdf76a1d22725; classtype:trojan-activity; sid:2035186; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Moxa MxView RCE Attempt (CVE-2021-38454)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"api/sites/site/"; fast_pattern; pcre:"/^[a-zA-Z0-9]{5,45}/R"; content:"/ping"; endswith; reference:cve,2021-38454; classtype:attempted-admin; sid:2035194; rev:2; metadata:attack_target Server, created_at 2022_02_14, cve CVE_2021_38454, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Socelars.S CnC Activity M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/base/api/"; startswith; content:".php"; endswith; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"???bll"; bsize:6; fast_pattern; http.header_names; content:!"Referer"; reference:md5,119501b9e0c53984d4af54644d7a7b47; classtype:trojan-activity; sid:2035188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_14, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP NULL Pointer Dereference Attempt Inbound (CVE-2020-25858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; pcre:"/^[^=]{1,}$/RUi"; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-25858; classtype:attempted-admin; sid:2031058; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_25858, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Domain (judgebryantweekes .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"judgebryantweekes.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2035195; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_02_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=carlossaldanhacertificado"; bsize:28; fast_pattern; tls.cert_issuer; content:"CN=carlossaldanhacertificado"; bsize:28; classtype:command-and-control; sid:2031059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Domain (lawyeryouwant .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"lawyeryouwant.com"; bsize:17; fast_pattern; classtype:domain-c2; sid:2035196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_02_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=PatataDorito"; bsize:15; fast_pattern; tls.cert_issuer; content:"CN=PatataDorito"; bsize:15; classtype:command-and-control; sid:2031060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected RULER.Hacktool HTML Payload"; flow:established,to_client; file.data; content:"OutlookApplication"; nocase; content:"CreateObject"; nocase; content:"0006F063-0000-0000-C000-000000000046"; nocase; reference:url,www.mandiant.com/resources/overruled-containing-a-potentially-destructive-adversary; reference:url,github.com/sensepost/ruler; classtype:trojan-activity; sid:2035187; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (bollywoods .co .in in DNS Lookup)"; dns.query; content:"bollywoods.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Retired Intermediate"; flow:from_server,established; tls_cert_issuer; content:"Let's Encrypt Authority X"; fast_pattern; depth:25; offset:0; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035189; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chat2hire .net in DNS Lookup)"; dns.query; content:"chat2hire.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3"; flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035190; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chuki .mozillaupdates .us in DNS Lookup)"; dns.query; content:"chuki.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, E1"; flow:from_server,established; tls.cert_issuer; content:"E1"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035191; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (click2chat .org in DNS Lookup)"; dns.query; content:"click2chat.org"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, R4"; flow:from_server,established; tls.cert_issuer; content:"R4"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035192; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (cvstyler .co .in in DNS Lookup)"; dns.query; content:"cvstyler.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, E2"; flow:from_server,established; tls.cert_issuer; content:"E2"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035193; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, signature_severity Informational, updated_at 2022_02_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (daily .windowsupdates .eu in DNS Lookup)"; dns.query; content:"daily.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interference/"; fast_pattern; content:".mqo"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,64ce44c092145dfc80375159eaef5461; classtype:trojan-activity; sid:2035197; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (dailybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"dailybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intercourse/"; fast_pattern; content:".mdl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,20bb6aec6889f9135d29ad40f4a25c23; classtype:trojan-activity; sid:2035198; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (enigma .net .in in DNS Lookup)"; dns.query; content:"enigma.net.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".stc"; endswith; fast_pattern; http.host; content:".ru"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,20bb6aec6889f9135d29ad40f4a25c23; classtype:trojan-activity; sid:2035199; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gozap .co .in in DNS Lookup)"; dns.query; content:"gozap.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perceived/"; fast_pattern; content:".ts"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,7c75bd80374fed96018416a531983548; classtype:trojan-activity; sid:2035200; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gyzu .mozillaupdates .us in DNS Lookup)"; dns.query; content:"gyzu.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (doc .filesaves .cloud)"; dns.query; content:"doc.filesaves.cloud"; nocase; bsize:19; reference:md5,85fe6affdb218b2d09a59e08e80eb1fa; reference:md5,de097c5ab5e31ac16b4466cd56e9bd2d; reference:url,twitter.com/h2jazi/status/1493598324053712915; classtype:domain-c2; sid:2035201; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (melodymate .co .in in DNS Lookup)"; dns.query; content:"melodymate.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Cloudflare Universal (Shared) Certificate, Retired"; flow:established,to_server; tls.sni; content:"sni."; depth:4; pcre:"/(?:/d{6})/R"; content:".cloudflaressl.com"; fast_pattern; offset:9; reference:url,community.cloudflare.com/t/cloudflare-universal-and-universal-shared-certificates/59523; classtype:misc-activity; sid:2035203; rev:2; metadata:created_at 2022_02_15, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nortonupdates .online in DNS Lookup)"; dns.query; content:".nortonupdates.online"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization RCE T3 (CVE-2015-4852)"; flow:established,to_server; content:"|00 00|"; startswith; content:"|01 65|"; distance:2; within:2; content:"|ac ed 00|"; distance:0; content:"weblogic.rjvm.ClassTableEntry"; fast_pattern; distance:0; reference:cve,2015-4852; reference:url,www.exploit-db.com/exploits/46628; classtype:attempted-admin; sid:2035204; rev:1; metadata:created_at 2022_02_15, cve CVE_2015_4852, former_category EXPLOIT, updated_at 2022_02_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightly .windowsupdates .eu in DNS Lookup)"; dns.query; content:"nightly.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?query=1"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; reference:md5,52f79913a72c1afe1cd6b22445aab3e5; reference:url,twitter.com/ShadowChasing1/status/1493902034453479431; classtype:trojan-activity; sid:2035206; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightlybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"nightlybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Namecheap URL Forward"; flow:established,to_client; http.stat_code; content:"302"; http.header_names; content:"X-Served-By"; http.header; content:"Namecheap URL Forward"; fast_pattern; reference:md5,a85e405481368f8a3384149243577155; classtype:misc-activity; sid:2035208; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (orangevault .net in DNS Lookup)"; dns.query; content:"orangevault.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/2144FlashPlayer.E Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"computerName="; startswith; content:"diskId="; content:"&externalIp="; fast_pattern; content:"&machineId="; content:"&userName="; threshold:type limit, track by_src, count 1, seconds 600; reference:md5,99f1e8976f41e3089c7325af830a19e8; classtype:pup-activity; sid:2035205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_02_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sake .mozillaupdates .us in DNS Lookup)"; dns.query; content:"sake.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GenKryptik.FQRH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vbc.exe"; endswith; fast_pattern; pcre:"/^\/\d{2,3}\/vbc.exe$/U"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,180defaf66190b475e636e0d7bcf0aed; classtype:trojan-activity; sid:2035207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (savitabhabi .co .in in DNS Lookup)"; dns.query; content:"savitabhabi.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Moses Staff APT Related Domain in DNS Lookup (techzenspace .com)"; dns.query; content:"techzenspace.com"; nocase; bsize:16; reference:url,www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard; classtype:domain-c2; sid:2035209; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, malware_family MosesStaff, signature_severity Major, updated_at 2022_02_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sharify .co .in in DNS Lookup)"; dns.query; content:"sharify.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET 222 -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/QuasarRAT CnC Traffic"; flow:established,to_client; content:"|40 00 00 00|"; startswith; dsize:68; fast_pattern; stream_size:server,<,210; reference:url,twitter.com/James_inthe_box/status/1494023718741286915; classtype:trojan-activity; sid:2035211; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (strongbox .in in DNS Lookup)"; dns.query; content:"strongbox.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MosesStaff APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"boundary=----BoundrySign"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard; classtype:trojan-activity; sid:2035210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, malware_family MosesStaff, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (teraspace .co .in in DNS Lookup)"; dns.query; content:"teraspace.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M1 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PIN/?Authentication-EMAIL="; fast_pattern; nocase; http.host; content:"monzo"; http.request_body; content:"email="; depth:6; reference:md5,0a7b616bf44cb13fe0080b0c2d61305c; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (titaniumx .co .in in DNS Lookup)"; dns.query; content:"titaniumx.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M2 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/EMAIL/?Authentication-EMAIL="; nocase; http.host; content:"monzo"; http.request_body; content:"pin_1=&pin_2=&pin_3=&pin_4=&confirmemail="; fast_pattern; depth:41; reference:md5,ac598a7113392e86e9f00847a0732713; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035213; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (msoftserver .eu in DNS Lookup)"; dns.query; content:".msoftserver.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M3 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"start.php"; bsize:10; http.host; content:"monzo"; fast_pattern; http.request_body; content:"number="; depth:7; reference:md5,21365ef60a95f7453779fbd315ef5ec6; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (microsoftupdate .in in DNS Lookup)"; dns.query; content:".microsoftupdate.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Monzo Credential Phish Landing Page 2022-02-17"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=login&say=invalid_login&e=&username="; fast_pattern; depth:40; nocase; http.host; content:"monzo"; reference:md5,4b8c4160334f21dc7b64ef0a5292441d; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (wesharex .net in DNS Lookup)"; dns.query; content:"wesharex.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M2"; flow:established,to_server; http.method; content:"GET"; http.cookie; bsize:>170; content:".html"; endswith; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:command-and-control; sid:2035216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (x-trust .net in DNS Lookup)"; dns.query; content:"x-trust.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_"; content:"/office.txt"; within:26; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,97d3d3fe312514f33a44dcd9d5887b54; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (zen .mozillaupdates .us in DNS Lookup)"; dns.query; content:"zen.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/declaration.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"name="; startswith; content:"&count="; distance:0; reference:md5,c2e7a48d6bcf0c875d911f3e6c3896ee; reference:url,raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/2022_02_Gamaredon_UPDATE.txt; classtype:trojan-activity; sid:2035219; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GravityRAT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"signatureHash="; fast_pattern; content:"signatureString="; content:"userName="; content:"pcName="; content:"macId="; content:"cpuId="; content:"agent="; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:command-and-control; sid:2031061; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/revers.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"name="; startswith; content:"&count="; distance:0; reference:md5,8c65c945a395d633f15b138e9aaf06f9; reference:url,raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/2022_02_Gamaredon_UPDATE.txt; classtype:trojan-activity; sid:2035220; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enosch.A gtalk connectivity check"; flow:to_server; http.uri; content:"/index.html"; http.user_agent; content:"gtalk"; fast_pattern; bsize:5; http.host; content:"www.google.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,b13db8b21289971b3c88866d202fad49; classtype:trojan-activity; sid:2018508; rev:5; metadata:created_at 2014_05_30, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prevent/counter.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,5db3abc526fc334034f30e988a10c02a; classtype:trojan-activity; sid:2035221; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Fire-Cloud)"; flow:established,to_server; http.user_agent; content:"Fire-Cloud"; bsize:10; reference:md5,804c8f7d3b10b421ab5c09d675644212; classtype:trojan-activity; sid:2031065; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wsusa HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f8af71e85f5bee6b3fee2fcfd15da893; classtype:trojan-activity; sid:2035222; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toplist.cz Related Spyware Checkin"; flow:to_server,established; http.user_agent; content:"BWL"; depth:3; pcre:"/^BWL(?:\sToplist|\d_UPDATE)/"; classtype:pup-activity; sid:2003505; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED test CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".to.sv"; nocase; endswith; classtype:trojan-activity; sid:2035217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/php.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; http.user_agent; content:"Mozilla/4.0 (compatible)"; depth:24; reference:md5,cb53a6e8d65d86076fc0c94dac62aa77; classtype:command-and-control; sid:2019946; rev:4; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wa .sv)"; dns.query; content:"wa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suntrust Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<!-- Inserted by miarroba"; content:"<title>SunTrust</title>"; fast_pattern; nocase; content:">For your protection"; distance:0; content:"additional security step"; distance:0; content:"name=|22|captcha|22|"; distance:0; classtype:social-engineering; sid:2031062; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (in .sv)"; dns.query; content:"in.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=jspri.co"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2028835; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (fl .sv)"; dns.query; content:"fl.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cssjs.co"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2028836; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (vk .sv)"; dns.query; content:"vk.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035227; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"acciaio.com.br"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:domain-c2; sid:2028843; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (2 .ua)"; dns.query; content:"2.ua"; nocase; bsize:4; classtype:misc-activity; sid:2035228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"ceycarb.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028844; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (fb .sv)"; dns.query; content:"fb.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"coachandcook.at"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028845; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (lc .sv)"; dns.query; content:"lc.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"fisioterapiabb.it"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (cli .co)"; dns.query; content:"cli.co"; nocase; bsize:6; classtype:misc-activity; sid:2035231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"lorriratzlaff.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tg .sv)"; dns.query; content:"tg.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"mavin21c.dothome.co.kr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028848; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (dl .sv)"; dns.query; content:"dl.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"motherlodebulldogclub.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (qq .sv)"; dns.query; content:"qq.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035234; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"powerpolymerindustry.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tt .sv)"; dns.query; content:"tt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"publiccouncil.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (ai .sv)"; dns.query; content:"ai.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"rulourialuminiu.co.uk"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (do .sv)"; dns.query; content:"do.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"sistemikan.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (youlinkto .com)"; dns.query; content:"youlinkto.com"; nocase; bsize:13; classtype:misc-activity; sid:2035238; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"varuhusmc.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028854; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (me .sv)"; dns.query; content:"me.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035239; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"ecolesndmessines.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (bd .sv)"; dns.query; content:"bd.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"salesappliances.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (link .sv)"; dns.query; content:"link.sv"; nocase; bsize:7; classtype:misc-activity; sid:2035241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"busseylawoffice.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (go .sv)"; dns.query; content:"go.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"fairfieldsch.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tra-ta-ta.it .com)"; dns.query; content:"tra-ta-ta.it.com"; nocase; bsize:16; classtype:misc-activity; sid:2035243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"ministernetwork.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (id .sv)"; dns.query; content:"id.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"skagenyoga.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028860; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (to .sv)"; dns.query; content:"to.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"westmedicalgroup.net"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028861; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (rt .sv)"; dns.query; content:"rt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LiteDuke Domain Observed"; dns.query; content:"bandabonga.fr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028862; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wc .sv)"; dns.query; content:"wc.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"encryptit.qc.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (4 .fo)"; dns.query; content:"4.fo"; nocase; bsize:4; classtype:misc-activity; sid:2035248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecure.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (ya .sv)"; dns.query; content:"ya.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (sa .sv)"; dns.query; content:"sa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tw .sv)"; dns.query; content:"tw.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"privatehd.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028874; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (yt .sv)"; dns.query; content:"yt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"sex17.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc OneDrive Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/"; fast_pattern; startswith; http.user_agent; content:"MyAgent"; bsize:7; http.host; content:"api.onedrive.com"; bsize:16; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:url,twitter.com/cyberwar_15/status/1435260403127255043; reference:md5,baa9b34f152076ecc4e01e35ecc2de18; classtype:trojan-activity; sid:2033908; rev:2; metadata:created_at 2021_09_07, former_category MALWARE, updated_at 2022_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|0B 87 06 53 DF 3A|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028876; rev:2; metadata:created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rejoice/clank.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,655f383e817a989e3114250232d0cd07; classtype:trojan-activity; sid:2035253; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|5C 99 13 6F F2 52|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028877; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/quietly/seedlings.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,9985bd33a8d129aba66feb1dd553fd22; classtype:trojan-activity; sid:2035254; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/10.0."; reference:url,www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html; classtype:bad-unknown; sid:2025518; rev:5; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sense/guarded.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,7b62f40f5986be36f783863fa45a9946; classtype:trojan-activity; sid:2035255; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 12.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/12.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html; classtype:bad-unknown; sid:2028868; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /refrigerator.dot HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,c36939365d244081d6860f42779a1503; classtype:trojan-activity; sid:2035256; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkRAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"request=YUhkcFpEM"; depth:17; fast_pattern; pcre:"/^[A-Za-z0-9\/\+\=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:command-and-control; sid:2027886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /prediction.dot HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f37095018deff37c70065ed5cf37e06b; classtype:trojan-activity; sid:2035257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031063; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isnotset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; fast_pattern; content:"|04 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; endswith; threshold: type limit, count 1, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2030870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|0f 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035259; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=.extrafeature.xyz"; nocase; endswith; reference:md5,9d479cec86ea919694dab765bba9abbd; classtype:domain-c2; sid:2028893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|2d 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035263; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework"; flow:established,to_server; http.uri; pcre:"/\.(?:txt|gif|exe|bmp)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32|29|"; depth:41; http.header_names; content:!"Referer"; content:!"Accept"; content:"|0d 0a|User-Agent|0d 0a|HOST|0d 0a|"; depth:20; fast_pattern; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020897; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_10_20;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|0f 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!5,relative; byte_test:1,!&,0x40,3,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035258; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"SteamHTTPClient"; depth:15; endswith; classtype:policy-violation; sid:2028650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_10_20;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!5,relative; byte_test:1,!&,0x40,3,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035260; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)"; flow:established,to_server; http.uri; content:"|25|OA"; nocase; content:"=/bin/sh+-c+'"; nocase; distance:0; fast_pattern; reference:url,github.com/neex/phuip-fpizdam; reference:url,github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043; reference:cve,2019-11043; classtype:web-application-attack; sid:2028895; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2019_10_23, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_20;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035261; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE R980/CRYPBEE.A Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/assets/timepicker/x.php?"; fast_pattern; http.user_agent; content:"cpp"; depth:3; reference:md5,a38e156b5c7b337ffbde6cc1ddab1004; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/; classtype:trojan-activity; sid:2023085; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, malware_family Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Online File Storage Domain in DNS Lookup (gofile .io)"; dns.query; dotprefix; content:".gofile.io"; nocase; endswith; classtype:bad-unknown; sid:2035264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackTech Plead Encrypted Payload Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|91 00 13 87 33 00 90 06 19|"; fast_pattern; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:trojan-activity; sid:2027364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /pre.dot HTTP/1.1"; fast_pattern; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,a9260f7ae7939637b9ae43dec8e03abb; classtype:trojan-activity; sid:2035265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn.redirectme.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028898; rev:2; metadata:created_at 2019_10_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_10_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"filter_func"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035272; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"czinfo.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028899; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"script"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035273; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"pegasusco.net"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028900; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /barrier.dot HTTP/1.1"; fast_pattern; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,b55956fbc3cda1481c07fe08ce254706; classtype:trojan-activity; sid:2035266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"smilekeepers.co"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028901; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intake/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fa882c526ba36ec4219698ab6e64e699; classtype:trojan-activity; sid:2035267; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"crabbedly.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (tobaccosafe .xyz)"; dns.query; content:"tobaccosafe.xyz"; nocase; bsize:15; reference:md5,0faee3dfee432f821ceabeaa0f2d234c; reference:url,twitter.com/ShadowChasing1/status/1496054996177240068; classtype:domain-c2; sid:2035268; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"indagator.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extensis Portfolio Unrestricted File Upload (CVE-2022-24252)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/FileTransfer/upload?sessionId="; fast_pattern; content:"&action=customPreview"; content:"&catalogId="; http.request_body; content:"filename="; content:"\\.."; within:25; reference:url,whiteoaksecurity.com/blog/extensis-portfolio-vulnerability-disclosure/; classtype:attempted-admin; sid:2035274; rev:2; metadata:attack_target Server, created_at 2022_02_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"craypot.live"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (font .backuplogs .xyz)"; dns.query; content:"font.backuplogs.xyz"; nocase; bsize:19; reference:md5,92a78894568e2e7869ef7ec454c52db3; reference:md5,b4dcb52e46cfc0ed7deb25ff72bdf521; reference:url,twitter.com/JAMESWT_MHT/status/1496139517736148994; reference:url,twitter.com/malwrhunterteam/status/1496129802239201289; classtype:domain-c2; sid:2035269; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"microsofte-update.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (srvrfontsdrive .xyz)"; dns.query; content:"srvrfontsdrive.xyz"; nocase; bsize:18; reference:md5,92a78894568e2e7869ef7ec454c52db3; reference:md5,b4dcb52e46cfc0ed7deb25ff72bdf521; reference:url,twitter.com/JAMESWT_MHT/status/1496139517736148994; reference:url,twitter.com/malwrhunterteam/status/1496129802239201289; classtype:domain-c2; sid:2035270; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"pasta58.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/TrojanDownloader.Agent.TXV CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postUP.php"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.connection; content:"keep-alive"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1496172957726560257; classtype:trojan-activity; sid:2035271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"study---hard.medianewsonline.com"; nocase; endswith; classtype:domain-c2; sid:2028921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRat 2.0 CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"="; http.request_body; content:"|ed bb a7 14 24 02 2e cc 3f f4|"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8306b6dee8aca5ad5b3368cd070d5729; reference:url,twitter.com/malwrhunterteam/status/1494650167877935104; classtype:trojan-activity; sid:2035275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, signature_severity Major, updated_at 2022_02_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"sportsgame.mypressonline.com"; nocase; endswith; classtype:domain-c2; sid:2028922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .cc)"; dns.query; dotprefix; content:".microsofts.cc"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"cdnpps.us"; nocase; endswith; classtype:domain-c2; sid:2028924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (08mma .com)"; dns.query; dotprefix; content:".08mma.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"thisadsfor.us"; nocase; endswith; classtype:domain-c2; sid:2028925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .top)"; dns.query; dotprefix; content:".microsofts.top"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connecttest.txt"; bsize:16; http.host; content:"www.msftconnecttest.com"; bsize:26; classtype:bad-unknown; sid:2031071; rev:1; metadata:created_at 2020_10_21, former_category INFO, performance_impact Low, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (3mmlq .com)"; dns.query; dotprefix; content:".3mmlq.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?token="; fast_pattern; content:"&computername="; distance:0; content:"&username="; distance:0; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031072; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (7cnbo .com)"; dns.query; dotprefix; content:".7cnbo.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?api=40"; fast_pattern; endswith; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031073; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, tag RedDelta, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (u .to)"; dns.query; content:"u.to"; nocase; bsize:4; reference:md5,8c57fcf51e1d0f3fc1e1775d9fc624df; classtype:misc-activity; sid:2035281; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; reference:url,twitter.com/malwrhunterteam/status/1318904041590718469; reference:md5,45ed8898bead32070cf1eb25640b414c; classtype:targeted-activity; sid:2031069; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-02-25"; http.stat_code; content:"200"; file.data; content:"|3c|script|20|type|3d 22|text|2f|javascript|22 3e|"; nocase; content:"window.location.hash"; nocase; distance:100; content:".substring"; nocase; distance:500; content:".split"; nocase; distance:200; content:"let|20|email|20 3d 20|window|2e|atob"; fast_pattern; nocase; distance:500; content:"window.atob"; nocase; distance:200; content:"window.location"; nocase; distance:200; content:".substring"; nocase; distance:500; content:"+email"; nocase; distance:500; content:"window.location"; nocase; distance:100; content:"</script>"; nocase; distance:100; classtype:credential-theft; sid:2035294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"0E:4D:5A:5C:F8:C9"; classtype:domain-c2; sid:2028926; rev:2; metadata:created_at 2019_10_31, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TOTOLINK Realtek SDK RCE (CVE-2019-19824)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/formSysCmd"; fast_pattern; http.request_body; content:"Run|2b|Command|26|sysCmd|3d|"; nocase; reference:cve,2019-19824; classtype:attempted-admin; sid:2035282; rev:2; metadata:attack_target Server, created_at 2022_02_23, cve CVE_2019_19824, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity CnC Domain Observed in DNS Query"; dns.query; content:"upd32-secure-serv4.com"; nocase; endswith; classtype:trojan-activity; sid:2028927; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /chd.php HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,0981f1145c1cec6a5de51c7d585affe3; reference:md5,bcbcc87f61fad5d558b25c1200b2c34d; reference:md5,ab8a866434329d643273b3dab0473bbc; classtype:trojan-activity; sid:2035283; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_24, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer IP Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=getIP"; fast_pattern; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, signature_severity Major, updated_at 2020_10_21;)
+#alert tls $HOME_NET any -> 195.22.26.192/26 443 (msg:"ET INFO invalid.cab domain in SNI"; flow:established,to_server; tls.sni; content:"invalid.cab"; fast_pattern; flowbits:set,ET.invalid.cab; flowbits:noalert; classtype:misc-activity; sid:2020888; rev:4; metadata:created_at 2015_04_10, former_category INFO, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Screenshot Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|screenshot_"; content:".jpeg|22|"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC"; flow:established,to_client; tls.cert_subject; content:"O=IRC geeks"; fast_pattern; classtype:command-and-control; sid:2019387; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Systeminfo Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|system.info|22|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain in TLS SNI (litby .us)"; flow:established,to_server; tls.sni; content:"litby.us"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035284; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_24, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptInject.BE!MTB Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logs=ey"; startswith; fast_pattern; isdataat:10000,relative; http.header_names; content:!"Referer"; reference:md5,644b45001c0e0af1c0a208ffad79e316; classtype:command-and-control; sid:2028932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php"; bsize:8; fast_pattern; http.host; pcre:"/^[0-9]{6,10}\./"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; reference:md5,2dd5a4237122e73027404a91276f0235; reference:md5,9c8f6b38035c72421e1c71d2bb21ced9; reference:md5,860137d224440fd7c1cb3652199dcd58; classtype:trojan-activity; sid:2035288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Connectivity Check"; flow:established,to_server; urilen:15; http.method; content:"HEAD"; http.uri; content:"/view/index.php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/junk.flv?"; startswith; fast_pattern; http.user_agent; content:"junk/"; http.header_names; content:!"Referer"; reference:md5,61c4a0ab7b156744fcc24fb0813fb9b3; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/apt_gamaredon.txt; classtype:trojan-activity; sid:2035289; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view/index.php?id="; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Buhtrap SourSnack Domain in DNS Lookup (widget .forum-pokemon .com)"; dns.query; content:".widget.forum-pokemon.com"; nocase; endswith; reference:url,cert.gov.ua/article/37246; reference:md5,4ac6e6c6668cac064b16cf786e3cab6f; classtype:domain-c2; sid:2035286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family SourSnack, performance_impact Low, signature_severity Major, tag Buhtrap, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/start?session="; depth:20; fast_pattern; content:"&imsi="; within:20; content:".exe"; distance:0; endswith; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028934; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious lnk Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /joking.html HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; content:".ru"; endswith; reference:md5,d6b182c825d961154b5415de1a061ae0; classtype:trojan-activity; sid:2035290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname="; fast_pattern; content:"exec"; distance:0; reference:url,packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html; reference:cve,2019-16662; classtype:attempted-admin; sid:2028933; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_11_04, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (id .bigmir .space)"; dns.query; dotprefix; content:".id.bigmir.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Capesand EK Visitor Tracking"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add_visitor.php?referrer=http"; depth:30; fast_pattern; http.header; content:"/landing.php|0d 0a|"; classtype:exploit-kit; sid:2028939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (aplikacje .ron-mil .space)"; dns.query; dotprefix; content:".aplikacje.ron-mil.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P FFTorrent P2P Client User-Agent (FFTorrent/x.x.x)"; flow:to_server,established; http.user_agent; content:"FFTorrent/"; depth:10; classtype:policy-violation; sid:2028942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (i .ua-passport .space)"; dns.query; dotprefix; content:".i.ua-passport.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsme.info"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028944; rev:2; metadata:created_at 2019_11_05, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (akademia-mil .space)"; dns.query; dotprefix; content:".akademia-mil.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-11-06"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&ps="; nocase; distance:0; content:"&psRNGCDefaultType="; nocase; distance:0; fast_pattern; content:"&FoundMSAs="; nocase; distance:0; content:"&i19="; nocase; distance:0; classtype:credential-theft; sid:2029681; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (akademia-mil .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".akademia-mil.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035299; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028945; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (aplikacje .ron-mil .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".aplikacje.ron-mil.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028946; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (id .bigmir .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".id.bigmir.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"|3b 20|Win64|3b 20|x64|3b 20|rv|3a|42.0"; http.header; content:"AcceptanceID|3a|"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag PLATINUM, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (i .ua-passport .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".i.ua-passport.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-set.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028961; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /joking.html HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; content:".ru"; endswith; reference:md5,d6b182c825d961154b5415de1a061ae0; classtype:trojan-activity; sid:2035291; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-office.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028962; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected PlugX Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-z]{14}\//U"; content:"/update.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,ab96e541284afe6ffc3fcf4d05bc971e; reference:url,twitter.com/vupt_bka/status/1497147010927194112; classtype:trojan-activity; sid:2035292; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_02_25;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-zA-z]{14}\//U"; content:"/plplpMj.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; http.request_body; content:"1="; startswith; reference:md5,ab96e541284afe6ffc3fcf4d05bc971e; reference:url,twitter.com/vupt_bka/status/1497147010927194112; classtype:trojan-activity; sid:2035293; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; fast_pattern; http.request_body; content:"<?xml"; depth:5; content:"<PCName>"; distance:0; content:"<|2f|PCName>"; distance:0; content:!"<SiteID>"; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:command-and-control; sid:2027353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_10_21;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Suspicious SVCCTL CreateService Command via SMB - Observed Zerologon Post Compromise Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; fast_pattern; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; reference:md5,59e7f22d2c290336826700f05531bd30; classtype:attempted-admin; sid:2035287; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_25, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Extraction"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=exe"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_11_11;)
+alert smb any any -> $HOME_NET 445 (msg:"ET EXPLOIT CreateService via SMB to Reset-ComputerMachinePassword - Observed Post Zerologon Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|00|R|00|e|00|s|00|e|00|t|00|-|00|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00|M|00|a|00|c|00|h|00|i|00|n|00|e|00|P|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; distance:0; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_24, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=run"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028965; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; tls.cert_issuer; content:"OU=Nessus Certification Authority"; fast_pattern; classtype:bad-unknown; sid:2013298; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"0sh.org"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2035304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Buer Loader Successful Payload Download"; flow:established,to_client; flowbits:isset,ETPRO.wacatac.b.download; http.stat_code; content:"200"; http.content_type; content:"application/*"; fast_pattern; bsize:13; http.content_len; byte_test:0,>,1000000,0,string,dec; byte_test:0,<,3000000,0,string,dec; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"prourl.in"; bsize:9; fast_pattern; classtype:bad-unknown; sid:2035305; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Download Request"; flow:established,to_server; urilen:>200; flowbits:set,ETPRO.wacatac.b.download; http.method; content:"GET"; http.uri; content:"/api/download/"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029078; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"community.chocolatey.org"; bsize:24; fast_pattern; classtype:bad-unknown; sid:2035303; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible APT33 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dyn-intl.world-careers.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Chocolatey Windows Package Management Installation File Retrieval"; flow:established,to_server; http.request_line; content:"GET /install.ps1 HTTP/1.1"; http.host; content:"community.chocolatey.org"; fast_pattern; bsize:24; classtype:bad-unknown; sid:2035306; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"office-crash.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028969; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SunSeed Lua Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{9,10}$/"; http.header_names; content:"|0d 0a|host|0d 0a|te|0d 0a|connection|0d 0a|user-agent|0d 0a 0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"LuaSocket|20|"; fast_pattern; startswith; classtype:trojan-activity; sid:2035360; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Internet Security Damaged !!! Call Help Desk"; nocase; classtype:social-engineering; sid:2028970; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SunSeed Downloader Retrieving Binary (set)"; flow:established,to_server; flowbits:set,ETPRO.SunSeed.Downloader; flowbits:noalert; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Windows Installer"; bsize:17; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2035361; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Official Windows Notification"; nocase; fast_pattern; content:"Call Windows Technical Support"; nocase; distance:0; classtype:social-engineering; sid:2028971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SunSeed Download Retrieving Binary"; flow:established,to_client; flowbits:isset,ETPRO.SunSeed.Downloader; http.response_line; content:"HTTP/1.1 200 OK"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".msi|0d 0a|"; distance:0; file.data; content:"http.lua"; fast_pattern; classtype:trojan-activity; sid:2035362; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Landing Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.htm$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028979; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PurpleFox Backdoor Related Domain in DNS Lookup (qq .c1c .ren)"; dns.query; content:"qq.c1c.ren"; nocase; bsize:10; reference:md5,757e04a9da1083b797b9dadc94300937; reference:url,twitter.com/0xrb/status/1496747426505531398; classtype:domain-c2; sid:2035307; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Flash Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.swf$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028980; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trickbot Checkin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; bsize:10; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; nocase; file.data; content:"/1/"; depth:3; endswith; reference:md5,5d2d59d6cbff1dc1d108bdcae0294c51; classtype:command-and-control; sid:2032218; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"[Byte[]]$image = 0x4d, 0x5a,|20|"; depth:29; fast_pattern; pcre:"/^(?:0x[a-f0-9]{1,2}, ){500}/R"; classtype:exploit-kit; sid:2028982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,dddd77f42bfb365f36762ad4db4a741e; reference:md5,f4e7c05fde022ec76f8c2f0a4cf2e1b3; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035309; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:".xyz"; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|x-flash-version|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; depth:110; endswith; fast_pattern; classtype:exploit-kit; sid:2028973; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; http.user_agent; content:!"Android"; content:!"Linux"; reference:md5,dddd77f42bfb365f36762ad4db4a741e; reference:md5,f4e7c05fde022ec76f8c2f0a4cf2e1b3; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"__cfduid="; http.content_type; content:"image/jpeg"; bsize:10; file.data; content:"|20 2e 20|$Env|3a|comSPEC["; depth:16; nocase; fast_pattern; content:"]-joIN|27 27|)( -JoiN(|20 27|"; nocase; within:30; classtype:exploit-kit; sid:2028976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-email .space)"; dns.query; dotprefix; content:".creditals-email.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash HEAD Request"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; classtype:exploit-kit; sid:2028977; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (ua-passport .space)"; dns.query; dotprefix; content:".ua-passport.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035317; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash GET Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:"|0d 0a|x-flash-version|0d 0a|"; distance:0; classtype:exploit-kit; sid:2028978; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mil-gov .space)"; dns.query; dotprefix; content:".mil-gov.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035318; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; content:"|0d 0a 0d 0a 20 28 20 27|"; fast_pattern; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"|20 28 20 27|"; depth:4; pcre:"/^[0-9_,{AbZwP&-]{2000}/R"; classtype:exploit-kit; sid:2028981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-email .space)"; dns.query; dotprefix; content:".verify-email.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035319; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls.cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-konta .space)"; dns.query; dotprefix; content:".weryfikacja-konta.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asd.stylesheet.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029004; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (konto-verify .space)"; dns.query; dotprefix; content:".konto-verify.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd%20/tmp|3b|wget%20"; depth:24; fast_pattern; http.header.raw; content:"Mozilla/5.0%20(Windows|3b|%20U|3b|%20Windows%20NT"; reference:md5,a26f67a1d0a50af72c5fd9c94e9f5a1c; classtype:web-application-attack; sid:2029008; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_11_20, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-uzytkownika .space)"; dns.query; dotprefix; content:".walidacja-uzytkownika.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; http.uri; content:!"/CallParrotWebClient/"; http.header.raw; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http.user_agent; content:"Mozilla/4.0"; fast_pattern; nocase; bsize:11; http.host; content:!"www.google.com"; content:!"secure.logmein.com"; content:!"weixin.qq.com"; content:!"slickdeals.net"; content:!"cloudera.com"; content:!"secure.digitalalchemy.net.au"; content:!".ksmobile.com"; content:!"gstatic.com"; content:!".cmcm.com"; content:!".deckedbuilder.com"; content:!".mobolize.com"; content:!"wq.cloud.duba.net"; content:!"infoc2.duba.net"; content:!".bitdefender.net"; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:34; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .space)"; dns.query; dotprefix; content:".kontrola-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (lol)"; flow:established,to_client; tls.cert_subject; content:", O=lol, "; fast_pattern; tls.cert_issuer; content:", O=lol, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031133; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-poczty .space)"; dns.query; dotprefix; content:".weryfikacja-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarSys CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /login.php "; startswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"; bsize:114; fast_pattern; http.request_body; content:"id="; nocase; startswith; pcre:"/^[A-F0-9]{128}$/R"; reference:url,blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/; classtype:command-and-control; sid:2031070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-poczty .space)"; dns.query; dotprefix; content:".walidacja-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Authentication Bypass Attempt Inbound (CVE-2020-8193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&sid=loginchallenge"; content:"&username=nsroot"; distance:0; fast_pattern; http.request_body; content:"<appfwprofile"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8193; classtype:attempted-admin; sid:2031067; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8193, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (bigmir .space)"; dns.query; dotprefix; content:".bigmir.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Information Disclosure Attempt Inbound (CVE-2020-8195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?filter=path|3a 25|2F"; fast_pattern; http.request_body; content:"<clipermission"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8195; classtype:attempted-admin; sid:2031068; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8195, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .site)"; dns.query; dotprefix; content:".mod-mil.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035327; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity"; flow:established,to_client; dsize:41; content:"|00 27 00 00 00 01 00 00 00 15 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 65 73 6b 74 6f 70 00 00 00 05 2a 2e 74 78 74 05|"; fast_pattern; reference:url,twitter.com/executemalware/status/1318689700882821120; reference:md5,aac706fe42b4a03cac17330bfcd8d9ea; classtype:trojan-activity; sid:2031074; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirrohost .space)"; dns.query; dotprefix; content:".mirrohost.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035328; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible T-RAT Encrypted Zip Request"; flow:established,to_server; http.uri; content:".jpg"; offset:7; depth:4; http.accept; content:"*/*"; bsize:3; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20 2e|NET4.0C|3b 20 2e|NET4.0E|3b 20 2e|NET CLR 2.0.50727|3b 20 2e|NET CLR 3.0.30729|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.3)"; bsize:162; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1304006897729761280; reference:url,www.gdatasoftware.com/blog/trat-control-via-smartphone; classtype:command-and-control; sid:2031081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_22;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .online)"; dns.query; dotprefix; content:".mirohost.online"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035329; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ID|22 3a 22|"; startswith; content:"|22 2c 22|User|22 3a 22|"; content:"|22 2c 22|Country|22 3a 22|"; content:"|22 2c 22|Date|22 3a 22|"; content:"|22 2c 22|Image|22 3a|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030878; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (meta-ua .space)"; dns.query; dotprefix; content:".meta-ua.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035330; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/pause"; bsize:10; http.header; content:"Update|3a 20|/act/pause|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,1c3dde885aa3cc2d7c24b7e13cccc941; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031084; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .online)"; dns.query; dotprefix; content:".mod-mil.online"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/resume"; bsize:11; http.header; content:"Update|3a 20|/act/resume|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031085; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .site)"; dns.query; dotprefix; content:".kontrola-poczty.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic File Upload Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-mirohost .space)"; dns.query; dotprefix; content:".creditals-mirohost.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic File Upload Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-mail .space)"; dns.query; dotprefix; content:".verify-mail.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .site)"; dns.query; dotprefix; content:".mirohost.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-email .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".creditals-email.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FLV/Youtube Downloader Install Activity"; flow:established,to_server; http.request_line; content:"GET /images/downloader/pixel.gif?action=install&"; startswith; content:"&lngid="; content:"cid="; content:"&kt=flvd"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,3af4b637e16922fdceaff00d64e98f53; classtype:pup-activity; sid:2031082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (ua-passport .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".ua-passport.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mil-gov .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mil-gov.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-email .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verify-email.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"backup.php"; http.header; content:"Content-Length|3a 20|"; depth:20; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; http.user_agent; content:"Apache-HttpClient"; depth:17; http.request_body; content:"type="; depth:5; fast_pattern; content:"data="; content:"hash="; reference:url,www.fortinet.com/blog/threat-research/android-bondpath--a-mature-spyware.html; classtype:trojan-activity; sid:2026039; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BondPath, signature_severity Major, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-konta .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".weryfikacja-konta.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=generalmusician.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (konto-verify .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".konto-verify.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"76:DC:D7:09:68:53:16:74:BB:A8:7B:CC:DE:C4:9D:66:77:43:34:DC"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-uzytkownika .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".walidacja-uzytkownika.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035342; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:4F:8B:2C:65:0A"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kontrola-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible Godlua CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fullmeshnet.eu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029050; rev:3; metadata:created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family Godlua, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".weryfikacja-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DoH Service)"; flow:from_server,established; tls.cert_subject; content:"CN=www.rubyfish.cn"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2029051; rev:3; metadata:created_at 2019_11_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag DNS_over_HTTPS, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".walidacja-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035345; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (ph0ne)"; flow:established,to_server; http.user_agent; content:"ph0ne"; startswith; classtype:trojan-activity; sid:2028989; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_10_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /set.lgo/"; startswith; fast_pattern; content:!".php"; content:!".asp"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; reference:md5,30342cff84f9b4ea94b0415cd26e2ee2; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035312; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029015; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (bigmir .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".bigmir.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:attempted-admin; sid:2029016; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mod-mil.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035347; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:attempted-admin; sid:2029017; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirrohost .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirrohost.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035348; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:attempted-admin; sid:2029018; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .online in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirohost.online"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:attempted-admin; sid:2029019; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (meta-ua .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".meta-ua.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:attempted-admin; sid:2029020; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .online in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mod-mil.online"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:attempted-admin; sid:2029021; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kontrola-poczty.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:attempted-admin; sid:2029024; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-mirohost .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".creditals-mirohost.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Kayla"; startswith; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/"; classtype:attempted-admin; sid:2029023; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-mail .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verify-mail.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Phishing Landing 2020-10-23"; flow:established,to_client; file.data; content:"var str =  'Sign in to Outlook'|3b|"; content:"$(|22|#add_pass|22|).show()|3b|"; content:"$('#email').val('')|3b|"; content:"function set_brand("; content:"function true_email("; fast_pattern; classtype:social-engineering; sid:2031086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirohost.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029026; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /index.arc/"; startswith; fast_pattern; content:!".php"; content:!".asp"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; reference:md5,0d7d8cc1756b932854e20dbe5d233afd; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035311; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029027; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Suspcious LeakIX User-Agent (l9explore)"; flow:established,to_server; http.user_agent; content:"l9explore"; startswith; fast_pattern; reference:url,ithub.com/LeakIX/l9format; classtype:bad-unknown; sid:2035314; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2022_02_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:web-application-attack; sid:2029028; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linux/Attempted Hosts File Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?url=file|3a 2f 2f 2f|etc|2f|hosts"; endswith; http.header_names; content:!"Referer"; classtype:attempted-admin; sid:2035315; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2022_02_28, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:web-application-attack; sid:2029029; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert tcp-stream $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/Agent.UHC CnC Activity"; flow:established,to_client; stream_size:client,<,40; content:"|2e 2e 61 58 63 66|"; fast_pattern; reference:md5,042261407926beaaf0e3ed8bba5307cc; classtype:command-and-control; sid:2034219; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:web-application-attack; sid:2029030; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (gen)"; flow:established,to_server; content:"|0d 0a 0d 0a|gen="; fast_pattern; http.request_body; content:!"&syncID="; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2022_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:web-application-attack; sid:2029031; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send)"; dns.query; bsize:>22; content:"266"; offset:3; depth:8; pcre:"/^[zjr9x]{1}[tmdhpz]{1}[0-9a-z]{1,6}266(?:[a-zA-Z0-9]{1,6})?+\./"; content:!".trendmicro.com"; content:!"cnr.io"; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; classtype:command-and-control; sid:2031194; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:web-application-attack; sid:2029032; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleFox Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /i.php?i="; fast_pattern; startswith; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7f757563585debbbccc3e34664de04fe; reference:md5,c793425d192af8f89b1b8c7e1ea6f792; reference:url,twitter.com/Max_Mal_/status/1498351091066589184; classtype:trojan-activity; sid:2035313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:web-application-attack; sid:2029033; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-03-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"method|3d 22|post|22 20|action|3d 22 2e 2f|index|2e|aspx|3f|code|3d|"; fast_pattern; content:"id|3d 22 5f 5f|VIEWSTATE|22|"; distance:0; content:"id|3d 22 5f 5f|VIEWSTATEGENERATOR|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035369; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Kayla"; fast_pattern; startswith; classtype:web-application-attack; sid:2029035; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Landing Page 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.aspx?code="; fast_pattern; pcre:"/[a-z0-9]{32}/Ri"; http.content_len; byte_test:0,>=,2000,0,string,dec; http.request_body; content:"__VIEWSTATE="; content:"&__VIEWSTATEGENERATOR="; distance:2000; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035377; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:web-application-attack; sid:2029036; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected PlugX Checkin Activity (udp)"; dsize:24; content:"|30 00|"; startswith; content:"|00 00 00 bf 68|"; distance:1; within:5; content:"|00 04 00 00 00 10 00 00 00 00 00 00|"; distance:4; within:12; fast_pattern; threshold: type limit, count 1, seconds 20, track by_src; reference:md5,3db876a7ab11ce98687d381ec9207256; reference:md5,98b2faafb027cc4c225d9de1616f430c; reference:url,twitter.com/0xrb/status/1496747426505531398; classtype:trojan-activity; sid:2035308; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029038; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Daxin CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?htpmgcid="; startswith; fast_pattern; http.header_names; content:"Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; content:!"Referer"; reference:md5,fb7c61ef427f9b2fdff3574ee6b1819b; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage; classtype:command-and-control; sid:2035365; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (lessie)"; flow:established,to_server; http.user_agent; content:"lessie"; nocase; depth:6; pcre:"/^lessie(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027130; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M3"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|source|22 0d 0a 0d 0a|"; distance:0; content:"|20|cookies|0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Cakle)"; flow:established,to_server; http.user_agent; content:"Cakle"; nocase; depth:5; pcre:"/^Cakle(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027132; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Maldoc Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,cc088f6cdcc6536404d1527f5addbde6; reference:md5,3543111b570bd274ba5d0f1a10268c84; reference:url,twitter.com/500mk500/status/1497837117572980740; classtype:trojan-activity; sid:2035363; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Damien)"; flow:established,to_server; http.user_agent; content:"Damien"; nocase; depth:6; pcre:"/^Damien(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027134; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Microsoft Edge_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Browsers/Cookies/Microsoft Edge_"; fast_pattern; reference:md5,758f815f3775e1b063eba3ab33479a9f; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035366; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Solar)"; flow:established,to_server; http.user_agent; content:"Solar"; nocase; depth:5; pcre:"/^Solar(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027136; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Information.txt"; fast_pattern; reference:md5,50f2b28aba4d4cb47544bcc98980a63e; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (muhstik)"; flow:established,to_server; http.user_agent; content:"muhstik"; nocase; depth:7; pcre:"/^muhstik(?:-scan)?(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027138; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET [465,993] (msg:"ET JA3 HASH - Possible AnchorMail CnC Traffic"; flow:established,to_server; ja3.hash; content:"c216e752cae6f8755fd27f561d031636"; reference:url,securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/; reference:md5,139e70aa7f26f998c1058c270a51783d; classtype:command-and-control; sid:2035359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category JA3, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Shaolin)"; flow:established,to_server; http.user_agent; content:"Shaolin"; nocase; depth:7; pcre:"/^Shaolin(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027140; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Telegram Activity"; flow:established,to_server; http.uri; content:"/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/"; fast_pattern; startswith; http.host; content:"api.telegram.com"; bsize:16; reference:url,www.ic3.gov/Media/News/2022/220224.pdf; classtype:trojan-activity; sid:2035364; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Rift)"; flow:established,to_server; http.user_agent; content:"Rift"; nocase; depth:4; pcre:"/^Rift(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?username="; bsize:<16; startswith; fast_pattern; pcre:"/^\/\x3fusername\x3d[a-z0-9]{2,3}_\d$/U"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,f1006f3968f9edf76090e34702e647e6; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035368; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Tsunami)"; flow:established,to_server; http.user_agent; content:"Tsunami"; nocase; depth:7; pcre:"/^Tsunami(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027122; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|source|22 0d 0a 0d 0a|"; distance:0; content:"|20|passwords|0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yowai)"; flow:established,to_server; http.user_agent; content:"Yowai"; nocase; depth:5; pcre:"/^Yowai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027124; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M4"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|formdata|22 0d 0a 0d 0a 7b|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|billinfo|22 0d 0a 0d 0a 7b|"; distance:0; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|cardinfo|22 0d 0a 0d 0a 7b|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yakuza)"; flow:established,to_server; http.user_agent; content:"Yakuza"; nocase; depth:6; pcre:"/^Yakuza(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027126; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/case"; bsize:5; fast_pattern; http.cookie; content:"wordpress_52345768e930f1ec699e4f12ab015a4f="; startswith; http.header_names; content:!"Referer"; http.header; content:"User-Agent|3a 20|Opera/9.61|20|(Windows|20|NT|20|5.1|3b 20|U|3b 20|ru)|20|Presto/2.1.1"; reference:md5,6b8d63299b70fb04a71bcadcf2f5f72b; reference:md5,2069c823d67e2d5d59606b3d8f6a7e22; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:trojan-activity; sid:2035370; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027128; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jquery-3.3.2.min.js?__cfduid="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|"; reference:url,twitter.com/Unit42_Intel/status/1498802280992227330?s=20&t=iDY6vP8NF3muXpkS4ERenw; classtype:trojan-activity; sid:2035376; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/"; depth:8; http.host; content:!"login.live.com"; endswith; content:!"google.com"; endswith; content:!"www.bing.com"; endswith; content:!"yandex.ru"; endswith; content:!"linkedin.com"; endswith; http.connection; content:"close"; nocase; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:25; metadata:created_at 2010_10_01, updated_at 2020_10_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miras C2 Activity"; flow:established,to_server; dsize:<1000; content:"|36 36 36 36 58 36 36 36|"; offset:2; depth:8; reference:md5,98a3a68f76ed2eba763eb7bfb6648562; classtype:command-and-control; sid:2018979; rev:3; metadata:created_at 2014_08_22, former_category MALWARE, updated_at 2022_03_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Various Crimeware)"; flow:established,to_client; tls.cert_subject; content:"CN=uloab.com"; endswith; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; classtype:trojan-activity; sid:2029053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Royal Bank of Canada Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgibin/rbaccess/"; fast_pattern; http.request_body; content:"username="; content:"&password="; distance:0; reference:md5,e29fe69e683c7c04e9b14e46cdfd2e17; classtype:credential-theft; sid:2035378; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_02;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; depth:21; endswith; classtype:network-scan; sid:2029054; rev:2; metadata:created_at 2019_11_26, former_category SCAN, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set)"; flow:established,to_server; flowbits:set,ET.vmware.2022.22947; http.request_line; content:"POST /actuator/gateway/routes/"; startswith; fast_pattern; http.request_body; content:"|22|filters|22 3a|"; nocase; content:"|22 23 7b|"; within:115; reference:cve,2022-22947; classtype:attempted-admin; sid:2035380; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_22947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Mylegion666)"; flow:established,to_server; http.user_agent; content:"Mylegion666"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947)"; flow:established,to_server; flowbits:isset,ET.vmware.2022.22947; http.request_line; content:"POST /actuator/gateway/refresh"; startswith; fast_pattern; http.request_body; content:"|22|filters|22 3a|"; nocase; content:"|22 23 7b|"; within:115; reference:cve,2022-22947; classtype:attempted-admin; sid:2035381; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_22947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT BabyShark Related Domain in DNS Lookup (worldinfocontact .club)"; dns.query; content:"worldinfocontact.club"; nocase; bsize:21; reference:md5,fe3ad944d07b66c83dc433c39fc054f4; reference:url,www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood; classtype:domain-c2; sid:2035374; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (salmonella-symptome)"; flow:established,to_server; http.user_agent; content:"salmonella-symptome"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (cop .osonlines .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"cop.osonlines.co"; bsize:16; fast_pattern; reference:url,twitter.com/cyber__sloth/status/1498698178585104385; classtype:domain-c2; sid:2035382; rev:1; metadata:created_at 2022_03_02, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (suspira)"; flow:established,to_server; http.user_agent; content:"suspiria"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related  Domain in DNS Lookup"; dns.query; content:"cop.osonlines.co"; nocase; bsize:16; reference:url,twitter.com/cyber__sloth/status/1498698178585104385; classtype:domain-c2; sid:2035383; rev:1; metadata:created_at 2022_03_02, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (lilith)"; flow:established,to_server; http.user_agent; content:"lilith"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mtl"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,11d19db057c4eee965878dd92181803e; reference:url,twitter.com/500mk500/status/1498769941998223366; classtype:trojan-activity; sid:2035375; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (legion)"; flow:established,to_server; http.user_agent; content:"legion"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"InVzZXJuYW1lX2F0dHJpYnV0ZSI6"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035371; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_23131, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (the devil)"; flow:established,to_server; http.user_agent; content:"The devil come to me"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"J1c2VybmFtZV9hdHRyaWJ1dGUiO"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035372; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"fuck u"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Amen)"; flow:established,to_server; http.user_agent; content:"Amen"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PurpleFox Related Domain in DNS Lookup"; dns.query; content:"oip.xioerabn.site"; nocase; bsize:17; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:domain-c2; sid:2035384; rev:1; metadata:attack_target Client_and_Server, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (satan)"; flow:established,to_server; http.user_agent; content:"satan"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/PurpleFox Retrieving File (GET)"; flow:established,to_server; http.request_line; content:"GET /conf.dat HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 6.0|3b 20|Windows|20|NT|20|5.0)"; bsize:50; http.header_names; content:!"Referer"; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:trojan-activity; sid:2035385; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (neva-project)"; flow:established,to_server; http.user_agent; content:"neva-project"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PlugX Related Domain in DNS Lookup"; dns.query; content:"aoisudoisadn.kkb.tv"; nocase; bsize:19; reference:md5,1634d4a7ffdd698f6ccb541719fbff5c; reference:url,twitter.com/0xrb/status/1499287458500194304; classtype:domain-c2; sid:2035386; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter Download Observed"; flow:established,to_server; http.user_agent; content:"PCHunter"; depth:8; reference:url,www.bleepingcomputer.com/download/pc-hunter/; classtype:misc-activity; sid:2031087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Domain in DNS Lookup"; dns.query; content:"diet-days.com"; nocase; bsize:13; reference:md5,b76199c0aaaa9c676ac7c6041f73be57; classtype:domain-c2; sid:2035394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Magecart)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=marketplace-magento.com"; fast_pattern; tls.cert_issuer; content:"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"; classtype:trojan-activity; sid:2029072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Domain in DNS Lookup"; dns.query; content:"socialskinclub.com"; nocase; bsize:18; reference:md5,b76199c0aaaa9c676ac7c6041f73be57; classtype:domain-c2; sid:2035395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Pavica.FH Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?t=1&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT)"; reference:md5,704f7e92de304744ad8b3a839550084c; reference:url,app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/; reference:url,twitter.com/jstrosch/status/1319704698031640577; classtype:command-and-control; sid:2031096; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BumbleBee Loader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gate HTTP/1.1"; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; http.request_body; content:"|22|client_id|22|"; content:"|22|group_name|22|"; distance:0; content:"|22|sys_version|22|"; distance:0; content:"User name|3a 20|"; distance:0; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; classtype:trojan-activity; sid:2035387; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Magecart Credit Card Information JS Script"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; depth:22; endswith; file.data; content:"|20|Sxml_cc_cid"; nocase; content:"Sxml_cc_number"; nocase; distance:0; content:"Sxml_expiration_yr"; nocase; distance:0; content:"ccnum+|22 3b 22|+exp_m+|22 3b 22|+exp_y+|22 3b 22|+cvv"; distance:0; fast_pattern; nocase; classtype:credential-theft; sid:2029073; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jaxebiridi .com)"; dns.query; content:"jaxebiridi.com"; nocase; bsize:14; reference:md5,07d3e518022aec38af7cb4cb709fd4e3; reference:md5,1cd603a9c0f9f251552e070d16591bef; classtype:domain-c2; sid:2035388; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"marketplace-magento.com"; nocase; endswith; classtype:domain-c2; sid:2029074; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wp-includes/RELEASE.gif HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 6.0|3b 20|HTC One X10 Build/MRA58K|3b 20|wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"; bsize:113; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:57; reference:md5,07d3e518022aec38af7cb4cb709fd4e3; reference:md5,1cd603a9c0f9f251552e070d16591bef; classtype:trojan-activity; sid:2035389; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .XYZ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".xyz"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/descent.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"name="; startswith; content:"_"; distance:0; content:"&count="; distance:8; reference:md5,8184d72f1ce59bba32afc7a2b5953d52; classtype:trojan-activity; sid:2035390; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TOP Domain with Minimal Headers"; flow:established,to_server; http.host; content:".top"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Arkei Stealer CnC Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tratata.php"; startswith; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; http.header; content:"Cache-Control: no-cache"; reference:url,blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu; classtype:trojan-activity; sid:2035392; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to 000webhostapp Domain with Minimal Headers"; flow:established,to_server; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Arkei Stealer CnC Checkin (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tratata.php"; startswith; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; http.header; content:"Cache-Control: no-cache"; reference:url,blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu; classtype:trojan-activity; sid:2035393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .ML Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".maxc"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer"; reference:md5,8842acb150e1625ff20a84190073ece6; reference:url,twitter.com/500mk500/status/1498769941998223366; classtype:trojan-activity; sid:2035391; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .CF Domain with Minimal Headers"; flow:established,to_server; http.host; content:".cf"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Multiple User-Agent Components in a single UA"; flow:established,to_server; http.user_agent; content:"Compatible|3b 20|"; nocase; content:"Compatible|3b 20|"; nocase; distance:0; content:"MSIE|20|"; nocase; content:"MSIE|20|"; distance:0; nocase; fast_pattern; content:"|20|Windows|20|NT|20|"; nocase; content:"|20|Windows|20|NT|20|"; distance:0; nocase; reference:md5,0fc3d71e211f8d5101311d2800c459f7; classtype:misc-activity; sid:2035396; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_03_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GQ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Credential Phish 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"username|3a 20|this|2e|email"; content:"password|3a 20|this|2e|password"; distance:0; content:"from|3a 20 22|Microsoft|20|Login|22|"; distance:0; content:"this|2e|error|20 3d 20 22|An|20|error|20|occured|2c 20|please|20|check|20|input|20|and|20|try|20|again|22 3b|"; distance:0; content:"this|2e|submitCount"; distance:0; content:"window|2e|location|2e|replace|28|"; distance:0; classtype:credential-theft; sid:2035453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TK Domain with Minimal Headers"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; http.method; content:"POST"; nocase; http.host; content:!".bitdefender.net"; http.content_len; byte_test:0,<=,200,0,string,dec; http.request_body; content:"id="; nocase; startswith; content:"&cn="; nocase; content:"&bid="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,doc.emergingthreats.net/2010875; classtype:command-and-control; sid:2010875; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_03_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GA Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE CobaltStrike DNS Beacon Response"; content:"|81 80 00 01 00 01 00 00 00 00|"; offset:2; depth:10; content:"|c0 0c 00 01 00 01 00 00 00 00 00 04 00 00 00 00|"; endswith; threshold: type both, count 10, seconds 90, track by_dst; content:!"|06|nessus|03|org"; content:!"trr|03|dns|07|nextdns|02|io"; content:!"|08|cloudapp|03|net"; reference:url,www.youtube.com/watch?v=zAB5G-QOyx8; classtype:targeted-activity; sid:2026040; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2022_03_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:".php|22 20|method=|22|post|22|"; content:"src=|22|https://logo.clearbit.com/"; distance:0; content:"$.get(|22|https://logo.clearbit.com/"; distance:0; content:"$(|22|#logoimg|22|).attr(|22|src|22|,|20 22|https://logo.clearbit.com/"; distance:0; classtype:social-engineering; sid:2031097; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.php5"; http.request_body; content:"|3c 3f|php|20|system|28 24 5f|POST|5b 27|"; nocase; fast_pattern; reference:cve,2020-16152; classtype:attempted-admin; sid:2035401; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr('src', 'https://logo.clearbit.com/' + my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031098; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/action.php5"; http.request_body; content:"|2f 2e 2e 2f 2e 2e|"; fast_pattern; content:"/tmp/messages"; reference:cve,2020-16152; classtype:attempted-admin; sid:2035402; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr(|22|src|22|,|20 22|https://logo.clearbit.com/|22|+my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed IP Tracking Domain (grabify .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"grabify.link"; bsize:12; fast_pattern; classtype:bad-unknown; sid:2035419; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup BROLER.F CnC Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?"; content:!"&"; distance:0; content:"=google"; endswith; fast_pattern; http.request_body; pcre:"/^[a-zA-Z/+=]$/"; http.content_len; content:"72"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,285e25e31b498dd1c0827286e9b44cfe; classtype:command-and-control; sid:2029092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Azure Automation Authentication Bypass"; flow:established,to_server; http.uri; content:"/oauth2/token"; http.request_body; content:"resource"; content:"management.azure.com"; within:60; fast_pattern; http.header; content:"metadata"; nocase; content:!"X-IDENTITY-HEADER"; nocase; reference:url,orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/; classtype:attempted-admin; sid:2035403; rev:2; metadata:attack_target Server, created_at 2022_03_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup ABK Backdoor CnC Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?uid="; fast_pattern; content:"&pid="; distance:0; pcre:"/\?uid=[A-F0-9]{15,}&pid=\d+$/i"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,ed363efd32984ed21e67cf618758b635; classtype:command-and-control; sid:2029093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/BlackGuard Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?user="; content:"&coockieCount="; distance:0; fast_pattern; content:"&searche="; distance:0; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 28|"; content:"|29 5f 5b|"; within:255; content:"|5d 2e|"; within:255; content:"|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; within:53; reference:url,app.any.run/tasks/3c8c54c1-d39f-4a14-af0c-242fd364ef15/; reference:md5,bb5f22fc74149158b637a2bac5064ddb; classtype:command-and-control; sid:2035398; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Snack CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"WinHTTP AutoProxy Sample/1.0"; depth:28; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:34; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2"; flow:established,to_client; http.response_body; content:"W1sibmFtZSIsICJmaXJzdG5hbWUiL"; offset:50; depth:40; fast_pattern; content:"WyJuYW1lIiwgImxhc3RuYW1lIiw"; distance:0; content:"WyJuYW1lIiwgInN0cmVldFs"; distance:0; content:"WyJpZCIsICJhdXRobmV0Y2ltLWNjLW51bWJlciIs"; distance:0; content:"BbImlkIiwgImF1dGhuZXRjaW0tY2MtZXhwLXllYXI"; distance:0; reference:url,twitter.com/felixaime/status/1500812201262829568?s=20&t=xfD8gOOJuH7IZav4YxGkcw; reference:md5,a41474baac5a91c8033cfee943cea903; classtype:trojan-activity; sid:2035400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Coolbee/Avenger CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id="; content:"&group="; distance:0; content:"&class="; distance:0; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,507daf07c6f8f0080b5c4f818cfe77cb; classtype:command-and-control; sid:2029095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SystemBC Powershell bot registration"; flow:established,to_server; dsize:100; content: "|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31|"; offset: 0; depth: 50; reference:md5,d1fb59de13a2394622c84aca8d963071; reference:url,medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c; classtype:command-and-control; sid:2035399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Casper CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|"; depth:38; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)"; dns.query; content:"xbeta.online"; nocase; bsize:12; reference:url,cert.gov.ua/article/37626; reference:md5,e34d6387d3ab063b0d926ac1fca8c4c4; reference:url,twitter.com/h2jazi/status/1500607147989684224; classtype:domain-c2; sid:2035404; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:established,from_server; tls.cert_serial; content:"00:B3:4B:42:19:50:7A:3B:55:78:3D:6D:FD:12:54:C8:88"; classtype:domain-c2; sid:2029102; rev:2; metadata:created_at 2019_12_09, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/BlackGuard Stealer Variant Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; depth:4; content:"/sendDocument?chat_id="; distance:0; content:"&caption="; distance:0; content:"|e2 9a 99 ef b8 8f 20|Windows|20|"; distance:0; fast_pattern; content:"BROWSER|3a 0a|"; distance:0; content:"|0a 0a 20|Link|20|"; distance:0; http.host; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|document|22 3b 20|filename|3d 22|"; content:".zip|22 0d 0a|Content-Type|3a 20|application/x-ms-dos-executable"; distance:0; reference:md5,d4e02002916f18576204a3f1722a958b; reference:md5,eb6c563af372d1af92ac2b60438d076d; reference:md5,ae84bf01058b29c178ae724df445c0c8; reference:url,twitter.com/3xp0rtblog/status/1499748871362261001; classtype:command-and-control; sid:2035397; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BlackGuard, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2022_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-statistics.com"; nocase; endswith; classtype:domain-c2; sid:2029100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; file.data; content:"|22|https|3a 2f 2f|webhook.site/3cc37709-f3bd-47bf-8b79-f090f0e8075b"; fast_pattern; reference:url,blog.google/threat-analysis-group/update-threat-landscape-ukraine/; classtype:credential-theft; sid:2035405; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, malware_family APT28, malware_family Fancy_Bear, signature_severity Major, updated_at 2022_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"strds.ru"; nocase; bsize:8; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028639; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; file.data; content:"|22|https|3a 2f 2f|webhook.site/d466f7a7-63a1-4c04-8347-fe2d0a96081f"; fast_pattern; reference:url,blog.google/threat-analysis-group/update-threat-landscape-ukraine/; classtype:credential-theft; sid:2035406; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, malware_family APT28, malware_family Fancy_Bear, signature_severity Major, updated_at 2022_03_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=upgrade-ms-home.com"; classtype:trojan-activity; sid:2029108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual/STARWHALE Beacon Activity (POST)"; flow:established,to_server; urilen:>15; http.method; content:"POST"; http.uri; content:!".asp"; content:!".php"; content:!".htm"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:"|0d 0a|CharSet|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.request_body; content:"vl="; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035407; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family TA450, signature_severity Major, updated_at 2022_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updateinfos.com"; nocase; endswith; classtype:domain-c2; sid:2029114; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArmyOfUkraine Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"GET / HTTP/1.1"; bsize:14; http.header; content:"accept|3a 20 2a 2f 2a 0d 0a|"; content:"host|3a|"; http.host; content:".ru"; endswith; http.header_names; content:"|0d 0a|accept|0d 0a|host|0d 0a 0d 0a|"; fast_pattern; bsize:18; threshold:type both, seconds 600, count 20, track by_src; reference:md5,62d49fed7c54621b507a02541ee55066; reference:url,twitter.com/GossiTheDog/status/1497681806094737411; classtype:trojan-activity; sid:2035421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updatemain.com"; nocase; endswith; classtype:domain-c2; sid:2029115; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual/STARWHALE GoLang Beacon Activity (POST)"; flow:established,to_server; urilen:>15; http.method; content:"POST"; http.uri; content:!".asp"; content:!".php"; content:!".htm"; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.content_type; content:"application/json"; bsize:16; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.request_body; content:"|7b 22|vl|22 3a 22|"; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035408; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family TA450, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; distance:0; endswith; classtype:exploit-kit; sid:2029122; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 GRAMDOOR Telegram CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"api.telegram.org"; bsize:16; http.uri; content:"/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendMessage?"; fast_pattern; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035409; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check JS"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"hasFlash=0x1"; content:"flashVersion=parseInt(VSwf"; distance:0; fast_pattern; content:"new RegExp('MSIE|5c|x20(|5c|x5cd+|5c|x5c.|5c|x5cd+)|3b|')|3b|"; distance:0; content:"))|3b|if(user==''){setCookie("; distance:0; content:"'data':{'data1':chk,'data2':is64,'data3':fls"; distance:0; classtype:exploit-kit; sid:2029123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TransparentTribe CnC Domain in DNS Lookup"; dns.query; content:"swissaccount.ddns.net"; nocase; bsize:21; reference:url,twitter.com/0xrb/status/1501061897604730881; classtype:domain-c2; sid:2035410; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?callback=?&data1="; fast_pattern; content:"&data2="; distance:0; content:"&data3="; distance:0; content:"&callback=JSONP_"; distance:0; http.cookie; content:"username="; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2029124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TransparentTribe CnC Domain in DNS Lookup"; dns.query; content:"sunjaydut.ddns.net"; nocase; bsize:18; reference:url,twitter.com/0xrb/status/1501061897604730881; classtype:domain-c2; sid:2035411; rev:1; metadata:created_at 2022_03_08, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious VBS Encoding Observed in BottleEK"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; classtype:bad-unknown; sid:2029125; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (gmy .cimadlicks .net)"; dns.query; dotprefix; content:".gmy.cimadlicks.net"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035412; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?ge="; depth:13; fast_pattern; http.cookie; content:"username="; http.header_names; content:!"Referer"; classtype:exploit-kit; sid:2029126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (community .weblives .net)"; dns.query; dotprefix; content:".community.weblives.net"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-12-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029127; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (app .tomelife .com)"; dns.query; dotprefix; content:".app.tomelife.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-statistics.com"; nocase; fast_pattern; classtype:trojan-activity; sid:2029128; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Free Hosting Domain (*.freehostia .com in DNS Lookup)"; dns.query; dotprefix; content:".freehostia.com"; nocase; endswith; classtype:misc-activity; sid:2035422; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029116; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pripyat Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/endpoint.php HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"cpp-httplib/0.9"; bsize:15; http.request_body; content:"|22|computername|22 3a 22|"; content:"|22|username|22 3a 22|"; distance:0; content:"|22|hashrate|22 3a|"; distance:0; reference:md5,ffb7bbf6e3e3199555b979b46d3789a6; reference:url,twitter.com/3xp0rtblog/status/1501330153900703745; reference:md5,a12ba07fcdb4eb1c1ea65e8fa49ec4ad; classtype:trojan-activity; sid:2035420; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029117; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msn-msn/log/2/debug?tim="; startswith; fast_pattern; http.host; content:"trc.taboola.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; reference:md5,9a32e5a45336e705d23adc865bd30704; classtype:command-and-control; sid:2035415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, malware_family SoulSearcher, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=potronisl.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029118; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/en-my/CMSStyles/style.csx?k="; startswith; fast_pattern; http.host; content:"c.s-microsoft.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:command-and-control; sid:2035416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontromosals.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Interactsh CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|Event|3d|"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; http.header_names; content:!"Referer"; threshold:type limit, seconds 600, count 5, track by_src; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:attempted-admin; sid:2034200; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_10_15, cve CVE_2020_28188, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontrolimon.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB2 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|22 00|"; distance:0; content:"|63 00|"; distance:8; within:2; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, performance_impact Moderate, signature_severity Major, updated_at 2022_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motylino.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029130; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/(?:([a-z0-9])(?!\1)){33,}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014363; rev:8; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2022_03_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motorlafd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029131; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB1 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|a2|"; within:1; content:"|27 00 00 5c 00 63 00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantoropols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Oracle Access Manager RCE Attempt (CVE-2021-35587)"; flow:established,to_server; http.request_line; content:"POST /oam/server/opensso/sessionservice HTTP/1.1"; fast_pattern; http.request_body; content:"svcid"; content:"|5b|CDATA"; content:"requester|3d|"; distance:0; nocase; reference:cve,2021-35587; classtype:attempted-admin; sid:2035429; rev:2; metadata:attack_target Server, created_at 2022_03_10, cve CVE_2021_35587, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=janfioooslls.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup)"; dns_query; content:"xireycicin.xyz"; isdataat:!1,relative; reference:md5,c9ddaa4d670c262bf2621b8299ccf84e; classtype:domain-c2; sid:2035430; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=golitrops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029133; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.BankBot.11270 (TLS SNI)"; flow:established,to_server; tls_sni; content:"xireycicin.xyz"; isdataat:!1,relative; nocase; reference:md5,c9ddaa4d670c262bf2621b8299ccf84e; classtype:domain-c2; sid:2035431; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=giltipolsfols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029134; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".asp"; content:!".htm"; content:!".php"; http.header; content:"|0d 0a|CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"c="; startswith; http.header_names; content:!"Referer"; reference:md5,69ff29b86ab5444197aeb0cf5eba0967; reference:url,blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html; classtype:trojan-activity; sid:2035425; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_10, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, malware_family TA450, signature_severity Major, updated_at 2022_03_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=finogorosod.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:2029135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/protocol/function.php?page="; fast_pattern; startswith; http.header; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html; classtype:trojan-activity; sid:2035426; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_10, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, malware_family TA453, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.GWO Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"okhttp/"; http.header_names; content:!"Referer|3a 20|"; http.request_body; content:"{|22|logType|22 3a|"; depth:11; content:",|22|msg|22 3a 22|{|5c 22|auth|5c 22 3a|"; fast_pattern; content:"|5c 22|appVersionName|5c 22|"; reference:md5,dcfa846ca56e14e720d4a743ac5c9f0f; classtype:command-and-control; sid:2035432; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert smb any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE HermeticWizard - File Copy via SMB"; flow:established,to_server; content:"Wizard|2e|dll|00|DllInstall|00|DllRegisterServer|00|DllUnregisterServer"; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035424; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, updated_at 2022_03_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - SMB Spreader - Remote Process Creation"; flow:established,to_server; content:"|05 00 00|"; content:"cmd|20 2f|c|20|start|20|regsvr32|20 2f|s|20 2f|i"; distance:0; fast_pattern; content:"|5c|c"; within:8; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dat|20 26 20|start|20|cmd|20 2f|c|20 22|ping|20|localhost|20 2d|n|20|7|20 26 20|wevtutil|20|cl|20|System|22|"; within:62; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029156; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-11 1)"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3a|"; pcre:"/(?:\x22mining\.authorize\x22\x2c|\x22login\x22\x2c)/R"; content:"|22|params|22|"; within:50; pcre:"/(?:\x22login\x22\x3a\x22x\.0929c\x22\x2c\x22pass\x22\x3a\x22x\x22|\x22login\x22\x3a\x2282ZEhnLaX3ggrz5HbJJyinFjt8JyLomMnXYctMHJZCg368RrSyjQgN3TgrfbjqjUVdBPTP5VgEBkBYEWnTVHUgtjPweS5gc\x22\x2c\x22pass\x22\x3a\x22\x22|\x22login\x22\x3a\x224GdoN7NCTi8a5gZug7PrwZNKjvHFmKeV11L6pNJPgj5QNEHsN6eeX3DaAQFwZ1ufD4LYCZKArktt113W7QjWvQ7CW864Ah1Quz41mP4MJy\x22\x2c\x22pass\x22\x3a\x22x\x22|\x22login\x22\x3a\x2249GB8ucxW13fM78PMN2X3ZDYunniTj3pfdoyjztCkjDZQLSxRuZARgKEsfMDtoGGuiGGxWqeh6uez8mxYsPfm8TEGFq48Ce\x22\x2c\x22pass\x22\x3a\x22SynopsisX\x22|\x22login\x22\x3a\x22tyrenke\x22\x2c\x22pass\x22\x3a\x22tyrenke\x22)/R"; reference:md5,5c8ccae9c6841583a026c8276992045f; reference:url,www.btcguild.com/new_protocol.php; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2035435; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029157; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-11 2)"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3a|"; pcre:"/(?:\x22mining\.authorize\x22\x2c|\x22login\x22\x2c)/R"; content:"|22|params|22|"; within:50; pcre:"/(?:\x22login\x22\x3a\x226243128\x22\x2c\x22pass\x22\x3a\x22myminer\x22|\x22login\x22\x3a\x226249832\x22\x2c\x22pass\x22\x3a\x22viristotal\x22|\x22login\x22\x3a\x226250474\x22\x2c\x22pass\x22\x3a\x22Minecraft\x22|\x22login\x22\x3a\x2244z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db\x22\x2c\x22pass\x22\x3a\x22bomba3\x22|\x22login\x22\x3a\x2247WpQT7o5YMPeUjZ2AYqo2HNu9SnfQ3Le5MywXMgCuBS1DHqMTQFNY7MCsWkr466gQNC5G182ZCCDiKs69mwdvr4EjvhT5c\x22\x2c\x22pass\x22\x3a\x22Krutish\x22)/R"; reference:md5,63c361252b50f6099ef962a554501257; reference:url,www.btcguild.com/new_protocol.php; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2035436; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/SharkBot Related Domain in DNS Lookup"; dns.query; content:"statscodicefiscale.xyz"; nocase; bsize:22; reference:md5,1f32aa3ad68eac774cfcaeb0cd84de4d; reference:md5,acaed4c74eb9f0c85c603d4077a95697; reference:url,research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/; classtype:domain-c2; sid:2035439; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - SMB Spreader - File Copy via SMB1 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|a2|"; within:1; content:"|12 00 63|"; distance:0; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dat|00|"; within:5; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035437; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, performance_impact Moderate, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029160; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (DNS Lookup)"; dns_query; content:"panel.anuka1.a2hosted.com"; isdataat:!1,relative; reference:md5,2f8f1f7565872f8cbce615f5dbe03d7d; classtype:domain-c2; sid:2035433; rev:2; metadata:created_at 2022_03_11, former_category MOBILE_MALWARE, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029161; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (TLS SNI)"; flow:established,to_server; tls_sni; content:"panel.anuka1.a2hosted.com"; isdataat:!1,relative; nocase; reference:md5,451d41b60db0fc16f16c8cef92a8a97d; classtype:command-and-control; sid:2035434; rev:2; metadata:created_at 2022_03_11, former_category MOBILE_MALWARE, updated_at 2022_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT41 KEYPLUG Related Domain in DNS Lookup"; dns.query; content:"afdentry.workstation.eu.org"; nocase; bsize:27; reference:url,www.mandiant.com/resources/apt41-us-state-governments; classtype:domain-c2; sid:2035440; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x32)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b 52 0c 8b|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; http.host; content:!"smartcom.com"; endswith; content:!"iscoresports.com"; endswith; content:!"popslotscasino.com"; endswith; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:pup-activity; sid:2007854; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc 48 83 e4 f0 eb 33 5d 8b 45 00 48 83 c5 04 8b|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 781"; flow:established,to_server; content:"|b1 1a 8f 90 16 1e ff 80 76 38 01|"; startswith; fast_pattern; content:"|31 28|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2035438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2022_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029168; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,to_client; tls.cert_subject; content:"CN=celasllc.com"; bsize:15; fast_pattern; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; reference:url,crt.sh/?id=492527550; classtype:trojan-activity; sid:2025990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2022_03_13;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029169; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Self Signed SSL Certificate to 'My Company Ltd'"; flow:established,to_client; tls.cert_issuer; content:"My Company Ltd"; classtype:bad-unknown; sid:2013703; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029170; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,to_client; tls.cert_subject; content:"CN=4b7gf8bngf877"; bsize:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022919; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029171; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,to_client; tls.cert_subject; content:"CN=WIN-K462BJ3GEEC"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,to_client; tls.cert_serial; content:"00:CF:DD:B8:9F:9D:14:26:AD"; tls.cert_subject; content:"CN=localhost.localdomain"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,to_client; tls.cert_serial; content:"00:86:C5:19:74:50:39:69:7A"; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020372; rev:4; metadata:attack_target Client_and_Server, created_at 2015_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029174; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Denial, L=Springfield, O=Dis,"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021938; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029175; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,to_client; tls.cert_subject; content:"CN=sni237731.cloudflaressl.com"; fast_pattern; classtype:domain-c2; sid:2023490; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for APT40 Possible DADSTACHE CnC Domain"; dns.query; content:"nethosting.viewdns.net"; nocase; bsize:22; reference:md5,2e8d758b9bce51d25ea500d7b4ce4774; classtype:domain-c2; sid:2029151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, malware_family APT40, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,to_client; tls.cert_subject; content:"C="; pcre:"/^(?P<letter>[a-z])(?P=letter)\,/R"; content:"L=Default City"; content:"O=Default Company Ltd"; fast_pattern; content:!"CN="; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023496; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029162; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"=certs_division@sslslf.info"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022100; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029163; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.hot-sex-tube.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022101; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon HEAD Request for .dot file on ddns.net"; http.method; content:"HEAD"; http.uri; content:".dot"; endswith; http.user_agent; content:"Microsoft Office"; fast_pattern; http.host; content:".ddns.net"; endswith; reference:md5,dbf4f92852cdae17aa3f2b1234f0140e; reference:md5,b221647d110bd2be2c6e9c5d727ca8db; classtype:command-and-control; sid:2028967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"O=International Security Depart"; content:"CN=www.mgid.org"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022102; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2019-12-18"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Emailapp="; depth:9; content:"|25|40"; distance:0; content:"&passwordapp="; distance:0; fast_pattern; classtype:credential-theft; sid:2029682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,to_client; tls.cert_serial; content:"00:99:60:FE:ED:86:B8:81:83"; tls.cert_subject; content:"O=Sinkhole.Ru"; fast_pattern; content:"CN=*"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022907; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.BrowSecX.AB Install Log Sent"; flow:established,to_server; http.request_line; content:"GET http://"; startswith; content:"/installLog.php?scheme="; fast_pattern; content:"&user="; content:"&cpuid="; content:"&execid="; content:"&chromeLog="; content:"&winVer="; reference:md5,336867c6cfe7aacc6aaa3107300f93b6; classtype:pup-activity; sid:2031116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=Sinkhole Party"; fast_pattern; content:"CN=sinkhole"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022908; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TinyNuke CnC Checkin"; flow:established,to_server; flowbits:set,ET.TinyNuke; http.method; content:"POST"; http.uri; content:!"&"; content:".php?"; pcre:"/\.php\?[A-F0-9]{15,25}$/i"; http.header; content:"|0d 0a|Content-Length|3a 20|9|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,917124e4d53057324aa129520fca73fb; classtype:command-and-control; sid:2024991; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=jmfbrtbsmth.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023161; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amarula IRC Botnet Connection Request"; flow:established,to_server; content:"|55 53 45 52 20|"; startswith; content:"|20 3a 5a 75 4d 62 49 0a|"; endswith; fast_pattern; reference:md5,603841f6a7036311fa5bbc44d7435f83; reference:url,github.com/hackerama/Amarula-Python-Botnet/; classtype:command-and-control; sid:2031117; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls.cert_serial; content:"00:AC:80:A0:72:11:64:DF:3F"; tls.cert_subject; content:"CN=localhost.localdomain"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"arcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,to_client; tls.cert_subject; content:"O=Agency Protocols Management of Internet"; content:"CN=bestylish.com"; fast_pattern; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022209; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"aucdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031102; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-11"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.server; content:"nginx/1.19.1"; bsize:12; http.location; content:"load.php?id="; startswith; fast_pattern; classtype:credential-theft; sid:2035447; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"frcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031103; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,to_client; tls.cert_subject; content:"O=Agency Protocols Management of Internet"; content:"=info@apmi.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022211; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,to_client; tls.cert_subject; content:"CN=server.domain.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022229; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtag.site"; nocase; endswith; classtype:trojan-activity; sid:2031105; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cmod"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,833cd8302870af5a50b3a09af0420297; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035448; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtage.site"; nocase; endswith; classtype:trojan-activity; sid:2031106; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".ndf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,eecaecd170ef3d7a5976d435f6d03ef8; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035449; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtamanag.site"; nocase; endswith; classtype:trojan-activity; sid:2031107; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=google.com"; content:"@google.com"; fast_pattern; tls.cert_issuer; content:"CN=google.com"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022234; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Wureuzisen"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022684; rev:3; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtgcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,to_client; tls.cert_subject; content:!"ST="; content:!"L="; content:"C=CH"; fast_pattern; pcre:"/O=(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)\.?,.+CN=[a-z]{5,}\.[a-z]{2,3}(?:$|,)/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022279; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtmcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031110; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=NY, L=NY"; fast_pattern; content:"CN="; distance:0; content:"=admin@"; distance:0; pcre:"/[eE]mail(?:Address)?=admin@/"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022534; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"ncdn.space"; nocase; endswith; classtype:trojan-activity; sid:2031111; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ItIsMe)"; flow:to_server,established; http.user_agent; content:"ItIsMe"; depth:6; fast_pattern; reference:url,resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts; classtype:trojan-activity; sid:2035445; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2022_03_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"usacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,to_client; tls.cert_subject; content:"OU=obama team"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021513; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"uscdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R6260 Mini_httpd Buffer Overflow Attempt - Possible RCE (CVE-2021-34979)"; flow:established,to_server; http.header; content:"SOAPAction|3a 20|"; content:"urn:NETGEAR-ROUTER:service:"; within:30; fast_pattern; content:!"|0d 0a|"; within:131; pcre:"/^SOAPAction\x3a\x20\x22?urn\x3aNETGEAR-ROUTER\x3aservice\x3a.{128,}(?!:\d#)/Hm"; http.request_body; content:"|3c 3f|xml"; startswith; reference:url,nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-netgear-nday.html; reference:cve,2021-34979; classtype:trojan-activity; sid:2035446; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_03_14, cve CVE_2021_34979, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_14;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/%D0"; startswith; content:"-%D0%9F"; distance:0; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,91c27abec8fda1410e2fae396f592e93; reference:md5,8d1ce6280d2f66ff3e4fe1644bf24247; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035450; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_14;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Authentication Bypass Attempt Inbound (CVE-2020-26879)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|OlDkR+oocZg="; fast_pattern; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26879; classtype:attempted-admin; sid:2031115; rev:1; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26879, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP-Test-Program)"; flow:to_server,established; http.user_agent; content:"HTTP-Test-Program"; bsize:17; startswith; reference:md5,6e69e15ae55aee85ace66bb99e6ba885; classtype:bad-unknown; sid:2035452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_03_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse Upload to Free Image Hosting Provider (uploads .im) - Likely Malware"; flow:established,to_server; http.request_line; content:"POST /api?upload"; startswith; http.host; content:"uploads.im"; bsize:10; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,897a5b60d609501e0feb06ff8e54d424; classtype:command-and-control; sid:2031118; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ping Identity Landing Page 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- template name: html.form.login.template.html -->"; content:"<!-- Configurable default behavior for the Remember Username checkbox -->"; content:"<!-- set the checkbox to unchecked -->"; content:"<title>Log in</title>"; content:"|24 2e|ajax"; content:"type|20 3a 20 27|POST|27 2c|"; content:"url|20 3a 20 27|files|2f|action|2e|php|3f|type|3d|login|27 2c|"; content:"data|20 3a 20 24 28 27 23|loginForm|27 29 2e|serialize|28 29 2c|"; content:"location|2e|href|20 3d 20 22|Loading|2e|php|22|"; content:"Ping Identity Corporation"; reference:md5,391dd3f15f5520a3bbfc654dbb3a4ac6; classtype:credential-theft; sid:2035454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_14;)
 
-alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Root"; flow:established,to_server; tls.sni; content:"Root"; depth:4; endswith; nocase; classtype:bad-unknown; sid:2029191; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Minor, updated_at 2020_10_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup (tvasahi .online)"; dns.query; content:"tvasahi.online"; nocase; bsize:14; reference:url,ti.qianxin.com/blog/articles/Analysis-of-ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/; classtype:domain-c2; sid:2035451; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious ToTok Mobile Application DNS Request"; dns.query; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT29 Cache_DLL SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=private.directinvesting.com"; fast_pattern; reference:md5,8f154d23ac2071d7f179959aaba37ad5; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023931; rev:3; metadata:created_at 2017_02_16, former_category MALWARE, malware_family APT29_Cache_DLL, updated_at 2022_03_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious ToTok Mobile Application TLS Request"; tls.sni; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,to_client; tls.cert_subject; content:"CN=*.tor2web."; nocase; fast_pattern; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magesource.su"; nocase; endswith; classtype:trojan-activity; sid:2029203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,to_client; tls.cert_subject; content:"O=LogMeIn, Inc."; nocase; fast_pattern; pcre:"/CN=(?:[^\r\n\,]+?[\.-])?app\d/"; classtype:policy-violation; sid:2014756; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_10_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"magesource.su"; classtype:trojan-activity; sid:2029204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate"; flow:established,from_server; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magesource.su"; nocase; fast_pattern; classtype:trojan-activity; sid:2029205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/44Caliber Stealer Discord Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/943188844625428520/64LwO5Gsh0pUZCcm80BNwTcVPihRnEmr1rZOPj02k6T5sRc5Lq4sdaB2KyttNgJHeX3T"; fast_pattern; bsize:101; http.host; content:"discord.com"; endswith; reference:md5,0238e5a4b41c4dcff77e8b01e88bed22; reference:url,twitter.com/c3rb3ru5d3d53c/status/1503449439868014592; classtype:trojan-activity; sid:2035471; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup"; dns.query; content:"multilogin.online"; nocase; bsize:17; reference:url,ti.qianxin.com/blog/articles/Analysis-of-ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/; classtype:domain-c2; sid:2035457; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Dark Nexus IoT Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:attempted-admin; sid:2029208; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020084; rev:2; metadata:created_at 2015_01_05, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Nexus IoT Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:web-application-attack; sid:2029209; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Tor Proxy Domain in DNS Lookup (onion .pet)"; dns.query; dotprefix; content:".onion.pet"; nocase; endswith; classtype:domain-c2; sid:2035461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/B1txor20 Backdoor Related Domain in DNS Lookup"; dns.query; dotprefix; content:".webserv.systems"; nocase; endswith; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/; classtype:command-and-control; sid:2035458; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/tst/ins_cont.php"; startswith; bsize:17; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Inbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:10; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_10_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain (discord .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035463; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain (discordapp .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035464; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:15; metadata:created_at 2014_04_21, former_category TROJAN, updated_at 2020_10_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Webdor.NAC Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?m="; content:"&c="; distance:0; content:"&v="; distance:0; content:"&myID="; content:"/"; within:255; content:"/"; within:10; http.user_agent; content:"Catalyst"; bsize:8; fast_pattern; reference:md5,1e2a28d5f4f03420df7a6766e0e4277c; classtype:trojan-activity; sid:2035456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"fuck u"; nocase; bsize:6; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2028991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discord .com)"; dns.query; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035465; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"autizm"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,0a73a5bf772fde4868283ce7d5228901; classtype:command-and-control; sid:2029101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn.php"; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header; content:"DNT: 1"; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|DNT|0d 0a|Connection|0d 0a 0d 0a|"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; bsize:61; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20 63 6f 63 6b 0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,5a4384f5e18cfbd993a135301141243e; classtype:command-and-control; sid:2029176; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)"; dns.query; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035466; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"get_you"; nocase; fast_pattern; bsize:7; http.header_names; content:!"Referer"; reference:md5,6d6a438b1687645b48cea729f235963e; classtype:command-and-control; sid:2029220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi?2&2"; fast_pattern; http.request_body; content:"|0d 0a|X_TP_FirewallEnabled"; content:"|0d 0a|X_TP_ExternalIPv6Address="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2022-25064; classtype:attempted-admin; sid:2035455; rev:1; metadata:created_at 2022_03_15, cve CVE_2022_25064, former_category EXPLOIT, updated_at 2022_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (carlos_castaneda)"; flow:established,to_server; http.user_agent; content:"carlos_castaneda"; nocase; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,35d17e42e314a5ebf6ddd4a3d0b47712; classtype:command-and-control; sid:2029223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M1"; flow:established,to_server; content:"|05 00 00|"; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; distance:0; content:"C|00|r|00|e|00|a|00|t|00|e|00|"; within:200; content:"regsvr32|2e|exe|20 2f|s|20 2f|i|20|"; distance:0; fast_pattern; content:"|5c|c"; within:500; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dll|00|"; within:5; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlo-analytics.com"; nocase; endswith; classtype:domain-c2; sid:2029224; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+#alert tls [195.22.26.192/26,195.22.28.192/27,195.38.137.100,195.22.4.21,195.157.15.100,212.61.180.100] 443 -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks Sinkhole SSL Cert lolcat - specific IPs"; flow:established,to_client; tls.cert_subject; content:"CN=lolcat"; fast_pattern; flowbits:isnotset,ET.invalid.cab; classtype:trojan-activity; sid:2019628; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlo-analytics.com"; nocase; fast_pattern; classtype:trojan-activity; sid:2029226; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0d 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,5003c00cdd28d6d1461e9a6a76c544a6; classtype:policy-violation; sid:2035467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlc-analytics.net"; nocase; endswith; classtype:domain-c2; sid:2029227; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl"; content:".ovh.net"; within:10; fast_pattern; pcre:"/CN=ssl\d{1,2}.ovh.net(?:$|,)/"; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_05, deployment Perimeter, former_category POLICY, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlc-analytics.net"; nocase; fast_pattern; classtype:trojan-activity; sid:2029229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE rat-test CnC Response"; flow:established,to_client; dsize:8; content:"d|00|o|00|n|00|e|00|"; nocase; flowbits:isset,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; reference:url,twitter.com/James_inthe_box/status/1501604645759709186; classtype:trojan-activity; sid:2035477; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bestbuy.zapto.org"; nocase; endswith; classtype:domain-c2; sid:2029230; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX Related Activity"; flow:established,to_server; dsize:6; content:"feiji."; fast_pattern; reference:url,twitter.com/0xrb/status/1503983616321552384; reference:md5,ff82ecc7bee903f3eb2e168855598d37; reference:md5,ae0bd618eedec0b1ba9f149333d08837; classtype:trojan-activity; sid:2035473; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain Observed in DNS Query"; dns.query; content:"comodo.world"; nocase; endswith; classtype:domain-c2; sid:2029239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING ZIP file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; content:"|00 00 00|"; distance: 1; within:3; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035478; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"pussy"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029238; rev:2; metadata:created_at 2020_01_08, former_category MALWARE, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING RAR file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035479; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] PS/PowDesk Checkin (APT34)"; flow:to_server,established; http.uri; content:".php?devicename="; fast_pattern; content:"&result="; pcre:"/^(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$/R"; reference:url,www.clearskysec.com/powdesk-apt34/; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:targeted-activity; sid:2029253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"mimestyle.xyz"; nocase; endswith; classtype:domain-c2; sid:2029254; rev:3; metadata:created_at 2020_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO imPcRemote Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloads/impcremote"; depth:21; http.host; content:"impcremote.com"; bsize:14; reference:md5,3d72ee8e1e59b143fa496fa63ca33994; classtype:attempted-admin; sid:2035475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig APT PowDesk Powershell Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reclaimlandesk.php?devicename="; fast_pattern; content:"&result="; distance:0; http.uri.raw; content:!"Missing%20LANDESK"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:url,twitter.com/ClearskySec/status/1209055280090288131; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:command-and-control; sid:2029189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RAR file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035481; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Lets Encrypt Certificate for Suspicious TLD (.top)"; flow:established,to_client; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029257; rev:3; metadata:created_at 2020_01_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ZIP file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035482; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".sslproviders.net"; nocase; endswith; classtype:trojan-activity; sid:2029268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!80,!443,!25,!22,!110] (msg:"ET MALWARE SideCopy APT MargulasRAT Related Activity"; flow:established,to_server; dsize:19; content:"|31 36 00 2b 9c 02 0d 6e 46 11 42 7e e5 8f 99 94 1d fe 24|"; fast_pattern; reference:md5,b361a415cb5fe33f54957b1aa58fffd6; reference:md5,ae29fbacb0a0aba4b8f82924551fae4d; classtype:trojan-activity; sid:2035474; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns.query; content:"gg.gg"; nocase; bsize:5; classtype:policy-violation; sid:2029258; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TA471/UNC2589 Go Downloader User-Agent (-hobot-)"; flow:established,to_server; http.user_agent; content:"-hobot-"; bsize:7; reference:md5,15c525b74b7251cfa1f7c471975f3f95; reference:url,cert.gov.ua/article/37704; classtype:trojan-activity; sid:2035468; rev:1; metadata:created_at 2022_03_16, former_category MALWARE, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,1400,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\shttp\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.0\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:64; classtype:command-and-control; sid:2029279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in DNS Lookup (nirsoft .me)"; dns.query; content:"nirsoft.me"; nocase; bsize:10; reference:url,cert.gov.ua/article/37704; reference:md5,aa5e8268e741346c76ebfd1f27941a14; classtype:domain-c2; sid:2035469; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMS-Bomber Activity"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&v="; depth:3; http.referer; content:"SMS-Bomber"; fast_pattern; startswith; reference:md5,65ee077b7917f85234061082806f0352; classtype:trojan-activity; sid:2029281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Stike CnC  Domain (nirsoft .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"nirsoft.me"; bsize:10; fast_pattern; reference:md5,aa5e8268e741346c76ebfd1f27941a14; reference:url,cert.gov.ua/article/37704; classtype:domain-c2; sid:2035470; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Group 21 CnC Domain Observed in DNS Query"; dns.query; content:"quwa-paf.servehttp.com"; nocase; endswith; classtype:domain-c2; sid:2029289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Group21, updated_at 2020_10_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Server Banner)"; flow:established,from_server; content:"***|0d 0a|*|20 20 20 20 20 20 20 20|WELCOME TO THE BALL PIT|20 20 20 20 20 20 20 20|*|0d 0a|"; fast_pattern; content:"*|20 20 20 20 20|Now with|20|"; distance:0; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022214; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl.cccccsssss.com"; nocase; endswith; reference:md5,0224334fbec16d74b4101c270a3566bf; classtype:domain-c2; sid:2031119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Raiffeisen Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Raiffeisen ELBA-internet</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns.query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029297; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern; content:"return parseInt"; content:"return |27 27|"; classtype:exploit-kit; sid:2017577; rev:5; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.uri.raw; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:command-and-control; sid:2018033; rev:4; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ELF/Rekoobe CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kooktijd.acc.dynapps.be"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029307; rev:2; metadata:affected_product Linux, created_at 2020_01_22, former_category MALWARE, malware_family Rekoobe, updated_at 2020_10_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024132; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Website Hosting Service Observed in DNS Query"; dns.query; content:"dynapps.be"; nocase; endswith; classtype:policy-violation; sid:2029308; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:3; metadata:created_at 2015_05_15, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Rekoobe CnC Observed in DNS Query"; dns.query; content:"huawel.site"; nocase; endswith; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029309; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Predator Pain Sending Data over SMTP"; flow:established,to_server; content:"Subject|3a 20|Predator Pain v"; fast_pattern; reference:md5,e774a7e6ca28487db649458f48230199; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018688; rev:4; metadata:created_at 2014_07_17, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextplugin.com"; nocase; fast_pattern; classtype:trojan-activity; sid:2029302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:4; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"jquerysmartstack.com"; nocase; endswith; classtype:domain-c2; sid:2029303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET FTP Outbound Java Anonymous FTP Login"; flow:to_server,established; content:"USER anonymous|0d 0a|PASS Java1."; fast_pattern; pcre:"/^\d\.\d(_\d+)?\@\r\n/R"; flowbits:set,ET.Java.FTP.Logon; classtype:misc-activity; sid:2016687; rev:4; metadata:created_at 2013_03_29, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request"; flow:established,to_server; http.request_line; content:"GET /getrandombase64.php?get="; fast_pattern; content:"|20|HTTP/1.1"; distance:32; within:9; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031127; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern; classtype:exploit-kit; sid:2022465; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DTLoader Encoded Binary - Server Response"; flow:established,to_client; http.response_body; content:"<html><head></head><body><p>Code|3a 20|"; startswith; fast_pattern; content:"</p><p>@@@"; distance:32; within:10; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M1 July 24 2015"; flow:to_client,established; file_data; content:"<title>Document Shared</title>"; nocase; fast_pattern; content:"name=|22|GENERATOR|22 22|>"; nocase; distance:0; content:"name=|22|HOSTING|22 22|>"; nocase; distance:0; content:"Login with your email"; nocase; distance:0; content:"Choose your email provider"; nocase; distance:0; classtype:social-engineering; sid:2021535; rev:4; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Domain (ahgwqrq .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"ahgwqrq.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:domain-c2; sid:2031129; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Chase Online - Identification</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025674; rev:4; metadata:created_at 2015_12_01, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Improperly Spaced Accept Header in User-Agent"; flow:established,to_server; http.user_agent; content:"Accept|3a|*/*"; classtype:misc-activity; sid:2031120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern; classtype:social-engineering; sid:2021966; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerysmartstack.com"; nocase; fast_pattern; classtype:trojan-activity; sid:2029305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017634; rev:8; metadata:created_at 2013_10_25, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Observed in DNS Query"; dns.query; content:"masseffect.space"; nocase; endswith; classtype:domain-c2; sid:2029310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Gamaredon, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Sign in - Apple Store</title>"; nocase; fast_pattern; content:"function isemail|28|email|29|"; nocase; content:"Double-check that you typed a valid Apple ID."; nocase; content:"Double-check that you have typed the right password."; nocase; classtype:social-engineering; sid:2031715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=askkkkkkassaa.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029311; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:4; metadata:created_at 2015_08_25, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantropoliops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029312; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=prontosloshop.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029313; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made by UltimateHackerzTeam)"; http_header; fast_pattern; reference:url,doc.emergingthreats.net/2010346; classtype:trojan-activity; sid:2010346; rev:7; metadata:created_at 2010_07_30, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=miiiiisdkkkksd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029314; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 6.0.1 (Windows)"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016650; rev:3; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=faniposlskd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029315; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024207; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ferilppdslos.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029316; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wire Transfer Phishing Landing 2015-11-19"; flow:established,from_server; file_data; content:"<TITLE>Foreign Transfer"; nocase; fast_pattern; content:"view Online TT Copy"; nocase; distance:0; content:"Online TT(CURRENCY"; nocase; distance:0; content:"Email Address"; nocase; distance:0; content:"Secure access"; nocase; distance:0; classtype:social-engineering; sid:2031700; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031121; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.G Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|Linux|20|"; offset:2; depth:21; fast_pattern; pcre:"/^\d/R"; reference:md5,917a2a3d8c30282acbe7b1ff121a4336; classtype:command-and-control; sid:2018808; rev:2; metadata:created_at 2014_07_30, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031122; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BleedingLife EK Payload Delivered"; flow:from_server,established; flowbits:isset,ET.BleedingLife.Payload; content:"200"; http_stat_code; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2023291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031123; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive</title>"; fast_pattern; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; classtype:social-engineering; sid:2025004; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031124; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; classtype:social-engineering; sid:2021258; rev:4; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031125; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M1"; flow:established,from_server; file_data; content:"<title>Google Docs</title>"; nocase; distance:0; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=number]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; content:"input[type=tel]"; nocase; distance:0; content:"signin-card #Email"; nocase; distance:0; content:"signin-card #Pass"; nocase; distance:0; classtype:social-engineering; sid:2025681; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031126; rev:2; metadata:attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; urilen:6; content:".htm"; http_uri; content:"Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.0|3B| Trident/5.0)"; fast_pattern; http_user_agent; pcre:"/^\x2F[a-z]{1}\x2Ehtm$/U"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html; reference:url,www.fortiguard.com/latest/av/4057936; reference:md5,92899c20da4d9db5627af89998aadc58; classtype:command-and-control; sid:2016211; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-01-27"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029684; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Telegram API Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=api.telegram.org"; fast_pattern; nocase; endswith; classtype:misc-activity; sid:2029322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Account Phishing Landing 2015-11-18"; flow:established,from_server; file_data; content:"<title>Verify Apple ID"; nocase; fast_pattern; content:"Please input a valid Email"; nocase; distance:0; content:"Your password is required"; nocase; distance:0; content:"Please sign in to verify"; nocase; distance:0; content:"iCloud Account"; nocase; distance:0; content:"Account Verification"; nocase; distance:0; classtype:social-engineering; sid:2031740; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Generic RAT over Telegram API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"Microsoft"; nocase; content:"Windows"; nocase; content:"Pass"; nocase; http.header; content:"|0d 0a|Host|3a 20|api.telegram.org|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2029323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Horde Webmail Phish 2015-08-21"; flow:established,to_client; file_data; content:"<title>|2e 2e 3a 3a|Account Details"; fast_pattern; content:"Successfully Submitted|3a 3a 2e 2e|</title>"; distance:1; content:"Your request has been received"; distance:0; content:"and will be processed shortly."; distance:1; classtype:credential-theft; sid:2031726; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".portmap."; nocase; pcre:"/^(?:com|io|host)/Ri"; classtype:policy-violation; sid:2027941; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:exploit-kit; sid:2021038; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Unk.PowerShell Loader CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"internationalrule.com"; bsize:21; reference:url,app.any.run/tasks/9b18c721-13b2-4151-9a1d-22b5c8478ad4; classtype:domain-c2; sid:2029325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device[endof]"; depth:23; fast_pattern; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017425; rev:3; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"6google.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin"; flow:to_server,established; content:"/index.dat?"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|0D 0A|Host|3a| "; fast_pattern; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; classtype:command-and-control; sid:2014466; rev:5; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2029656; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern; classtype:social-engineering; sid:2021537; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".dnslookup.services"; nocase; endswith; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029347; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2017784; rev:5; metadata:created_at 2013_11_27, former_category MALWARE, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"mangasiso.top"; nocase; endswith; classtype:trojan-activity; sid:2029348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:social-engineering; sid:2023037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 2"; flow:established,to_server; content:"|01 02 01 01|"; fast_pattern; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".htm HTTP/1.1"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"Host|0d 0a|"; content:"Content-Length|0d 0a|"; classtype:command-and-control; sid:2012139; rev:10; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:social-engineering; sid:2022853; rev:4; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lici Initial Checkin"; flow:established,to_server; http.uri; content:".php?email="; content:"&lici="; content:"&ver="; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:command-and-control; sid:2014119; rev:5; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2023888; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos/Hlux GET jucheck.exe from CnC"; flow:established,to_server; http.uri; content:"/jucheck.exe"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.abuse.ch/?p=3658; classtype:command-and-control; sid:2014330; rev:5; metadata:created_at 2012_03_06, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021762; rev:3; metadata:created_at 2015_09_12, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32.Autorun HTTP Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"cbID="; content:"cbVer="; distance:0; content:"cbTit="; distance:0; http.request_body; content:"cbBody="; depth:7; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; reference:url,doc.emergingthreats.net/2009516; classtype:trojan-activity; sid:2009516; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Horde Webmail Phishing Landing 2015-08-21"; flow:established,to_client; file_data; content:"<title>Mail |3a 3a 20|Welcome to Admin Portal</title>"; content:"Kindly update your information"; fast_pattern; distance:0; content:"Email Address"; distance:0; content:"Confirm Password"; distance:0; classtype:social-engineering; sid:2031725; rev:4; metadata:created_at 2015_08_21, former_category PHISHING, updated_at 2022_03_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:1; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M1 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:credential-theft; sid:2024997; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonBot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.protocol; content:"HTTP/1.0"; reference:url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/; classtype:command-and-control; sid:2013047; rev:6; metadata:created_at 2011_06_16, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fake Webmail Account Phishing Landing 2015-09-10"; flow:established,to_client; file_data; content:"<title>Verify Your Account</title>"; fast_pattern; content:"ACCOUNT UPGRADE"; distance:0; content:"VERIFY YOUR WEBMAIL ACCOUNT"; distance:0; content:"Domain|5c|Username"; distance:0; content:"Department|3a|"; distance:0; content:"inconveniences"; distance:0; classtype:social-engineering; sid:2031696; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.request_body; content:"botver="; content:"&build="; content:"&profile="; reference:url,www.threatexpert.com/report.aspx?md5=be3aed34928cb826030b462279a1c453; classtype:command-and-control; sid:2013168; rev:7; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; classtype:social-engineering; sid:2021365; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Bing checking Internet connectivity"; flow:established,to_server; http.header; content:"|3a 20|no-cache"; http.host; content:"www.bing.com"; depth:12; endswith; http.start; content:"GET / HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|"; depth:60; http.header_names; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013488; rev:5; metadata:created_at 2011_08_30, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"</script></head>|0d 0a|<body>"; fast_pattern; content:" id="; pcre:"/^\s*?[\x22\x27][A-Za-z]{3,10}[\x22\x27]/R"; content:" title="; content:!"<"; within:100; pcre:"/^\s*?[\x22\x27](?=[A-Z]{0,19}[a-z]{1,19}[A-Z])[a-zA-Z]{14,20}[\x22\x27][^<>]*?>(?=[A-Za-z]{0,99}\d)[A-Za-z0-9\x20]{100}/R"; classtype:exploit-kit; sid:2020354; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.MUD Variant Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/total_visitas.php"; fast_pattern; http.start; content:".php HTTP/1.1|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:6; metadata:created_at 2012_01_11, former_category MALWARE, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.bing.com)"; flow:established,to_server; dsize:38; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.bing.com|0d 0a 0d 0a|"; distance:1; within:24; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018432; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3b 20|name=|22|bot_id|22 0d 0a 0d 0a|"; fast_pattern; content:"|3b 20|name=|22|os_version|22 0d 0a 0d 0a|"; distance:0; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:command-and-control; sid:2014269; rev:7; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021044; rev:3; metadata:created_at 2015_05_01, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014542; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Checkin Activity 2"; flow:established,to_server; urilen:20<>100; content:!"Referer|3a|"; http_header; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^Host\x3a\x20(?=[a-z0-9]{0,19}[A-Z])(?=[A-Z0-9]{0,19}[a-z])[a-zA-Z0-9]{4,20}\.[a-z]{2,3}/H"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|Mozilla/"; http_header; within:41; fast_pattern; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020302; rev:7; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014548; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:social-engineering; sid:2025656; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014547; rev:7; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre IE Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|attachment|3b 20|"; http_header; content:".zip|20 3b 0d 0a|"; distance:0; http_header; content:"Content-Type|3a 20|$ctype|0d 0a|"; http_header; fast_pattern; file_data; content:"PK|03 04|"; within:4; classtype:trojan-activity; sid:2020160; rev:6; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; depth:49; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:5; metadata:created_at 2011_08_30, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net start Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"These Windows services are started|3a 0d|"; fast_pattern; content:"The command completed successfully|2e|"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019001; rev:2; metadata:created_at 2014_08_26, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:".php"; pcre:"/^\/[a-z]\.php/"; http.user_agent; content:"Indy Library"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015504; rev:6; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing 2015-08-14"; flow:to_client,established; file_data; content:"<title>Mailbox Added services</title>"; nocase; fast_pattern; content:"autorised email address"; nocase; distance:0; content:"complete this autorization"; nocase; distance:0; classtype:social-engineering; sid:2031722; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/news/?s="; fast_pattern; pcre:"/^\d{1,6}$/R"; http.header_names; content:!"Referer"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:trojan-activity; sid:2011825; rev:11; metadata:created_at 2010_10_18, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 14 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern; content:"|24 2c|"; distance:0; pcre:"/^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c/R"; classtype:exploit-kit; sid:2020180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/security.jsp"; nocase; fast_pattern; http.request_body; content:"f0="; depth:3; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:command-and-control; sid:2013327; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:exploit-kit; sid:2016144; rev:4; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses"; flow:established,to_server; http.uri; content:"/distrib_serv/ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013536; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024125; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M2"; flow:established,to_client; dsize:1051; content:"|04 19 00 00 00 1a 00 00 00 17 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 6f 63 75 6d 65 6e 74 73 00 00 00 08 55 54 43 2d 2d|"; depth:42; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031131; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016493; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M3"; flow:established,to_server; dsize:8; content:"|0c 00 0f 0a 0b 0a 0b 0a|"; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031132; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:3; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server"; flow:established,to_server; http.uri; content:"/search=ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013537; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Fake Document Loading Error 2015-10-01"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; content:"Verifying Login, Please wait"; nocase; fast_pattern; distance:0; content:"Loading"; nocase; distance:0; content:"and collaborate documents"; nocase; distance:0; content:"Initializing"; distance:0; classtype:social-engineering; sid:2031697; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server"; flow:established,to_server; http.uri; content:"/search="; fast_pattern; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013538; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Job314 EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"embedSWF(|22|index.swf?action=swf|22|"; fast_pattern; content:"src=|22|index.js?action=swfobject|22|"; classtype:exploit-kit; sid:2019689; rev:4; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; http.uri; content:"knock.php?ver="; fast_pattern; content:"&sid="; distance:0; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013539; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:exploit-kit; sid:2021374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (listdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/listdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013668; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Stoberox.B"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"Host|3a|"; http_header; depth:5; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Accept-Encoding|3a 20|none|0d 0a|"; http_header; fast_pattern; content:!"Referer"; http_header; pcre:"/^[a-zA-Z0-9\+\/]+={0,2}$/P"; reference:md5,6ca1690720b3726bc76ef0e7310c9ee7; classtype:trojan-activity; sid:2018300; rev:4; metadata:created_at 2014_03_20, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (mkdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mkdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013669; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024126; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; http.request_line; content:"GET @"; depth:5; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013791; rev:4; metadata:created_at 2011_10_24, updated_at 2020_10_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/SGCommand.aspx?sgcommand="; fast_pattern; content:"&uid="; distance:0; content:"&sid="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; http.user_agent; content:"|20|Android|20|"; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_11_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_03_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT34 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=manygoodnews.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029385; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family APT34, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; classtype:social-engineering; sid:2022011; rev:4; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fiffaslslslld.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029386; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family BrushaLoader, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:social-engineering; sid:2022366; rev:4; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=loppappsas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029387; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family BrushaLoader, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent|3a| Microsoft|20|Internet|20|Updater|0d 0a|"; http_header; fast_pattern; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:5; metadata:created_at 2012_07_26, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conversia91.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029388; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern; classtype:social-engineering; sid:2021538; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=123faster.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029389; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:3; metadata:created_at 2012_11_14, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fatoftheland.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029390; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Fake Mailbox Quota Increase Messages 2016-05-25"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; content:"Upgrading your mailbox"; nocase; fast_pattern; distance:0; content:"Upgrade Successful"; nocase; distance:0; content:"added to your mail quota"; nocase; distance:0; content:"//Do not edit below this line"; distance:0; nocase; classtype:social-engineering; sid:2031989; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=creatorz123.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029391; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern; classtype:exploit-kit; sid:2023513; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=compilator333.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029392; rev:3; metadata:created_at 2020_02_06, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, tag SSL_Malicious_Cert, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:social-engineering; sid:2023051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014544; rev:6; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:exploit-kit; sid:2021064; rev:4; metadata:created_at 2015_05_07, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; http.uri; content:"/Default.asp"; http.header; content:"Accept: image/gif,image/x-xbitmap"; content:"|20|MSIE|20|"; http.cookie; content:"PREF=86845632017245"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:targeted-activity; sid:2016452; rev:4; metadata:created_at 2013_02_21, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Download"; flow:from_server,established; flowbits:isset,ET.andromeda; content:"200"; http_stat_code; content:"Server|3a 20|nginx"; http_header; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:"Content-Transfer-Encoding|3a| binary|0d 0a|"; fast_pattern; pcre:"/filename=[a-f0-9]{32}v\.(?:docm|zip)\x0d\x0a/Hmi"; classtype:trojan-activity; sid:2022573; rev:3; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"VBTagEdit"; depth:9; nocase; http.protocol; content:"HTTP/1.0"; reference:url,doc.emergingthreats.net/2010439; classtype:command-and-control; sid:2010439; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016490; rev:13; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; http.content_type; content:"audio|2F|"; startswith; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:11; metadata:created_at 2011_08_22, updated_at 2020_10_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|25|www.signliquideducationdaughter.final"; distance:1; within:38; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022247; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; http.request_body; content:"dbhost="; content:"dbuser="; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:4; metadata:created_at 2013_07_02, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:exploit-kit; sid:2016721; rev:5; metadata:created_at 2013_04_04, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=get&applicationID="; nocase; depth:25; fast_pattern; content:"&developerId="; nocase; distance:0; content:"&deviceId="; nocase; distance:0; content:"android.permission"; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:6; metadata:created_at 2011_06_16, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Metro Document Phishing Landing 2015-11-17"; flow:established,from_server; file_data; content:"invited to download DATASHEET"; nocase; content:"<title>Metro Download Online"; fast_pattern; nocase; content:"simplest and secure way"; nocase; distance:0; content:"view your documents and files"; nocase; distance:0; content:"View Document"; nocase; distance:0; content:"Confirm email address to download"; nocase; distance:0; classtype:social-engineering; sid:2031699; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; http.uri; content:"/search?query="; depth:14; content:"&sort=relevance"; within:15; pcre:"/^[A-Z0-9]{8}/R"; http.host; content:"groups.yahoo.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:4; metadata:created_at 2013_08_22, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern; pcre:"/^\d+\x3b/R"; classtype:exploit-kit; sid:2021338; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; http.uri; content:"/1"; depth:2; fast_pattern; pcre:"/^[a-z0-9]{13}\.[a-z]{3}$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:exploit-kit; sid:2017731; rev:5; metadata:created_at 2013_11_19, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Page 2015-10-17"; flow:established,to_client; file_data; content:"<TITLE> DHL|7c 20|Trackinng</TITLE>"; nocase; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|rv|3a|32.0)"; nocase; distance:0; content:"fnSubmitOnEnter"; nocase; distance:0; classtype:social-engineering; sid:2031728; rev:4; metadata:created_at 2015_09_16, former_category PHISHING, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/getLastVersion"; depth:15; http.header; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2017999; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 01 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22| title="; within:29; fast_pattern; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020342; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_01, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.MyDNS DNSChanger - HTTP POST"; flow:established,to_server; content:"|0d 0a 0d 0a|r="; fast_pattern; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.request_body; content:"r="; depth:2; nocase; content:"&f="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&u="; nocase; distance:0; content:"&i="; nocase; distance:0; content:"&g="; nocase; distance:0; reference:url,doc.emergingthreats.net/2009813; classtype:trojan-activity; sid:2009813; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; fast_pattern; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:10; metadata:created_at 2010_07_30, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE possible OneLouder header structure"; flow:to_server,established; flowbits:set,ET.OneLouder.Header; flowbits:noalert; http.header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b|)|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018463; rev:11; metadata:created_at 2014_05_12, updated_at 2020_10_28;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:2; metadata:created_at 2014_02_04, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_src; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:5; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016492; rev:13; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_dst; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:4; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"xmlhttp.open(|22|POST|22|, |22|/foo|22|, false)|3b|"; fast_pattern; content:"xmlhttp.send(sendstr)|3b|"; distance:0; classtype:exploit-kit; sid:2019690; rev:4; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|k="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"k="; depth:2; pcre:"/^\d{15}/R"; http.protocol; content:"HTTP/1.0"; reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:command-and-control; sid:2013439; rev:12; metadata:created_at 2011_08_03, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern; content:"|3a|stroke"; nocase; classtype:exploit-kit; sid:2017852; rev:3; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HB_Banker16 Get"; flow:to_server,established; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|text/html|0d 0a|Host|3a|"; depth:30; fast_pattern; content:!"Indy Library"; http.user_agent; content:"Firefox/12.0"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:44; endswith; classtype:trojan-activity; sid:2019608; rev:6; metadata:created_at 2014_10_30, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:social-engineering; sid:2021207; rev:4; metadata:created_at 2015_06_09, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fb 28 39 fc 28 39 fb 4c 2f fb 3f 4f 8b 28 38 8c 28 39 fe|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Nov 4 2014"; flow:established,from_server; file_data; content:"var main_request_data_content"; within:29; fast_pattern; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:exploit-kit; sid:2019642; rev:3; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3e 2f fb 39 2f fb 3e 4b ed 3e 38 8d 4e 2f fa 49 2f fb 3b|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK"; flow:established,from_server; file_data; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; pcre:"/^[^\x27]+[\x27]\s*/R"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern; within:93; isdataat:!3,relative; classtype:exploit-kit; sid:2019798; rev:4; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 39 ed 3e 3e ed 3e 39 89 28 39 fa 48 49 ed 3f 4e ed 3e 3c|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern; nocase; content:"src="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016337; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sem/"; nocase; content:".php"; nocase; content:"uniqueid="; nocase; content:"|3B|"; pcre:"/\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\;/i"; reference:url, www.securityfocus.com/bid/37375/info; reference:url,doc.emergingthreats.net/2010510; classtype:web-application-attack; sid:2010510; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2021746; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Thumbnail.php?"; nocase; content:"base_path="; nocase; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,securityvulns.com/Odocument913.html; reference:url,doc.emergingthreats.net/2009053; classtype:web-application-attack; sid:2009053; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adilbo HTML Encoder Observed"; flow:established,to_client; file_data; content:"|2f 2a 20 61 64 69 6c 62 6f 20 48 54 4d 4c 20 45 6e 63 6f 64 65 72|"; fast_pattern; content:"*|20 20|Checksum|3a 20|927c770095e0daa48298343b8fd14624"; within:200; classtype:policy-violation; sid:2024763; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat upload from external source"; flow:to_server,established; flowbits:isset,ET.Tomcat.login.attempt; http.method; content:"POST"; http.uri; content:"/manager/html/upload"; nocase; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009220; classtype:successful-admin; sid:2009220; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Credential Phish - Loading Messages 2015-08-12"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; fast_pattern; content:"Contacting email provider"; nocase; distance:0; content:"Authenticating password for"; nocase; distance:0; content:"Authentication Success"; nocase; distance:0; content:"in spam list"; nocase; distance:0; content:"in fraudlent list"; nocase; distance:0; content:"Please Wait"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2031719; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/statuswml.cgi?"; nocase; content:"ping"; nocase; pcre:"/^\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ri"; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; classtype:web-application-attack; sid:2009670; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/includes/components/graphexplorer/visApi.php?"; nocase; fast_pattern; content:"type="; nocase; content:"div="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:6; metadata:created_at 2012_06_22, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/unathenticated/"; http.uri.raw; content:"/unauthenticated//..%01/..%01/..%01/"; reference:url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin; reference:url,doc.emergingthreats.net/2010009; classtype:web-application-attack; sid:2010009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phish Landing 2015-11-14"; flow:established,from_server; file_data; content:"<title>Adobe PDF</title>"; fast_pattern; nocase; content:"Adobe PDF Online"; nocase; distance:0; content:"You are not signed in yet"; nocase; distance:0; content:"Confirm your identity"; nocase; distance:0; content:"receiving email account to view document"; nocase; distance:0; classtype:social-engineering; sid:2031737; rev:4; metadata:created_at 2015_11_14, former_category PHISHING, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; http.method; content:"POST"; http.uri; content:"/jmx-console/HtmlAdaptor"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; classtype:web-application-attack; sid:2010379; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 06 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern; pcre:"/^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{/Rs"; classtype:exploit-kit; sid:2020103; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{25,40}$/"; http.user_agent; content:"UpdaterResponse"; fast_pattern; depth:15; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018025; rev:6; metadata:created_at 2014_01_27, former_category ADWARE_PUP, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Commonwealth Bank Phish Fake Error Page 2015-08-20"; flow:established,to_client; file_data; content:"MSHTML 10.00.9200.16750"; content:"You&nbsp|3b|already read this statement!"; fast_pattern; distance:0; content:"System Error Code"; distance:0; content:"CommBank technical departament"; distance:0; classtype:credential-theft; sid:2031724; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/?8080"; fast_pattern; http.request_body; content:"name=|22|action|22 0d 0a 0d 0a|"; pcre:"/^(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/R"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; pcre:"/^(?:winload(?:32)?|cmms)\x0d\x0a/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018257; rev:6; metadata:created_at 2014_03_12, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:exploit-kit; sid:2022479; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; content:"DeploymentScanner"; nocase; content:"methodName=addURL"; nocase; content:"=http"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; classtype:web-application-attack; sid:2010380; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mini Mail Dashboard Widget abspath Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?"; nocase; fast_pattern; content:"abspath="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/105238/WordPress-Mini-Mail-Dashboard-Widget-1.36-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014450; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/send_sim_no.php"; fast_pattern; endswith; http.request_body; content:"_no="; depth:16; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017787; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fake Webmail Quota Phish 2015-09-10"; flow:established,to_client; file_data; content:"<title>SUCCESSFULLY VALIDATED</title>"; nocase; fast_pattern; content:"MAILBOX HAVE BEEN SUCCESSFULLY"; nocase; distance:0; content:"QUOTA HAVE BEEN SCHEDUELED"; nocase; distance:0; content:"WITHIN 24 HOURS"; nocase; distance:0; classtype:credential-theft; sid:2031727; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; http.uri; content:"/Check.ashx?"; depth:12; content:"&e="; content:"&n="; content:"&mv="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018026; rev:5; metadata:created_at 2014_01_27, former_category ADWARE_PUP, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Survey Credential Phish 2015-08-12"; flow:to_client,established; file_data; content:"HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"<title>Survey Successful"; distance:0; nocase; fast_pattern; content:"Survey completed"; distance:0; nocase; content:"included in spam or fraudulent list."; distance:0; nocase; content:"email verification survey system."; distance:0; nocase; classtype:credential-theft; sid:2031720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; content:"/final.html"; distance:0; endswith; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:4; metadata:created_at 2013_12_16, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.msn.com)"; flow:established,to_server; dsize:37; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.msn.com|0d 0a 0d 0a|"; distance:1; within:23; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018431; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FortDisco Reporting Status"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cmd.php"; fast_pattern; endswith; http.user_agent; content:"|3b 20|Synapse"; http.request_body; content:"status="; depth:7; pcre:"/^\d$/R"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:6; metadata:created_at 2013_08_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:5; metadata:created_at 2013_10_04, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin"; flow:established,to_server; flowbits:set,ETGamut; http.uri; content:"file=SenderClient.conf"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018245; rev:6; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:exploit-kit; sid:2022779; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.virustotal.com/en/file/79dfb0ea0d788dd388a1d1856402f04ddcdc42b7134ffc80747b339937216cbb analysis/; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|visibility|3a|hidden|22| title="; within:34; fast_pattern; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020352; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Almanahe.B Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"ClientUpdate"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:command-and-control; sid:2018123; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Sept 14 2015"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; fast_pattern; content:"<title>TRADE FILE</title>"; nocase; distance:0; content:"Sign In With Your Correct Email"; nocase; distance:0; classtype:social-engineering; sid:2025690; rev:6; metadata:created_at 2015_09_15, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan with Fake Java User-Agent"; flow:established,to_server; http.user_agent; content:"Java/"; depth:5; http.request_line; content:"GET /1.php HTTP/1.1"; fast_pattern; http.accept; content:"text/html, image/gif, image/jpeg, *|3b 20|q=.2, */*|3b 20|q=.2"; depth:52; endswith; http.connection; content:"keep-alive"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2018640; rev:7; metadata:created_at 2014_07_03, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Phish Landing 2015-10-23"; flow:established,from_server; file_data; content:"<title>Yahoo"; nocase; content:"You Have Been Signed Out"; fast_pattern; nocase; distance:0; content:"Yahoomail For Yahoo Security"; nocase; distance:0; content:"please Relogin"; nocase; distance:0; classtype:social-engineering; sid:2031688; rev:3; metadata:created_at 2015_10_22, former_category PHISHING, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; content:"&so="; nocase; content:"&user"; nocase; content:"&versao"; nocase; content:"&pcname="; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018650; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_10_28;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; offset:4; depth:30; fast_pattern; content:"|00 09 00 00 00 10|"; distance:1; within:6; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type both, track by_src, count 3, seconds 30; classtype:trojan-activity; sid:2024217; rev:4; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EUPUDS.A Requests for Boleto replacement "; flow:established,to_server; urilen:10; http.request_line; content:"POST /index.php HTTP/1."; fast_pattern; http.header_names; content:"Content-Type|0d 0a|"; content:"Content-Length|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Cache-Control|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:url,blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf; classtype:trojan-activity; sid:2018793; rev:6; metadata:created_at 2014_07_28, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:10; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Fake Server Header"; flow:established,to_client; http.protocol; content:"HTTP/1."; http.server; content:"Stalin"; fast_pattern; startswith; reference:md5,7e3e28320d209a586917668e3b8eac40; classtype:trojan-activity; sid:2018775; rev:6; metadata:created_at 2014_07_25, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; classtype:social-engineering; sid:2022033; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Initial Macro Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?u="; content:"&h="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021043; rev:3; metadata:created_at 2015_05_01, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (9)"; flow:established,to_server; http.uri; content:".txt?f="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016976; rev:12; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-16"; flow:established,from_server; file_data; content:"Temporarily unable to load your account"; nocase; content:"Temporarily unable to load your account"; nocase; distance:0; content:"confirm your informations"; fast_pattern; nocase; distance:0; content:"fix this problem"; nocase; distance:0; content:"access to your account"; nocase; distance:0; reference:md5,ce07d8a671e2132f404e13ff8e1959b5; classtype:credential-theft; sid:2031687; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage"; flow:established,to_server; http.host; pcre:"/^[^\r\n]+\x20[a-z]/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"POST / HTTP/1.1"; fast_pattern; reference:md5,6948d4f22e8d57369988be219ab70335; classtype:trojan-activity; sid:2020470; rev:8; metadata:created_at 2015_02_18, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:social-engineering; sid:2022525; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"username="; content:"memory_total="; content:"os_caption="; content:"os_serialnumber="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021133; rev:5; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:exploit-kit; sid:2024037; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Errorcontent CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ip="; fast_pattern; content:"&referer="; distance:0; content:"&ua="; pcre:"/^\/[a-z]+\/\?ip=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/diary/Possible+Wordpress+Botnet+C&C:+errorcontent.com/19733; classtype:command-and-control; sid:2021153; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_05_26, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Wordpress, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA"; flow:established,to_server; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|3b|Google|3b|)|0d 0a|Host|3a| "; fast_pattern; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:70; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:2016429; rev:5; metadata:created_at 2011_08_05, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-folder)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-fa"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017520; rev:6; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.yahoo.com)"; flow:established,to_server; dsize:39; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.yahoo.com|0d 0a 0d 0a|"; distance:1; within:25; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018433; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Initial Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern; depth:67; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021051; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:social-engineering; sid:2022527; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Command Status CnC"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/"; fast_pattern; depth:45; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021052; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern; content:"spawAnyone("; nocase; distance:0; classtype:exploit-kit; sid:2016927; rev:12; metadata:created_at 2013_05_25, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/6."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020944; rev:7; metadata:created_at 2015_04_17, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; distance:0; classtype:social-engineering; sid:2021285; rev:4; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/7."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020946; rev:5; metadata:created_at 2015_04_17, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016240; rev:6; metadata:created_at 2013_01_18, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type="; fast_pattern; pcre:"/^(?:update_hash|js|key|arsiv_(?:hash|link))$/R"; http.user_agent; content:!"Mozilla|2f|"; http.host; content:!"threatseeker.com"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:command-and-control; sid:2021030; rev:7; metadata:created_at 2015_04_29, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern; classtype:trojan-activity; sid:2016298; rev:5; metadata:created_at 2013_01_29, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Scanbox Sending Host Data"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\/(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})\.jpg$/"; http.cookie; content:"recordid="; fast_pattern; depth:9; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2021229; rev:5; metadata:created_at 2015_06_10, updated_at 2020_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows ipconfig Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Windows IP Configuration|0d|"; fast_pattern; content:"Ethernet adapter Local Area Connection|3a|"; distance:0; content:"Physical Address"; content:"IP Address"; content:"Subnet Mask"; content:"Default Gateway"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019000; rev:4; metadata:created_at 2014_08_26, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|28|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-z0-9]{11}=\d{16}$/"; http.header_names; content:!"Accept"; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:command-and-control; sid:2020345; rev:5; metadata:created_at 2015_02_02, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zimbra Phish 2015-11-03"; flow:established,from_server; file_data; content:"<title>Thank You</title>"; fast_pattern; nocase; content:"enable us complete your security updates"; nocase; distance:0; content:"wrongly kindly click back"; nocase; distance:0; content:"resulting to the deactivation"; nocase; distance:0; classtype:credential-theft; sid:2031689; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"Cookie|3a 20|A="; fast_pattern; http.method; content:"GET"; http.uri; content:"/"; offset:9; depth:1; content:".html"; distance:0; nocase; endswith; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021275; rev:8; metadata:created_at 2015_06_16, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:6; metadata:created_at 2011_10_20, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potao CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22|?>"; depth:21; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; fast_pattern; http.content_type; content:"application/xml"; classtype:command-and-control; sid:2021554; rev:4; metadata:created_at 2015_07_30, former_category MALWARE, updated_at 2020_10_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024131; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC"; flow:established,to_server; flowbits:set,ET.centerpos; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&osname="; nocase; distance:0; content:"&compname="; nocase; distance:0; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022469; rev:4; metadata:created_at 2016_01_28, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"|0d 0a|User-Agent|3a 20|Opera/9 (Windows"; fast_pattern; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:command-and-control; sid:2014777; rev:3; metadata:created_at 2012_05_18, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC 2"; flow:established,to_server; flowbits:set,ET.centerpos; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&comid="; nocase; fast_pattern; distance:0; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022472; rev:4; metadata:created_at 2016_01_28, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing 2015-11-14"; flow:established,from_server; file_data; content:"<title>DHL |7c| EzyBill</title>"; fast_pattern; nocase; content:"GlobalEzybill"; nocase; distance:0; content:"NOW YOUR BILLS ARE JUST"; nocase; distance:0; content:"receivable parcel in real time"; nocase; distance:0; content:"Dispute your invoices online"; nocase; distance:0; classtype:social-engineering; sid:2031739; rev:4; metadata:created_at 2015_11_14, former_category PHISHING, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no accept headers"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Accept"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022985; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category TROJAN, malware_family Zeus, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern; classtype:trojan-activity; sid:2016297; rev:5; metadata:created_at 2013_01_29, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; flowbits:set,ET.Sage.Primer; flowbits:noalert; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Phish M3 2016-07-11"; flow:from_server,established; file_data; content:"<title>Verifying |7c| Authentication"; nocase; fast_pattern; content:"<META HTTP-EQUIV="; nocase; distance:0; content:"refresh"; distance:1; within:8; nocase; content:"You have been logged"; nocase; distance:0; content:"view shared files"; nocase; distance:0; classtype:credential-theft; sid:2031953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//admin/imagens/icones/new/get.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,d34912a19473fe41abdd4764e7bec5f9; classtype:command-and-control; sid:2024028; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag Banking_Trojan, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:5; metadata:created_at 2010_09_28, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&email="; nocase; content:"&pass"; nocase; classtype:credential-theft; sid:2029655; rev:5; metadata:created_at 2016_02_17, former_category PHISHING, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern; classtype:social-engineering; sid:2017135; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_07_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-08-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CardNumber="; nocase; fast_pattern; content:"&Exp"; nocase; content:"CVV="; nocase; classtype:credential-theft; sid:2029676; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021090; rev:4; metadata:created_at 2015_05_13, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ldrctl.php"; endswith; http.request_body; content:"os="; depth:3; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; nocase; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:command-and-control; sid:2010217; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern; classtype:social-engineering; sid:2021540; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; http.start; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; classtype:exploit-kit; sid:2022990; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024130; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (123faster .top)"; dns.query; content:"123faster.top"; nocase; bsize:13; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Common Multiple JS Unescape May 25 2017"; flow:from_server,established; file_data; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; content:"document.write(unescape(|27|"; nocase; fast_pattern; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; distance:0; content:"document.write(unescape(|27|"; nocase; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; classtype:social-engineering; sid:2025227; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&transport=websocket&sid="; fast_pattern; http.header; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; content:"Sec-WebSocket-Key|3a 20|"; content:"Upgrade|3a 20|websocket"; content:"origin|3a 20|"; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"; http.cookie; content:"connect.sid="; content:"io="; classtype:credential-theft; sid:2025001; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Account Phish 2015-09-02"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"Outlook Web Validation Successful"; distance:0; content:"email details correctly|3b|"; distance:0; content:"wrongly kindly click"; distance:0; content:"refill in details"; distance:0; classtype:credential-theft; sid:2031685; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)"; dns.query; content:"conversia91.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; fast_pattern; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:command-and-control; sid:2014757; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top)"; dns.query; content:"fatoftheland.top"; nocase; bsize:16; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET MALWARE Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern; reference:md5,91f885e08d627097fb1116a3d4634b82; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018017; rev:4; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)"; dns.query; content:"creatorz123.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe LiveCycle Designer ES 8.2"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016647; rev:4; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (compilator333 .top)"; dns.query; content:"compilator333.top"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Pain File Stealer sending wallet.dat via SMTP"; flow:to_server,established; content:"Subject|3a| Pain File Stealer"; fast_pattern; content:"Content|2d|Type|3a 20|application|2f|octet|2d|stream|3b 20|name|3d|wallet.dat"; reference:url,www.cyphort.com/blog/nighthunter-massive-campaign-steal-credentials-revealed; classtype:trojan-activity; sid:2018738; rev:2; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f0 28 39 fe 4e 2f fb 3e 4e 8e 4e 2f fa 49 2f fb 3a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029436; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern; distance:0; classtype:social-engineering; sid:2021964; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 35 2f fb 3b 49 ed 3e 39 8c 4b 49 ed 3f 4e ed 3e 3d|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phishing Landing Aug 11 2015"; flow:to_client,established; file_data; content:"<title>Email Service Provider</title>"; nocase; fast_pattern; content:"<title>Signin</title>"; nocase; distance:0; classtype:social-engineering; sid:2025665; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 32 ed 3e 3c 8b 28 39 fb 49 4c 8b 28 38 8c 28 39 ff|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:social-engineering; sid:2023752; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Texsa)"; flow:established,to_client; tls.cert_subject; content:", L=Texsa, "; fast_pattern; tls.cert_issuer; content:", L=Texsa, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Gate"; flow:established,from_server; file_data; content:"AgControl.AgControl"; content:"document.cookie.indexOf|28 22|xap|22 29|"; fast_pattern; content:"Math.random()|3b|"; classtype:exploit-kit; sid:2019183; rev:4; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Mountainvew)"; flow:established,to_client; tls.cert_subject; content:", L=Mountainvew, "; nocase; fast_pattern; tls.cert_issuer; content:", L=Mountainvew, "; nocase; reference:md5,5c1fce8fa3e228b8f2641bb1f7a29c3f; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; classtype:targeted-activity; sid:2031136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern; content:"contact Microsoft Support"; nocase; distance:0; classtype:social-engineering; sid:2022409; rev:4; metadata:created_at 2016_01_26, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 ff 28 39 fa 49 2f fb 3b 2f fb 3a 2f fb 34 48 ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern; distance:0; content:"myFunction()|3b|"; classtype:social-engineering; sid:2022365; rev:7; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3a 2f fb 3f 4e ed 3e 3c ed 3e 3d ed 3e 33 8a 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Jar Download Method 2"; flow:established,from_server; content:"Content-Type|3a 20|application/octed-stream"; http_header; fast_pattern; flowbits:isset,ET.http.javaclient; classtype:exploit-kit; sid:2018545; rev:4; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 3d ed 3e 38 8c 28 39 fe 28 39 ff 28 39 f1 4f 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mailz/lists/config/config.php?"; fast_pattern; nocase; content:"wpabspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016117; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE POWERTON CnC Domain in DNS Lookup"; dns.query; content:"dailystudy.org"; nocase; bsize:14; reference:url,blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/; classtype:domain-c2; sid:2029448; rev:2; metadata:created_at 2020_02_13, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP Wordpress enable-latex plugin url Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/enable-latex/core.php?"; fast_pattern; nocase; content:"url="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/107260/WordPress-Enable-Latex-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014448; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multibank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<title>Document</title>"; distance:0; content:"href=|22|run/images/"; distance:0; content:"<img src=|22|run/captcha.php?rand="; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|captcha|22|>"; distance:0; fast_pattern; classtype:social-engineering; sid:2031100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 9.0.0 (Windows)"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016649; rev:3; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MoleRAT/Pierogi Backdoor Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cname="; depth:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"&av="; within:40; content:"&osversion="; within:50; content:"&aname="; within:50; fast_pattern; content:"&ver="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:targeted-activity; sid:2029431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Injected iframe Oct 22 2014"; flow:established,from_server; file_data; content:"|2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29|"; within:93; fast_pattern; classtype:exploit-kit; sid:2019497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-01-29 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"|0d 0a 0d 0a|user"; fast_pattern; http.method; content:"POST"; http.request_body; content:"user"; depth:4; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2029338; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M1"; flow:to_client,established; file_data; content:"eval|28|"; pcre:"/^[a-z]\x29/Rsi"; content:"Problems in loading internet explorer"; distance:0; content:"Try again after update your systems."; distance:0; fast_pattern; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021609; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:attempted-admin; sid:2029022; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive External IP Leak"; flow:established,from_server; file_data; content:"<span id=|22|lblIPBehindProxy|22|>{"; within:29; fast_pattern; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:external-ip-check; sid:2020811; rev:4; metadata:created_at 2015_03_31, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:web-application-attack; sid:2029034; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 74 65 78 74 2F 70 6C 61 69 6E 2C 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 2A 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43 61 63 68 65|"; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:command-and-control; sid:2023032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 2f fb 38 2f fb 39 2f fb 39 48 ed 3e 3f ed 3e 3d ed 3f 4e ed 3e 3e|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert tcp any any -> $SMTP_SERVERS [25,587] (msg:"ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; fast_pattern; content:"|0d 0a 2d 2d|"; distance:0; pcre:"/^(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{0,69}?[^\x2d])--(?:\x0d\x0a(?!--|\x2e|RSET)[^\r\n]*?)*\x0d\x0a--(?P=boundary)\x0d\x0a/R"; reference:url,www.certego.local/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:2023255; rev:2; metadata:attack_target SMTP_Server, created_at 2016_09_22, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f ed 3e 3f ed 3e 3e ed 3e 3e 8a 28 39 fd 28 39 ff 28 38 8c 28 39 fc|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029458; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29  29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74  6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern; classtype:exploit-kit; sid:2021544; rev:3; metadata:created_at 2015_07_28, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8d 28 39 fd 28 39 fc 28 39 fc 4f 2f fb 38 2f fb 3a 2f fa 49 2f fb 39|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CazinoSilver Checkin"; flow:established,to_server; content:".php?key="; http_uri; content:"User-Agent|3A 20|DMFR|0D 0A|"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013511; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f1 28 39 fc 28 39 f9 28 39 fc 28 39 f1 28 39 f8 28 39 ff 28 38 8c 4c|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>FedEx|20 7c 20|Login Page</title>"; fast_pattern; content:"form name=|22|logonForm|22|"; content:"method=|22|POST|22|"; distance:1; content:!"action=|22|/fcl/logon.do|22|"; distance:1; content:"onsubmit=|22|addWSSInfo|28|username.value|29 3b 22 3e|"; distance:1; classtype:social-engineering; sid:2031714; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 34 2f fb 39 2f fb 3c 2f fb 39 2f fb 34 2f fb 3d 2f fb 3a 2f fa 49 4b|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024129; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029465; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:social-engineering; sid:2021206; rev:4; metadata:created_at 2015_06_09, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&handle=java."; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031144; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:social-engineering; sid:2022526; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"%252e%252e%252f"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031145; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:exploit-kit; sid:2017408; rev:4; metadata:created_at 2013_09_03, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (vighik .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"vighik.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031150; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2021249; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (cntrhum .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cntrhum.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031151; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 1"; flow:from_server,established; file_data; content:"/title><script>window.setTimeout(function () { window.location="; fast_pattern; content:"<title>"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title/R"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020748; rev:8; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (doldig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"doldig.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE PredatorPain Keylogger FTP Activity"; flow:established,to_server; dsize:21; content:"USER|20|panzerhund2015|0d 0a|"; fast_pattern; reference:url,malwareconfig.com/stats/PredatorPain; reference:md5,e5ddca929924e4f34cb18692f09ac424; classtype:trojan-activity; sid:2021745; rev:2; metadata:created_at 2015_09_04, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (sh78bug .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"sh78bug.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031153; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016491; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (dghns .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"dghns.xyz"; bsize:9; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern; classtype:social-engineering; sid:2021539; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (bigjamg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigjamg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031155; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2022030; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (numklo .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"numklo.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:3; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (gut45bg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gut45bg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; fast_pattern; content:"pid="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2022_03_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (moig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"moig.xyz"; bsize:8; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:social-engineering; sid:2022993; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA67 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?v="; content:"&g="; distance:0; http.user_agent; content:"Mozilla/5.0 Gecko/41.0 Firefox/41.0"; bsize:35; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3e5d4de6c6e2c18da8c1f75b10ca9cac; classtype:trojan-activity; sid:2031146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"data-title=|22|Need a new Password?|22|>"; fast_pattern; nocase; content:"We|27|ll contact your admin to reset the password for|3a|"; nocase; distance:0; content:"We notified your admin to reset your password."; nocase; distance:0; content:"Now you'll need to wait until they do"; nocase; distance:0; content:"(or go ask them nicely, yourself)."; nocase; distance:0; content:"Once your admin resets your password"; nocase; distance:0; content:"you should receive an email with steps to login."; nocase; distance:0; classtype:social-engineering; sid:2031690; rev:5; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:!"?"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; pcre:"/^[A-Za-z]{5,20}\x22\x3b\x20filename=\x22[A-Za-z]{5,20}\x22/R"; content:"|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; within:44; content:"|2d 2d 00 00 00 00 00 00 00 00 00 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; pcre:"/^\d{15}$/R"; http.content_len; byte_test:0,<,5000,0,string,dec; byte_test:0,>,4000,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}\/){1,10})\sHTTP\/1\.1\r\nReferer\x3a\x20http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:59; classtype:command-and-control; sid:2029380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:exploit-kit; sid:2023074; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Parallax RAT CnC Domain Observed in DNS Query"; dns.query; content:"vahlallha.duckdns.org"; nocase; bsize:21; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:domain-c2; sid:2029454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Phishing Landing 2015-11-05"; flow:established,from_server; file_data; content:"<script language=|22|javascript|22| type=|22|text/javascript|22|>var "; depth:57; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"var o1,o2,o3,h1,h2,h3,h4,bits,i"; fast_pattern; distance:0; classtype:social-engineering; sid:2031698; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/13.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html; classtype:bad-unknown; sid:2028869; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_10_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern; classtype:attempted-recon; sid:2021024; rev:2; metadata:created_at 2015_04_28, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4e 2f fb 3c 4b 8e 49 48 ed 3e 3a ed 3f 4e 89|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029479; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Connectivity Check to Google"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Host|3a| google.com|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|29 0d 0a 0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2019729; rev:4; metadata:created_at 2014_11_18, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|49 ed 3e 3b 89 4b 4e 8a 28 39 f8 28 38 8c 4c|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029480; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern; classtype:attempted-recon; sid:2021023; rev:2; metadata:created_at 2015_04_28, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8b 28 39 f9 4c 4c 8c 4f 2f fb 3d 2f fa 49 4b|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M2"; flow:established,from_server; file_data; content:"Welcome to Google Docs"; nocase; fast_pattern; content:"Upload and Share Your Documents Securely"; nocase; distance:0; content:"Enter your email"; nocase; distance:0; content:"Enter a valid email"; nocase; distance:0; content:"Enter your password"; nocase; distance:0; content:"Sign in to view attachment"; nocase; distance:0; content:"Access your documents securely"; nocase; distance:0; classtype:social-engineering; sid:2025680; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f 4e ed 3e 3a ed 3e 32 ed 3e 3e ed 3e 3e ed 3e 3c ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Sep 08 2017"; flow:established,to_client; file_data; content:"background-color|3a|#CE3426|3b|"; nocase; fast_pattern; content:"=window[|22|eval|22|](|22|eval|22|)|3b|"; nocase; distance:0; content:"charCodeAt"; distance:0; content:"fromCharCode"; distance:0; classtype:social-engineering; sid:2024688; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 8c 28 39 f8 28 39 f0 28 39 fc 28 39 fc 28 39 fe 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern; depth:92; classtype:trojan-activity; sid:2013351; rev:4; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8a 49 2f fb 3d 2f fb 35 2f fb 39 2f fb 39 2f fb 3b 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; classtype:social-engineering; sid:2021965; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Flowbit set for POST to Quicken Updater"; flow:established,to_server; flowbits:set,ET.QuickenUpdater; flowbits:noalert; http.method; content:"POST"; http.header; content:"quicken.com|0d 0a|"; content:"Date|3a|"; http.user_agent; content:"InetClntApp"; fast_pattern; depth:11; classtype:misc-activity; sid:2022803; rev:4; metadata:created_at 2016_05_11, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:social-engineering; sid:2022364; rev:4; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ReactorBot .bin Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi/"; content:".bin"; fast_pattern; endswith; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"kankan.com"; endswith; content:!"aocdn.net"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:5; metadata:created_at 2016_05_27, former_category CURRENT_EVENTS, updated_at 2020_10_30;)
+#alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"ET MALWARE MSIL/Banker.M Downloading Binary from SQL"; flow:established,to_client; content:"|03 00|d|00|b|00|o|00 09 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 03|i|00|m|00|g"; fast_pattern; content:"This program cannot be run"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021931; rev:2; metadata:created_at 2015_10_08, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_dispatch.php"; fast_pattern; endswith; http.header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/si"; http.content_type; content:"www-form-urlencoded"; endswith; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:command-and-control; sid:2022952; rev:4; metadata:created_at 2016_07_06, former_category MALWARE, tag Locky, updated_at 2020_10_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6)"; flow:established,to_server; content:"X-Mailer|3a| XimianEvolution1.4.6"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; content:!"X-Barracuda-"; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/438-asprox-botnet-trojan-run-malware-spamming-1; reference:url,stopmalvertising.com/tag/asprox.html; classtype:trojan-activity; sid:2018336; rev:6; metadata:created_at 2014_03_31, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar V2 CnC Beacon"; flow:established,to_server; http.header; content:"=12&"; content:"=2"; distance:1; within:8; content:"=="; distance:12; within:6; content:"=="; distance:18; within:10; http.request_line; content:".php? HTTP/1."; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023966; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, updated_at 2020_10_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:2; metadata:created_at 2012_03_05, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; http.method; content:"POST"; http.uri; content:"/signin"; endswith; http.header; content:"/signin|0d 0a|"; fast_pattern; http.request_body; content:"_token="; depth:7; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024015; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, tag Phishing, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern; nocase; content:"gall_id="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:10; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; http.method; content:"GET"; http.host; content:"orhangazitur.com"; fast_pattern; bsize:16; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024338; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:exploit-kit; sid:2023480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"comboratiogferrdto.com"; fast_pattern; bsize:22; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:command-and-control; sid:2024340; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:3; metadata:created_at 2015_08_10, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; distance:0; fast_pattern; pcre:"/\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024306; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2015-11-14"; flow:established,from_server; file_data; content:"<title>PDF ONLINE</title>"; fast_pattern; nocase; content:"Document Has Been Removed"; nocase; distance:0; classtype:credential-theft; sid:2031738; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Posting Host Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?id="; content:"&act="; fast_pattern; distance:0; pcre:"/\?id=\d+&act=\d$/"; http.host; content:!".money-media.com"; http.request_body; content:"rprt="; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024307; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; classtype:social-engineering; sid:2021256; rev:4; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cpuproc.com"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:command-and-control; sid:2025892; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/"; startswith; fast_pattern; http.cookie; content:"PREF=ID="; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,aa5e8268e741346c76ebfd1f27941a14; reference:url,cert.gov.ua/article/37704; classtype:trojan-activity; sid:2035508; rev:2; metadata:created_at 2022_03_17, former_category MALWARE, malware_family Cobalt_Strike, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:command-and-control; sid:2025918; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_27, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PE EXE Download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"MZ"; startswith; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,github.com/corkami/docs/blob/master/PE/PE.md; classtype:misc-activity; sid:2035480; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BadPatch CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; depth:16; http.request_body; content:"="; pcre:"/^(?:[A-F0-9]{2}%3A){5}[A-F0-9]{2}&/R"; content:"=Py+version+"; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html; classtype:command-and-control; sid:2028913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, malware_family BadPatch, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE Android.Trojan.AndroRAT.CE Checkin"; flow:to_server,established; content:"info=user"; depth:20; content:"simCountryCode="; distance:0; fast_pattern; content:"posnetwork="; distance:0; content:"recMic="; distance:0; content:"callMoniter="; distance:0; content:"callWhere="; distance:0; reference:md5,5cffec9d80acd836e945e410061363ca; classtype:command-and-control; sid:2035483; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Various Malicious AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; http.uri; content:!"="; content:!"&"; content:!"?"; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022503; rev:5; metadata:created_at 2016_02_10, former_category MALWARE, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Public Cloud Domain (cld .pt in TLS SNI)"; flow:established,to_server; tls.sni; content:"cld.pt"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2035514; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Powershell Download Command Observed within Flash File - Probable EK Activity"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/x-shockwave-flash"; file.data; content:"cmd.exe /c powershell"; fast_pattern; content:"DownloadFile("; nocase; within:100; classtype:exploit-kit; sid:2028941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Public Cloud Domain in DNS Lookup (cld .pt)"; dns.query; content:"cld.pt"; nocase; bsize:6; classtype:bad-unknown; sid:2035515; rev:1; metadata:created_at 2022_03_17, former_category INFO, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?&1001="; fast_pattern; content:"&req="; distance:1; within:5; content:"&"; distance:0; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027810; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loki Locker Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"Loki/"; startswith; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035510; rev:1; metadata:created_at 2022_03_17, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/optout/set/lt?jsonp="; fast_pattern; content:"key="; distance:16; within:27; content:"cv="; distance:18; within:27; content:"t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027427; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup"; dns.query; content:"loki-locker.one"; nocase; bsize:15; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:domain-c2; sid:2035511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr5.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027425; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup)"; dns_query; content:"dostkafa.tk"; isdataat:!1,relative; reference:md5,5ea8d0f4f87b76dd1c7b6c2a34ece434; classtype:domain-c2; sid:2035484; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr30_nt.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027426; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI)"; flow:established,to_server; tls_sni; content:"dostkafa.tk"; isdataat:!1,relative; nocase; reference:md5,5ea8d0f4f87b76dd1c7b6c2a34ece434; classtype:command-and-control; sid:2035485; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Wolfteam HileYapak Server Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; file.data; content:"Temizleme Yapildi HileYapak"; depth:27; fast_pattern; reference:md5,85cf4df17fcf04286fcbbdf9fbe11077; classtype:policy-violation; sid:2027417; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 2"; dns_query; content:"hamta-fan-ir.gq"; isdataat:!1,relative; reference:md5,5dab8a38324deadd7a9738a6c59b69da; classtype:command-and-control; sid:2035486; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GanDownloader CnC Checkin"; flow:established,to_server; http.request_body; content:"|2f 00 00 00|"; depth:4; content:"_"; distance:6; content:"202020202020|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; endswith; fast_pattern; pcre:"/^\x2f\x00{3}[A-Z0-9]{6}_[a-f0-9]+\x00{16}$/s"; http.request_line; content:"POST / HTTP/1.1"; depth:15; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,8f0017ed89c2f6639cc2a08bc1e83f1e; classtype:command-and-control; sid:2026946; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"hamta-fan-ir.gq"; isdataat:!1,relative; nocase; reference:md5,5dab8a38324deadd7a9738a6c59b69da; classtype:command-and-control; sid:2035487; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xwo CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Charset|3a 20|ISO-8859-1"; http.request_body; content:"wanip="; depth:6; fast_pattern; content:"&username="; distance:0; content:"&password="; distance:0; content:"&lanip="; distance:0; content:"&port="; distance:0; reference:url,www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner; reference:md5,fd67a98599b08832cf8570a641712301; classtype:command-and-control; sid:2027144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Xwo, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 3"; dns_query; content:"alfa-toxic.xyz"; isdataat:!1,relative; reference:md5,2ea18b97e95171afabd9cfafa4813812; classtype:domain-c2; sid:2035488; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M5"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/code?id="; fast_pattern; content:"subid="; distance:3; within:19; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027429; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"alfa-toxic.xyz"; isdataat:!1,relative; nocase; reference:md5,2ea18b97e95171afabd9cfafa4813812; classtype:command-and-control; sid:2035489; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spark Backdoor CnC Domain Query"; dns.query; content:"nysura.com"; nocase; bsize:10; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one; classtype:domain-c2; sid:2029492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 4"; dns_query; content:"sahm-melli.tk"; isdataat:!1,relative; reference:md5,56b25d666bb8174d822d8d4c558bad81; classtype:domain-c2; sid:2035490; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdnlib.at"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029501; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"sahm-melli.tk"; isdataat:!1,relative; nocase; reference:md5,56b25d666bb8174d822d8d4c558bad81; classtype:trojan-activity; sid:2035491; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=storefrontcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029502; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 5"; dns_query; content:"kos-nnt.com"; isdataat:!1,relative; reference:md5,c6a3b408175410cd6b5204b804dee2ed; classtype:domain-c2; sid:2035492; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=e4.ms"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029503; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"kos-nnt.com"; isdataat:!1,relative; nocase; reference:md5,c6a3b408175410cd6b5204b804dee2ed; classtype:command-and-control; sid:2035493; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029504; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 6"; dns_query; content:"samane.site"; isdataat:!1,relative; reference:md5,1cf18d4f51326c4409fccff0b05bd254; classtype:domain-c2; sid:2035494; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=opendoorcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"samane.site"; isdataat:!1,relative; nocase; reference:md5,1cf18d4f51326c4409fccff0b05bd254; classtype:command-and-control; sid:2035495; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=wappallyzer.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029506; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 7"; dns_query; content:"test-mrx-domin.ml"; isdataat:!1,relative; reference:md5,fa0c00e7e37c6bdd423a01819a1b8d66; classtype:domain-c2; sid:2035496; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdn.su"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029507; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"test-mrx-domin.ml"; isdataat:!1,relative; nocase; reference:md5,fa0c00e7e37c6bdd423a01819a1b8d66; classtype:command-and-control; sid:2035497; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=toplevelstatic.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029508; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 8"; dns_query; content:"405.bar"; isdataat:!1,relative; reference:md5,836c642b75b7d063bc663c9612f0f736; classtype:domain-c2; sid:2035498; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware Keywords Download"; flow: to_server,established; http.method; content:"GET"; http.uri; content:"keywords/kyf"; nocase; content:"partner_id="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:pup-activity; sid:2002001; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"405.bar"; isdataat:!1,relative; nocase; reference:md5,836c642b75b7d063bc663c9612f0f736; classtype:command-and-control; sid:2035499; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; threshold: type limit, count 1, track by_src, seconds 360; http.header; content:"UtilMind HTTPGet"; fast_pattern; http.host; content:!"www.blueocean.com"; content:!"www.backupmaker.com"; content:!"promo.ascomp.de"; content:!"www.synchredible.com"; content:!"support.numarasoftware.com"; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:pup-activity; sid:2002402; rev:25; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup"; dns.query; content:"maritimepakistan.kpt-pk.net"; nocase; bsize:27; reference:md5,bbc955b1289b4f90fdfb8906606597e9; reference:url,twitter.com/ShadowChasing1/status/1504347312838959106; classtype:domain-c2; sid:2035516; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query"; dns.query; content:"accounts.protonvpn.store"; nocase; bsize:24; reference:url,securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/; classtype:command-and-control; sid:2029523; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loki Locker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"unique-id="; fast_pattern; content:"disk-size="; content:"|20|GB&"; within:10; content:"user="; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns.query; content:".management"; nocase; endswith; classtype:policy-violation; sid:2029509; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 9"; dns_query; content:"dolat-sahm-ir.tk"; isdataat:!1,relative; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035500; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert dns any any -> $HOME_NET any (msg:"ET PHISHING Suspected Appspot Hosted Phishing Domain"; dns.query; content:!"www."; content:"-dot-"; content:".appspot.com"; fast_pattern; isdataat:!1,relative; pcre:"/^[a-z]{36,38}\-dot\-[a-z]+\-[a-z]+\-\d{6}\.[a-z]{2}\.[a-z]\.appspot\.com$/"; classtype:social-engineering; sid:2031149; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.response_body; content:"bgABExk3KwQzPic3bF9YcnJuHz02Jz4nI"; fast_pattern; content:"259Hz02Jz4nIWxfWHJybhcqIj08NzwmbBMDExBufRcqIj08NzwmbF9Ybn0AARMZNysEMz4nN2w="; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession(";  fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-user; sid:2031147; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"dolat-sahm-ir.tk"; isdataat:!1,relative; nocase; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:command-and-control; sid:2035501; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python/PBot Browser Hijacker Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?streamId="; fast_pattern; content:"&isAdvpp="; distance:0; content:".js?streamId="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&isAdvpp=(?:true|false)$/Rsi"; http.header; content:"|0d 0a|Origin|3a 20|http"; reference:md5,f741a2febf0630407ba17945362f3bce; classtype:trojan-activity; sid:2031148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 10"; dns_query; content:"namosan-nakon.tk"; isdataat:!1,relative; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035502; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=stat-group.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.goggleheadedhacker.com/blog/post/16; classtype:trojan-activity; sid:2029524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_10_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"namosan-nakon.tk"; isdataat:!1,relative; nocase; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035503; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apkv6.endurecif.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031162; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, tag DonotGroup, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perceive.cfg"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1504444062425747456; reference:md5,ef5017d8e7724f73d370e1b77d276d3c; classtype:trojan-activity; sid:2035517; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fif0.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031163; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, tag DonotGroup, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 11"; dns_query; content:"peygiri.tech"; isdataat:!1,relative; reference:md5,9262943f8fc52b77eedff18c7f122748; classtype:domain-c2; sid:2035504; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=seahome.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031164; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, tag DonotGroup, updated_at 2020_11_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"peygiri.tech"; isdataat:!1,relative; nocase; reference:md5,9262943f8fc52b77eedff18c7f122748; classtype:trojan-activity; sid:2035505; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=inapturst.top"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2031165; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, tag DonotGroup, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 12"; dns_query; content:"sunlovelapi.xyz"; isdataat:!1,relative; reference:md5,f0c894498a890c3afc67916eac3e9c5d; classtype:domain-c2; sid:2035506; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; urilen:10; content:"/hello.php"; fast_pattern; http.method; content:"GET"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020339; rev:5; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2020_11_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"sunlovelapi.xyz"; isdataat:!1,relative; nocase; reference:md5,f0c894498a890c3afc67916eac3e9c5d; classtype:command-and-control; sid:2035507; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; endswith; http.header; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/si"; http.host; content:!"www.carrona.org"; classtype:exploit-kit; sid:2021293; rev:6; metadata:created_at 2015_06_18, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO stopify .co Domain in DNS Lookup"; dns.query; content:"stopify.co"; nocase; bsize:10; reference:md5,fff7de030fe2f4dfdedc7e8bab7e48a5; classtype:misc-activity; sid:2035519; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; http.uri; content:!"/"; offset:1; content:".asp"; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/"; pcre:"/[a-z].*?[a-z]/"; pcre:"/[A-Z].*?[A-Z]/"; pcre:"/\d.*?\d/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2021407; rev:6; metadata:created_at 2015_07_13, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TA422 Credential Phish 2022-03-17 M1"; flow:established,to_server; http.method; content:"POST"; http.host; content:"webhook.site"; bsize:12; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035520; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Duqu 2.0 Request"; flow:established,to_server; http.start; content:"Cookie|3a 20|COUNTRY="; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat; classtype:trojan-activity; sid:2021247; rev:5; metadata:created_at 2015_06_11, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TA422 Credential Phish 2022-03-17 M2"; flow:established,to_server; http.method; content:"POST"; http.host; content:"pipedream.net"; bsize:12; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/apply.cgi"; endswith; http.request_body; content:"submit_button=index"; depth:19; content:"&action=Apply"; distance:0; nocase; content:"&lan_dns0="; distance:0; fast_pattern; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:4; metadata:created_at 2015_04_07, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TA422 Credential Phish 2022-03-17"; flow:established,to_server; http.method; content:"POST"; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Autoupdate)"; flow:to_server,established; http.header; content:!" Creative AutoUpdate v"; http.user_agent; content:"Autoupdate"; nocase; depth:10; content:!"McAfeeAutoUpdate"; nocase; http.host; content:!"update.nai.com"; content:!"nokia.com"; content:!"sophosupd.com"; content:!"sophosupd.net"; content:!"wholetomato.com"; content:!".acclivitysoftware.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:pup-activity; sid:2003337; rev:22; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_11_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.B Domain in SNI"; flow:established,to_server; tls.sni; content:"handbrake.biz"; bsize:13; fast_pattern; classtype:trojan-activity; sid:2024285; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; fast_pattern; content:"style="; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; classtype:web-application-attack; sid:2004023; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"eltima.in"; bsize:9; fast_pattern; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGk"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2c727910738e0a381acf00fd0e1d636d; classtype:trojan-activity; sid:2030139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"handbrake.cc"; bsize:12; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024893; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Elite Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.jsp"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021626; rev:9; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"handbrakestore.com"; bsize:18; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024891; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Scout Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021627; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake org name)"; flow:established,from_server; tls.cert_subject; content:"C=AU"; content:"ST=Some-State"; fast_pattern; tls.certs; content:"|06 03 55 04 0a|"; distance:0; pcre:"/^.{2}(?=[a-z]{0,15}\d)(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=var)/Rs"; reference:md5,c35b37203859b9c0be0e3255a79ed64d; classtype:trojan-activity; sid:2019832; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Android Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Android"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021628; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2"; flow:established,to_server; dsize:51; content:"|01 00 30 01 01 00|"; fast_pattern; startswith; flowbits:set,ET.Tesch; reference:md5,872763d48730506af7eee0bf22c2f47b; classtype:command-and-control; sid:2018620; rev:6; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021629; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA471/UNC2589 Related Activity (GET)"; flow:established,to_server; urilen:2; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z]$/"; http.user_agent; content:"-hobot-"; bsize:7; fast_pattern; http.accept_enc; content:"gzip"; bsize:4; http.header_names; content:!"Referer"; reference:md5,1b161170a6b025b3f44746e20afd130f; reference:url,www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/; classtype:trojan-activity; sid:2035531; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 3"; flow:to_server,established; urilen:4; http.header; content:"Empty|0d 0a|"; http.request_line; content:"GET /cl1"; depth:8; fast_pattern; http.referer; content:"1|3a|"; depth:2; pcre:"/^\d\.\d_(?:64|32)_\d\x3a/R"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021259; rev:6; metadata:created_at 2015_06_12, former_category MALWARE, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (runfs .icu)"; dns.query; content:"runfs.icu"; nocase; bsize:9; reference:url,isc.sans.edu/diary/rss/28448; classtype:domain-c2; sid:2035532; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; http.uri; content:".php?sid="; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022070; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/B1txor20 Backdoor Connectivity Check"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 00 00 01|"; distance:1; within:16; endswith; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; classtype:trojan-activity; sid:2035526; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; http.uri; content:".php?id=4"; fast_pattern; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/"; http.host; content:!".hostingcatalog.com"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022071; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Backdoor Related Activity"; flow:established,to_server; dsize:3; content:"|03 00 dc|"; fast_pattern; threshold: type both, count 2, seconds 5, track by_src; reference:md5,bd054c4f43808ef37352f36129bf0c3d; reference:md5,06a7eccd74a6aa5aa12755cd48829f90; reference:md5,532345089619a1881176588a587d3cf1; reference:url,ShadowChasing1/status/1504833720489951234; classtype:trojan-activity; sid:2035533; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; fast_pattern; content:"gid="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; classtype:web-application-attack; sid:2005850; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply"; flow:established,to_client; content:"|02 00 06|"; startswith; content:"|01 BB|"; endswith; fast_pattern; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018477; rev:2; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; fast_pattern; content:"passwordNew="; nocase; distance:0; content:"UNION"; nocase; distance:0; pcre:"/^\s+SELECT/Ri"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006022; classtype:web-application-attack; sid:2006022; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+#alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|02 00 06|"; startswith; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018624; rev:6; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; fast_pattern; content:"sent="; nocase; distance:0; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; classtype:web-application-attack; sid:2006116; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO infinityfree .net Domain in DNS Lookup"; dns.query; dotprefix; content:".infinityfree.net"; nocase; endswith; reference:md5,bf3ce5b341d021b4a03123fe81aa854e; classtype:misc-activity; sid:2035538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; fast_pattern; content:"ID="; nocase; distance:0; content:"ASCII("; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006145; classtype:web-application-attack; sid:2006145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [8000:8001] (msg:"ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil"; flow:established,to_server; dsize:571; content:"|b9 b6 b5 c8 f1 ef ef d3 f1 ef ef ee ef ef ef 2c|"; startswith; fast_pattern; content:"|99 91 31 a9 39 97 27 81 f1|"; endswith; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,782cbc8660ff9e94e584adfcbc4cb961; reference:url,asec.ahnlab.com/en/32572; classtype:trojan-activity; sid:2035536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Gh0stCringe, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful My ADP Phish (set) 2017-02-16"; flow:to_server,established; flowbits:set,ET.adpphish; flowbits:noalert; http.method; content:"POST"; http.host; content:!".adp.com"; endswith; http.request_body; content:"target="; depth:7; nocase; fast_pattern; content:"user"; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2027957; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Pult Downloader Activity (POST)"; flow:established,to_server; urilen:8<>25; http.method; content:"POST"; http.uri; content:!".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"batac="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:!"Linux|3b|"; content:!"iPhone|3b|"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,765c01936caae2ba1b1b50ae1ed76cc0; classtype:trojan-activity; sid:2035534; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE jFect HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping"; http.user_agent; content:"Java/"; depth:5; http.request_body; content:"uid="; depth:4; content:"&group="; content:"&lan="; content:"&nameAtPc="; fast_pattern; nocase; content:"&os="; content:"&country="; content:"&uptime="; content:"&installDate="; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d19261cf449afc52532028cca110eb36; classtype:command-and-control; sid:2022582; rev:4; metadata:created_at 2016_03_02, former_category MALWARE, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (CobaltStrike)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0_Frsg_stredf_o21_crown_type"; startswith; fast_pattern; reference:md5,b8b7a10dcc0dad157191620b5d4e5312; classtype:trojan-activity; sid:2035537; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category USER_AGENTS, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible WinHttpRequest (no .exe)"; flow:to_server,established; flowbits:set,et.MS.WinHttpRequest.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022652; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Empty Payload (set)"; flow:established,to_server; flowbits:set,ET.facefish; flowbits:noalert; dsize:8; content:"|00 00 00 02 00 00 00 00|"; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033109; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; http.user_agent; content:"TEST"; fast_pattern; bsize:4; http.host; content:!"messagecenter.comodo.com"; content:!"symantec.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:pup-activity; sid:2006357; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
+alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ELF/Facefish Server Response (201)"; flow:established,to_client; flowbits:isset,ET.facefish; dsize:8; content:"|18 00 01 02|"; startswith; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033110; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; content:"SELECT"; nocase; distance:0; http.uri; content:"/kullanicilistesi.asp?"; nocase; fast_pattern; content:"ak="; nocase; distance:0; content:"ASCII("; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; classtype:web-application-attack; sid:2006829; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Client Response (202)"; flow:established,to_server; flowbits:set,ET.facefish; dsize:8; content:"|08 00 02 02|"; startswith; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033111; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; content:"FROM"; nocase; distance:0; http.uri; content:"/aramayap.asp?"; nocase; fast_pattern; content:"kelimeler="; nocase; distance:0; content:"DELETE"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; classtype:web-application-attack; sid:2006834; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Session Closing (400)"; flow:established,to_server; flowbits:isset,ET.facefish; dsize:8; content:"|00 00 00 04 00 00 00 00|"; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033112; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; fast_pattern; content:"mesajno="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; classtype:web-application-attack; sid:2006846; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; bsize:10; http.referer; content:"login.php"; endswith; http.host; content:".duckdns.org"; http.request_body; content:"email="; startswith; content:"&password="; distance:0; content:"&link_grup="; distance:0; reference:md5,221ce301229b990a02f433a0f2e25a18; classtype:credential-theft; sid:2035539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"INSERT"; nocase; distance:0; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006935; classtype:web-application-attack; sid:2006935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish 2022-03-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.host; content:"selcdn.ru"; endswith; http.request_body; content:"email=&password="; content:"&s_rememberMe=true"; fast_pattern; classtype:credential-theft; sid:2035540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/update.logmein.com/"; nocase; fast_pattern; http.header_names; content:!"Host|0d 0a|"; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET INFO Non Standard Port DNS Query to google .com (udp)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|google|03|com"; fast_pattern; classtype:bad-unknown; sid:2035472; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; http.request_body; content:"vit="; nocase; distance:0; content:"&bk="; nocase; distance:0; content:"&dados="; fast_pattern; nocase; distance:0; reference:url,doc.emergingthreats.net/2007999; classtype:command-and-control; sid:2007999; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET INFO DNS Query to google .com Non Standard Port (tcp)"; content:"|01|"; offset:4; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|google|03|com"; fast_pattern; classtype:bad-unknown; sid:2035535; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/OvCgi/"; nocase; content:"/OpenView5.exe?"; nocase; distance:0; fast_pattern; content:"Action=../../"; nocase; distance:0; http.protocol; content:"HTTP/1."; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; classtype:web-application-attack; sid:2008171; rev:12; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EMAIL SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"2F:09:DD:E0:FF:81:B7:6C:BF:2F:17:92:0C:D8:BD:57"; tls.cert_subject; content:"CN=EMAIL"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016464; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; http.user_agent; content:"Mozila"; nocase; fast_pattern; bsize:6; http.host; content:!"rd.jword.jp"; endswith; content:!".lge.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:pup-activity; sid:2008210; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M1"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZwc"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035527; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KLog Nick Keylogger Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy|20|Library)"; depth:38; http.request_body; content:"Nick+Key+Ativado"; fast_pattern; reference:url,doc.emergingthreats.net/2008338; classtype:command-and-control; sid:2008338; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M2"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZzH"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035528; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; reference:url,doc.emergingthreats.net/2009000; classtype:web-application-attack; sid:2009000; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M3"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZxA"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035529; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/scripts/export.php?"; nocase; fast_pattern; content:"ftype="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; reference:url,doc.emergingthreats.net/2009009; classtype:web-application-attack; sid:2009009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:92:87:8F:35:B4:AA:08:D1"; tls.cert_subject; content:"L=Taipei"; fast_pattern; classtype:trojan-activity; sid:2020289; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/books/getConfig.php?"; nocase; fast_pattern; content:"book_id="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/7543; reference:bugtraq,32966; reference:url,doc.emergingthreats.net/2009010; classtype:web-application-attack; sid:2009010; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^[A-Za-z0-9]{4}$/"; http.user_agent; content:"FunWebProducts|3b|IE0006_ver1|3b|EN_GB"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/; classtype:trojan-activity; sid:2035546; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-admin login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4=|0d 0a|"; fast_pattern; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/submit.php?id="; startswith; http.user_agent; content:"|3b 20|MANM|3b 20|MANM)"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"Cookie"; reference:url,unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/; classtype:trojan-activity; sid:2035547; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?action=add&a="; fast_pattern; content:"&c="; distance:0; content:"&u="; distance:0; content:"&l="; distance:0; content:"&p="; distance:0; http.host; content:!"whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:command-and-control; sid:2009458; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (grace-fraser .site)"; dns.query; content:"grace-fraser.site"; nocase; bsize:17; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035548; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"15438.xyz"; nocase; endswith; pcre:"/(?:^|\.)15438\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029534; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (pam-beesly .site)"; dns.query; content:"pam-beesly.site"; nocase; bsize:15; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035549; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"12724.xyz"; nocase; endswith; pcre:"/(?:^|\.)12724\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029535; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (mozelllittel .com)"; dns.query; content:"mozelllittel.com"; nocase; bsize:16; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035550; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"21736.xyz"; nocase; endswith; pcre:"/(?:^|\.)21736\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029536; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Mustang Panda APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newtap.css"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,twitter.com/StillAzureH/status/1505823479945625604; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; classtype:trojan-activity; sid:2035551; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; flow:established,to_server; http.method; content:"GeT"; http.protocol; content:"HttP"; http.header_names; content:"HoST|0d 0a|"; content:"UsER-AgENt|0d 0a|"; fast_pattern; reference:url,doc.emergingthreats.net/2010129; classtype:trojan-activity; sid:2010129; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Invitation.jpg"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,twitter.com/StillAzureH/status/1505823479945625604; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; classtype:trojan-activity; sid:2035552; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/html"; depth:9; nocase; content:!"application"; nocase; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed testcookie-nginx-module"; flow:established,to_client; http.stat_code; content:"200"; bsize:3; http.server; content:"nginx"; depth:5; file.data; content:"toNumbers"; content:"d.replace"; distance:30; content:"e.push(parseInt"; distance:30; content:"toHex"; distance:200; content:"e.toLowerCase"; distance:0; content:"toNumbers"; distance:20; content:"toNumbers"; distance:0; content:"toNumbers"; distance:0; content:"toHex(slowAES.decrypt"; distance:100; content:"<noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript>"; fast_pattern; distance:100; reference:url,github.com/kyprizel/testcookie-nginx-module; classtype:credential-theft; sid:2035554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/css"; depth:8; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:12; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wp-content/plugins/akismet/control/en/en.jpg HTTP/1.1"; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,854903e0b284ef78322082de46dcd160; reference:url,twitter.com/h2jazi/status/1505965580075114498; classtype:trojan-activity; sid:2035545; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LAME SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"0E:97:88:1C:6C:A1:37:96:42:03:BC:45:42:24:75:6C"; tls.cert_subject; content:"CN=LM-68AB71FBD8F5"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016465; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity APT Related Domain in DNS Lookup (sessionprotocol .com)"; dns.query; content:"sessionprotocol.com"; nocase; bsize:19; reference:md5,98cca7f2f6ad00771f50e97f97b5b38e; reference:url,twitter.com/HONKONE_K/status/1505920551503626242; classtype:domain-c2; sid:2035553; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family StrongPity, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OvCgi/Toolbar.exe"; nocase; fast_pattern; http.header; content:"Accept-Language|3a 20|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3a|"; distance:0; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake loc)"; flow:established,from_server; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"; classtype:trojan-activity; sid:2018457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Significant, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Agent.PMS Variant CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|command="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"command="; depth:8; content:"&result="; within:12; classtype:pup-activity; sid:2011391; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NS SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"72:A2:5C:8A:B4:18:71:4e:BF:C6:6F:3F:98:D6:F7:74"; tls.cert_subject; content:"CN=NS"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016466; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; pcre:"/^[a-f0-9]+\x08\x00$/Rs"; reference:md5,3690c361f7f2bdb1d1aed67c142bb90b; classtype:trojan-activity; sid:2031159; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, malware_family Anchor, signature_severity Major, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Fake Edu Host with __test Cookie"; flow:established,to_server; http.method; content:"GET"; http.host; content:"edu"; pcre:"/(?!\.[a-z]{2}$|$)/R"; http.cookie; content:"__test="; fast_pattern; depth:7; classtype:misc-activity; sid:2035555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LolliCrypt Ransomware Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"key="; depth:4; fast_pattern; content:"&id="; distance:100; content:"&date="; distance:0; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rs"; http.header_names; content:!"Referer"; reference:md5,8e23b560b66134dcc4e21c461ed1a399; classtype:trojan-activity; sid:2031160; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKE AOL SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"7C:A2:74:D0:FB:C3:D1:54:B3:D1:A3:00:62:E3:7E:F6"; tls.cert_subject; content:"CN=mail.aol.com"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016469; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE D1onis Stealer Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&p1="; content:"&p2="; content:"&region="; fast_pattern; content:"&ip="; content:"&p3="; content:"&p4="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,6cf4f85e3907d4f0a0c1e653d6c6943f; classtype:trojan-activity; sid:2031161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family D1onis, signature_severity Major, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake IBM SSL Cert APT1"; flow:established,to_client; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; content:"CN=IBM"; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; content:"CN=IBM"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016463; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cloud/pushdata"; endswith; fast_pattern; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"data="; depth:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025134; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Virtually SSL Cert APT1"; flow:established,to_client; tls.cert_issuer; content:"O=www.virtuallythere.com"; content:"OU=new"; content:"CN=new"; tls.cert_subject; content:"O=www.virtuallythere.com"; fast_pattern; content:"OU=new"; content:"CN=new"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016462; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] MSIL/Biskvit.A Check-in"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/api/auth/token"; http.header; content:"Authorization|3a 20 0d 0a|"; depth:18; fast_pattern; content:"Expect|3a 20|100-continue"; http.request_body; content:"{|22|ApiKey|22 3a 22|"; depth:11; isdataat:!100,relative; http.connection; content:"Keep-Alive"; depth:10; http.content_type; content:"application/json"; depth:16; http.header_names; content:"|0d 0a|Authorization|0d 0a|"; depth:17; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_22, deployment Perimeter, former_category MALWARE, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKE YAHOO SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"0A:38:C9:27:08:6F:96:4B:BE:75:DC:9F:C0:1A:C6:28"; tls.cert_subject; content:"CN=mail.yahoo.com"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016470; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"&php"; nocase; distance:0; content:"&wphp"; nocase; distance:0; content:"&abdullkarem="; nocase; fast_pattern; distance:0; http.protocol; content:"HTTP/1.0"; depth:8; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:web-application-attack; sid:2021949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_10_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely CryptoWall .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"kpai7ycr7jxqkilp."; fast_pattern; startswith; classtype:trojan-activity; sid:2018610; rev:3; metadata:created_at 2014_06_27, former_category MALWARE, updated_at 2022_03_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; fast_pattern; content:"&utm_source="; distance:0; pcre:"/^\/blog\/\?[a-z]{3,20}+\&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:command-and-control; sid:2022260; rev:4; metadata:created_at 2015_12_14, former_category WEB_SERVER, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.content_len; byte_test:0,<=,1000,0,string,dec; http.response_body; content:"|7b 22|public|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|message|5f|id|22 3a 22|"; distance:0; content:!"|22 2c 22|"; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; threshold:type threshold, track by_src, count 20, seconds 120; http.method; content:"POST"; http.cookie; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/"; http.accept_enc; content:"gzip"; depth:4; http.content_type; content:"application/octet-stream"; fast_pattern; nocase; bsize:24; http.header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:6; metadata:created_at 2016_03_28, updated_at 2020_11_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc)"; flow:established,to_server; http.user_agent; content:"aimxxhwpcc"; bsize:10; fast_pattern; reference:md5,1f1969481fe9bca52d5c01e1a093c1b8; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:trojan-activity; sid:2035556; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M1"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022197; rev:6; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com)"; dns.query; content:"product2020.mrbasic.com"; nocase; bsize:23; reference:url,twitter.com/h2jazi/status/1505887653111209994; reference:md5,1af894a5f23713b557c23078809ed01c; reference:md5,1aba36f72685c12e60fb0922b606417c; classtype:domain-c2; sid:2035557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022198; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT ID Command Observed"; flow:established,to_server; content:"|3c 7c|ID|7c 3e|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M3"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022199; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore RAT CnC Checkin"; flow:established,to_server; content:"|3c 7c|mainzsoccer|7c|"; fast_pattern; startswith; classtype:attempted-admin; sid:2035542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M4"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022200; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidecopy APT Backdoor Related Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /logs_files HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:trojan-activity; sid:2035558; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M5"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022201; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz)"; dns.query; content:"kokotech.xyz"; nocase; bsize:12; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:domain-c2; sid:2035559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M6"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022202; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SUR SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"20:82:92:3F:43:2C:8F:75:B7:EF:0F:6A:D9:3C:8E:5D"; fast_pattern; tls.cert_subject; content:"CN=SUR"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016468; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M7"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022203; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".kdc/"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; content:"&cacogenics="; distance:0; reference:md5,1182940dca705e0b3a8349c9fdf99e10; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M8"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022204; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT Set Keep-Alive Observed"; flow:established,to_server; content:"|3c 7c|SETPING|7c|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M9"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022205; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mesh"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_03;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FlawedGrace CnC Activity"; flow:to_server,established; dsize:14; content:"|47 43 52 47|"; offset:4; depth:4; threshold: type both, track by_src, count 10, seconds 60; reference:md5,2b1215fb65d33fc6206ab227a3b7e75a; classtype:command-and-control; sid:2026773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"fkksjobnn43.org"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,942c6a039724ed5326c3c247bfce3461; classtype:command-and-control; sid:2024288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_03;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response abuse.ch"; flow:established,to_client; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern; classtype:trojan-activity; sid:2020223; rev:4; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enigma Locker Checkin"; flow:to_server,established; urilen:8; http.method; content:"GET"; http.uri; content:"/get.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/i"; http.connection; content:"close"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:command-and-control; sid:2023334; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Enigma, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:CD:2D:4A:53:08:27:AA:B4"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021289; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|0d 0a 0d 0a 0d 0a 2f 2f 2f 2f 2f 2f 2f|"; content:"System Infomation"; within:30; content:"|0d 0a 0d 0a|Boot Device|3a 20 5c|"; fast_pattern; content:"|0d 0a|Build Number|3a 20|"; distance:0; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:80:5C:5F:EC:50:39:a2:14"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021772; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"up.php?id="; pcre:"/^[A-Z]+$/R"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:"01234567890"; fast_pattern; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9F:B1:5C:37:90:8A:2E:B7"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022095; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned IRS Page - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<!-- saved from url=("; within:500; content:".irs.gov/"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2031166; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:81:32:F4:D9:2C:39:C3:06"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor Secondary Payload Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=news&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0."; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:B4:78:3D:3F:BF:60:B9:94"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022097; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious HttpSocket User-Agent Observed"; flow:established,to_server; http.user_agent; content:"HttpSocket By Xswallow"; depth:22; classtype:misc-activity; sid:2031167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, signature_severity Major, updated_at 2020_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,to_client; tls.cert_serial; content:"00:B4:E9:29:AF:96:2B:99:E2"; fast_pattern; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022098; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky CSPY Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"dwn.php?van="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; fast_pattern; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:3; metadata:created_at 2013_02_20, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; content:"&ver=x"; distance:3; within:6; fast_pattern; pcre:"/^(?:64|86)$/R"; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.cab"; fast_pattern; endswith; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M2"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"|3b 20|nhash="; distance:0; content:"|3b 20|chash="; fast_pattern; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a 0d 0a|"; depth:76; endswith; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023479; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; tls.sni; content:"zxjfcvfvhqfqsrpz."; fast_pattern; startswith; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:4; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2022_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"info"; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/"; http.request_line; content:"/get.php|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:10; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_04_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Hqwar, signature_severity Critical, tag Android, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; tls.sni; content:"bridges.torproject.org"; bsize:22; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:3; metadata:created_at 2014_01_04, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WS/JS Downloader Mar 07 2017 M2"; flow:established,to_server; http.uri; content:"/counter/?"; fast_pattern; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2024036; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (vtaurl .com)"; dns.query; content:"vtaurl.com"; nocase; bsize:10; classtype:bad-unknown; sid:2035562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-06"; flow:established,to_server; http.uri; content:".vbn"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2023875; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family Nemucod, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (vtaurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vtaurl.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2035563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Xtunnel Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; pcre:"/^\/(?:\w+\/){1,5}\?[a-z]{1,6}=[a-z0-9]{2,40}(?:&[a-z]{1,6}=(?:[a-z0-9]){1,40}(%3D){0,2}){1,4}$/i"; http.header; content:"deflate,sdch|0d 0a|Accept|3a 20|text|2f|html,application|2f|xhtml"; fast_pattern; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|MSIE|20|7.0"; http.connection; content:"Close"; http.header_names; content:!"Referer"; content:!"Cache"; classtype:targeted-activity; sid:2027405; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family XTunnel, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,to_client; tls.cert_subject; content:"C=Unknown, ST=Unknown, L=Unknown, O=Send-Safe, OU=Unknown, CN=Send-Safe"; bsize:71; fast_pattern; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Onliner Receiving Commands from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|id|3a|"; depth:4; pcre:"/^\d{5,10}\x7d/R"; content:"|7b|ok|3a 5b|task|5d|"; distance:0; fast_pattern; content:"|7b|urls|7d|"; distance:0; content:"|7b|tasks|7d|"; distance:0; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027808; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed"; flow:established,to_server; tls.sni; content:"v5t5z6a55ksmt3oh.onion"; startswith; fast_pattern; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Check-in Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 60; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|10.0) like Gecko"; fast_pattern; depth:61; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.connection; content:"Close"; depth:5; endswith; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"Connection|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:md5,ac6ea1e500de772341a2075a7d916d63; classtype:trojan-activity; sid:2020064; rev:5; metadata:created_at 2014_12_23, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Spora Ransomware SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=spora.bz"; fast_pattern; classtype:trojan-activity; sid:2024043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".html"; nocase; endswith; pcre:"/\/\d{8,10}\.html$/i"; http.cookie; content:"BX="; http.start; content:"Cookie|3a 20|XX="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021278; rev:7; metadata:created_at 2015_06_16, former_category MALWARE, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SteamStealer Domain in SNI"; flow:established,to_server; tls.sni; content:"steamdesktopauthenticator.com"; bsize:29; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"webscriptly.com"; nocase; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029566; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SteamStealer Malicious SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=steamdesktopauthenticator.com"; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:domain-c2; sid:2025388; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=huivaritaslloa.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StrongPity APT SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=mevlut.oncu.example.com"; fast_pattern; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:targeted-activity; sid:2025416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=infinitydevelooperspes.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConPtyShell Client Response"; flow:established,to_server; content:"|1b 5b 32 4a 1b 5b 6d 1b 5b 48 1b 5b 48 1b 5d 30 3b|"; startswith; fast_pattern; content:"|5b 32 33 58 1b 5b 32 33|"; distance:0; content:"|43 0d 0a 1b 5b 38 30 58 1b 5b 38 30 43 0d 0a 1b|"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unverifiedintigoosjai.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Command (whoami)"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"whoami"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"app.dynamicrosoft.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029559; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, signature_severity Major, updated_at 2020_11_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Close Shell"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"exit"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"home.mwbsys.org"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029560; rev:3; metadata:affected_product Web_Browsers, affected_product Linux, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,to_client; tls.cert_issuer; content:"O=Superfish, Inc."; content:"CN=Superfish, Inc."; fast_pattern; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; http.method; content:"POST"; nocase; http.request_body; content:"&z"; pcre:"/^\d{1,3}=/Ri"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:5; metadata:created_at 2013_08_12, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,to_client; tls.cert_subject; content:"OU=SomeOrganizationalUnit"; fast_pattern; classtype:policy-violation; sid:2013659; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_09_15, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot POST Request to C2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla"; depth:32; fast_pattern; pcre:"/(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:44; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:command-and-control; sid:2019141; rev:5; metadata:created_at 2014_09_08, former_category MALWARE, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,to_client; tls.cert_issuer; content:"CN=Snake Oil CA"; fast_pattern; classtype:policy-violation; sid:2013295; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; http.method; content:"POST"; http.content_len; byte_test:0,>,99,0,string,dec; http.start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:command-and-control; sid:2019168; rev:7; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2020_11_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11; content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:35; depth:10; http.header; content:"HOST|3a 20|www.google.com|0d 0a|"; depth:22; fast_pattern; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; classtype:trojan-activity; sid:2019129; rev:12; metadata:created_at 2012_06_12, updated_at 2020_11_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M4"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\?m=[a-z]&p1=[a-z0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; content:"/?m="; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,2d1f1132ab7e80a6a8546dd2ac45bd89; reference:url,download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf; classtype:targeted-activity; sid:2035564; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|MSIE|20|"; nocase; fast_pattern; content:!"Mozilla/4.0 (compatible|3b 20|MSIE|20|6.0|3b 20|DynGate)"; content:!"Windows Live Messenger"; content:!"MS Web Services Client Protocol"; http.host; content:!"groove.microsoft.com"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.request_body; content:!"grooveDNS|3a|//"; http.header_names; content:!"X-Requested-With"; nocase; content:!"Accept-Encoding"; content:!"Referer"; classtype:bad-unknown; sid:2018358; rev:10; metadata:created_at 2014_04_04, former_category INFO, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,to_client; tls.cert_subject; content:"CN=*.rview.com"; fast_pattern; classtype:policy-violation; sid:2020805; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http.method; content:"POST"; http.connection; content:"close"; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019749; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_03;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropboxusercontent.com"; fast_pattern; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:7; metadata:created_at 2013_06_13, updated_at 2022_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=sucuritester.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029571; rev:3; metadata:affected_product Web_Browsers, created_at 2020_03_04, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03;)
+alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=reportgns.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029572; rev:3; metadata:affected_product Web_Browsers, created_at 2020_03_04, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; endswith; classtype:trojan-activity; sid:2022707; rev:3; metadata:created_at 2016_04_06, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?n="; fast_pattern; content:"&m="; distance:0; content:"&i="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,ed9e14a932b28f1ebdc4cd5b549af9da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023951; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, updated_at 2020_11_03;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022709; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:!"google.com"; endswith; http.start; content:".1|0d 0a|User-Agent|3a 20|Mozi"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023916; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, updated_at 2020_11_03;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022710; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:".php?wShell="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.2)"; endswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:established,to_server; tls.sni; content:"ipinfo.io"; bsize:9; fast_pattern; classtype:external-ip-check; sid:2025331; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spora Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"=XDATABASE64ENCRYPTED"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_11_04;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen:>65; http.uri; content:"/counter/?"; fast_pattern; depth:10; content:"a="; content:"i="; pcre:"/[&?]i=[A-Za-z0-9_-]{50,}(?:&|$)/"; pcre:"/[&?]a=(?:[a-zA-Z0-9_-]{25,}|(?:0\.)?\d+)(?:&|$)/"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,852cbd70766feb96923a79b210e94646; classtype:trojan-activity; sid:2023816; rev:4; metadata:created_at 2017_01_31, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; nocase; endswith; classtype:trojan-activity; sid:2024790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, malware_family BlackStealer, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Redirect to Joom AG Hosted Document - Potential Phishing"; flow:to_client,established; http.stat_code; content:"302"; http.location; content:"https://view.joomag.com/"; fast_pattern; startswith; classtype:misc-activity; sid:2031173; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag Phishing, updated_at 2020_11_04;)
+alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; endswith; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:3; metadata:attack_target Client_and_Server, created_at 2018_03_13, deployment Datacenter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031174; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026581; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031175; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kimsuky Sending Encrypted System Information to CnC"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"WebKitFormBoundarywhpFxMBe19cSjFnG"; endswith; fast_pattern; reference:md5,92001e9cebec0f0f0ac2b7c7e04f017d; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky WildCommand CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"4cef22e90f"; endswith; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031180; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize:<300; content:"|b0 1c 03 d4 90 38 41 d4 2a b4 80 7f|"; depth:12; content:"|04 00|"; endswith; reference:url,medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a; classtype:trojan-activity; sid:2027361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag APT, tag Winnti, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; content:">MAILER INBOX SENDING"; distance:0; fast_pattern; classtype:web-application-attack; sid:2031176; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC USR Init Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 12 01 00 00 2d 55 53 52|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027831; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; fast_pattern; content:">MAILER INBOX SENDING"; distance:0; classtype:web-application-attack; sid:2031177; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022780; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024048; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022781; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"QMvXcJ"; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022782; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony Payload DL"; flow:established,to_server; http.uri; content:"/inst.exe"; fast_pattern; endswith; http.host; content:!"360safe.com"; endswith; content:!"qhcdn.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept-"; content:"User-Agent|0d 0a|"; content:"Accept|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2023740; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, former_category TROJAN, malware_family Pony, signature_severity Major, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022783; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; flowbits:set,et.IE7.NoRef.NoCookie; flowbits:noalert; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:bad-unknown; sid:2023670; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022784; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin Dec 5 M1"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/checkupdate"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/s"; classtype:command-and-control; sid:2023576; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022785; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"type="; depth:5; content:"&version="; content:"&lid="; content:"&c="; content:"&i="; http.request_line; content:"/stat/locker|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:command-and-control; sid:2024123; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_03_31, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|g|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022786; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kwampirs Outbound GET request"; flow:to_server,established; urilen:>21; http.method; content:"GET"; http.uri; content:"?q=KT"; fast_pattern; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/"; http.user_agent; content:"Mozilla/"; depth:8; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|v|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022787; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029011; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, signature_severity Minor, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SDBbot CnC Checkin"; flow:established,to_server; content:"|00 00 de c0|"; depth:4; content:"ver="; distance:0; content:"|0a|domain="; distance:0; content:"|0a|pc="; distance:0; content:"|0a|geo="; distance:0; content:"|0a|os="; distance:0; content:"|0a|rights="; distance:0; content:"|0a|proxyenabled="; distance:0; fast_pattern; content:"|0a|"; endswith; reference:md5,892be85dc60df6bc82568384e83b9b4c; classtype:command-and-control; sid:2031217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, malware_family SDBbot, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029009; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/1xxbot CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|<EOM>Windows|20|"; startswith; fast_pattern; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOF>"; endswith; reference:md5,9eb50c6cdb59d11b01ca9f069e8ba79d; classtype:command-and-control; sid:2028984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family 1xxbot, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Loading ...<|2f|title>"; content:"|3b|base64,"; distance:0; content:"ZnVuY3Rpb24gTWFrZShDcmVkZW50aWF"; distance:0; fast_pattern; content:"ZG5zU2Vjb25kYXJ5OiAn"; distance:0; classtype:exploit-kit; sid:2027380; rev:3; metadata:created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Reporting Error to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=hmo"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baldr Stealer Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Encrypted.zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; fast_pattern; content:!"PK"; within:25; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family BALDR, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=A1f"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Post-Compromise Data Dump"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/?"; depth:2; http.request_body; content:"|06 00 00 00 01 00 00 00|"; depth:8; content:"|00 00 02 00 00 00|"; offset:8; depth:16; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2027075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:2; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External IP Lookup SSL Cert"; flow:from_server,established; tls.cert_subject; content:".iplocation.com"; nocase; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:external-ip-check; sid:2026882; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Finished"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|finished|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/imageload.cgi"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/s"; reference:md5,40ebefdec6870263827ce6425702e785; classtype:command-and-control; sid:2026517; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize:<150; content:"|7b 22 54 79 70 65 22 3a 22 45 6e 63 72 79 70 74 69 6f 6e 53 74 61 74 75 73 22 2c 22 53 74 61 74 75 73 22 3a|"; fast_pattern; depth:80; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"client?mac_address="; content:"&agent_id="; distance:0; content:"agent_file_version"; http.user_agent; content:"cpprestsdk/"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026435; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Keep-Alive"; flow:established,from_server; dsize:<100; content:"|7b 22 54 79 70 65 22 3a 22 53 65 73 73 69 6f 6e 49 44 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:50; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029219; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; content:!"|00 00|"; depth:30; content:"|00 00|"; offset:34; depth:2; content:"|00 00|"; distance:2; within:2; content:"|00 00|"; distance:2; within:2; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be312fdb94f3a3c783332ea91ef00ebd; classtype:trojan-activity; sid:2026002; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitList Argument Injection"; flow:established,to_server; http.request_body; content:"query=--open-files-in-pager"; fast_pattern; content:"php%20"; content:"%22eval"; content:"base64_decode"; reference:url,exploit-db.com/exploits/44993/; classtype:attempted-user; sid:2025820; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_07_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?page=pie-invitation-codes&orderby="; nocase; content:"&order="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44867/; classtype:web-application-attack; sid:2025747; rev:4; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2018_06_26, cve cve_2018_10969, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?EIO="; depth:16; content:"&transport=polling"; endswith; http.request_body; content:"|5b 22|add|20|user|22|,|22|ID_"; offset:5; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:command-and-control; sid:2029619; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016"; flow:to_client,established; flowbits:isset,ET.wpphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"|0d 0a|location|3a 20|"; nocase; pcre:"/^[a-f0-9]{32}(?:\/index\.php)?\x0d\x0a/R"; classtype:social-engineering; sid:2025671; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2016_01_07, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, tag Wordpress, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealRat Checkin"; flow:established,to_server; http.uri; content:"/d/"; startswith; fast_pattern; content:".jpg"; endswith; pcre:"/^\/d\/[a-z]+\d+\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"www.google.com"; bsize:14; classtype:command-and-control; sid:2017263; rev:4; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; http.cookie; content:"DNNPersonalization="; fast_pattern; content:"ObjectStateFormatter"; content:"ObjectDataProvider"; reference:cve,2017-9822; reference:url,f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks?sf176487178; classtype:attempted-admin; sid:2025545; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Woai.Dropper Config Request"; flow:established,to_server; http.uri; content:"/client/config.ini"; fast_pattern; http.user_agent; content:"MSIE"; content:"|3B 29|"; endswith; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:7; metadata:created_at 2014_02_10, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:".css"; endswith; http.user_agent; content:"curl/"; http.cookie; content:"m_pixel_ratio="; fast_pattern; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/R"; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025465; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize:<100; content:"|01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 06 01 00 00 00|"; startswith; fast_pattern; content:"|0b|"; endswith; reference:md5,ede8ebfc82463d1e7e6f29ca66f96514; classtype:command-and-control; sid:2029606; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family Firebird, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2018_04_03, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Online%20Scheduling%20System/login.php"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&lgn=Login"; nocase; endswith; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server-Key|3a 20|"; pcre:"/[A-Za-z0-9]{62}/R"; file.data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; distance:0; endswith; classtype:command-and-control; sid:2025458; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family SocStealer, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; http.uri; content:"2p/"; content:".exe"; fast_pattern; endswith; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:7; metadata:created_at 2014_02_27, updated_at 2022_03_24;)
 
-alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; http.method; content:"PUT"; http.uri; content:"/_users/"; http.request_body; content:"_admin"; fast_pattern; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:4; metadata:attack_target Server, created_at 2018_03_19, deployment Datacenter, former_category EXPLOIT, malware_family CoinMiner, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; http.uri; content:"/2p/"; depth:4; content:".exe"; endswith; fast_pattern; pcre:"/^\/2p\/[a-z]{1,2}\.exe$/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:5; metadata:created_at 2014_04_11, updated_at 2022_03_24;)
 
-alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen:26; http.method; content:"PUT"; http.uri; content:"/_config/query_servers/cmd"; http.header; content:"Authorization|3a 20|Basic"; http.request_body; pcre:"/^\s*[\x22\x27]/"; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:4; metadata:created_at 2018_03_13, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/payment_gateway/"; startswith; content:".gz"; endswith; pcre:"/\/[a-z0-9]{3,}\.gz$/"; http.user_agent; content:"OperaMini"; depth:9; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:command-and-control; sid:2019824; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Delf Checkin"; flow:established,to_server; http.uri; content:"/autoupdate/versaoatual.txt"; fast_pattern; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:command-and-control; sid:2025283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category MALWARE, malware_family Dropper, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE rechnung zip file download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rechnung"; fast_pattern; nocase; content:".zip"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020622; rev:5; metadata:created_at 2015_03_05, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; http.host; content:"rl.ammyy.com"; depth:12; endswith; fast_pattern; classtype:policy-violation; sid:2025149; rev:5; metadata:created_at 2017_12_13, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/mss"; fast_pattern; content:".exe"; endswith; pcre:"/\/mss\d+\.exe$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035043; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent when remote host claims to send an image "; flow:established,from_server; http.content_type; content:"image/jpeg"; startswith; file.data; content:"New-Object"; nocase; content:"System.Net.WebClient"; nocase; content:"Start-Process"; fast_pattern; classtype:trojan-activity; sid:2025007; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert dns $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; content:"|00 10 00 00|"; endswith; reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:2; metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; http.content_type; content:"multipart/related"; fast_pattern; startswith; file.data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:6; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/ftp/grabftp"; fast_pattern; content:".bin"; endswith; pcre:"/^\/download\/ftp\/(?:grabftp|grabftp64)\.bin$/"; http.header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3B 20|x64)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:4; metadata:created_at 2015_06_23, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Payload Request"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/i"; http.start; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Trickbot, updated_at 2020_11_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedControle Communicating with CnC"; flow:established,to_server; content:"SE_ND_CO_NN_EC|23|"; depth:15; fast_pattern; content:"|23|"; within:20; content:"|23|"; endswith; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:command-and-control; sid:2026724; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"|3b 20|Android|20|"; http.request_line; content:"/gt|20|HTTP/1."; fast_pattern; http.connection; content:"keep-alive"; depth:10; endswith; http.content_type; content:"application/json"; depth:16; endswith; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|"; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:command-and-control; sid:2024765; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_RedAlert, signature_severity Major, tag Android, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&changing=Value"; nocase; endswith; classtype:credential-theft; sid:2032461; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe PDF Online Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?e="; nocase; fast_pattern; pcre:"/\.php\?e=[a-zA-Z0-9+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/"; http.request_body; content:"p="; depth:2; nocase; content:"&submit="; nocase; endswith; classtype:credential-theft; sid:2032462; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; http.uri; content:"/s.php?id="; depth:10; pcre:"/^\/s\.php\?id=[a-z0-9]{2,6}$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,5285f1adfc0013fa86218a7d76c0016d; classtype:trojan-activity; sid:2024600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Bank Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"cpf="; depth:4; nocase; content:"&senha="; nocase; distance:0; content:"&ok=continuar"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032463; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; http.header_names; content:!"Cookie|0d 0a|"; file.data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*<iframe src\s*=\s*[\x22\x27]http\:\/\/[^\x22\x27]+\.php[\x22\x27]\s*style\s*=\s*[\x22\x27]display\x3a\s*none\x3b\s*[\x22\x27]>\s*<\/iframe\>\s*$/Rsi"; classtype:trojan-activity; sid:2024678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; fast_pattern; content:"&add="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&continue=Submit+Now"; nocase; endswith; classtype:credential-theft; sid:2032464; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; content:"&il="; distance:0; nocase; content:"&vr="; distance:0; nocase; content:"&bt="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BB&T Bank Phish 2016-12-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&input=Go"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032467; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMoney Adware Activity"; flow:to_server,established; flowbits:set,ETPTadmoney; http.method; content:"POST"; http.uri; content:".htm?v="; fast_pattern; content:"&eh="; distance:0; content:"&ts="; distance:0; content:"&u2="; distance:0; http.cookie; content:"a=h+"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:pup-activity; sid:2024693; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category ADWARE_PUP, malware_family Neshta, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 3"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; content:"Windows 98)"; fast_pattern; endswith; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; classtype:command-and-control; sid:2014234; rev:14; metadata:created_at 2012_02_17, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; http.uri; content:".hta"; nocase; fast_pattern; pcre:"/\.hta(?:[?&]|$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; depth:34; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; http.uri; content:"/image/"; depth:7; content:".exe"; endswith; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/i"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:6; metadata:created_at 2016_03_16, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/javascript|0d 0a|Server|3a 20|Apache/2.2.3 (CentOS)|0d 0a|Pragma|3a|"; fast_pattern; depth:69; content:"|0d 0a|Expires|3a 20|0|0d 0a|"; http.header_names; content:!"Set-Cookie|0d 0a|"; content:!"X-Powered-By|0d 0a|"; classtype:attempted-user; sid:2024421; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ho"; content:"ping/mod_"; within:10; fast_pattern; content:"/"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:8; metadata:created_at 2014_11_20, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"=x"; fast_pattern; distance:0; pcre:"/^[HX3][^&]Q[cdM][^&]{3}[ab]R/R"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024381; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config"; fast_pattern; content:".jpg"; endswith; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/"; http.header; content:"Cache-Control|3a 20|no-cache"; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:8; metadata:created_at 2015_07_23, former_category TROJAN, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader June 12 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Firefox/51.0"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, performance_impact Low, signature_severity Major, tag WS_JS_Downloader, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Intial Check-in"; flow:established,to_server; http.user_agent; content:"Windows NT 5.1|3b 20|ru|3b|"; content:"Gecko/20100722 Firefox/3.6.12"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2016748; rev:6; metadata:created_at 2013_04_10, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bingo EK Payload Download"; flow:established,to_server; urilen:116; http.uri; content:"/?"; depth:2; pcre:"/^\/\?[a-f0-9]{114}$/"; http.user_agent; content:"WinHttp.WinHttpRequest.5"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024367; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Bingo, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; depth:1; content:"/"; endswith; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025119; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; http.request_line; content:"GET /a5/ HTTP/1."; depth:16; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:command-and-control; sid:2024290; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/"; http.cookie; content:"=|3b 20|"; content:"=|3b 20|"; distance:0; content:"=|3b|"; endswith; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:command-and-control; sid:2025291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category MALWARE, malware_family elise, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 1"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"application/json"; file.data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; endswith; fast_pattern; classtype:credential-theft; sid:2025893; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443] (msg:"ET MALWARE W32.Geodo/Emotet Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host"; fast_pattern; http.cookie; pcre:"/[a-z0-9]{3,4}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; depth:10; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2024272; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-26"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&formtext1="; nocase; distance:0; content:"&formimage1.x=1&formimage1.y=1"; fast_pattern; nocase; endswith; classtype:credential-theft; sid:2026412; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?name="; content:"&key=ENC"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,70c27926e54732a579b0004ede566fc6; reference:url,github.com/ShaneNolan/Runsome; classtype:command-and-control; sid:2024223; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Runsome, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware Start Activity 1"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|Begin"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".boyput.site"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, malware_family Magniber, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|StartU"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aStartU$/"; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2026472; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".byteson.space"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029581; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, malware_family Magniber, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/"; depth:9; content:"/true/true/done"; fast_pattern; endswith; http.user_agent; content:"WinHttp.WinHttpRequest."; http.header_names; content:"Referer"; content:!"Cache"; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag VBS, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Turla Carbon Paper CnC Beacon (Fake User-Agent)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"."; distance:1; within:2; content:".0|3b 20|Windows NT|20|"; distance:0; content:"Trident/"; distance:0; http.user_agent; pcre:"/^Mozilla\/4\.0\x20\(compatible\x3b\x20MSIE\x20\d{1,2}\.0\.\d+\.\d+\.0\x3b\x20Windows\x20NT\x20/"; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; startswith; http.start; content:"Cookie|3a 20|PHPSESSID="; fast_pattern; http.header_names; content:"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/; classtype:command-and-control; sid:2024183; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".microsoftonedrive.org"; nocase; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:command-and-control; sid:2026680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves HTTP CnC Beacon (APT10 implant)"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/index.php"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,28}[^\x20-\x7e\r\n]/s"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Keep-Alive"; depth:10; endswith; http.start; content:"dex.php|20|HTTP/1.1|0d 0a|Co"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024175; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT, tag APT10, tag RedLeaves, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"outlooklive.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026704; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:6; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.toshiba.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; http.method; content:"GET"; http.uri; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/"; http.user_agent; content:"Firefox"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category TROJAN, malware_family Downloader, malware_family Locky_JS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.fujitsu.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/index.php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023203; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.asus.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; http.uri; content:"/distr/Proxifier"; nocase; depth:16; fast_pattern; http.host; content:"proxifier.com"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; content:!"Accept-"; content:!"Cookie|0d 0a|"; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.miria.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026708; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/index"; http.start; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:attempted-admin; sid:2023075; rev:4; metadata:affected_product Fortigate, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"cloudpallets32.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026709; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pottieq.A Check-in"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20 7b|"; fast_pattern; http.user_agent; pcre:"/^\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}$/i"; http.request_body; content:"pc="; content:"mail="; content:"guid="; nocase; pcre:"/(?:^|&)id=\d+(?:$|&)/"; http.header_names; content:!"Accept"; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, malware_family Pottieq, performance_impact Low, signature_severity Major, tag Pottieq, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"contents.bz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026710; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dll"; http.header; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; fast_pattern; http.user_agent; content:"MSIE 7"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"usasecurefiles.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026711; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; http.uri; content:"/~"; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/i"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"freecloud.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026712; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony DLL Download"; flow:established,to_server; http.uri; content:"/pm"; pcre:"/^\d?\.dll$/R"; http.request_line; content:".dll HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:6; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"alotile.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Youk$$"; fast_pattern; content:"Youk"; distance:0; endswith; pcre:"/^(?:php)?Yuok\$\$\d\d/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:5; metadata:created_at 2016_06_15, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"transef.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Data$$"; fast_pattern; content:"Data"; distance:0; endswith; pcre:"/Data\$\$\d\d/"; http.header_names; content:!"Content-Type"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:8; metadata:created_at 2016_06_15, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"fundsxe.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; http.uri; content:!".swf"; nocase; content:!".flv"; nocase; content:!"/crossdomain.xml"; http.header; content:"x-flash-version|3a|"; fast_pattern; content:!"/crossdomain.xml"; content:!".swf"; nocase; content:!".flv"; nocase; content:!"[DYNAMIC]"; content:!"sync-eu.exe.bid"; http.host; pcre:"/^[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)/i"; http.header_names; content:!"|0d 0a|Cookie|0d 0a|"; classtype:trojan-activity; sid:2022894; rev:8; metadata:created_at 2016_06_13, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"document.cdn-one.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; http.request_body; content:"a="; depth:2; content:"&c="; distance:0; content:"&r="; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/"; http.request_line; content:"POST /u/"; depth:8; fast_pattern; http.connection; content:"Close"; nocase; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; nocase; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:pup-activity; sid:2022723; rev:5; metadata:created_at 2016_04_11, former_category ADWARE_PUP, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=begin"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:social-engineering; sid:2022697; rev:6; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucky Ransomware Reporting Successful File Encryption"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=done"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026727; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Downloading .old"; flow:established,to_server; http.start; content:".old|20|HTTP/1.1|0d 0a|Host"; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022657; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|0|0d|"; http.user_agent; content:"xmsSofts_1.0.0_"; depth:15; fast_pattern; content:"|5c|"; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026760; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; http.uri.raw; content:"%"; content:"temp%"; nocase; fast_pattern; within:7; pcre:"/\%(?:25)?temp\%/i"; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:5; metadata:created_at 2016_02_22, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"4D53473A213A"; content:"20457865637574656420417320"; distance:0; fast_pattern; content:"0D0A"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Keitaro TDS Redirect"; flow:established,from_server; http.stat_code; content:"302"; http.header; content:"LOCATION|3a 20|http"; nocase; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; fast_pattern; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/s"; http.content_type; content:"text/html|3b 20|charset=utf-8"; depth:24; endswith; classtype:exploit-kit; sid:2022466; rev:7; metadata:created_at 2016_01_27, updated_at 2020_11_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"secure-message.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027222; rev:5; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Downloading Binary"; flow:established,to_server; urilen:8; http.uri; content:"/crond"; fast_pattern; pcre:"/^(?:32|64)$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|18.0) Gecko/20100101 Firefox/18.0"; endswith; depth:72; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:trojan-activity; sid:2022357; rev:5; metadata:created_at 2016_01_13, updated_at 2020_11_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"internal-message.app"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027223; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; http.method; content:"GET"; http.cookie; content:"cm="; content:"cn=M-cookie|3b|"; fast_pattern; content:"cp="; reference:url,panagioto.com/webacoo-backdoor-detection; classtype:web-application-activity; sid:2022295; rev:5; metadata:created_at 2015_12_21, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"binance"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; http.method; content:"GET"; http.uri; content:!"."; content:"/en-us/"; depth:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/R"; content:!"/im/"; http.start; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:10; metadata:created_at 2015_03_25, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"ebay"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"|0d 0a 0d 0a|"; byte_jump:4,1,relative,little,post_offset -6; isdataat:!2,relative; http.method; content:"POST"; http.header; content:"|20 28|compatible|3b 20|MSIE 6.0|3b 20|Win32|29 0d 0a|HOST|3a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020898; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"webmail"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:6; content:"/"; distance:1; within:2; content:"/"; distance:1; within:1; content:"/"; distance:1; within:1; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/"; http.host.raw; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}$/i"; http.start; content:"|20|HTTP/1.1|0d 0a|User-Agent"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020369; rev:6; metadata:created_at 2015_02_05, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"account"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; http.cookie; content:"onion2web_confirmed="; fast_pattern; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; classtype:policy-violation; sid:2020324; rev:5; metadata:created_at 2015_01_28, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"outlook"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"|0d 0a 0d 0a|env="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^env=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:4; metadata:created_at 2015_12_18, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"dhl"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:45; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"docusign"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; http.uri; content:"/pict."; fast_pattern; content:"?id="; distance:0; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:6; metadata:created_at 2015_10_28, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"facebook"; content:".github.io"; endswith; fast_pattern; content:!"facebook.github.io"; depth:18; endswith; classtype:policy-violation; sid:2027275; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/admin/get.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http.cookie; pcre:"/^SESSIONID=[A-Z0-9]{16}/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.powershellempire.com; classtype:command-and-control; sid:2021616; rev:5; metadata:created_at 2015_08_12, former_category MALWARE, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"paypal"; fast_pattern; content:".github.io"; endswith; content:!"paypal.github.io"; depth:16; endswith; classtype:policy-violation; sid:2027241; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|text/css|0d 0a|Accept|3a 20|image/**|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020301; rev:4; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Information Disclosure CVE-2017-1000395"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/api/xml"; endswith; http.header_names; content:!"Referer"; reference:cve,2017-1000395; reference:url,jenkins.io/security/advisory/2017-10-11/#user-remote-api-disclosed-users-email-addresses; classtype:web-application-attack; sid:2027347; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2017_1000395, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019748; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"office"; fast_pattern; content:".github.io"; endswith; content:!"officedev.github.io"; classtype:policy-violation; sid:2027245; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ursnif Checkin"; flow:established,to_server; content:"no-cache|0d 0a 0d 0a 0d 0a|"; endswith; http.method; content:"POST"; http.uri; pcre:"/^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019377; rev:8; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Screenshot to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=sc&i="; distance:0; fast_pattern; content:".png"; endswith; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stobox Connectivity Check"; flow:established,to_server; threshold: type both, count 5, seconds 300, track by_src; http.uri; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; fast_pattern; http.host; content:"update.microsoft.com"; depth:20; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:7; metadata:created_at 2014_09_11, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|command|2f|"; depth:9; fast_pattern; content:".cmd"; endswith; pcre:"/^\/command\/[A-Fa-f0-9]{8}\-(?:[A-Fa-f0-9]{4}\-){3}[A-Fa-f0-9]{12}\.cmd$/"; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banking Trojan HTTP Cookie"; flow:established,to_server; http.cookie; content:"tcpopunder"; fast_pattern; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/updates-to-the-citadel-trojan/; classtype:trojan-activity; sid:2018119; rev:5; metadata:created_at 2014_02_12, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK><COMMAND>"; distance:0; fast_pattern; content:"</COMMAND>"; endswith; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; http.method; content:"GET"; http.uri; content:"/launch/?c="; fast_pattern; content:"&m="; content:"&l="; content:"&b="; content:"&sid="; content:"&os="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:pup-activity; sid:2018095; rev:9; metadata:created_at 2014_01_13, former_category ADWARE_PUP, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/check"; depth:13; fast_pattern; endswith; http.request_body; content:"|7b 22 75 69 64 22 3a 22|"; depth:8; content:"|22 7d|"; endswith; pcre:"/^\{\x22uid\x22\x3a\x22[a-f0-9]+\x22\}$/si"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,a4eeec442799c56c3e1aa9761661fb42; reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; classtype:command-and-control; sid:2027802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family Eris, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot Generic URI/Header Struct .bin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"aocdn.net"; content:!"kankan.com"; endswith; content:!"conf.v.xunlei.com"; endswith; http.request_line; content:".bin HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018052; rev:10; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rogue.WinPCDefender Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?machine_id={"; depth:14; fast_pattern; content:"}"; endswith; http.host; content:"anti"; depth:4; http.header_names; content:!"Referer"; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:pup-activity; sid:2025358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup"; dns.query; content:"imprintcenter.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029597; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlitchPOS CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gate.php?ped="; fast_pattern; content:"&s=1"; endswith; http.header_names; content:!"Referer"; reference:md5,8cfa2adde150918062eb5d6af59d0e2a; classtype:command-and-control; sid:2027912; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"cybermon.fortigatecloud.com"; nocase; depth:27; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029587; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/dnscfg.cgi?dnsPrimary="; fast_pattern; content:"&dnsSecondary="; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=mikkymax.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029594; rev:3; metadata:affected_product Web_Browsers, created_at 2020_03_09, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; fast_pattern; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&dnsrefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=linkojager.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029595; rev:2; metadata:affected_product Web_Browsers, created_at 2020_03_09, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"dhl"; nocase; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"pass="; nocase; distance:0; classtype:credential-theft; sid:2032505; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/EJBInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017574; rev:6; metadata:created_at 2013_10_09, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login_password="; depth:15; nocase; content:"&submit.x=Soumettre"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032561; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017573; rev:6; metadata:created_at 2013_10_09, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid="; depth:6; nocase; fast_pattern; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032573; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeLoader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; nocase; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^\d+$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; classtype:command-and-control; sid:2017261; rev:7; metadata:created_at 2013_07_31, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid2="; depth:7; nocase; fast_pattern; content:"&compw2="; nocase; distance:0; content:"&addr="; nocase; distance:0; classtype:credential-theft; sid:2032574; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; distance:0; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:4; metadata:created_at 2013_06_27, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M3 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comname="; depth:8; nocase; fast_pattern; content:"&comnum="; nocase; distance:0; content:"&common="; nocase; distance:0; content:"&comy="; nocase; distance:0; content:"&comc="; nocase; distance:0; classtype:credential-theft; sid:2032575; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alina Server Response Code"; flow: established,from_server; http.response_line; content:"|20|666 OK"; fast_pattern; endswith; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:7; metadata:created_at 2013_06_08, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HBL Bank Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"tp="; depth:3; nocase; content:"&tp2="; nocase; distance:0; content:"&form6="; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032583; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Kazy.174106 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?T="; http.user_agent; content:"Tesla"; fast_pattern; startswith; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:command-and-control; sid:2016939; rev:5; metadata:created_at 2013_05_28, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NatWest Bank Phish M3 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"nwolb"; nocase; content:".aspx"; nocase; distance:0; content:".php"; nocase; endswith; http.header; content:"nwolb"; nocase; http.request_body; content:"c1="; nocase; content:"&c2="; nocase; distance:0; fast_pattern; content:"&c3="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032597; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Post Exploit Payload Download"; flow:to_server,established; urilen:17; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]{16}$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.connection; content:"close"; depth:5; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; depth:38; endswith; classtype:exploit-kit; sid:2016869; rev:6; metadata:created_at 2013_05_20, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NAB Bank Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&sbt=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032599; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GrandSoft PDF Payload Download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.user_agent; content:"http|3a|//"; fast_pattern; startswith; http.start; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; classtype:exploit-kit; sid:2016764; rev:19; metadata:created_at 2013_04_17, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"mpp/"; content:".php"; nocase; endswith; distance:0; http.header; content:"mpp/"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032608; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Redyms.A Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; offset:6; depth:7; http.header; content:".net|0d 0a|Content-Length|3a 20|128|0d 0a|"; fast_pattern; http.start; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; classtype:command-and-control; sid:2016759; rev:4; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&SI=Verify"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032594; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt"; flow:to_server,established; http.uri; content:"/pics/"; content:".asp?id="; distance:0; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SP Q"; depth:55; http.header_names; content:"|0d 0a|Cookies|0d 0a|"; fast_pattern; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016573; rev:5; metadata:created_at 2013_03_13, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032568; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; http.start; content:"|0a|Cookie|3a 20|CAQGBgoFD1Y"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016434; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032625; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"symbol"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]symbol[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:6; metadata:created_at 2013_01_09, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (1 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Next=Next"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032648; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"yaml"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]yaml[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:6; metadata:created_at 2013_01_09, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (3 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"phoneNumber="; depth:12; nocase; content:"&altemail="; nocase; distance:0; content:"&City="; nocase; distance:0; content:"&submitChallenge=Continue"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032650; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/api/xmlrpc"; http.request_body; content:"file|3a 2f 2f 2f|"; fast_pattern; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:4; metadata:created_at 2012_08_15, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PDF Online Phish 2016-12-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"pdf"; nocase; content:".php"; nocase; endswith; http.request_body; content:"t1="; depth:3; nocase; content:"X1="; nocase; distance:0; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032726; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer Requesting Config"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config"; endswith; content:!"."; http.header; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|id|22 3b 0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mpp/"; nocase; fast_pattern; content:".php"; nocase; endswith; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; pcre:"/^1=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032704; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP STOPzilla Download Accelerator Activity"; flow:established,to_server; http.user_agent; content:"STOPzilla Download Accelerator"; depth:30; reference:md5,6748824b325cbc1be57394469e361d63; classtype:pup-activity; sid:2031182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&submit="; nocase; endswith; pcre:"/^username=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032700; rev:9; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|spamerhash|22 3b 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2031181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; dns.query; content:"asrgd-uz"; fast_pattern; depth:8; content:".weedns.com"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SilverSpeedup Generic PUA Software UA"; flow:established,to_server; http.user_agent; content:"SilverSpeedup"; depth:13; reference:md5,b6640c915f827013c4cbfece4d5fb7c0; classtype:pup-activity; sid:2031183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; dns.query; content:"sx4-ws42"; fast_pattern; depth:8; content:".yi.org"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_edir"; nocase; fast_pattern; distance:0; content:"view="; nocase; distance:0; content:"controller="; nocase; distance:0; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kuarela.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029602; rev:3; metadata:created_at 2020_03_10, former_category MALWARE, malware_family ServHelper, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tflower Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&state=start"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,53c923d4e39b966ab951f9a3b9d090be; reference:url,www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/; classtype:command-and-control; sid:2028597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Tflower_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=gabardina.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029603; rev:3; metadata:created_at 2020_03_10, former_category MALWARE, malware_family ServHelper, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; depth:8; content:".min.js"; endswith; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|Accept"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"__cfduid="; depth:9; isdataat:!172,relative; pcre:"/^[A-Za-z0-9_-]{171}$/Rs"; reference:md5,8c9903db02a29847d04d0fd81dd67046; classtype:command-and-control; sid:2033658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=almagel.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029604; rev:3; metadata:created_at 2020_03_10, former_category MALWARE, malware_family ServHelper, performance_impact Low, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/start?session="; depth:20; fast_pattern; content:"&imsi="; within:20; content:".exe"; endswith; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsnnguyrygfu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029605; rev:3; metadata:created_at 2020_03_10, former_category MALWARE, malware_family ServHelper, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; endswith; classtype:exploit-kit; sid:2029122; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ofiughfuu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029610; rev:3; metadata:created_at 2020_03_11, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; content:"/final.html"; endswith; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:5; metadata:created_at 2013_12_17, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kiparis.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029611; rev:3; metadata:created_at 2020_03_11, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"Cookie|3a 20|A="; fast_pattern; http.method; content:"GET"; http.uri; content:"/"; offset:9; depth:1; content:".html"; nocase; endswith; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021275; rev:9; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dfsgu747hugr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029612; rev:3; metadata:created_at 2020_03_11, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder FreeMobile (FR) Phishing 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; fast_pattern; content:".php"; nocase; endswith; http.header; content:"free.fr"; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032703; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sgahugu4ijgji.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029613; rev:3; metadata:created_at 2020_03_11, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:!"?"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; pcre:"/^[A-Za-z]{5,20}\x22\x3b\x20filename=\x22[A-Za-z]{5,20}\x22/R"; content:"|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; within:44; content:"|2d 2d 00 00 00 00 00 00 00 00 00 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; pcre:"/^\d{15}$/R"; http.content_len; byte_test:0,<,5000,0,string,dec; byte_test:0,>,4000,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}\/){1,10})\sHTTP\/1\.1\r\nReferer\x3a\x20http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:59; classtype:command-and-control; sid:2029380; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asggh554tgahhr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029614; rev:3; metadata:created_at 2020_03_11, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?&1001="; fast_pattern; content:"&req="; distance:1; within:5; content:"&"; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; depth:2; classtype:trojan-activity; sid:2015050; rev:6; metadata:created_at 2012_07_12, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GanDownloader CnC Checkin"; flow:established,to_server; http.request_body; content:"|2f 00 00 00|"; depth:4; content:"_"; distance:6; content:"202020202020|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; fast_pattern; pcre:"/^\x2f\x00{3}[A-Z0-9]{6}_[a-f0-9]+\x00{16}$/s"; http.request_line; content:"POST / HTTP/1.1"; depth:15; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,8f0017ed89c2f6639cc2a08bc1e83f1e; classtype:command-and-control; sid:2026946; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex Post to CnC"; flow:established,to_server; content:"|0d 0a 0d 0a de ad be ef|"; fast_pattern; http.method; content:"POST"; http.uri; content:!"."; http.host; content:!"hbi-ingest.net"; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:command-and-control; sid:2015028; rev:8; metadata:created_at 2012_07_06, former_category MALWARE, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server-Key|3a 20|"; pcre:"/[A-Za-z0-9]{62}/R"; file.data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; endswith; classtype:command-and-control; sid:2025458; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family SocStealer, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie is set RULEZ"; flow:established,to_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014612; rev:5; metadata:created_at 2012_04_17, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Youk$$"; fast_pattern; content:"Youk"; endswith; pcre:"/^(?:php)?Yuok\$\$\d\d/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:6; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set RULEZ"; flow:established,from_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014611; rev:5; metadata:created_at 2012_04_17, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Data$$"; fast_pattern; content:"Data"; endswith; pcre:"/Data\$\$\d\d/"; http.header_names; content:!"Content-Type"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:9; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; fast_pattern; http.accept_enc; content:"*|3b|q=0"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2014562; rev:5; metadata:created_at 2012_04_13, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:5; metadata:created_at 2013_06_28, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; http.host; content:!"pandora.com"; content:!"wordpress.com"; http.start; content:"= HTTP/1.1|0D 0A|Host|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:command-and-control; sid:2014409; rev:8; metadata:created_at 2012_03_21, former_category MALWARE, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot CnC Initial Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"/5/file/"; endswith; fast_pattern; http.user_agent; content:"curl/"; depth:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2033659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_24;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M1 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"console.portal?"; content:".sh.ShellSession|28|"; distance:0; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-admin; sid:2031143; rev:3; metadata:created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; http.cookie; content:"E=P|3a|"; content:"=|3a|PFzM9cj"; endswith; fast_pattern; http.request_line; content:"GET|20|/preload?manifest=wac|20|HTTP/1.1"; bsize:34; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile; classtype:command-and-control; sid:2029743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".FileSystemXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031184; rev:2; metadata:created_at 2020_11_05, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M4 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.header; content:"|0d 0a|cmd|3a 20|"; fast_pattern; http.request_body; content:"_nfpb=true"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031186; rev:1; metadata:created_at 2020_11_05, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/ProtonBot CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"newtask|3b|"; depth:8; fast_pattern; content:"|3b|1|3b|http"; within:15; content:".exe"; endswith; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:command-and-control; sid:2027382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M5 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal?"; http.request_body; content:".ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031187; rev:1; metadata:created_at 2020_11_05, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; urilen:8; threshold: type limit, track by_dst, seconds 30, count 1; http.method; content:"POST"; http.uri; content:"/waiting"; fast_pattern; http.user_agent; content:"BC_Vic_"; depth:7; content:"BC_SPL"; endswith; http.header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:command-and-control; sid:2025370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Small, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 60"; flow:established,to_server; content:"|30 d0 52 71 74 3c 46 41 ac f3 4e|"; depth:11; fast_pattern; content:"|4e 3b|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026500; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/action?dns_status=1&dns_poll_timeout="; fast_pattern; content:"&id="; distance:0; content:"&dns_serv_ip_1="; distance:0; content:"&dns_serv_ip_2="; distance:0; content:"&dns_serv_ip_3="; distance:0; content:"&dns_serv_ip_4="; distance:0; content:"&priority=1&cmdadd=add"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:8; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 28"; flow:established,to_server; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:command-and-control; sid:2026018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com"; dns.query; content:".appsync-api."; content:"avsvmcloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 63"; flow:established,to_server; content:"|d1 ef 79 30 f1 d3 16 52 6d e9 f3|"; depth:11; fast_pattern; content:"|25 fc|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026503; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com"; flow:established,to_server; http.host; content:".appsync-api."; dotprefix; content:".avsvmcloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 67"; flow:established,to_server; content:"|0b 7e 42 80 62 68 98 84 a8 66 28|"; depth:11; fast_pattern; content:"|39 f3|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com)"; flow:established,to_client; tls.cert_subject; content:".appsync-api."; content:".avsvmcloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos RAT Checkin 23"; flow:established,to_server; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:command-and-control; sid:2025637; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bestof/"; content:".exe"; within:20; endswith; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2184931b6412cc900837890a6c5685f6; classtype:trojan-activity; sid:2033044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 58"; flow:established,to_server; content:"|05 3b 09 6a f6 9e f9 65 e5 38 b3|"; depth:11; fast_pattern; content:"|4d 70|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"adobe"; fast_pattern; content:".github.io"; endswith; content:!"adobe.github.io"; depth:15; endswith; content:!"adobe-fonts.github.io"; depth:21; endswith; content:!"adobe-type-tools.github.io"; depth:26; endswith; content:!"adobe-apiplatform.github.io"; depth:27; classtype:policy-violation; sid:2027249; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 62"; flow:established,to_server; content:"|46 4f 3e 16 69 12 4c e2 9a c2 28|"; depth:11; fast_pattern; content:"|a3 09|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Bing Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search/?q="; startswith; content:"&go=Search&qs=bs&form="; distance:0; fast_pattern; http.cookie; content:"DUP="; startswith; content:"&T="; distance:0; content:"&A="; distance:0; content:"&IG"; endswith; http.header_names; content:!"Referer"; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,18b0ca0508f92c5ac6e75b9865b77a51; classtype:trojan-activity; sid:2032354; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 30"; flow:established,to_server; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026020; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Redirect to Adobe Shared Document Phishing M3 2016-04-18"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pdf.adobe.cloud/"; fast_pattern; content:".php"; endswith; http.referer; content:".php"; endswith; classtype:social-engineering; sid:2032678; rev:10; metadata:attack_target Client_Endpoint, created_at 2016_04_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:command-and-control; sid:2025984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_09, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM Win32/VaporRage Loader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class-chll.php?session_info=60"; content:"5d"; distance:0; content:"&session="; distance:0; content:"&view_type=12"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4183.83 Safari/537.36"; bsize:102; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:trojan-activity; sid:2033057; rev:2; metadata:created_at 2021_06_01, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 55"; flow:established,to_server; content:"|2f 81 e4 ab 65 ab 1c 0d b9 8c e8|"; depth:11; fast_pattern; content:"|b6 13|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026495; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"content=S-400+RAT+%3a"; startswith; fast_pattern; content:"%0d%0ainformation"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 109"; flow:established,to_server; content:"|5b bc 1f 13 45 60 61 fd 0d 43 7f|"; depth:11; fast_pattern; content:"|3e 41|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; distance:0; http.referer; content:".otzo.com/verification.php"; fast_pattern; endswith; http.request_body; content:"email="; distance:0; content:"&password="; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034412; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 29"; flow:established,to_server; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026019; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Phish 2021-11-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/my___fb/meme"; fast_pattern; startswith; content:".php"; endswith; http.request_body; content:"email="; content:"&pass="; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 56"; flow:established,to_server; content:"|7d b5 14 83 61 23 20 d9 44 8a a7|"; depth:11; fast_pattern; content:"|2c da|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fpui/"; nocase; fast_pattern; content:"|2e|jsp"; within:30; endswith; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034531; rev:3; metadata:created_at 2021_11_22, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 27"; flow:established,to_server; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026017; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034045; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,98202283d7752779abd092665e80af71; classtype:command-and-control; sid:2025921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, former_category MALWARE, malware_family Remcos, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 59"; flow:established,to_server; content:"|ed d1 72 f7 67 72 6f 57 ec 23 3c|"; depth:11; fast_pattern; content:"|59 73|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeBB Path Traversal (CVE-2021-43788)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nodebb|2e|org|2f 3f 5b 5b 2e 2e 2f|"; nocase; fast_pattern; content:"|3a|"; content:"|5d 5d|"; within:50; endswith; reference:url,blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot; reference:cve,2021-43788; classtype:attempted-admin; sid:2034590; rev:2; metadata:attack_target Server, created_at 2021_12_06, cve CVE_2021_43788, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 61"; flow:established,to_server; content:"|f3 85 1c e5 6c 10 d9 78 fa 64 de|"; depth:11; fast_pattern; content:"|78 49|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026501; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Banking Phish Landing Page 2022-01-11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"banks"; startswith; content:"pin.php"; fast_pattern; endswith; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 54"; flow:established,to_server; content:"|bc f5 5e 86 40 fa 48 95 a8 9e 28|"; depth:11; fast_pattern; content:"|ba 38|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC BOT Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 13 01 00 00 2d 42 4f 54|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 57"; flow:established,to_server; content:"|56 1e 2c fa 6e cc e4 74 40 48 df|"; depth:11; fast_pattern; content:"|22 30|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ALEXANDR/"; fast_pattern; startswith; content:".rmvb"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,0fee6bb95bfbfeee768f742387d3ddce; reference:md5,81ada96074cbc01655fc3b9b570308cd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035117; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 26"; flow:established,to_server; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026016; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/clamp/"; fast_pattern; content:".cbl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fac3f024711fc5fd3e1d69b994b159bd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035118; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 64"; flow:established,to_server; content:"|d7 9e f0 38 3f f1 9a ab d6 74 00|"; depth:11; fast_pattern; content:"|15 46|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/globe/"; fast_pattern; content:".cam"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035131; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 84"; flow:established,to_server; content:"|d5 c2 f9 4e 0a 7b 1c 62  a1 49 05|"; depth:11; fast_pattern; content:"|5d fe|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,12346b292b752af5ad924239eac02a09; classtype:command-and-control; sid:2026901; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courageous/"; fast_pattern; content:".eft"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035132; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 66"; flow:established,to_server; content:"|12 37 57 b2 1e 20 12 3d f1 8a 24|"; depth:11; fast_pattern; content:"|d3 86|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/endless/"; fast_pattern; content:".arj"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,2a0269cf18f2f1c055153408f85ab4c6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035167; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 68"; flow:established,to_server; content:"|62 8d 57 43 81 41 32 36 55 5e 26|"; depth:11; fast_pattern; content:"|ec 50|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allocation/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,1579a5a8bdca4eda62315116e418b9d6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035168; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 65"; flow:established,to_server; content:"|ba e7 11 d6 b7 9f b5 c9 1d 10 58|"; depth:11; fast_pattern; content:"|4f 3a|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sour/"; fast_pattern; content:".kdp"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,bb1c8ad9f422a39ce6329e93dc060438; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035169; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; threshold: type both, track by_src, count 225, seconds 60; http.header.raw; content:"User-Agent|3a 20 20|"; fast_pattern; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:8; metadata:created_at 2012_01_27, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pretend/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,ca9fa910806f5aafd33f0dd48fdc8415; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035170; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; fast_pattern; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; content:"|1e 00|"; offset:22; depth:2; content:"|24 00 00 00 06|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; 
reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035262; rev:3; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php  SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; fast_pattern; content:"only_hostid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; classtype:trojan-activity; sid:2024213; rev:5; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_content"; distance:0; content:"sflDir="; nocase; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,exploit-db.com/exploits/17736; classtype:web-application-attack; sid:2013870; rev:5; metadata:created_at 2011_11_08, updated_at 2020_11_06;)
+alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService Pong response"; id:1; content:"101|3b|0000|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030055; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; http.uri; content:"|3a|@"; http.request_line; content:"GET|20 3a|@"; depth:6; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013792; rev:6; metadata:created_at 2011_10_24, updated_at 2020_11_06;)
+alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService OSInfo response"; id:1; content:"100|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030056; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; http.uri; content:"/ibrowser/scripts/random.php?"; nocase; fast_pattern; content:"dir="; nocase; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (theskoolieblog .com)"; dns.query; content:"theskoolieblog.com"; nocase; bsize:18; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035596; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; threshold:type threshold, track by_dst, count 10, seconds 20; http.header; content:"TE|3a 20|deflate,gzip|3b|q=0.3|0d 0a|Connection|3a 20|TE, close|0d 0a|Host|3a 20|"; depth:53; content:"User-Agent|3a 20|"; within:100; http.user_agent; content:!"libwww-perl/"; http.request_line; content:"GET //"; fast_pattern; depth:6; http.header_names; content:"|0d 0a|TE|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:26; endswith; classtype:attempted-recon; sid:2013416; rev:11; metadata:created_at 2011_08_16, updated_at 2020_11_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (ernesttheskoolie .com)"; dns.query; content:"ernesttheskoolie.com"; nocase; bsize:20; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035597; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download (Security)"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"security"; fast_pattern; nocase; within:50; content:!"ALLOW-FROM www.onecallnow.com"; pcre:"/filename\x3D\x22[^\r\n]*security[^\n]+\.exe/i"; http.content_type; content:!"text/xml"; depth:8; classtype:trojan-activity; sid:2012981; rev:7; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_11_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:C1:3B:57:1A:83:A5:B1:4A"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022099; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/accounts/ValidateAnswers?methodToCall=validateAll"; nocase; fast_pattern; http.request_body; content:"&Hide_Captcha=0"; nocase; content:"&LOGIN_NAME="; nocase; distance:0; content:"&quesList="; nocase; distance:0; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3272; classtype:web-application-attack; sid:2012979; rev:4; metadata:created_at 2011_06_08, updated_at 2020_11_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F2:66:4A:29:E0:7E:C2:78"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022227; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php?"; nocase; fast_pattern; content:"sleep="; nocase; distance:0; content:"file="; nocase; distance:0; http.uri.raw; content:"..%2f"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012657; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:E0:78:4E:9C:A4:AD:AB:24"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2022228; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (myip .com)"; flow:established,to_server; http.host; content:"api.myip.com"; depth:12; isdataat:!1,relative; classtype:policy-violation; sid:2031188; rev:1; metadata:created_at 2020_11_06, updated_at 2020_11_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F6:DA:A5:22:B2:8B:91:BE"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022232; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5938,!1935,!3265,!2394] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; dsize:>11; content:"|00 00|"; offset:2; depth:2; content:!"|00 00|"; depth:2; content:"|9c 4b|"; offset:8; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -9; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,edc84c505d101301459dafab296fb743; classtype:command-and-control; sid:2023349; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Low, signature_severity Major, tag Gh0st, updated_at 2020_11_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9D:A8:74:C5:50:98:DD:09"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022306; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-runnow-iframe.php?wpabs=/"; nocase; content:"%00&"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012407; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_issuer; content:"AsyncRAT Server"; reference:md5,f69cadedae72d9d1a1d1578b56c39404; classtype:domain-c2; sid:2030673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-view_log-iframe.php?wpabs=/"; nocase; content:"%00&logfile=/"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_subject; content:"AsyncRAT Server"; nocase; classtype:domain-c2; sid:2035607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_banners/banners.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt; classtype:web-application-attack; sid:2011929; rev:5; metadata:created_at 2010_11_19, updated_at 2020_11_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=g5wcesdfjzne7255.onion.to"; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:domain-c2; sid:2022953; rev:3; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2016_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag TROJAN_OSX_Keydnap, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; distance:0; content:"mailform_send="; nocase; distance:0; content:"confirm_value="; nocase; distance:0; content:"mailform_1="; nocase; distance:0; fast_pattern; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt; classtype:web-application-attack; sid:2011927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fecommand.acm"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035605; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; fast_pattern; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011839; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=infosec.jp"; fast_pattern; content:"CN=www.infosec.jp"; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022323; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,https://cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve 2020_8518, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zs_url.txt?dl=0"; endswith; fast_pattern; http.host; content:"dl.dropboxusercontent.com"; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"feb.kkooppt.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SERVER SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"52:55:38:16:FB:0D:1A:8A:4B:45:04:CB:06:BC:C4:AF"; tls.cert_subject; content:"CN=SERVER"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016467; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"compdate.my03.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029627; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern; content:"|0B 00|"; startswith; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018479; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"jocoly.esvnpe.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"uid="; startswith; content:"&avtype="; distance:0; content:"&majorv="; fast_pattern; content:"&minorv="; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:command-and-control; sid:2035592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SET"; nocase; distance:0; http.uri; content:"SHOW"; nocase; content:"CHARACTER"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; classtype:web-application-attack; sid:2010964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound)"; flow:established,to_client; dsize:<20; content:"|69 6e 66 32 6f 3d 63 6f 64 61 6e 64|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035598; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bmy.hqoohoa.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound)"; flow:established,to_client; dsize:<20; content:"|67 65 74 32 61 76 73 3d 61 76 70 72 6f|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035599; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bur.vueleslie.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dl.dropboxusercontent.com"; bsize:25; fast_pattern; classtype:misc-activity; sid:2035593; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"wind.windmilldrops.com"; bsize:22; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DropBox User Content Download Access over SSL M2"; flow:established,to_client; tls.cert_subject; content:"CN=dl.dropbox.com"; fast_pattern; classtype:misc-activity; sid:2035594; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound)"; flow:established,to_server; dsize:<120; content:"|69 6e 73 35 66 6f 3d 75 73 66 73 65 72 3b|"; fast_pattern; depth:20; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; nocase; content:"page="; nocase; distance:0; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(?:\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/i"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)"; flow:established,to_server; tls_sni; content:"update.imdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:command-and-control; sid:2035568; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/OvCgi/ovalarm.exe"; nocase; fast_pattern; content:"OVABverbose="; nocase; distance:0; pcre:"/^(1|on|true)/Ri"; http.accept_lang; isdataat:100,relative; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; classtype:web-application-attack; sid:2010704; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"imbbq.co"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035569; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow:established,to_server; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; distance:0; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010673; classtype:web-application-attack; sid:2010673; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"ds-super-admin.imtokens.money"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035570; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010672; classtype:web-application-attack; sid:2010672; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"imtokenss.token-app.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035571; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010670; classtype:web-application-attack; sid:2010670; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"xdhbj.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035572; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"INTO"; nocase; content:"OUTFILE"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010669; classtype:web-application-attack; sid:2010669; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"update.xzxqsf.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035573; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; http.uri; content:"+CSCOE+/files/browse.html"; nocase; fast_pattern; content:"code=init"; nocase; distance:0; content:"path=ftp"; nocase; distance:0; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; classtype:attempted-user; sid:2010457; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"metamask.tptokenm.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035574; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; classtype:web-application-attack; sid:2010134; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"two.shayu.la"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035575; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; classtype:web-application-attack; sid:2010133; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"jdzpfw.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035576; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS *.dyn-ip24 .de Domain"; dns.query; content:".dyn-ip24.de"; nocase; endswith; classtype:policy-violation; sid:2029638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"bp.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035577; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"ok.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035578; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Joia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ABCDIMQ"; depth:7; fast_pattern; http.start; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,7e10e615edd111a5b77266c862aca78a; classtype:command-and-control; sid:2029641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"mm.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035579; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Sogou.H Variant Request"; flow:established,to_server; http.request_line; content:"GET /appinfo?num="; startswith; fast_pattern; pcre:"/^\d+\sHTTP/1.1$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.user_agent; content:"HttpDownload"; bsize:12; reference:md5,29db559062d82a56c53c70c68dc160ec; classtype:pup-activity; sid:2031191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20"; flow:established,to_server; tls_sni; content:"token-lon.me"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035580; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MZRevenge Ransomware CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.request_body; content:"filename|3d 22|TVpS"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=--------"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029647; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13"; flow:established,to_server; tls_sni; content:"bh.imtoken.sx"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035581; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; classtype:credential-theft; sid:2029652; rev:7; metadata:created_at 2015_09_01, former_category PHISHING, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14"; flow:established,to_server; tls_sni; content:"ht.imtoken.cn.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035582; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<title>Microsoft Office"; fast_pattern; nocase; content:"Login below to access file"; nocase; distance:0; classtype:social-engineering; sid:2029658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15"; flow:established,to_server; tls_sni; content:"api.tipi21341.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035583; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"|0d 0a 0d 0a|fullname="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&postcode="; nocase; distance:0; classtype:credential-theft; sid:2029653; rev:6; metadata:created_at 2015_09_03, former_category PHISHING, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16"; flow:established,to_server; tls_sni; content:"ariodjs.xyz"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035584; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<meta name=|22|publisher|22 20|content=|22|DHL"; fast_pattern; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; classtype:credential-theft; sid:2029659; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_08, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17"; flow:established,to_server; tls_sni; content:"walletappforbit.web.app"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035585; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2019-10-18"; flow:established,to_server; content:"|0d 0a 0d 0a|epass="; fast_pattern; http.method; content:"POST"; http.uri; content:"/Logon.php"; nocase; endswith; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2029679; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18"; flow:established,to_server; tls_sni; content:"jaxx.su"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035586; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; endswith; fast_pattern; http.request_body; content:"pass"; nocase; classtype:misc-activity; sid:2031189; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GhostWriter APT Related Cobalt Strike Domain (ao3 .hmgo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"ao3.hmgo.pw"; bsize:11; fast_pattern; reference:url,cert.gov.ua/article/38155; reference:url,twitter.com/netresec/status/1506990534547709972; reference:url,tria.ge/220324-p4dl5adghn; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:domain-c2; sid:2035601; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:attempted-admin; sid:2029025; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19"; flow:established,to_server; tls_sni; content:"jaxx.tf"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035587; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:web-application-attack; sid:2029037; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21"; flow:established,to_server; tls_sni; content:"master-consultas.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035588; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert tcp-pkt $HOME_NET any -> any any (msg:"ET MALWARE Pay2Key Ransomware - Sending RSA Key"; flow:established,to_server; dsize:286; content:"|10 10 00 00 00 00 14 01 00 00 06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00|"; startswith; reference:url,research.checkpoint.com/2020/ransomware-alert-pay2key/; classtype:command-and-control; sid:2031192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22"; flow:established,to_server; tls_sni; content:"jaxxwalletinc.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035589; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"546874.tk"; nocase; endswith; classtype:domain-c2; sid:2029715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)"; dns.query; dotprefix; content:".hmgo.pw"; nocase; endswith; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; reference:url,tria.ge/220324-p4dl5adghn; classtype:domain-c2; sid:2035602; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a54cf56.tk"; nocase; endswith; classtype:domain-c2; sid:2029716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; tls.cert_subject; content:"C=, ST=, L=, O=, OU=, CN="; endswith; bsize:25; fast_pattern; classtype:targeted-activity; sid:2023629; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0x4fc271.tk"; nocase; endswith; classtype:domain-c2; sid:2029717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23"; flow:established,to_server; tls_sni; content:"jaxx.podzone.org"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035590; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"change-password.ml"; nocase; endswith; classtype:domain-c2; sid:2029718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24"; flow:established,to_server; tls_sni; content:"saaditrezxie.store"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035591; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id24556.tk"; nocase; endswith; classtype:domain-c2; sid:2029719; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/works"; endswith; http.header; content:"Accept|3a 20|application/json|0d 0a|Content-Type|3a 20|application/json|3b 20|charset=UTF-8|0d 0a|"; http.cookie; content:"_token"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:url,cert.gov.ua/article/38155; reference:url,tria.ge/220324-p4dl5adghn; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:trojan-activity; sid:2035603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id451295.com"; nocase; endswith; classtype:domain-c2; sid:2029720; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"tor4u.net"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"yahoo-change-password.com"; endswith; classtype:domain-c2; sid:2029721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; tls.sni; content:"knowledgewiki.info"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a5.tk"; nocase; endswith; classtype:domain-c2; sid:2029722; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; tls.cert_serial; content:"5f:31"; startswith; tls.cert_subject; content:"C=--"; startswith; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:targeted-activity; sid:2020974; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id6589.com"; nocase; endswith; classtype:domain-c2; sid:2029723; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"formyip.com"; fast_pattern; classtype:external-ip-check; sid:2024832; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Location|3a 20|"; nocase; pcre:"/^[^\r\n]+\.edu/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; classtype:credential-theft; sid:2025114; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,to_client; tls.cert_subject; content:"DivX, Inc. Certificate Authority"; fast_pattern; classtype:policy-violation; sid:2013300; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; nocase; pcre:"/^[A-F0-9]{30}$/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025164; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; tls.cert_subject; content:"CN=IOS-Self-Signed-Certificate-"; fast_pattern; classtype:misc-activity; sid:2014617; rev:4; metadata:created_at 2012_04_20, updated_at 2022_03_25;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; dns.query; bsize:>19; content:"646"; offset:2; depth:5; pcre:"/^[qbedm]{1}[a-zA-Z]{1,3}646[a-zA-Z0-9]{1,3}+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_09;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com)"; dns.query; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send)"; dns.query; bsize:>22; content:"266"; offset:3; depth:8; pcre:"/^[zjr9x]{1}[tmdhpz]{1}[0-9a-z]{1,6}266(?:[a-zA-Z0-9]{1,6})?+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; classtype:command-and-control; sid:2031194; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com)"; flow:established,to_server; tls.sni; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?cx="; nocase; fast_pattern; content:"&b="; nocase; distance:0; content:"&gt="; nocase; distance:0; content:"&tx="; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/i"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025163; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Initial Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?t="; depth:4; content:"&&s="; distance:0; content:"&&p="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:65; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027439; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20| MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035617; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027440; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,a5bad2da096e9ebbb90845dbadec91fe; reference:md5,253cb5361e43bfb1931fa115336e7c16; reference:md5,dd6d09e0e565ea18b85a18af8e95eb75; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo VBS Payload Downloaded"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&00000111&11"; fast_pattern; endswith; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; depth:49; classtype:exploit-kit; sid:2028865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Spelevo_EK, signature_severity Major, tag Spelevo_EK, updated_at 2020_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,6f743e8fda2031db9907a8d6bd0a41a8; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConstructorWin32/Agent.V"; flow:to_server,established; http.header; content:"|0d 0a|Pragma|3a 20|no-catch|0d 0a|"; http.request_line; content:"GET http://"; depth:11; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"X-HOST|0d 0a|"; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:10; metadata:created_at 2012_04_26, updated_at 2020_11_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup"; dns.query; content:"securmeawards.com"; nocase; bsize:17; reference:md5,0cd9c62063026d4199c941b5f644c5ce; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:domain-c2; sid:2035610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, signature_severity Major, updated_at 2022_03_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"System Idle Process"; fast_pattern; content:"|49 6d 61 67 65 20 4e 61 6d 65|"; content:"|50 49 44 20 53 65 73 73 69 6f 6e 20 4e 61 6d 65|"; distance:0; content:"|53 65 73 73 69 6f 6e 23|"; distance:0; content:"|4d 65 6d 20 55 73 61 67 65|"; distance:0; content:"svchost.exe"; content:"winlogon.exe"; classtype:trojan-activity; sid:2018886; rev:4; metadata:created_at 2014_08_04, updated_at 2020_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M5"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9-]{8,25}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0684d80e91581730f814e831f703bf5b; reference:url,twitter.com/s1ckb017/status/1507316584079142915; classtype:trojan-activity; sid:2035611; rev:1; metadata:created_at 2022_03_25, former_category MALWARE, updated_at 2022_03_25;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.header; content:"|0d 0a|NSC_USER|3a 20|"; nocase; content:"|0d 0a|NSC_NONCE|3a 20|"; nocase; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_01_13, deployment Perimeter, signature_severity Critical, updated_at 2020_11_10;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com)"; dns.query; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035618; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"usuario="; startswith; content:"|20|-|20|"; distance:0; content:"|20|-|20|"; distance:0; content:"&llave1="; distance:0; content:"&llave2="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:command-and-control; sid:2029736; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_11_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com)"; flow:established,to_server; tls.sni; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035619; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; flowbits:set,ET.ge.tt.download; http.method; content:"GET"; http.uri; content:"/gett/"; fast_pattern; depth:6; content:"?index="; distance:0; content:"&user="; distance:0; content:"&referrer="; distance:0; content:"&download="; distance:0; http.host; content:"ge.tt"; endswith; classtype:misc-activity; sid:2029745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
+alert dns $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox)"; dns.query; content:"anonymousfox."; startswith; fast_pattern; pcre:"/(?:is|mx|info|co)$/"; reference:url,twitter.com/unmaskparasites/status/1507038308789936150; classtype:bad-unknown; sid:2035612; rev:2; metadata:attack_target Web_Server, created_at 2022_03_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"/upload/"; depth:8; http.method; content:"POST"; http.host; content:"ge.tt"; fast_pattern; http.request_body; content:"|22 3b 20|filename=|22|"; classtype:misc-activity; sid:2029746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_11_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to BaitAndPhish Domain"; dns.query; dotprefix; content:".important-notification.com"; nocase; endswith; threshold: type limit, track by_dst, count 1, seconds 120; fast_pattern; classtype:misc-activity; sid:2035613; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; http.uri; pcre:"/^\/ucD[A-Za-z0-9_\/\-+]{171}$/"; http.request_line; content:"GET|20|/ucD"; fast_pattern; content:"|20|HTTP/1.1"; distance:171; within:9; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/meterpreter.profile; classtype:command-and-control; sid:2029742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; content:"85937=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2035620; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; http.cookie; content:"E=P|3a|"; content:"=|3a|PFzM9cj"; distance:0; endswith; fast_pattern; http.request_line; content:"GET|20|/preload?manifest=wac|20|HTTP/1.1"; bsize:34; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile; classtype:command-and-control; sid:2029743; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"2c:2f"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:targeted-activity; sid:2020972; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; http.user_agent; content:"Shockwave Flash"; bsize:15; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.request_line; content:"GET|20|/idle/1376547834/1|20|HTTP/1.1"; fast_pattern; bsize:31; http.content_type; content:"application/x-fcs"; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/rtmp.profile; classtype:command-and-control; sid:2029744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10;)
+alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropbox.com"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, updated_at 2022_03_25;)
 
-alert smb any any -> $HOME_NET any (msg:"ET POLICY Possible winexe over SMB - Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|5c 00|a|00|h|00|e|00|x|00|e|00|c|00 00 00|"; fast_pattern; endswith; nocase; reference:url,attack.mitre.org/software/S0191/; classtype:bad-unknown; sid:2026879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Informational, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"09:a9"; fast_pattern; depth:5; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Upaste Paste Site"; dns.query; content:"upaste.me"; nocase; endswith; classtype:trojan-activity; sid:2031195; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, signature_severity Informational, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; tls.cert_serial; content:"03:5f"; depth:5; tls.cert_subject; content:"*.corp.utilitytelephone.com"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:targeted-activity; sid:2020970; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Upaste)"; flow:established,to_client; tls.cert_subject; content:"CN=upaste.me"; classtype:misc-activity; sid:2031196; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"0f:0d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:targeted-activity; sid:2020969; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"covid"; nocase; classtype:credential-theft; sid:2029757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"1b:3c"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:targeted-activity; sid:2020968; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"corona"; nocase; classtype:credential-theft; sid:2029758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"65:5d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:targeted-activity; sid:2020967; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Telerik.Web.UI.WebResource.axd"; fast_pattern; content:"type=rau"; nocase; distance:0; http.request_body; content:"rauPostData"; nocase; reference:url,github.com/noperator/CVE-2019-18935; reference:cve,2019-18935; classtype:web-application-attack; sid:2029761; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"31:d5"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:targeted-activity; sid:2020966; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; http.method; content:"GET"; http.uri; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; reference:url,www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid:2029762; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; content:"layout"; http_uri; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/ViewLog.asp"; depth:20; endswith; http.request_body; content:"remote_submit_Flag="; depth:19; content:"&remote_host="; distance:0; content:"&remoteSubmit=Save"; endswith; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Jan/40; classtype:attempted-user; sid:2027092; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; content:"/?777"; http_uri; classtype:bad-unknown; sid:2011421; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Plurox Backdoor CnC Checkin"; flow:established,to_server; content:"|aa 95 82 71|"; depth:4; content:"|01 00 00 00 00 00 00 00|"; distance:4; within:8; content:"|95 82 71 aa 95 82 71|"; endswith; fast_pattern; reference:md5,c5b42399a6636de5014e2934ef08278f; reference:url,securelist.com/plurox-modular-backdoor/91213/; classtype:command-and-control; sid:2027506; rev:4; metadata:created_at 2019_06_21, former_category MALWARE, updated_at 2020_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential-Hiloti/FakeAV site access"; flow:established,to_server; content:"?p=p52dcW"; http_uri; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:5; metadata:created_at 2010_10_06, former_category MALWARE, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Check Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK>"; endswith; fast_pattern; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>$/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027707; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=CN, ST=ST"; fast_pattern; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x06\x03\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"system0_update04driver_roots.dynamic-dns.net"; bsize:44; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M1 (L O)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"sys_andriod20_designer.dynamic-dns.net"; bsize:38; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M2 (L CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2"; http.method; content:"POST"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029714; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M3 (O CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M1"; http.method; content:"POST"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; pcre:"/C=[A-Z]{2}\,/"; content:"ST="; distance:0; content:"L="; distance:0; content:"O="; distance:0; pcre:"/CN=[A-Z]/"; content:"OU="; distance:0; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_03, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2"; http.method; content:"GET"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smoke/loader/uploads/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,bfbf171b4ebc5286c78d718e445c65fb; classtype:trojan-activity; sid:2035623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1"; http.method; content:"GET"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; tls.certs; content:"This program cannot be run in DOS mode"; nocase; bsize:>768; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M2"; http.method; content:"POST"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029756; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; fast_pattern; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:6; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2022_03_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M1"; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029755; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.request_body; content:"symetric="; startswith; fast_pattern; content:"&unsyms="; distance:0; content:"&polls="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cbcc3485f4286098b3a111ceec8ce54; reference:md5,14a7002d7787ebc78d76479c73fc2856; classtype:trojan-activity; sid:2035624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2"; http.method; content:"GET"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029754; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TransparentTribe APT Related Backdoor Activity"; flow:established,to_server; dsize:6; content:"|36 6e 46 74 24 31|"; fast_pattern; reference:md5,bc2ef641fc8d709f4c111937353c0ac2; reference:md5,b03e0568a5f26addc51c8a3e32baeb7f; reference:md5,9dadf9ce41994f869e8c35e1917b8238; classtype:trojan-activity; sid:2035625; rev:2; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1"; http.method; content:"GET"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029753; rev:3; metadata:created_at 2020_03_28, former_category HUNTING, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|dll"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_03_28;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67"; content:"|00 01 00 01|"; content:"|00 04 23 cd 3d 43|"; distance:4; within:6; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; reference:url,travisgreen.net/2019/08/13/anubis-sinhole.html; classtype:trojan-activity; sid:2031197; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|lnk"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035622; rev:1; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/HunterStealer/AlfonsoStealer CnC Exfil"; flow:established,to_server; content:"|50 4b 03 04 14 00|"; depth:6; content:"Desktop.png"; distance:0; fast_pattern; reference:md5,20f025a45247cc0289e666057149c28e; reference:md5,7f053ba33d6e4bf07a15ee65dd2b0d92; classtype:command-and-control; sid:2031198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, malware_family HunterStealer, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-28"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"M09009944646.php"; endswith; fast_pattern; http.request_body; content:"user="; content:"pass="; distance:0; reference:md5,40eff169fa7b8cacdde4499290a57aa5; classtype:credential-theft; sid:2035628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-standard.com"; bsize:22; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030966; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz)"; dns.query; content:"ntpserver.xyz"; fast_pattern; nocase; bsize:13; reference:md5,09c120d23f986040af202607db6157f0; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035626; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=bing-analytics.com"; bsize:21; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030967; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com)"; dns.query; content:"cxks8.com"; fast_pattern; nocase; bsize:9; reference:md5,99ee1e21a34b0536b120d4a6977fd252; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035627; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-money.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030968; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"12:85"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021591; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-assist.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030970; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 2"; flow:established,from_server; tls.cert_subject; content:"www.visionresearch.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021419; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-debit.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030971; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 5"; flow:established,from_server; tls.cert_subject; content:"extranet.qualityplanning.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021422; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=connect-facebook.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030972; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 6"; flow:established,from_server; tls.cert_subject; content:"edadmin.kearsney.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021423; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn-jquery.com"; bsize:17; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030973; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 7"; flow:established, from_server; tls.cert_subject; content:"redbluffchamber.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021424; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-assistant.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030974; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,to_client; tls.cert_subject; content:"Connectads.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypalapiobjects.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030975; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"3d:d6"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021420; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-tasks.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030976; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Group SSL Certificate Detected"; flow:established,from_server; tls.cert_subject; content:"dns-verifon.com"; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:targeted-activity; sid:2025438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_26, deployment Perimeter, former_category TROJAN, malware_family Cobalt_Group, performance_impact Low, signature_severity Major, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=jquery-insert.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030977; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; nocase; http.request_body; content:"|3c|methodName|3e|"; content:"login|3c 2f|methodName|3e|"; within:50; fast_pattern; nocase; content:"|3c|member|3e 3c|value|3e 3c|"; distance:0; nocase; content:!"|3e|"; within:400; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035633; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=googleapimanager.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_body; content:"|3c|methodName|3e|"; nocase; content:"login|3c 2f|methodName|3e|"; within:50; nocase; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035634; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize:<50; content:"info|7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; distance:0; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.header; content:"Content-Encoding|3a 20|gzip"; http.request_body; content:"|1f 8b|"; startswith; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035635; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize:<50; content:"aw|7c 7c 7c|"; fast_pattern; nocase; depth:5; content:"|7c|"; isdataat:!1,relative;  reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (kutti .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"kutti.co"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF Linux/Dnsamp.AB Variant CnC"; flow:established,to_server; dsize:84; content:"|54|"; depth:1; content:"|11|"; distance:6; within:1; content:"|95 08 00 00 01 00 00 00|"; distance:68; within:8; fast_pattern; isdataat:!1,relative; reference:md5,b1fcab441a1221b33206924f12af64a0; reference:url,intezer.com/blog/ddos/chinaz-updates-toolkit-by-introducing-new-undetected-malware/; classtype:command-and-control; sid:2029839; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; fast_pattern; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033681; rev:4; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11;content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"Email=autodiscover/"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; reference:cve,2021-31207; classtype:attempted-admin; sid:2033701; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_10, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE M3RAT CnC Checkin Outbound"; flow:established,to_server; content:"infoHacKed*"; depth:11; fast_pattern; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*Beta"; isdataat:!1,relative; reference:md5,5627e7aba7168aefe878e9251392542e; classtype:command-and-control; sid:2030144; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family M3RAT, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2035648; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (aw)"; flow:established,to_server; dsize:<50; content:"aw|7c 7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; content:"Email="; distance:0; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2033711; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (in)"; flow:established,from_server; dsize:<50; content:"in|7c 7c|Screen_Numbers|7c 7c|"; nocase; depth:20; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2030141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Abused File Hosting Domain in DNS Lookup (transferxl .com)"; dns.query; dotprefix; content:".transferxl.com"; nocase; endswith; classtype:misc-activity; sid:2035636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (ds)"; flow:established,to_server; dsize:<50; content:"ds|7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c 7c|"; distance:0; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Screenshot Outbound"; flow:established,to_server; content:"|40 7c 7c|"; depth:3; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01|"; within:100; content:"|7c|Boss2019|7c|"; fast_pattern; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030143; rev:3; metadata:affected_product Windows_DNS_server, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl-download .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl-download.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer Init Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"guid="; depth:5; content:"&crederror="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"swordoke.com"; bsize:12; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Download URI Struct with no referer"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\d+\/\d+\.exe$/"; http.user_agent; content:!"LogitechUpdate"; depth:14; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2021245; rev:9; metadata:created_at 2015_06_10, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; http.cookie; content:"Email="; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2035649; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - MAL_REFERER"; flow:established,to_server; http.method; content:"GET"; http.header; content:"&bvm=bv.81"; fast_pattern; content:"|2c|d."; distance:6; within:3; content:"|0d 0a|"; distance:3; within:2; content:"Referer|3a 20|https|3a|//www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd="; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R"; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}\r\n/R"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2024004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; nocase; fast_pattern; http.request_body; content:"<s"; content:"<m:ResolveNames ReturnFullContactData=|22|true|22| SearchScope=|22|ActiveDirectory|22|>"; distance:0; content:"</m:ResolveNames>"; distance:0; reference:cve,2021-34473; classtype:attempted-admin; sid:2035650; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-03-29"; http.stat_code; content:"200"; http.content_len; byte_test:0,>=,68000,0,string,dec; file.data; content:!"<html>"; content:"<!-- ####### THIS IS A COMMENT - Visible only in the source editor #########-->"; content:"action="; pcre:"/\.php/Ri"; content:"name=|22|o8|22|"; fast_pattern; content:!"</html>"; reference:md5,60b2c87b34d51bb1ee2196d5b2db4c73; classtype:credential-theft; sid:2035647; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031200; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031201; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031202; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:1; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031203; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (kutti .co)"; dns.query; content:"kutti.co"; fast_pattern; nocase; bsize:8; classtype:bad-unknown; sid:2035639; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031204; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)"; dns.query; content:"swordoke.com"; fast_pattern; nocase; bsize:12; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035644; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Postcode.php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"postcode="; depth:9; content:!"&"; distance:0; classtype:credential-theft; sid:2029849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net)"; dns.query; content:"dost.igov-service.net"; fast_pattern; nocase; bsize:21; reference:url,decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/; reference:md5,49e8853801554d9de4dd281828094c8a; classtype:domain-c2; sid:2035646; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|7c 20|Processor|3a 20|"; content:"|7c 20|Cores|3a 20|"; distance:0; content:"|7c 20|Videocard|3a 20|"; distance:0; content:"|7c 20|SmartScreen|3a 20|"; distance:0; content:"|7c 20|Defender|3a 20|"; distance:0; content:"|7c 20|Antivirus|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer; classtype:command-and-control; sid:2029813; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote)"; dns.query; content:"wikipedia-book.vote"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; reference:md5,e98774bee4ed490089f6c63b6c676112; classtype:domain-c2; sid:2035652; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2022_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ModPipe CnC Activity (POST)"; flow:established,to_server; http.start; content:"POST /robots.txt HTTP/1."; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 8.0|3b 20|Windows|20|NT|20|6.1|3b 20|Trident/4.0)"; depth:63; isdataat:!1,relative; http.header_names; content:"Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/; classtype:command-and-control; sid:2031208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon User Agent Observed"; flow:established,to_server; http.user_agent; content:"VerbleConnectTM"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035659; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; http.uri; content:".jar"; fast_pattern; http.header; content:"|20|Java/1"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2015483; rev:6; metadata:created_at 2012_07_17, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)"; dns.query; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035660; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot downloader Installing Zeus"; flow:to_server,established; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.uri; content:".exe"; fast_pattern; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; depth:30; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 29 0d 0a|Host|3a 20|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; endswith; classtype:trojan-activity; sid:2018421; rev:5; metadata:created_at 2014_04_24, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)"; flow:established,to_server; tls.sni; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to .burpcollector .net Domain"; dns.query; content:".burpcollector.net"; nocase; endswith; classtype:policy-violation; sid:2029826; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)"; dns.query; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035662; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Lazarus Nukesped Downloader"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.header; content:"Accept-Language|3a 20|ko-KR|3b|q="; http.request_body; content:"fn="; depth:3; nocase; content:".gif&code="; nocase; distance:0; fast_pattern; pcre:"/^fn=[^&]*\.gif&code=\d+$/i"; reference:url,www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/; classtype:command-and-control; sid:2031207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, signature_severity Major, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035663; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".password.land"; nocase; endswith; classtype:credential-theft; sid:2029829; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru)"; dns.query; content:"digital-ministry.ru"; fast_pattern; nocase; bsize:19; reference:md5,fbe79895053b29ec2cfe99cad3eb83d5; reference:md5,29fe7a619970157adfcecfade1b204be; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:bad-unknown; sid:2035654; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".phishtrain.org"; nocase; endswith; classtype:credential-theft; sid:2029830; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)"; dns.query; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035664; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".phish.farm"; nocase; endswith; classtype:credential-theft; sid:2029831; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".phishing.guru"; nocase; endswith; classtype:credential-theft; sid:2029832; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software)"; dns.query; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035666; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".strongencryption.org"; nocase; endswith; classtype:credential-theft; sid:2029833; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)"; flow:established,to_server; tls.sni; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035667; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".comano.us"; nocase; endswith; classtype:credential-theft; sid:2029835; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Retrieving Task (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"R0VUVEFTSyUlJQ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035642; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Knowb4 Simulated Phish Domain"; dns.query; content:".microransom.us"; nocase; endswith; classtype:credential-theft; sid:2029836; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Sending Task Status (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"UFVUVEFTSyUlJ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035643; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/util.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,5aa703c714e3fa012289bb521687cb0f; classtype:command-and-control; sid:2029837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, malware_family KPOT_Stealer, signature_severity Major, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"SU5JVCUl"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035641; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; http.user_agent; content:"AnyDesk"; depth:7; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027762; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com)"; dns.query; dotprefix; content:".hizliresim.com"; nocase; endswith; classtype:misc-activity; sid:2035655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Server Reporting)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"log=save&session_id="; depth:20; fast_pattern; content:"&value="; distance:0; pcre:"/^log=save&session_id=[^&]+&value=[^&]+$/"; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert (hizliresim .com)"; flow:established,to_client; tls.cert_subject; content:"hizliresim.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hizliresim\.com(?!\.)/"; classtype:misc-activity; sid:2035656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.AAIB Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.user_agent; content:"WinHttpClient"; bsize:13; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; reference:md5,0e3b41da52382744e5b2c1c38be00f04; reference:url,www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf; classtype:command-and-control; sid:2029893; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (kisa .link)"; dns.query; dotprefix; content:".kisa.link"; nocase; endswith; classtype:misc-activity; sid:2035657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Redkeeper Ransomware Domain"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwex.com"; nocase; endswith; classtype:domain-c2; sid:2029898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Service Domain (www .kisa .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.kisa.link"; bsize:13; fast_pattern; classtype:misc-activity; sid:2035658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, signature_severity Major, updated_at 2022_03_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/JSSLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=domenuscdm.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029920; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service note .youdao .com  in DNS query"; dns.query; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035668; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command"; flow: established,to_client; http.stat_code; content:"200"; file.data; content:"<?xml"; depth:5; content:"|22|JScript|22|><![CDATA[ eval("; within:500; fast_pattern; pcre:"/%comSpec%\s\/c\s(?:(?:\\x50)|(?:\\x70)|[Pp])\^?(?:(?:\\x4f)|(?:\\x5f)|[Oo])\^?(?:(?:\\x57)|(?:\\x77)|[Ww])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x52)|(?:\\x72)|[Rr])\^?(?:(?:\\x53)|(?:\\x73)|[Ss])\^?(?:(?:\\x48)|(?:\\x68)|[Hh])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x2e)|\.)\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x58)|(?:\\x78)|[Xx])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?\s/R"; classtype:trojan-activity; sid:2025558; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service (note .youdao .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035669; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ModPipe CnC Activity (Response)"; flow:established,to_client; http.stat_code; content:"405"; file.data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d|"; fast_pattern; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector; classtype:command-and-control; sid:2031209; rev:1; metadata:created_at 2020_11_16, former_category MALWARE, performance_impact Moderate, updated_at 2020_11_16;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake state)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=AU"; fast_pattern; content:!"ST=Some-State"; tls.certs; content:"|06 03 55 04 06 13 02 41 55|"; content:"|06 03 55 04 08|"; distance:0; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:10; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.host; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_len; byte_test:0,>,4000,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:command-and-control; sid:2025455; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; content:!"microsoft.com|03|"; classtype:trojan-activity; sid:2029995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"Accept-Language|3a 20|"; distance:0; content:"auth255|3a 20|login"; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; content:"Accept-Encoding|3a 20|gzip, deflate"; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{2}){23,60}$/R"; classtype:command-and-control; sid:2025530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)"; dns.query; content:"eterprx.net"; nocase; bsize:11; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035683; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>200; content:"/q/?q="; startswith; pcre:"/^[a-zA-Z0-9_-]+/R"; http.user_agent; content:"User-Agent|3a 20|"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:pup-activity; sid:2029055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)"; dns.query; content:"eternitypr.net"; nocase; bsize:14; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035684; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.parody)"; dns.query; content:".parody"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029954; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eternitypr.net"; bsize:14; fast_pattern; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035685; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)"; dns.query; content:".libre"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029958; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eterprx.net"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; reference:md5,21ccad42f936524b311a8bc102b16752; classtype:domain-c2; sid:2035686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.bbs)"; dns.query; content:".bbs"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029960; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eternity Stealer Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/accounts HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"growid="; startswith; content:"&password="; distance:0; content:"&stub_token="; distance:0; content:"&mac="; distance:0; content:"&token="; distance:0; content:"&creds="; distance:0; content:"&pcname="; distance:0; content:"&scrurl="; distance:0; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:trojan-activity; sid:2035687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.null)"; dns.query; content:".null"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029963; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Social Media Credential Phish 2022-03-31"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php?nick="; fast_pattern; classtype:credential-theft; sid:2035688; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)"; dns.query; content:".pirate"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029964; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX/Talisman Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"MCookie|3a 20|"; fast_pattern; pcre:"/^[0-9]-[0-9]-[0-9]{5}-[0-9]\r\n/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ecab63b6de18073453310a9c4551074b; reference:url,www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html; classtype:trojan-activity; sid:2035689; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oss)"; dns.query; content:".oss"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029966; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lightning Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|LogChromes|22 3a|"; content:"|22|LogGecko|22 3a|"; content:"|22|Screen|22 3a 7b|"; fast_pattern; content:"|22|Width|22 3a 22|"; distance:0; content:"|22|ScreenshotBase64|22 3a 22|"; distance:0; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:trojan-activity; sid:2035679; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Stealer, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.epic)"; dns.query; content:".epic"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029967; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)"; flow:to_server,established; http.header; content:"spring.cloud.function.routing-expression|3a|"; fast_pattern; reference:cve,2022-22963; classtype:attempted-admin; sid:2035670; rev:1; metadata:attack_target Server, created_at 2022_03_31, cve CVE_2022_22963, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.indy)"; dns.query; content:".indy"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029968; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M1"; flow:to_server,established; http.header; content:"request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035671; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.gopher)"; dns.query; content:".gopher"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029969; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M2"; flow:to_server,established; http.header; content:"executeCmd|28|request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035672; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)"; dns.query; content:".coin"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029971; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M3"; flow:to_server,established; http.header; content:"getRuntime|28 29|.exec"; fast_pattern; nocase; classtype:attempted-admin; sid:2035673; rev:1; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.emc)"; dns.query; content:".emc"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029972; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com)"; dns.query; dotprefix; content:".seeklogo.com"; nocase; endswith; classtype:misc-activity; sid:2035690; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.bazar)"; dns.query; content:".bazar"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029973; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"panelss.xyz"; bsize:11; fast_pattern; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:domain-c2; sid:2035680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for FurNIC TLD (.fur)"; dns.query; content:".fur"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029974; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, signature_severity Informational, updated_at 2020_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Custom Logo Domain (seeklogo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"seeklogo.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Informational, updated_at 2022_03_31;)
 
-alert http $HOME_NET any -> [92.63.0.0/16,91.218.114.0/24,149.56.245.196] any (msg:"ET MALWARE Maze/ID Ransomware Activity"; flow:established,to_server; urilen:>1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv|3a|11.0) like Gecko"; depth:72; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,f83fb9ce6a83da58b20685c1d7e1e546; reference:md5,9823800f063a1d4ee7a749961db7540f; classtype:trojan-activity; sid:2027392; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Maze, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request to note .youdao .com - Possible Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/yws/api/personal/file/"; content:"?method=download&shareKey="; distance:0; pcre:"/[a-f0-9]{32}$/UR"; http.host; content:"note.youdao.com"; fast_pattern; bsize:15; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; classtype:misc-activity; sid:2035681; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"clipbutton.com.br"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029991; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MustangPanda APT Dropper Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:46; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:">"; offset:8; content:">"; distance:1; within:1; content:">"; distance:7; within:1; content:"|2e|exe|5c|"; distance:0; fast_pattern; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:url,twitter.com/StillAzureH/status/1505823479945625604; classtype:trojan-activity; sid:2035682; rev:2; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"tivents.de"; nocase; bsize:10; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029992; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Killav.CM CnC Response"; flow:to_client,established; dsize:11; content:"|09 01 00 00 00 00 0b 00 00 00 00|"; startswith; fast_pattern; classtype:trojan-activity; sid:2035693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader - HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"mac="; fast_pattern; nocase; content:"key="; content:"ver="; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,doc.emergingthreats.net/2009549; classtype:trojan-activity; sid:2009549; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Killav.CM Checkin M2"; dsize:<50; flow:to_server,established; content:"|04 00 00 00 00|"; startswith; content:"|00 00 7E 00 00 00 7E 00|"; distance:0; fast_pattern; content:"|00 00|"; endswith; classtype:trojan-activity; sid:2035694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Set"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/count.php?m=c&n="; content:"_"; distance:0; content:"@"; distance:0; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; classtype:trojan-activity; sid:2014803; rev:9; metadata:created_at 2011_11_04, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"mozilla_horizon"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,62d52076d41ab6e429a976d48173f29d; classtype:trojan-activity; sid:2035703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Malvertising Related Domain"; dns.query; content:"gdprcountryrestriction.com"; nocase; bsize:26; reference:url,duo.com/labs/research/crxcavator-malvertising-2020; classtype:pup-activity; sid:2030014; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com)"; dns.query; content:"vpn2.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.2access.xyz"; nocase; bsize:15; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030023; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com)"; dns.query; content:"svn1.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035705; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.nsogroup.com"; nocase; bsize:16; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030024; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com)"; dns.query; content:"giga.gnisoft.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035706; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.qtechnologies.com"; nocase; bsize:21; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030025; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda CnC Check-In"; flow:established,to_server; content:"CGKU"; fast_pattern; offset:16; depth:4; content:"MB|00 00|"; distance:128; within:4; content:"Win|20|"; distance:24; within:4; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"oldgoldcities.com"; nocase; bsize:17; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030026; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Redirection 2022-03-14"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"location|3a 20|Alert.php|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,07b9f93e06a83868a8b9ede2dff48346; classtype:credential-theft; sid:2035462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_21, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.response_body; content:"Get-WMIObject"; startswith; content:"|24|miner_url"; distance:0; fast_pattern; content:"|24|miner_name"; distance:0; content:"|24|miner_cfg_url"; content:"|24|miner_cfg_path"; distance:0; reference:md5,6447bc87415b35532d9c8237a376ba70; classtype:trojan-activity; sid:2035695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Win32/Cridex Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z0-9+]+?\/){3}$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Host|3a 20|"; depth:19; content:"Cache-Control|3a 20|no-cache"; distance:0; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080$/"; http.connection; content:"Keep-Alive"; bsize:10; http.content_len; byte_test:0,>,99,0,string,dec; byte_test:0,<,1000,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:command-and-control; sid:2017305; rev:5; metadata:created_at 2013_08_08, former_category MALWARE, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/WindowsDefender Bypass Download Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/kill.bat"; bsize:9; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.accept_enc; content:"gzip, deflate"; bsize:13; http.accept; content:"text/html"; startswith; reference:md5,a59277f422139a3c2341eee166eda629; classtype:trojan-activity; sid:2035696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK Related Domain in DNS Lookup"; dns.query; content:"sophosfirewallupdate.com"; nocase; bsize:24; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030031; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (imgyukle .com)"; dns.query; dotprefix; content:".imgyukle.com"; nocase; endswith; classtype:misc-activity; sid:2035697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK CnC Domain in DNS Lookup"; dns.query; content:"sophosproductupdate.com"; nocase; bsize:23; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030033; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (imgyukle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"imgyukle.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/11.0."; content:!"7"; within:1; reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html; classtype:bad-unknown; sid:2028867; rev:5; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimag .com)"; dns.query; dotprefix; content:".resimag.com"; nocase; endswith; classtype:misc-activity; sid:2035699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"forgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030041; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimag .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimag.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"bestgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030042; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimupload .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimupload.org"; bsize:15; fast_pattern; classtype:misc-activity; sid:2035701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"thegame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030043; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimupload .org)"; dns.query; dotprefix; content:".resimupload.org"; nocase; endswith; classtype:misc-activity; sid:2035702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"newgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030044; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com)"; dns.query; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035708; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"portgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030045; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns.query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026486; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru)"; dns.query; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; flow:established,to_server; tls.sni; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026487; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI"; flow:established,to_server; tls.sni; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"mine.remaariegarcia.com"; nocase; bsize:23; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030089; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop)"; dns.query; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035712; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"egg.stralisemariegar.com"; nocase; bsize:24; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030090; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI"; flow:established,to_server; tls.sni; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035713; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"api.anaehler.com"; nocase; bsize:16; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030091; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)"; dns.query; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035714; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.dev"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI"; flow:established,to_server; tls.sni; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.xyz"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackGuard_v2 Data Exfiltration Observed"; flow:established,to_server; content:"POST"; content:"?user="; content:"&hwid="; distance:0; content:"&antivirus="; distance:0; content:"&os=Windows"; distance:0; content:"&passCount="; distance:0; content:"&coockieCount="; distance:0; fast_pattern; content:"&walletCount="; distance:0; content:"&telegramCount="; distance:0; content:"&vpnCount="; distance:0; content:"&ftpCount="; distance:0; content:"&country="; content:"multipart/form-data|3b 20|boundary="; distance:0; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IXWARE Stealer CnC Activity"; flow:established,to_server; http.request_body; content:"checkAcc="; startswith; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.start; content:"POST /stubCheck HTTP/"; depth:21; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:command-and-control; sid:2030098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear R6700v3 upnpd Buffer Overflow Inbound (CVE-2022-27643)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; nocase; content:"urn:NETGEARROUTER:service:ParentalControl:1#Authenticate"; fast_pattern; nocase; pcre:"/^SOAPAction\x3a\s?urn\x3aNETGEARROUTER\x3aservice\x3aParentalControl\x3a1#Authenticate/Hmi"; http.request_body; content:"<NewMACAddress>"; nocase; pcre:"/^[^<]{30,}<\/NewMACAddress>/Ri"; reference:url,blog.relyze.com/2022/03/cve-2022-27643-netgear-r6700v3-upnpd.html; reference:cve,2022-27643; classtype:attempted-admin; sid:2035717; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_03, cve CVE_2022_27643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud DNS Lookup (count.trackstatisticsss .com)"; dns.query; content:"count.trackstatisticsss.com"; nocase; bsize:27; classtype:bad-unknown; sid:2030099; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /async/newtab_ogb HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-Dest|0d 0a|"; content:!"Referer|0d 0a|"; http.cookie; content:"1P_JAR="; startswith; content:"NID="; distance:6; within:4; pcre:"/^[A-Za-z0-9\/_\-\+]{171}=$/R"; reference:md5,e98774bee4ed490089f6c63b6c676112; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:trojan-activity; sid:2035653; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE WEBMONITOR RAT CnC Domain in DNS Lookup (dabmaster.wm01 .to)"; dns.query; content:"dabmaster.wm01.to"; nocase; bsize:17; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/webmonitor-rat-bundled-with-zoom-installer/?web_view=true; classtype:command-and-control; sid:2030100; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; fast_pattern; classtype:pup-activity; sid:2014286; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (1 space)"; flow:to_server,established; http.header; content:"User-Agent|3a 20 0d 0a|"; http.host; content:!"connectivitycheck.gstatic.com"; endswith; content:!".mcafee.com"; content:!"deezer.com"; endswith; content:!"googlezip.net"; content:!"metrics.tbliab.net"; endswith; content:!"dajax.com"; endswith; content:!"update.eset.com"; endswith; content:!".sketchup.com"; endswith; content:!".yieldmo.com"; endswith; content:!"ping-start.com"; endswith; content:!".bluekai.com"; content:!".stockstracker.com"; content:!".doubleclick.net"; content:!".pingstart.com"; content:!".colis-logistique.com"; content:!"android-lrcresource.wps.com"; content:!"track.package-buddy.com"; content:!"talkgadget.google.com"; endswith; content:!".visualstudio.com"; endswith; content:!".slack-edge.com"; endswith; content:!".slack.com"; endswith; content:!".lifesizecloud.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:24; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category INFO, signature_severity Major, tag User_Agent, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,to_client; content:"ashburn@gmail.com"; fast_pattern; classtype:exploit-kit; sid:2015717; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud Domain in DNS Lookup (stat.trackstatisticsss .com)"; dns.query; content:"stat.trackstatisticsss.com"; nocase; bsize:26; reference:url,www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/; classtype:bad-unknown; sid:2030118; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; distance:0; content:".popen|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035718; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY moanmyip .com DNS Lookup"; dns.query; content:"moanmyip.com"; nocase; endswith; classtype:policy-violation; sid:2030127; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543)"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035720; rev:2; metadata:affected_product Redis, created_at 2022_04_04, cve CVE_2022_0543, former_category EXPLOIT, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EVILNUM CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register.php"; http.request_body; content:"av="; depth:3; content:"&cpu-name="; fast_pattern; distance:0; content:"&ref="; distance:0; content:"&user="; distance:0; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030125; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, signature_severity Major, updated_at 2020_11_17;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; content:".execute|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035719; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal CnC Checkin"; flow:established,to_server; http.uri; content:".txt"; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:command-and-control; sid:2025922; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".modestoobgyn.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain in DNS Lookup"; dns.query; content:"aoacugmutagkwctu.onion"; nocase; bsize:22; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030133; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".chyprediction.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain DNS Lookup"; dns.query; content:"mazedecrypt.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030134; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".againcome.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (mazenews .top)"; dns.query; content:"mazenews.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030135; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".myshortbio.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (newsmaze .top)"; dns.query; content:"newsmaze.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030136; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".bestsecure2020.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY ipchicken .com DNS Lookup"; dns.query; content:"ipchicken.com"; nocase; endswith; classtype:policy-violation; sid:2030138; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".findoutcredit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=VwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcg"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f1864d53ba7512471182cd100fb96c4b; classtype:trojan-activity; sid:2030148; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".estetictrance.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (corpleaks .net)"; dns.query; content:"corpleaks.net"; nocase; bsize:13; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030161; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".internethabit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (hxt254aygrsziejn .onion) DNS Lookup"; dns.query; content:"hxt254aygrsziejn.onion"; nocase; bsize:22; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030162; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (Query)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"UVVFUlk="; bsize:8; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035729; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/download.php?listfiles="; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,cd74438c04b09baa5c32ad0e5a0306e7; classtype:command-and-control; sid:2020157; rev:4; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (INIT)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"SU5JVA=="; depth:8; fast_pattern; content:"TWljcm9zb2Z0IFdpbmRvd3M"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header CERT.PL"; flow:established,from_server; http.content_len; byte_test:0,=,24,0,string,dec; file.data; content:"Sinkholed by CERT.PL"; within:24; fast_pattern; classtype:trojan-activity; sid:2020172; rev:4; metadata:created_at 2015_01_13, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (dumpor .com)"; dns.query; dotprefix; content:".dumpor.com"; nocase; endswith; classtype:misc-activity; sid:2035736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (irc.eleethub .com)"; dns.query; content:"irc.eleethub.com"; nocase; bsize:16; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030195; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (smihub .com)"; dns.query; dotprefix; content:".smihub.com"; nocase; endswith; classtype:misc-activity; sid:2035737; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (ghost.eleethub .com)"; dns.query; content:"ghost.eleethub.com"; nocase; bsize:18; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030196; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (greatfon .com)"; dns.query; dotprefix; content:".greatfon.com"; nocase; endswith; classtype:misc-activity; sid:2035738; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com)"; dns.query; content:"eleethub.com"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:trojan-activity; sid:2030197; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (dumpor .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dumpor.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jsp?view="; fast_pattern; content:"&os="; distance:0; content:"&address="; distance:0; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".incongruousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Avaddon Ransomware Payment Domain"; dns.query; content:"avaddonbotrxmuyl.onion.pet"; bsize:26; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Avaddon, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".fashionableeder.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"yourcontents.xyz"; nocase; endswith; classtype:domain-c2; sid:2030333; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (smihub .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"smihub.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"filepage.icu"; nocase; endswith; classtype:domain-c2; sid:2030332; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".electroncador.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"datasecure.icu"; nocase; endswith; classtype:domain-c2; sid:2030331; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".spontaneousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"x-flash-version|3a 20|"; content:!"32.0.0.387|0d 0a|"; within:12; content:!"32,0,0,387|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:127; metadata:affected_product Adobe_Flash, created_at 2012_05_09, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (greatfon .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"greatfon.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,200,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener  Domain in DNS Lookup (lk .tc)"; dns.query; dotprefix; content:".lk.tc"; nocase; endswith; classtype:misc-activity; sid:2035742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.accept; content:"text/html, */*"; depth:14; endswith; http.accept_enc; content:"identity"; depth:8; endswith; http.content_len; byte_test:0,>,50000,0,string,dec; byte_test:0,<,120000,0,string,dec; http.start; content:".php HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Length|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5b2eca6abe1903955d1dfd41e301e0af; classtype:targeted-activity; sid:2030122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Domain (lk .tc in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lk.tc"; endswith; fast_pattern; classtype:misc-activity; sid:2035743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Informational, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (urlpush .net)"; dns.query; content:".urlpush.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030379; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LOADOUT CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:6.0) Gecko/20110101 Firefox/69.0"; http.header_names; content:"|0d 0a|content-type|0d 0a|"; content:"|0d 0a|user-agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"yoyo="; depth:5; fast_pattern; reference:md5,4d56a1ca28d9427c440ec41b4969caa2; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (free247downloads .com)"; dns.query; content:"free247downloads.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030380; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Staging Domain in DNS Query"; dns.query; content:"dnsresolve.live"; nocase; endswith; classtype:domain-c2; sid:2030378; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Patchwork, updated_at 2020_11_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil Google Drive Download"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; http.host; content:"drive.google.com"; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030438; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .com)"; dns.query; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035762; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms6-upload-serv3.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030418; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"updt-servc-app2.com"; bsize:19; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030419; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .eu)"; dns.query; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035764; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cdn2-system3-secrv.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030420; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .eu) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035765; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"file3-netwk-system.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030421; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26210)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; http.request_body; content:"setUpgradeFW"; fast_pattern; content:"FileName|3a 20 3a|"; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26210; classtype:attempted-admin; sid:2035744; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26210, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"service-net2-file.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030422; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:to_server,established; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-access-sec43.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030423; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-25075)"; flow:to_server,established; http.uri; content:"/cgi-bin/downloadFlile.cgi"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-25075; classtype:attempted-admin; sid:2035746; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_25075, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"network-msx-system33.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030424; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mx3-rewc-state.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030425; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035748; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd3-srv-system-app.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030426; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035749; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"syse-update-app4.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030427; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jsessid=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035692; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-cdn5-mx8.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030428; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jcookie=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035766; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"secure-upd21-app2.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030429; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Proxy Domain in DNS Lookup (proxynet .io)"; dns.query; dotprefix; content:".proxynet.io"; nocase; endswith; classtype:misc-activity; sid:2035757; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms21-app3-upload.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030430; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Proxy Domain (proxynet .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"proxynet.io"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035758; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"apt5-secure3-state.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030431; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.USB Variant CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|2e d4 d6 19 57 d4 85 ba 0e 9d e5 56 fa 72 db af e5 17 e8 3e 3b 21 b7 26 fc 59 03 db d2 36 32 bb c3 c4 ab 7b 66 74 c4 68 ac 23 5b a3 fc e7 82 6a|"; offset:7; depth:48; reference:md5,c911d93b90bdef05be681a3b31c81679; reference:url,twitter.com/0xrb/status/1509396448387153920; classtype:trojan-activity; sid:2035752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd8-sys2-apt.com"; bsize:17; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030432; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.content_type; content:"text/plain"; startswith; http.response_body; content:"Remove known miners by known process names"; content:"Write-Output|20 22|Miner Running|22|"; fast_pattern; reference:md5,6ae2d7ab6701bd9b46efe7f5d52b2c46; classtype:trojan-activity; sid:2035753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"update5-sec3-system.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030433; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=thechinastyle.com"; bsize:20; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"state-awe3-apt.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030434; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=divorceradio.com"; bsize:19; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"advertstv.com"; bsize:13; classtype:domain-c2; sid:2030459; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=physiciansofficenews.com"; bsize:27; fast_pattern; reference:md5,3985b60c6aba7cb38998e3f898fba79a; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035756; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"amazingdonutco.com"; bsize:18; classtype:domain-c2; sid:2030461; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M1 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Bfrt4DSob5.ico"; fast_pattern; content:"|2e|php|22 20|enctype|3d 22|multipart|2f|form|2d|data|22|"; nocase; distance:0; content:"src|3d 22|poina|2e|png|22|"; distance:0; classtype:credential-theft; sid:2035759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mwebsoft.com"; bsize:12; classtype:domain-c2; sid:2030463; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M2 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|inzo|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035760; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"rostraffic.com"; bsize:14; classtype:domain-c2; sid:2030465; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M3 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"inzo"; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|cmzs|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"typiconsult.com"; bsize:15; classtype:domain-c2; sid:2030467; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.pattern="; fast_pattern; classtype:attempted-admin; sid:2035674; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cddn .site)"; dns.query; content:"cddn.site"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030480; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.suffix="; fast_pattern; classtype:attempted-admin; sid:2035675; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cxizi .net)"; dns.query; content:"cxizi.net"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030481; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.directory="; fast_pattern; classtype:attempted-admin; sid:2035676; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (yzxi .net)"; dns.query; content:"yzxi.net"; nocase; bsize:8; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030482; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.prefix="; fast_pattern; classtype:attempted-admin; sid:2035677; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TaurusStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"zyvcin.xyz"; bsize:10; classtype:domain-c2; sid:2030477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965)"; flow:to_server,established; http.request_body; content:"pipeline.first.pattern="; fast_pattern; content:"pipeline.first.suffix="; content:"pipeline.first.directory="; content:"pipeline.first.prefix="; classtype:attempted-admin; sid:2035678; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 6 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|YOU|20|BETTER|20|READ|20|THIS|0d|"; fast_pattern; content:"COLLECTED|20|ALL|20|YOUR|20|FILES"; content:"in|20|Bitcoin"; nocase; content:"receiving|20|the|20|Bitcoin"; nocase; threshold: type limit, count 1, seconds 30, track by_src; classtype:command-and-control; sid:2031210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_11_17, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android Infostealer CnC Check-In"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?"; fast_pattern; startswith; content:"model="; content:"EIO="; content:"id="; content:"transport="; content:"release="; content:"manf="; reference:url,lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/; reference:md5,4f5617ec4668e3406f9bd82dfcf6df6b; classtype:command-and-control; sid:2035770; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi (Outbound)"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2030503; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com)"; dns.query; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035771; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ml Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ml"; endswith; fast_pattern; classtype:credential-theft; sid:2026532; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035772; rev:1; metadata:created_at 2022_04_06, former_category MALWARE, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .cf Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".cf"; endswith; fast_pattern; classtype:credential-theft; sid:2026533; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Kaspov Related Hex In HTTP Accept Header"; flow:to_server,established; http.method; content:"GET"; http.accept; content:"|d1 69 4a cd 4f a4 77 44 bb 85 c3 6d 8d 4a 84 d6 86 a0 fa 1a af 8b d8 98 05 5e a0|"; startswith; fast_pattern; reference:md5,767370995ad5bdbcdaee2e3123cfe47c; classtype:bad-unknown; sid:2035768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ga Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ga"; endswith; fast_pattern; classtype:credential-theft; sid:2026534; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT28/Sednit SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=ngefqevwe"; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023423; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gq Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gq"; endswith; fast_pattern; classtype:credential-theft; sid:2026535; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com)"; dns.query; content:"akhbar-almasdar.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035773; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gqn Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gqn"; endswith; fast_pattern; classtype:credential-theft; sid:2026536; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com)"; dns.query; content:"akhbar-islamyah.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035774; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .icu Domain 2019-02-06"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".icu"; endswith; fast_pattern; classtype:credential-theft; sid:2026886; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com)"; dns.query; content:"akhbarnew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035775; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Suspicious Outbound SIG DNS Query"; content:"|00 00 18 00 01|"; fast_pattern; dns.query; pcre:"/^\d/"; classtype:bad-unknown; sid:2030547; rev:2; metadata:created_at 2020_07_16, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net)"; dns.query; content:"al-nusr.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035776; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M1"; flow:established,to_server; http.uri; content:"/+CSCOT+/translation-table?type=mst&textdomain=/|2b|CSCOE|2b|/"; fast_pattern; content:"&default-language&lang="; distance:0; http.uri.raw; content:"&default-language&lang=../"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030581; rev:3; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net)"; dns.query; content:"al-taleanews.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035777; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M2"; flow:established,to_server; http.uri; content:"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform="; fast_pattern; content:"&name=|2b|CSCOE|2b 2f|"; distance:0; http.uri.raw; content:"&platform=..&resource-type=.."; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030582; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net)"; dns.query; content:"al-taleanewsonline.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035778; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-06-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id1="; depth:4; nocase; content:"&id2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com)"; dns.query; content:"al7erak247.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035779; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ThiefQuest CnC Domain in DNS Lookup"; dns.query; content:"andrewka6.pythonanywhere.com"; nocase; bsize:28; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/updates-on-thiefquest-the-quickly-evolving-macos-malware/; classtype:command-and-control; sid:2030613; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BrowseTor .onion Proxy Service SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=*.browsetor.com"; fast_pattern; classtype:bad-unknown; sid:2018396; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com)"; dns.query; content:"cloud-sources.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030636; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pegasus Domain in DNS Lookup (alrai .com)"; dns.query; content:"alrai.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035780; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com)"; dns.query; content:"cdn-filestorm.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030637; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com)"; dns.query; content:"alrainew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035781; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com)"; dns.query; content:"chretiendaujoudhui.com"; nocase; bsize:22; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Hex Executable String"; flow:to_client,established; file_data; content:"4D5A"; content:"63616E6E6F74"; fast_pattern; distance:178; within:12; content:"72756E"; distance:8; within:6; content:"444F53"; distance:8; within:6; classtype:misc-activity; sid:2035769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com)"; dns.query; content:"leprotestant.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030639; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com)"; dns.query; content:"arabia-islamion.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035782; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com)"; dns.query; content:"vie-en-islam.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030640; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Form with Action Value Equal to bit .ly"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form"; content:"action=|22|http://bit.ly"; fast_pattern; distance:0; classtype:credential-theft; sid:2035767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org)"; dns.query; content:"viedechretien.org"; nocase; bsize:17; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030641; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"login-service.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035860; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com)"; dns.query; content:"www.cnaweb.mrslove.com"; nocase; bsize:22; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030642; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"rss-me.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035861; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net)"; dns.query; content:"www.infonew.dubya.net"; nocase; bsize:21; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030643; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"talabatt.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035862; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://www.dropbox.com/"; file.data; content:"<title>Dropbox Business</title>"; nocase; classtype:social-engineering; sid:2024403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.hona-alrabe3.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035863; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"cozmo-store.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035864; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"your PayPal account"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:log\s*in|sign\s*in)/i"; classtype:social-engineering; sid:2024391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.al7eraknews.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035865; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"|20|-|20|paypal"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:s(?:e(?:nd money, pay online or set up a merchant|cure) account|uspicious (?:transaction |activities))|con(?:firm card security information|to limitato)|(?:profile updat|mot de pass)e|login)\s*-\s*paypal\s*<\/title>/i"; classtype:social-engineering; sid:2024970; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"khilafah-islamic.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035866; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iCloud Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-Request-UUID|3a|"; file.data; content:"<title>iCloud</title>"; nocase; classtype:social-engineering; sid:2024385; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mobiles-security.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035867; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>Welcome to Facebook</title>"; nocase; classtype:social-engineering; sid:2024402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"unsubscribe-now.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035868; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>"; nocase; content:"facebook email security"; within:40; nocase; fast_pattern; classtype:social-engineering; sid:2024451; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mangoutlet.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035869; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"Log in to Facebook"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2024807; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup)"; dns_query; content:"frances-thomas.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035783; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"About Copyright|20 7c 20|Facebook Help Center"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025137; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"frances-thomas.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035784; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Wells Fargo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"wellsfargo.com/"; file.data; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; classtype:social-engineering; sid:2025360; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup)"; dns_query; content:"scott-chapin.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035785; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M4"; flow:established,to_client; http.header; content:!".wellsfargo.com/"; file.data; content:"antiClickjack.parentNode.removeChild"; within:1000; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025295; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"scott-chapin.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035786; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; http.header; content:"!*.paypal.com"; file.data; content:"<title></title>"; nocase; fast_pattern; content:"<meta name=|22|application-name|22 20|content=|22|PayPal"; distance:0; classtype:social-engineering; sid:2024019; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup)"; dns_query; content:"linda-gaytan.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035787; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"cdnapis.com"; nocase; endswith; depth:11; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"linda-gaytan.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035788; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jun 28 2017"; flow:from_server,established; http.stat_code; content:"200"; http.header; content:!"https://*.paypal.com"; http.content_type; content:"text/html"; startswith; file.data;content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern; within:50; content:"</title>"; distance:0; classtype:social-engineering; sid:2025660; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup)"; dns_query; content:"david-gardiner.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035789; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Mobile Phish 2017-08-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-gardiner.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035790; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-01-26"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&prefill_source="; nocase; distance:0; content:"&prefill_type="; nocase; distance:0; content:"&first_prefill_source="; nocase; distance:0; content:"&first_prefill_type="; nocase; distance:0; content:"&had_cp_prefilled="; nocase; distance:0; content:"&had_password_prefilled="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029665; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup)"; dns_query; content:"amanda-hart.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035791; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-26"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&jazoest="; nocase; distance:0; fast_pattern; content:"&m_ts="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029673; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_26, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"amanda-hart.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035792; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup)"; dns_query; content:"javan-demsky.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035793; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2020-01-10"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"javan-demsky.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035794; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing Aug 19 2015"; flow:to_client,established; http.header; content:!"X-BOA-RequestID|3a|"; file.data; content:"boaVIPAAuseGzippedBundles"; fast_pattern; content:"boaVIPAAjawrEnabled"; distance:0; classtype:social-engineering; sid:2025666; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site)"; dns.query; content:"s59.site"; fast_pattern; classtype:bad-unknown; sid:2035870; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; http.header; content:!"X-LI-UUID|3a|"; file.data; content:"<title"; nocase; content:"Sign In|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025338; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO Observed URL Shortening Service Domain (s59 .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"s59.site"; fast_pattern; classtype:misc-activity; sid:2035871; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-I-Request-ID|3a|"; file.data; content:"<title>Manage your Apple ID</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024707; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org)"; dns.query; dotprefix; content:".enerflex.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible CIBC Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|ServerNoWhere"; file.data; content:"<title>CIBC</title>"; nocase; classtype:social-engineering; sid:2024797; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com)"; dns.query; dotprefix; content:".supportskype.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.1; content:"Accept|3a 20 2a 2f 2a 0d 0a 0d 0a|"; fast_pattern; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/"; http.method; content:"GET"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.host; content:!".imodules.com"; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; depth:30; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020027; rev:7; metadata:created_at 2014_12_22, former_category MALWARE, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co)"; dns.query; dotprefix; content:".alharbitelecom.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ave Maria RAT CnC Domain in DNS Lookup (uknwn.linkpc .net)"; dns.query; content:"uknwn.linkpc.net"; nocase; bsize:16; reference:url,twitter.com/James_inthe_box/status/1293267162258272256?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email; reference:url,app.any.run/tasks/49ba0acb-fd7a-47ec-9998-cacc6eb875d5/; classtype:command-and-control; sid:2030679; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co)"; dns.query; dotprefix; content:".cortanaupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-12"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; content:!".messenger.com"; endswith; http.request_body; content:"jazoest="; depth:8; nocase; fast_pattern; content:"&lsd="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029672; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com)"; dns.query; dotprefix; content:".cortanaservice.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035808; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GratefulPOS Covert DNS CnC Initial Checkin"; dns.query; content:".grp"; within:12; content:"ping.adm."; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:command-and-control; sid:2025144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Grateful_POS, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co)"; dns.query; dotprefix; content:".cloudgoogle.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; pcre:"/^\/v0\/b\/(?:send|hit|few|lik|mtn|eli|rfda)\d.*\.appspot\.com\//i"; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031211; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me)"; dns.query; dotprefix; content:".onedrivelive.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035810; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; depth:5; content:"&pt="; within:20; fast_pattern; http.user_agent; pcre:"/^[a-f0-9]{32}$/i"; http.request_body; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:command-and-control; sid:2025598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, malware_family Autoit_NU, performance_impact Low, signature_severity Major, tag Dropper, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com)"; dns.query; dotprefix; content:".edge-cloudservices.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake 404 With Hidden Login Form"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>404 Not Found</title>"; fast_pattern; depth:28; content:"background-color|3a 23|fff|3b|"; distance:0; content:"<form method=post>"; distance:0; content:"input type=password"; within:50; classtype:trojan-activity; sid:2025872; rev:3; metadata:attack_target Client_and_Server, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com)"; dns.query; dotprefix; content:".online-audible.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:command-and-control; sid:2026113; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_14, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net)"; dns.query; dotprefix; content:".updatedefender.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"on|20|error|20|resume|20|next"; nocase; content:".regwrite|20 22|"; distance:0; content:"|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"; within:80; fast_pattern; reference:md5,cac1aedbcb417dcba511db5caae4b8c0; classtype:trojan-activity; sid:2026427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_28, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Persistence, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org)"; dns.query; dotprefix; content:".sparrowsgroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pvtchat.live"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031215; rev:1; metadata:created_at 2020_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com)"; dns.query; dotprefix; content:".helpdesk-product.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"email="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031212; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net)"; dns.query; dotprefix; content:".defenderupdate.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"#"; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031213; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net)"; dns.query; dotprefix; content:".enerflex.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"login="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me)"; dns.query; dotprefix; content:".linkedinz.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String"; nocase; content:"-Path|20|C|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; content:"start-process|20|c|3a 5c|windows|5c|system32|5c|wscript.exe|20|-ArgumentList|20 22|c|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; fast_pattern; content:".vbe|22|"; within:20; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026677; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co)"; dns.query; dotprefix; content:".khaleejtimes.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/LamePyre Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?uid="; pcre:"/^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$/Ri"; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|scr|22 3b 20|filename=|22|"; fast_pattern; content:".png|22 0d 0a|"; within:30; http.header_names; content:!"Referer"; reference:md5,1dc949fbb35b816b3046731d8db98a3d; reference:url,objective-see.com/blog/blog_0x3C.html; classtype:trojan-activity; sid:2026823; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family LamePyre, performance_impact Moderate, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info)"; dns.query; dotprefix; content:".microsoftdefender.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"REDIR|3b|"; depth:15; content:"|7c 2d 7c|http"; within:50; fast_pattern; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live)"; dns.query; dotprefix; content:".outlookde.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apply.cgi"; depth:10; http.request_body; content:"submit_button="; depth:14; content:"&submit_type=start_ping"; distance:0; fast_pattern; content:"&ping_size="; distance:0; content:"|3b|"; within:30; reference:url,www.exploit-db.com/exploits/24936; classtype:attempted-user; sid:2027099; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)"; dns.query; dotprefix; content:".lukoil.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027104; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com)"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"passwords.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027106; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live)"; dns.query; dotprefix; content:".online-chess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"wallet.dat"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027115; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org)"; dns.query; dotprefix; content:".exprogroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027108; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (saipem .org)"; dns.query; dotprefix; content:".saipem.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookie.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com)"; dns.query; dotprefix; content:".mastergatevpn.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"ccdata.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027272; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com)"; dns.query; dotprefix; content:".sauditourismguide.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"google_chrome_default_"; distance:26; within:100; nocase; fast_pattern; pcre:"/^(?:logins|c(?:cdata|ookie))/Ri"; classtype:trojan-activity; sid:2027277; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com)"; dns.query; dotprefix; content:".listen-books.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035829; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027279; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co)"; dns.query; dotprefix; content:".updateservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wide HTA with PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/hta"; file.data; content:"W|00|s|00|c|00|r|00|i|00|p|00|t"; nocase; content:"S|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; content:"p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; fast_pattern; content:"h|00|i|00|d|00|d|00|e|00|n"; within:200; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co)"; dns.query; dotprefix; content:".microsoftcdn.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"=|20|ReadSmbResponse|28|"; content:"|20|==|20|0x72|20|&&|20|"; within:400; fast_pattern; content:"|20|==|20|00"; within:400; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027336; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me)"; dns.query; dotprefix; content:".office-shop.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|=|20|new|20|byte|5b 5d|"; content:"0xff,0x53,0x4d,0x42"; within:300; fast_pattern; content:"0x01,0x28"; distance:0; content:"0x02,0x4c,0x41,0x4e"; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com)"; dns.query; dotprefix; content:".sharepointnotify.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035833; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Inbound PowerShell Capable of Enumerating Internal Network via WMI"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|Win32_NetworkAdapterConfiguration"; nocase; content:"_.IPEnabled|20|-ne|20|$null"; within:200; nocase; content:"_.DefaultIPGateway|20|-ne|20|$null"; within:200; nocase; content:"select|20|IPAddress"; within:200; nocase; fast_pattern; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in)"; dns.query; dotprefix; content:".globaltalent.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<%@|20|Page|20|Language=|22|Jscript|22|%><eval|28|Request.Item|5b|"; fast_pattern; content:"|22 29 3b|%>"; within:50; classtype:trojan-activity; sid:2027341; rev:4; metadata:created_at 2019_05_09, former_category WEB_SERVER, performance_impact Low, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com)"; dns.query; dotprefix; content:".savemoneytrick.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"powershell"; nocase; content:"-e"; within:40; nocase; content:".Get|28 22|Win32_ProcessStartup|22 29|"; distance:0; nocase; fast_pattern; content:"Process.Create|28|"; distance:0; nocase; reference:md5,f17e15a9d28a85bd41d74233859d4df4; classtype:trojan-activity; sid:2027374; rev:4; metadata:created_at 2019_05_23, former_category CURRENT_EVENTS, tag Loader, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vidar Stealer CnC Domain in DNS Lookup"; dns.query; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER BlackSquid JSP Webshell Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<|25 25|java.io.InputStream|20|"; depth:25; content:"Runtime.getRunetime|28 29|.exec|28|request"; within:50; content:".getInputStream|28 29 3b|int|20|"; distance:0; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/; classtype:attempted-admin; sid:2027433; rev:3; metadata:attack_target Web_Server, created_at 2019_06_04, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info)"; dns.query; dotprefix; content:".microsoftedgesh.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script language=|22|"; content:"VBScript"; within:8; nocase; content:"|2e|scrollLeft"; distance:0; content:"|26|h4003|09 27 20|VT_BYREF|20 7c 20|VT_I4"; distance:0; fast_pattern; content:"|28 28 28 28 5c 2e 2e 5c|"; distance:0; content:"Powershell"; within:10; nocase; content:"|26|h40|2c 20 22 23 3e 24|"; within:400; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use; reference:url,www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer; reference:cve,CVE-2019-0752; classtype:attempted-admin; sid:2027721; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com)"; dns.query; dotprefix; content:".outlookdelivery.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035837; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FFSniff Inject Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:".type|20|==|20 22|password|22 29|"; nocase; content:"=|20 22|Subject|3a 20 22 20|+|20|"; distance:0; nocase; content:"|20 22 5c|r|5c|n|5c|r|5c|n|22 20|+|20|window.top.content.document.location|20|"; within:150; nocase; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027814; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com)"; dns.query; dotprefix; content:".remgrogroup.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035838; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"|27 5c|x61|5c|x57|5c|x35|5c|x75|5c|x5a|5c|x58|5c|x4a|5c|x49|5c|x5a"; within:150; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027815; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net)"; dns.query; dotprefix; content:".onedriveupdate.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035839; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"location.href.search|28|atob|28 27|Y"; pcre:"/^[2'][2h'+][2hl'+][2hlY'+][2hlY2'+][2hlY2t'+][2hlY2tv'+][2hlY2tvd'+][2hlY2tvdX'+][2hlY2tvdXQ'+](?:[2hlY2tvdXQ='+]){1,10}/R"; content:"|20|=|20|atob|28 27|aHR0cHM6L"; within:300; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027816; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI"; flow:established,to_server; tls.sni; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035873; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Inbound JS with Possible 1px-1px Exfiltration Image"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"document.createElement|28 22|"; content:".width=|22|1px|22|"; within:30; content:".height=|22|1px|22|"; within:30; content:"atob|28 22|aHR0cHM6Ly9"; within:100; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027817; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net)"; dns.query; dotprefix; content:".getadobe.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/AD Injector"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mvr="; within:5; pcre:"/[a-fA-F0-9]{8}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{12}/"; http.user_agent; content:"Python-urllib/"; depth:14; fast_pattern; reference:url,objective-see.com/blog/blog_0x3F.html; classtype:pup-activity; sid:2027319; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co)"; dns.query; dotprefix; content:".googleservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M1"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/optout/set/"; depth:12; fast_pattern; content:"?jsonp="; within:20; content:"&key="; distance:16; within:23; content:"&cv="; distance:18; within:23; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027419; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org)"; dns.query; dotprefix; content:".librarycollection.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M3"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/metric/?mid="; depth:13; fast_pattern; content:"&wid="; within:20; content:"&sid="; within:20; content:"&tid="; within:20; content:"&rid="; within:20; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027421; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (freechess .live)"; dns.query; dotprefix; content:".freechess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/DealPly Configuration File Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<Data|20|"; depth:6; content:"|20|step1=|22|"; within:100; content:"|20|step2=|22|"; within:30; content:"|20|step3=|22|"; within:30; content:"<|2f|FName><FHash>"; distance:0; fast_pattern; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027829; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org)"; dns.query; dotprefix; content:".elecresearch.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035844; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M1 2019-04-15"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"alert|28 22|Windows|20|Firewall|20|has|20|detected|20|that|20|your|20|Windows"; fast_pattern; content:"system|20|files|20|are|20|automatically|20|deleted"; within:200; content:"Please|20|follow|20|the|20|instructions"; within:200; classtype:social-engineering; sid:2027197; rev:4; metadata:created_at 2019_04_15, former_category WEB_CLIENT, tag Tech_Support_Scam, tag Malvertising, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com)"; dns.query; dotprefix; content:".applytalents.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScriptCompile"; distance:0; content:"value=|40|GrabConfig"; distance:0; content:"|40|GrabResolver|28|"; distance:0; content:"|27|http"; within:60; content:"|27 29 0a 40|Grab|28|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027349; rev:5; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net)"; dns.query; dotprefix; content:".updateddns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"eval|28|function|28|p,a,c,k,e,r|29|"; depth:26; content:"|20|TASKID|3d|"; distance:0; content:"|20|MAGICNUM|3d|"; within:25; content:"|20|EXECNUM|3d|"; within:25; content:"|20|FEEDBACKADDR|3d|"; within:25; content:"|28 2f|chrome|5c 5c 2f 28 5b 5c 5c 64 5d 2b 29 2f|gi"; distance:0; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027961; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com)"; dns.query; dotprefix; content:".mideasthiring.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a"; depth:6; content:"|27 2c|_b"; within:120; content:"|27 2c|_c"; within:120; content:"|2c|TASKID|3d|"; distance:0; content:"|2c|MAGICNUM|3d|"; within:25; content:"|2c|EXECNUM|3d|"; within:25; content:"|2c|FEEDBACKADDR|3d|"; within:25; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:27; within:11; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027962; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online)"; dns.query; dotprefix; content:".appslocallogin.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 27|"; depth:8; content:"|27 2c|_b|3d 27|"; within:120; content:"|27 2c|_c|3d 27|"; within:120; content:"|27 2c|e|3d|"; within:120; content:"|2c|t|3d|"; within:10; content:"|2c|n|3d|"; within:15; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:26; within:12; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027963; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com)"; dns.query; dotprefix; content:".apply-jobs.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 22|"; depth:8; content:"|22 2c|_b|3d 22|"; within:120; content:"|22 2c|_c|3d 22|"; within:120; content:"|22 3b|eval|28|function|28 5f 2c|"; within:120; content:"|29 7b|if|28|n|3d|function|28 5f 29 7b|return|28 5f|"; distance:9; within:27; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027964; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online)"; dns.query; dotprefix; content:".funnychess.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035850; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending LAN Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; depth:12; fast_pattern; content:"|22 7d|"; within:3; endswith; http.header_names; content:!"Referer"; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org)"; dns.query; dotprefix; content:".talent-recruitment.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scarsi Variant CnC Activity"; flow:to_server,established; http.uri; content:"/WP"; content:".php"; within:50; endswith; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/i"; http.header; content:"Content-Length|3a 20|"; byte_test:1,>,0x30,0,relative; http.request_body; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/si"; http.content_type; content:"application/x-www-form-urlencoded|3b 20|Charset=UTF-8"; fast_pattern; bsize:48; http.header_names; content:!"Referer|0d 0a|"; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:command-and-control; sid:2024758; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co)"; dns.query; dotprefix; content:".googleupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"name=|22|kerna|22 3b 20|filename"; fast_pattern; content:".his|22 0d 0a|"; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; distance:0; content:"JFIF"; within:15; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net)"; dns.query; dotprefix; content:".updatedns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.request_body; content:"pingstr="; depth:8; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:5; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net)"; dns.query; dotprefix; content:".thefreemovies.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000"; flow:established,to_server; http.method; content:"POST"; depth:4; endswith; http.uri; content:"config.xml"; endswith; http.request_body; content:"|3c|script|3e 0a|"; content:"import|20|org|2e|buildobjects|2e|process|2e|ProcBuilder"; distance:0; fast_pattern; content:"|40|Grab|28 27|org|2e|buildobjects|3a|jproc|3a|"; distance:0; content:"|27 29 0a|"; within:12; content:"print|20|new|20|ProcBuilder|28 22 2f|"; distance:0; content:"|22 29 2e|run|28 29|"; within:200; content:"|2e|getOutputString|28|"; within:18; content:"|3c 2f|script|3e|"; within:30; reference:url,github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; classtype:web-application-attack; sid:2027346; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2019_1003000, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net)"; dns.query; dotprefix; content:".talktalky.azurewebsites.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/ProtonBot CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"newtask|3b|"; depth:8; fast_pattern; content:"|3b|1|3b|http"; within:15; content:".exe"; distance:0; endswith; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:command-and-control; sid:2027382; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com)"; dns.query; dotprefix; content:".etisalatonline.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035856; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027454; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net)"; dns.query; dotprefix; content:".getadobe.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027455; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he .net in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"ordns.he.net"; endswith; reference:url,www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike; classtype:misc-activity; sid:2035858; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; fast_pattern; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Ordns DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"CN=ordns.he.net"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2035859; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".host.skybad.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".s2.yk.hyi8mc.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Farfli.CUY CnC Server Response"; flow:established,to_client; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 11|"; dsize:16; startswith; fast_pattern; stream_size:server,=,17; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:command-and-control; sid:2035879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Godlua Backdoor Downloading Encrypted Lua"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; http.user_agent; content:"Mozilla|2f|5.0|20 28|"; pcre:"/^(?:i686|x86_64|arm|mipsel)\-(?:static-linux|w64|iamsatan)\-(?:mingw32|uclibc(?:gnueabi)?)/R"; content:"|29 20|Chrome|2f|20"; within:11; http.referer; content:"https://www.google.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Referer|0d 0a 0d 0a|"; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027677; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2020_11_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M2"; flow:established,to_server; content:"|68 78 20 cf 01 00 00 c0 01 00 00 01 00 00 00 cb|"; startswith; fast_pattern; stream_size:client,>,200; reference:md5,87100cb600d876bd022a4d93ce6305a0; classtype:command-and-control; sid:2035880; rev:2; metadata:created_at 2022_04_08, updated_at 2022_04_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR Possible Response for LNKR js file"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"lnkr_redirecting"; fast_pattern; content:"_lnkr"; content:"excludeDomains"; within:40; content:"document.createElement|28 22|script|22|"; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027424; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"; nocase; fast_pattern; content:"%6e%65%77%28%29"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035876; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; depth:42; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:5; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035875; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; threshold: type both, track by_src, count 2, seconds 60; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&group="; fast_pattern; content:"&os="; content:"&cpu="; http.header_names; content:!"Referer|0d 0a|"; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:command-and-control; sid:2025253; rev:6; metadata:created_at 2018_01_26, former_category MALWARE, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; distance:0; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035874; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.4."; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:14; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c|mega http|2d|equiv|3d|"; fast_pattern; content:"|3c 2f|head|3e 3c|body|3e|"; within:200; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018244; rev:5; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024228; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_11_19;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self-Signed Cert Observed in Various Zbot Strains"; flow:established,to_client; tls.cert_subject; content:"O=XX"; fast_pattern; tls.cert_issuer; content:"O=XX"; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:4; metadata:created_at 2014_03_17, updated_at 2022_04_11;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls.cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/resolve?name=gw.denonia.xyz&type=A"; bsize:35; endswith; fast_pattern; http.host; content:"dns.google.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035891; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls.cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns-query?name=gw.denonia.xyz&type=A"; bsize:37; endswith; fast_pattern; http.host; content:"cloudflare-dns.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035886; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Google)"; tls.cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via TCP (CVE-2022-0778)"; flow:established,to_server; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035887; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls.cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; tls.cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via UDP (CVE-2022-0778)"; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035888; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer IP Lookup"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; http.host; content:"ip-api.com"; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com)"; dns.query; content:"blogattach.naver.com"; nocase; bsize:20; classtype:bad-unknown; sid:2035889; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer Config Download Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/grubConfig"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogattach.naver.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2035890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, signature_severity Major, updated_at 2022_04_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:5; metadata:created_at 2015_07_20, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ACMS/"; pcre:"/[a-zA-Z0-9]{8}\//UR"; content:"blockchainTemplate"; fast_pattern; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035902; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_21, former_category WEB_SERVER, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain"; dns.query; dotprefix; content:".naveicoip"; pcre:"/^[a-z]\.(?:tech|online)$/R"; reference:md5,ecd47e596048ad1af9973a21af303465; reference:url,twitter.com/jaydinbas/status/1506987283630768138; classtype:trojan-activity; sid:2035604; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; http.uri; content:"/_users/org.couchdb.user|3a|"; http.request_body; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; fast_pattern; content:"password"; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:4; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co)"; dns.query; dotprefix; content:".securetunnel.co"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible NGINX Reference LDAP Query Injection Attack"; flow:established,to_server; http.header; content:"|0d 0a|X-Ldap-Template|3a 20|"; fast_pattern; nocase; content:"|28 7c|"; distance:0; within:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/nginxinc/nginx-ldap-auth/issues/93; classtype:attempted-admin; sid:2035897; rev:2; metadata:attack_target Web_Server, created_at 2022_04_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xghk.exe"; bsize:9; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_12;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; http.uri; content:"/handle_iscsi.php"; http.request_body; content:"act=discover&address="; fast_pattern; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snatch Ransomware Checkin (POST)"; flow:established,to_server; http.request_line; content:"POST /news HTTP/1.1"; fast_pattern; http.request_body; content:"|22|pid|22 3a|"; content:"|22|host|22 3a|"; distance:0; content:"|22|type|22 3a|"; distance:0; content:"|22|username|22 3a|"; distance:0; reference:md5,5a9ae5f51c41f2de4f3eca94ddb4ccfd; classtype:trojan-activity; sid:2035898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; http.user_agent; content:"|20|MySearch"; reference:url,doc.emergingthreats.net/2002080; classtype:pup-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net)"; dns.query; content:"mail.igov-service.net"; nocase; bsize:21; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035914; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Win32/EoRezo Reporting"; flow:established,to_server; http.uri; content:"/advert/get"; nocase; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/i"; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:pup-activity; sid:2013983; rev:9; metadata:created_at 2011_12_02, former_category ADWARE_PUP, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"Version=defaultSession-Id="; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9-_]{171}$/R"; http.user_agent; content:!"Android"; content:!"Linux"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:trojan-activity; sid:2035915; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; fast_pattern; http.request_body; content:"from="; depth:5; content:"&type="; distance:0; content:"&pubid="; distance:0; content:"&BundleVersionID="; distance:0; classtype:pup-activity; sid:2018148; rev:7; metadata:created_at 2014_02_17, former_category ADWARE_PUP, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail.igov-service.net"; bsize:21; fast_pattern; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035916; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; fast_pattern; nocase; bsize:15; classtype:trojan-activity; sid:2024197; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz)"; dns.query; content:"ebook.port25.biz"; nocase; bsize:16; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,bb505ef946a80d9d0ff64923a6ca79d9; classtype:domain-c2; sid:2035912; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; http.uri.raw; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_31, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com)"; dns.query; content:"mert.my03.com"; nocase; bsize:13; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,acd062593f70c00e310c47a3e7873df4; classtype:domain-c2; sid:2035913; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nvserver"; http.request_body; content:"cmd="; content:"&params="; content:"Netviewer Proxy Test"; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ACMS/"; fast_pattern; content:"?"; distance:16; within:10; pcre:"/[a-z0-9]{8}\/.*\?[a-z0-9]{3,10}=[a-z0-9]{8,11}$/Ui"; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035901; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/settings.php"; http.header; content:"facebook.com|0d 0a|"; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com)"; dns.query; dotprefix; content:".showsvc.com"; nocase; endswith; classtype:trojan-activity; sid:2035918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com)"; dns.query; dotprefix; content:".wicommerece.com"; nocase; endswith; classtype:trojan-activity; sid:2035919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com)"; dns.query; dotprefix; content:".upservicemc.com"; nocase; endswith; classtype:trojan-activity; sid:2035920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/hours/data/get_hours.php?"; nocase; content:"take="; nocase; content:"skip="; nocase; content:"pageSize="; nocase; content:"id="; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/i"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:6; metadata:created_at 2012_04_27, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com)"; dns.query; dotprefix; content:".netpixelds.com"; nocase; endswith; classtype:trojan-activity; sid:2035921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Checkin via POST"; flow: to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"f="; content:"&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:command-and-control; sid:2009156; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com)"; dns.query; dotprefix; content:".allmyad.com"; nocase; endswith; classtype:trojan-activity; sid:2035922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_19, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com)"; dns.query; dotprefix; content:".ananoka.com"; nocase; endswith; classtype:trojan-activity; sid:2035923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; http.method; content:"GET"; http.uri; content:"/cfg.bin"; nocase; fast_pattern; endswith; http.header; content:"no-cache|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:15; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com)"; dns.query; dotprefix; content:".gvgnci.com"; nocase; endswith; classtype:trojan-activity; sid:2035924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:7; metadata:created_at 2016_02_10, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com)"; dns.query; dotprefix; content:".msfbckupsc.com"; nocase; endswith; classtype:trojan-activity; sid:2035925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns.query; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2025098; rev:5; metadata:created_at 2017_12_02, former_category HUNTING, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com)"; dns.query; dotprefix; content:".polanicia.com"; nocase; endswith; classtype:trojan-activity; sid:2035926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update.php"; endswith; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rsi"; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025171; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org)"; dns.query; dotprefix; content:".informaxima.org"; nocase; endswith; classtype:trojan-activity; sid:2035927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"xyz="; depth:4; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2025187; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com)"; dns.query; dotprefix; content:".worldchangeos.com"; nocase; endswith; classtype:trojan-activity; sid:2035928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; urilen:8; threshold: type limit, track by_dst, seconds 30, count 1; http.method; content:"POST"; http.uri; content:"/waiting"; fast_pattern; http.user_agent; content:"BC_Vic_"; depth:7; content:"BC_SPL"; distance:0; endswith; http.header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:command-and-control; sid:2025370; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Small, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com)"; dns.query; dotprefix; content:".liongracem.com"; nocase; endswith; classtype:trojan-activity; sid:2035929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot User-Agent"; flow:established,to_server; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category TROJAN, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com)"; dns.query; dotprefix; content:".jmarrycs.com"; nocase; endswith; classtype:trojan-activity; sid:2035930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Cobalt Strike Beacon"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025635; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com)"; dns.query; dotprefix; content:".am-reader.com"; nocase; endswith; classtype:trojan-activity; sid:2035931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE [PT MALWARE] Hacked Mikrotik C2 Request"; flow:established, to_server; threshold:type threshold, track by_src, count 1, seconds 35; http.method; content:"GET"; http.uri; content:"/mikrotik.php"; endswith; http.user_agent; content:"Mikrotik/6.x Fetch"; depth:18; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,forum.mikrotik.com/viewtopic.php?t=137217; classtype:command-and-control; sid:2026027; rev:5; metadata:created_at 2018_08_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Checkin"; flow:established,to_server; dsize:5; content:"|ee 00 00 11 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035939; rev:1; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"ESET Installer"; depth:14; endswith; classtype:policy-violation; sid:2027219; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag PUA, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"vic_browser=n%2Fa&vic_os=n%2Fa&vic_screen=n%2Fa&vic_lang=n%2Fa&vic_flash=n%2Fa&vic_java=n%2Fa&vic_mime=n%2Fa&vic_plugins=n%2Fa&vic_fonts=n%2Fa"; depth:142; fast_pattern; content:"=Submit&login_name="; distance:0; content:"&pin="; distance:0; classtype:credential-theft; sid:2035933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.center"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027576; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"=Submit&old_sortcode="; fast_pattern; classtype:credential-theft; sid:2035934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027577; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encryptedmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027578; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"type=|22|password|22|"; distance:0; content:"window.screen.availWidth"; distance:0; content:"window.screen.availHeight"; within:40; content:"jscd.browser"; distance:0; content:"jscd.browserMajorVersion"; within:45; content:"jscd.browserVersion"; within:45; content:"jscd.os"; distance:0; content:"jscd.osVersion"; within:30; content:"jscd.screen"; distance:0; content:"avail_res"; within:50; content:"screen.colorDepth"; within:40; content:"screen.deviceXDPI"; within:45; content:"screen.deviceYDPI"; within:45; content:"language"; distance:0; content:"jscd|2e|flashVersion|3b|"; distance:0; content:"navigator.javaEnabled()"; distance:0; content:"mime"; distance:0; content:"plugins"; distance:0; content:"listFonts().join(',')"; distance:0; classtype:credential-theft; sid:2035936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027579; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveypro.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027580; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13"; flow:established,to_client; flowbits:isset,ET.sparkassephishlanding; http.stat_code; content:"200"; file.data; content:"type|3d 22|tel|22|"; distance:0; content:"Personal?sslchannel=true&sessionid="; fast_pattern; content:"sortcode"; classtype:credential-theft; sid:2035938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveyservice.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027581; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ifn1h8ag1g.com"; bsize:14; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035905; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ifileupload.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027582; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"s22231232fdnsjds.top"; bsize:20; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035906; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"equisdeperson.space"; bsize:19; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035907; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-secure.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027584; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI)"; flow:established,to_server; tls.sni; content:"xipxesip.design"; bsize:15; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035908; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027585; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (FastInvoice)"; flow:established,to_server; http.user_agent; content:"FastInvoice"; bsize:11; startswith; fast_pattern; reference:md5,42218b0ce7fc47f80aa239d4f9e000a1; classtype:bad-unknown; sid:2035932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"internal-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027586; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"@"; content:".php"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.request_body; content:".exe|25|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9d7e0af85fd918dd5daf1b50bf649f6; reference:md5,68d73d596a7103e517967f7f4e22cecb; reference:url,blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html; classtype:trojan-activity; sid:2035917; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"itunesrewardscode.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027587; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.dreamloan.cc"; bsize:16; fast_pattern; reference:md5,5038f1ae69db7682e99c04947fa467aa; classtype:command-and-control; sid:2035909; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafeeonlinescanner.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027588; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"fserverone.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035944; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafee-scan.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027589; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"cmaildowninvoice.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035945; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"online-microsoft-update.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=error"; fast_pattern; content:"Sand="; content:"Data="; content:"Em="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"outlook-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de"; bsize:43; fast_pattern; reference:md5,ad6f124d00ca05f2a19b5215b85e25a8; classtype:command-and-control; sid:2035910; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"searscorporategiftcard.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=fail"; fast_pattern; content:"Sand="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-corp.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027593; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET HUNTING FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a 5c|WINDOWS|5c|system32|5c|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027594; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp|5c|"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-online.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027595; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".webm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,af944c93405d60adc350f94e24a3d5a1; reference:url,twitter.com/souiten/status/1511552820863852544; classtype:trojan-activity; sid:2036210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Cache=error&Sand="; startswith; fast_pattern; content:"&Data="; distance:0; content:"&Em="; distance:50; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:url,asec.ahnlab.com/ko/33141/; classtype:trojan-activity; sid:2036211; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secmail-us.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027597; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Grafana 8.x Path Traversal (CVE-2021-43798)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/public/plugins/"; fast_pattern; content:"|2f 2e 2e 2f|"; distance:0; within:40; reference:url,github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p; classtype:attempted-admin; sid:2034629; rev:2; metadata:attack_target Server, created_at 2021_12_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secureimailonline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027598; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNominatus Ransomware Related Domain in DNS Lookup"; dns.query; content:"i-love-evilnominatuscrypt.000webhostapp.com"; nocase; bsize:43; reference:url,www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf; classtype:domain-c2; sid:2036212; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-data.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027599; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/seized.xml"; endswith; fast_pattern; http.user_agent; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:".ru"; endswith; reference:md5,d6fe6243a9b4293db6384f22524ff709; reference:url,cert.gov.ua/article/39386; classtype:trojan-activity; sid:2036213; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027600; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET INFO Empty POST with Terse Headers Over Non Standard Port"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,twitter.com/3xp0rtblog/status/1509267848958562305; reference:md5,52a46f058ec6b726fe2829a590a15155; classtype:bad-unknown; sid:2036225; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027601; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; content:"%3B%"; distance:0; within:5; nocase; reference:cve,2020-17456; classtype:attempted-admin; sid:2035950; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2020_17456, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-ssl.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027602; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2020-17456; classtype:attempted-admin; sid:2035951; rev:1; metadata:created_at 2022_04_14, cve CVE_2020_17456, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securessl-vpn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027603; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130 RCE Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; http.request_body; content:"&queriesCnt="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2035952; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-vpn.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027604; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/chkisg.htm"; content:"%3FSip%"; fast_pattern; nocase; distance:0; content:"%7C"; nocase; distance:0; reference:cve,2018-10823; classtype:attempted-admin; sid:2035953; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2018_10823, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-account.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-login.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|exec|22|,|7b 22|command|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50865; classtype:attempted-admin; sid:2035955; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-secure.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027607; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|read|22|,|7b 22|path|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50864; classtype:attempted-admin; sid:2035956; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-upgrade.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027608; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"details="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssofiles.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027609; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Requesting Commands"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; http.request_body; content:"news="; content:"&request_for_read="; fast_pattern; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027610; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Submitting Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"answer="; content:"&cid="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon.ico"; endswith; http.host; content:"military-ukraine."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c0d3a0ab9b47ab9bc81cf5d831053431; reference:md5,7b20e3ac2a4ebf507f6c8358245d5db5; classtype:trojan-activity; sid:2036214; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vpn-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027612; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supership .dynv6 .net)"; dns.query; content:"supership.dynv6.net"; nocase; bsize:19; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vsecuremail.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027613; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me)"; dns.query; content:"greatsong.soundcast.me"; nocase; bsize:22; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-cloud.net"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027614; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supermarket .ownip .net)"; dns.query; content:"supermarket.ownip.net"; nocase; bsize:21; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027615; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|25 7b|"; content:".exec|28|"; distance:0; fast_pattern; content:"|29 7d|"; distance:0; reference:url,github.com/CyborgSecurity/CVE-2020-17530; reference:cve,2020-17530; classtype:attempted-admin; sid:2033408; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_17530, former_category WEB_SPECIFIC_APPS, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"wu-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba Lure (Package Delivery)"; flow:established,to_client; content:"|82|"; startswith; content:"jsonrpc"; distance:5; within:8; content:"Your parcel has been sent out.Please check and accept it. http"; fast_pattern; reference:url,team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion; classtype:trojan-activity; sid:2036215; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_04_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027617; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.longmusic .com Domain"; flow:established,to_server; http.host; content:".longmusic.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035961; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027618; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.longmusic .com Domain"; dns.query; content:".longmusic.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035962; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (downloader)"; flow:to_server,established; http.user_agent; content:"downloader"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:pup-activity; sid:2007885; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035963; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey CnC Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; nocase; content:"&vs="; nocase; content:"&ar="; nocase; content:"&bi="; nocase; content:"&lv="; nocase; content:"&os="; nocase; content:"&av="; nocase; fast_pattern; reference:md5,a83a58cbcd200461b1a80de45e436d9c; classtype:command-and-control; sid:2027700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Amadey, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035964; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi MVEL Eval RCE Inbound M1 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"|22|script|3a 3a|"; distance:0; fast_pattern; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031219; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain"; flow:established,to_server; http.host; content:".zzux.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035965; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Usteal.B Checkin"; flow:to_server,established; http.uri; content:"/ufr.php"; fast_pattern; http.request_body; content:"name="; content:"filename="; content:"UFR|21|"; reference:url,www.threatexpert.com/report.aspx?md5=3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:command-and-control; sid:2014616; rev:8; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035966; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; http.uri; content:"/kspp/do?imei="; fast_pattern; content:"&wid="; content:"&type="; content:"&step="; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:9; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035967; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi OGNL Eval RCE Inbound M2 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"getClass|28|"; distance:0; nocase; content:".runtime"; distance:0; nocase; content:"getDeclaredMethods|28|"; distance:0; fast_pattern; content:".invoke|28|"; distance:0; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031220; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dumb1 .com Domain"; dns.query; content:".dumb1.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035968; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:established,to_server; urilen:<13; http.method; content:"GET"; http.uri; content:".htm"; fast_pattern; pcre:"/^\/[^\x2f]+?\.htm$/"; http.header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; http.user_agent; content:!"BridgitAgent"; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:command-and-control; sid:2017191; rev:6; metadata:created_at 2013_07_24, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dumb1 .com Domain"; flow:established,to_server; http.host; content:".dumb1.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035969; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK PDF URI Struct"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; content:"/1"; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/"; http.header; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2017636; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onedumb .com Domain"; dns.query; content:".onedumb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035970; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK URI Struct"; flow:established,to_server; http.uri; content:"/3/"; fast_pattern; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/"; classtype:exploit-kit; sid:2018534; rev:6; metadata:created_at 2014_06_05, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onedumb .com Domain"; flow:established,to_server; http.host; content:".onedumb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035971; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; http.user_agent; content:"Zollard"; nocase; fast_pattern; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:6; metadata:created_at 2013_12_09, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.youdontcare .com Domain"; dns.query; content:".youdontcare.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035972; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/replace/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018749; rev:9; metadata:created_at 2014_07_21, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.youdontcare .com Domain"; flow:established,to_server; http.host; content:".youdontcare.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035973; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_24, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.yourtrap .com Domain"; dns.query; content:".yourtrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035974; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Checkin"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/random.php"; fast_pattern; http.user_agent; content:"Mozilla/5."; pcre:"/^\d{2,7}$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:command-and-control; sid:2019353; rev:6; metadata:created_at 2014_10_03, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.yourtrap .com Domain"; flow:established,to_server; http.host; content:".yourtrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035975; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.2waky .com Domain"; dns.query; content:".2waky.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035976; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Citrix XenMobile Server Directory Traversal Attempt Inbound (CVE-2020-8209)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sbFileName=../"; fast_pattern; reference:url,github.com/B1anda0/CVE-2020-8209/blob/main/CVE-2020-8209.py; reference:cve,2020-8209; classtype:attempted-admin; sid:2031221; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_8209, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.2waky .com Domain"; flow:established,to_server; http.host; content:".2waky.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035977; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action="; fast_pattern; content:"&sent_all="; content:"&sent_success="; distance:0; content:"&active_connections="; distance:0; content:"&queue_connections="; distance:0; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020329; rev:6; metadata:created_at 2015_01_29, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexidude .com Domain"; dns.query; content:".sexidude.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035978; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Bayrob Keepalive"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/isup.php"; fast_pattern; http.header.raw; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:6; metadata:created_at 2015_03_05, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexidude .com Domain"; flow:established,to_server; http.host; content:".sexidude.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035979; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.asp?search="; fast_pattern; http.header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/mi"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:command-and-control; sid:2020913; rev:5; metadata:created_at 2015_04_15, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mefound .com Domain"; dns.query; content:".mefound.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035980; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mefound .com Domain"; flow:established,to_server; http.host; content:".mefound.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035981; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; pcre:"/\.php$/"; http.header; content:"HOST|3a|"; depth:5; content:"User-Agent|3a|"; distance:0; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/mi"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021584; rev:7; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.organiccrap .com Domain"; dns.query; content:".organiccrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035982; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; http.header; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; content:"Next|2d|Polling"; fast_pattern; content:"Content|2d|Salt|3a 20|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/i"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:13; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.organiccrap .com Domain"; flow:established,to_server; http.host; content:".organiccrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035983; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent Post"; flow:established,to_server; http.uri; content:!"/uup.php"; http.header; content:!".360.cn|0d 0a|"; content:!".360.com|0d 0a|"; http.user_agent; content:"Post"; fast_pattern; bsize:4; classtype:trojan-activity; sid:2014366; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toythieves .com Domain"; dns.query; content:".toythieves.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035984; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern; pcre:"/^\{\x22(?:os|type)\x22\x3a/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toythieves .com Domain"; flow:established,to_server; http.host; content:".toythieves.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035985; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; http.uri; content:"&downlink="; content:"&uplink="; content:"&id="; content:"&statpass="; fast_pattern; content:"&version="; content:"&features="; content:"&guid="; content:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:command-and-control; sid:2013293; rev:7; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.justdied .com Domain"; dns.query; content:".justdied.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035986; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; http.user_agent; content:"(Charon|3b 20|Inferno)"; fast_pattern; classtype:trojan-activity; sid:2021641; rev:9; metadata:created_at 2015_08_17, former_category TROJAN, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.justdied .com Domain"; flow:established,to_server; http.host; content:".justdied.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035987; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.header; content:"WinHttp.WinHttpRequest."; http.host; content:!"download.nai.com"; classtype:trojan-activity; sid:2022658; rev:8; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain"; dns.query; content:".jungleheart.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035988; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"application/x-httpd-php"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|"; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jungleheart .com Domain"; flow:established,to_server; http.host; content:".jungleheart.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035989; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; flowbits:set,ET.iTunes.vuln; flowbits:noalert; http.header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/m"; http.user_agent; content:"iTunes/10.6."; depth:12; classtype:policy-violation; sid:2014954; rev:12; metadata:created_at 2012_06_25, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbonus .com Domain"; dns.query; content:".mrbonus.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035990; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbonus .com Domain"; flow:established,to_server; http.host; content:".mrbonus.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035991; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin Dec 29 2014"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_body; content:"EPF#"; depth:4; fast_pattern; http.connection; content:"close"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:command-and-control; sid:2020076; rev:5; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.x24hr .com Domain"; dns.query; content:".x24hr.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035992; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; http.request_line; content:"POST / 1.1"; depth:10; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; depth:28; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021632; rev:5; metadata:created_at 2015_08_14, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.x24hr .com Domain"; flow:established,to_server; http.host; content:".x24hr.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035993; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"l=dj0"; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/Rs"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.fartit .com Domain"; dns.query; content:".fartit.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035994; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; http.user_agent; content:!"OuijaBoardWigi"; content:"Ouija"; startswith; classtype:trojan-activity; sid:2028990; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.fartit .com Domain"; flow:established,to_server; http.host; content:".fartit.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035995; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)"; dns.query; content:"tryanotherhorse.com"; endswith; reference:md5,cf71ba878434605a3506203829c63b9d ; classtype:domain-c2; sid:2030822; rev:3; metadata:attack_target Mobile_Client, created_at 2020_09_02, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ahmyth, signature_severity Critical, tag Android, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itemdb .com Domain"; dns.query; content:".itemdb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035996; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.hostareas.com"; nocase; bsize:17; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030891; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itemdb .com Domain"; flow:established,to_server; http.host; content:".itemdb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035997; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.jsquerys.net"; nocase; bsize:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.instanthq .com Domain"; dns.query; content:".instanthq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035998; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"web.miscrosaft.com"; nocase; bsize:18; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.instanthq .com Domain"; flow:established,to_server; http.host; content:".instanthq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035999; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"cnc.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxuz .com Domain"; dns.query; content:".xxuz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036000; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"back.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxuz .com Domain"; flow:established,to_server; http.host; content:".xxuz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036001; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"q9uvveypiB.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jkub .com Domain"; dns.query; content:".jkub.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036002; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint Update CnC Domain in DNS Query"; dns.query; content:"uhyg8v.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jkub .com Domain"; flow:established,to_server; http.host; content:".jkub.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036003; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Checkin CnC in DNS Query"; dns.query; content:"log.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itsaol .com Domain"; dns.query; content:".itsaol.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036004; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Staging CnC in DNS Query"; dns.query; content:"box.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itsaol .com Domain"; flow:established,to_server; http.host; content:".itsaol.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036005; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service nrecom in DNS Query"; dns.query; content:"paste.nrecom.net"; nocase; endswith; classtype:policy-violation; sid:2031001; rev:3; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.faqserv .com Domain"; dns.query; content:".faqserv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036006; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-11-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&ps="; nocase; distance:0; pcre:"/^em=[^&]*&ps=[^&]*$/i"; classtype:credential-theft; sid:2031218; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.faqserv .com Domain"; flow:established,to_server; http.host; content:".faqserv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036007; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoetRAT CnC Domain in DNS Lookup"; dns.query; content:"volt220.kozow.com"; nocase; bsize:17; reference:url,twitter.com/ShadowChasing1/status/1314847032155074562; classtype:domain-c2; sid:2031007; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, malware_family PoetRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jetos .com Domain"; dns.query; content:".jetos.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036008; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (office)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; fast_pattern; tls.cert_issuer; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; reference:md5,880a45ff31bc540e80ecf2cf93134c12; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031134; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jetos .com Domain"; flow:established,to_server; http.host; content:".jetos.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036009; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"duke6.tk"; nocase; bsize:8; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qpoe .com Domain"; dns.query; content:".qpoe.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036010; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"wekanda.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031138; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qpoe .com Domain"; flow:established,to_server; http.host; content:".qpoe.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036011; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"sanitar.ml"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qhigh .com Domain"; dns.query; content:".qhigh.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036012; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"branter.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qhigh .com Domain"; flow:established,to_server; http.host; content:".qhigh.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036013; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"bronerg.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.vizvaz .com Domain"; dns.query; content:".vizvaz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036014; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"crusider.tk"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.vizvaz .com Domain"; flow:established,to_server; http.host; content:".vizvaz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036015; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/setup.htm"; nocase; http.request_body; content:"wan_proto=dhcp"; nocase; content:"dhcps_dns_1="; nocase; fast_pattern; content:"dhcps_mode=enabled"; nocase; content:"lan_proto=enable"; nocase; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; classtype:attempted-admin; sid:2023468; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrface .com Domain"; dns.query; content:".mrface.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036016; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"|20|Java/1.8.0_"; content:!"271"; within:3; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:32; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrface .com Domain"; flow:established,to_server; http.host; content:".mrface.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036017; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.7.0_"; content:!"281"; within:3; reference:url,www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html; classtype:bad-unknown; sid:2014297; rev:59; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2012_03_01, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.isasecret .com Domain"; dns.query; content:".isasecret.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036018; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain in DNS Lookup"; dns.query; content:"ab1de19d80ae6.com"; nocase; bsize:17; reference:md5,ef694b89ad7addb9a16bb6f26f1efaf7; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2031206; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.isasecret .com Domain"; flow:established,to_server; http.host; content:".isasecret.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036019; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DonotGroup CnC in DNS Query"; dns.query; content:"pvtchat.live"; nocase; endswith; classtype:domain-c2; sid:2031216; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrslove .com Domain"; dns.query; content:".mrslove.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036020; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2"; dns.query; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!"services.corona.be"; isdataat:!1,relative; classtype:bad-unknown; sid:2029710; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_11_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrslove .com Domain"; flow:established,to_server; http.host; content:".mrslove.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036021; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gdn)"; flow:from_server,established; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031223; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.americanunfinished .com Domain"; dns.query; content:".americanunfinished.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036022; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ml)"; flow:from_server,established; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031224; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.americanunfinished .com Domain"; flow:established,to_server; http.host; content:".americanunfinished.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036023; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gq)"; flow:from_server,established; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031225; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveusers .com Domain"; dns.query; content:".serveusers.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036024; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ga)"; flow:from_server,established; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031226; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveusers .com Domain"; flow:established,to_server; http.host; content:".serveusers.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036025; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.cf)"; flow:from_server,established; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031227; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveuser .com Domain"; dns.query; content:".serveuser.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036026; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.xyz)"; flow:from_server,established; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031228; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveuser .com Domain"; flow:established,to_server; http.host; content:".serveuser.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036027; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu)"; flow:from_server,established; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031229; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myftp .info Domain"; dns.query; content:".myftp.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036028; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.top)"; flow:from_server,established; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031230; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .info Domain"; flow:established,to_server; http.host; content:".myftp.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036029; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL SSL/TLS Certificate"; flow:from_server,established; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031231; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mydad .info Domain"; dns.query; content:".mydad.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036030; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.pw)"; flow:from_server,established; tls.cert_subject; content:".pw"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031232; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mydad .info Domain"; flow:established,to_server; http.host; content:".mydad.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036031; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Content-Length|3a 20|95|0d 0a|"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Pragma"; content:!"Referer"; reference:md5,a3c4951687b39e58550309dbbf2e5c85; reference:md5,1c1d7bf3ad926f3cdf0befbc5205a1fe; classtype:trojan-activity; sid:2031233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mymom .info Domain"; dns.query; content:".mymom.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036032; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:800; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2031238; rev:1; metadata:created_at 2020_11_25, former_category PHISHING, updated_at 2020_11_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mymom .info Domain"; flow:established,to_server; http.host; content:".mymom.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036033; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackrota Domain (blackrato .ga in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackrato.ga"; bsize:12; fast_pattern; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031235; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_11_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypicture .info Domain"; dns.query; content:".mypicture.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036034; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Blackrota)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; fast_pattern; tls.cert_issuer; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; reference:md5,04dab9530bbcb7679ff5498400417e40; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031236; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, malware_family Blackrota, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypicture .info Domain"; flow:established,to_server; http.host; content:".mypicture.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036035; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Geocon CnC Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.0|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENUS)"; fast_pattern; bsize:76; http.cookie; bsize:172; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; reference:url,github.com/darkr4y/geacon/blob/5d9a9101c1f3b7dfb71484a58db5cc51ea279583/cmd/packet/http.go; reference:md5,6e020db51665614f4a2fd84fb0f83778; classtype:command-and-control; sid:2031237; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myz .info Domain"; dns.query; content:".myz.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036036; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-11-26"; flow:established,to_client; file.data; content:"<title>Ch&alpha|3b|se &Beta|3b|&alpha|3b|n&Kappa|3b|"; fast_pattern; classtype:social-engineering; sid:2031239; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myz .info Domain"; flow:established,to_server; http.host; content:".myz.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036037; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|proclist|22|"; content:"svchost.exe"; content:"name=|22|sysinfo|22|"; content:"ipconfig"; content:"net view /all"; fast_pattern; content:"nltest"; distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:command-and-control; sid:2031241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.squirly .info Domain"; dns.query; content:".squirly.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036038; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Windows.net Hosted Phish 2020-10-14"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".windows.net"; isdataat:!1,relative; fast_pattern; http.uri; content:!"/getEffectiveAccess?api-version="; classtype:credential-theft; sid:2031012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.squirly .info Domain"; flow:established,to_server; http.host; content:".squirly.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036039; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-11-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; nocase; content:"exp"; nocase; content:"cvv="; nocase; fast_pattern; http.host; content:!".ez-chow.com"; endswith; classtype:credential-theft; sid:2029680; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toh .info Domain"; dns.query; content:".toh.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036040; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc 2020-11-30)"; flow:established,to_client; tls.cert_subject; content:"CN=filestream.download"; nocase; endswith; reference:md5,1e0d96c551ca31a4055491edc17ce2dd; classtype:domain-c2; sid:2031240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_30, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_11_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toh .info Domain"; flow:established,to_server; http.host; content:".toh.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036041; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY ToDesk Remote Access Control Tool"; flow:established,to_server; content:"|00 00 00|"; startswith; content:"|01 0a 20|"; offset:4; depth:3; content:"|12|"; offset:39; depth:1; byte_jump:1,0,relative; content:"|18 01 22|"; within:3; byte_jump:1,0,relative; content:"|3a 3f|"; within:2; content:"B$"; distance:63; within:2; isdataat:!68,relative; reference:md5,d428709903e8c86bc02dfc29ab903634; classtype:policy-violation; sid:2031242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_30, deployment Perimeter, former_category POLICY, performance_impact Significant, signature_severity Informational, updated_at 2020_11_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .info Domain"; dns.query; content:".xxxy.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036042; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031243; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .info Domain"; flow:established,to_server; http.host; content:".xxxy.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036043; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031244; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.freewww .info Domain"; dns.query; content:".freewww.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036044; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M6 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:"com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031245; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_01, cve CVE_2020_14882, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_12_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.freewww .info Domain"; flow:established,to_server; http.host; content:".freewww.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036045; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:!".jpg',no','no',no'"; nocase; distance:0; content:!".pdf,no','no',no'"; nocase; distance:0; content:!".SlideMenu1_Folder div"; content:!"PhotoGallery"; nocase; classtype:social-engineering; sid:2026047; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .biz Domain"; dns.query; content:".xxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036046; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible SombRAT Initial DNS Lookup"; dns.query; content:"images"; nocase; depth:6; fast_pattern; content:!"images."; depth:7; content:"."; distance:8; within:1; pcre:"/^images[a-f0-9]{8}\./i"; reference:md5,f43377b04b66d1aed783cd6037e3298d; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; classtype:trojan-activity; sid:2031251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .biz Domain"; flow:established,to_server; http.host; content:".xxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036047; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file.data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp"; nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:5; metadata:attack_target Networking_Equipment, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexxxy .biz Domain"; dns.query; content:".sexxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036048; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/action?dns_status=1&dns_poll_timeout="; fast_pattern; content:"&id="; distance:0; content:"&dns_serv_ip_1="; distance:0; content:"&dns_serv_ip_2="; distance:0; content:"&dns_serv_ip_3="; distance:0; content:"&dns_serv_ip_4="; distance:0; content:"&priority=1&cmdadd=add"; distance:0; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:7; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexxxy .biz Domain"; flow:established,to_server; http.host; content:".sexxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036049; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"acunetix_wvs_security_test"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.www1 .biz Domain"; dns.query; content:".www1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036050; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"|24|acunetix"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023688; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.www1 .biz Domain"; flow:established,to_server; http.host; content:".www1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036051; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow:established; http.header; content:"Content-Type|3A|"; content:"application/x-msn-messenger"; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation; sid:2009375; rev:9; metadata:created_at 2010_07_30, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dhcp .biz Domain"; dns.query; content:".dhcp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036052; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forms/dns_1?"; fast_pattern; content:"Enable_DNSFollowing=1"; distance:0; content:"dnsPrimary="; distance:0; reference:url,www.exploit-db.com/exploits/35917; classtype:attempted-admin; sid:2023466; rev:8; metadata:created_at 2015_01_29, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dhcp .biz Domain"; flow:established,to_server; http.host; content:".dhcp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036053; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Blackrota Domain"; dns.query; content:"blackrato.ga"; nocase; bsize:12; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031234; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.edns .biz Domain"; dns.query; content:".edns.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036054; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"european-who.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031246; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.edns .biz Domain"; flow:established,to_server; http.host; content:".edns.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036055; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"who-international.com"; nocase; bsize:21; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031247; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftp1 .biz Domain"; dns.query; content:".ftp1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036056; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"office-pulgin.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031248; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftp1 .biz Domain"; flow:established,to_server; http.host; content:".ftp1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036057; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"health-world-org.com"; nocase; bsize:20; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031249; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mywww .biz Domain"; dns.query; content:".mywww.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036058; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"adverting-cdn.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031250; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mywww .biz Domain"; flow:established,to_server; http.host; content:".mywww.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036059; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org)"; dns.query; content:"hotspot.accesscam.org"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031252; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftpserver .biz Domain"; dns.query; content:".ftpserver.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036060; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org)"; dns.query; content:"highcolumn.webredirect.org"; nocase; bsize:26; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031253; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftpserver .biz Domain"; flow:established,to_server; http.host; content:".ftpserver.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036061; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org)"; dns.query; content:"ethdns.mywire.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031254; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .biz Domain"; dns.query; content:".wwwhost.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036062; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org)"; dns.query; content:"theguardian.webredirect.org"; nocase; bsize:27; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031255; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .biz Domain"; flow:established,to_server; http.host; content:".wwwhost.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036063; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (allmedicalpro .com)"; dns.query; content:"allmedicalpro.com"; nocase; bsize:17; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031256; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.moneyhome .biz Domain"; dns.query; content:".moneyhome.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036064; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (mediqhealthcare .com)"; dns.query; content:"mediqhealthcare.com"; nocase; bsize:19; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031257; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.moneyhome .biz Domain"; flow:established,to_server; http.host; content:".moneyhome.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036065; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (gofinancesolutions .com)"; dns.query; content:"gofinancesolutions.com"; nocase; bsize:22; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031258; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.port25 .biz Domain"; dns.query; content:".port25.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036066; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".sh.ShellSession"; fast_pattern; pcre:"/^(?:\x28|%28)/R"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031185; rev:3; metadata:created_at 2020_11_05, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_12_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.port25 .biz Domain"; flow:established,to_server; http.host; content:".port25.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036067; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkIRC Bot CnC Domain Lookup"; dns.query; content:"cnc."; startswith; fast_pattern; content:".xyz"; endswith; bsize:22; pcre:"/^cnc\.[a-fA-F0-9]{14}.xyz$/"; reference:url,blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability; classtype:command-and-control; sid:2031260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_04;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.esmtp .biz Domain"; dns.query; content:".esmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036068; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.esmtp .biz Domain"; flow:established,to_server; http.host; content:".esmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036069; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information"; flow:established,to_server; http.uri; content:"?q=7b2268776964223a22"; nocase; fast_pattern; content:"222c22706e223a22"; nocase; distance:0; content:"222c226f73223a2257696e646f7773"; nocase; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:trojan-activity; sid:2030393; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2020_12_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .biz Domain"; dns.query; content:".dsmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036070; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (gogohid .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogohid.com"; bsize:11; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .biz Domain"; flow:established,to_server; http.host; content:".dsmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036071; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (blackl1vesmatter .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackl1vesmatter.org"; bsize:20; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sixth .biz Domain"; dns.query; content:".sixth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036072; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (vincentolife .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vincentolife.com"; bsize:16; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031263; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sixth .biz Domain"; flow:established,to_server; http.host; content:".sixth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036073; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"X-Requested-With|3a 20|ShockwaveFlash/"; fast_pattern; content:!"32.0.0.453|0d 0a|"; within:12; content:!"32.0.0.445|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2024379; rev:37; metadata:affected_product Adobe_Flash, created_at 2017_06_13, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_12_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ninth .biz Domain"; dns.query; content:".ninth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036074; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031271; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ninth .biz Domain"; flow:established,to_server; http.host; content:".ninth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036075; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031272; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.misecure .com Domain"; dns.query; content:".misecure.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036076; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain"; flow:established,to_server; http.host; content:".misecure.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036077; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.got-game .org Domain"; dns.query; content:".got-game.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036078; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] POSSIBLE HackTool.TCP.Rubeus.[User32LogonProcesss]"; flow:to_server; content:"User32LogonProcesss"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.got-game .org Domain"; flow:established,to_server; http.host; content:".got-game.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036079; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[Build ID]"; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dns2 .us Domain"; dns.query; content:".dns2.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036080; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.SSL.BEACON.[CSBundle Ajax]"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; fast_pattern; tls.cert_issuer; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns2 .us Domain"; flow:established,to_server; http.host; content:".dns2.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036081; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|0a|_domainkey"; distance:0; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .us Domain"; dns.query; content:".changeip.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036082; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .us Domain"; flow:established,to_server; http.host; content:".changeip.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036083; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .biz Domain"; dns.query; content:".changeip.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036084; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M2"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 31 00 30 00 20 00 44 00 65 00 66 00 65 00 6e 00 64 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .biz Domain"; flow:established,to_server; http.host; content:".changeip.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036085; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M1"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 55 00 70 00 64 00 61 00 74 00 65 00 20 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031300; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.almostmy .com Domain"; dns.query; content:".almostmy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036086; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M3"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4c 00 69 00 63 00 65 00 6e 00 73 00 65 00 20 00 4b 00 65 00 79 00 20 00 41 00 63 00 74 00 69 00 76 00 61 00 74 00 69 00 6f 00 6e|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.almostmy .com Domain"; flow:established,to_server; http.host; content:".almostmy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036087; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M4"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 66 00 66 00 69 00 63 00 65 00 20 00 33 00 36 00 35 00 20 00 50 00 72 00 6f 00 78 00 79|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ocry .com Domain"; dns.query; content:".ocry.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036088; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M5"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ocry .com Domain"; flow:established,to_server; http.host; content:".ocry.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036089; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M6"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 6e 00 65 00 44 00 72 00 69 00 76 00 65 00 20 00 53 00 79 00 6e 00 63 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ourhobby .com Domain"; dns.query; content:".ourhobby.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036090; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M7"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|42 00 61 00 63 00 6b 00 67 00 72 00 6f 00 75 00 6e 00 64 00 20 00 41 00 63 00 74 00 69 00 6f 00 6e 00 20 00 4d 00 61 00 6e 00 61 00 67 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031306; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ourhobby .com Domain"; flow:established,to_server; http.host; content:".ourhobby.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036091; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M8"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|53 00 65 00 63 00 75 00 72 00 65 00 20 00 54 00 6f 00 6b 00 65 00 6e 00 20 00 4d 00 65 00 73 00 73 00 61 00 67 00 69 00 6e 00 67 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsfailover .net Domain"; dns.query; content:".dnsfailover.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036092; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M9"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 20 00 55 00 70 00 64 00 61 00 74 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfailover .net Domain"; flow:established,to_server; http.host; content:".dnsfailover.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036093; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; content:"Cookie|3a 20|"; content:"display-culture=en|3b|check=true|3b|lbcs=0|3b|sess-id="; content:"|3b|SIDCC=AN0-TY21iJHH32j2m|3b|FHBv3=B"; fast_pattern; http.uri; pcre:"/^\/(?:v(?:1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|4\/links\/activity-stream|3\/links\/ping-centre)|gp\/(?:aj\/private\/reviewsGallery\/get-(?:application-resource|image-gallery-asset)s|cerberus\/gv)|en-us\/(?:p\/(?:onerf\/MeSilentPassport|book-2\/8MCPZJJCC98C)|store\/api\/checkproductinwishlist)|wp-(?:content\/themes\/am43-6\/dist\/records|includes\/js\/script\/indigo-migrate)|api2\/json\/(?:cluster\/(?:resource|task)s|access\/ticket))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ygto .com Domain"; dns.query; content:".ygto.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036094; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; flow:established,from_server; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ygto .com Domain"; flow:established,to_server; http.host; content:".ygto.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036095; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031293; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gettrials .com Domain"; dns.query; content:".gettrials.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036096; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Accept-Ranges|3a 20|bytes"; content:"Age|3a 20|5806"; content:"Cache-Control|3a 20|public,max-age=31536000"; content:"Content-Encoding|3a 20|gzip"; content:"Content-Length|3a 20|256398"; content:"Content-Type|3a 20|application/javascript"; content:"Server|3a 20|UploadServer"; content:"Vary|3a 20|Accept-Encoding, Fastly-SSL"; content:"x-api-version|3a 20|F-X"; content:"x-cache|3a 20|HIT"; content:"x-Firefox-Spdy|3a 20|h2"; content:"x-nyt-route|3a 20|vi-assets"; content:"x-served-by|3a 20|cache-mdw17344-MDW"; content:"x-timer|3a 20|S1580937960.346550,VS0,VE0"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031267; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gettrials .com Domain"; flow:established,to_server; http.host; content:".gettrials.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036097; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a 22|"; fast_pattern; content:"nid"; content:"msg-"; http.method; content:"POST"; http.uri; content:"/notification"; startswith; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031292; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4dq .com Domain"; dns.query; content:".4dq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036098; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 3]"; flow:established,from_server; content:"{|22|alias|22 3a 22|apx|22|,|22|prefix|22 3a 22 22|,|22|suffix|22 3a|null,|22|suggestions|22 3a|[],|22|responseId|22 3a 22|15QE9JX9CKE2P|22|,|22|addon|22 3a 20 22|"; fast_pattern; content:"|22|,|22|shuffled|22 3a|false}"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031268; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4dq .com Domain"; flow:established,to_server; http.host; content:".4dq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036099; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[POST]"; flow:established,to_server; urilen:1; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.connection; content:"upgrade"; depth:7; http.header; content:"|0d 0a|Upgrade|3a 20|tcp/1|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie:"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4pu .com Domain"; dns.query; content:".4pu.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036100; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 2]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4pu .com Domain"; flow:established,to_server; http.host; content:".4pu.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036101; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:from_server,established; file.data; content:"{|22|navgd|22 3a 22|<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https|3a|//supportlocal.usatoday.com/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031273; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036102; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server]"; flow:established,from_server; content:"{|22|meta|22|:{},|22|status|22 3a 22|OK|22|,|22|saved|22 3a 22|1|22|,|22|starttime|22 3a|17656184060,|22|id|22 3a 22 22|,|22|vims|22 3a|{|22|dtc|22 3a|"; fast_pattern; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031275; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036103; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; flow:established,to_server; content:"sess-="; content:"auth=0|3b|loc=US|7d|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036104; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; flow:established,to_server; content:"nyt-a="; content:"nyt-gdpr=0|3b|nyt-purr=cfh|3b|nyt-geo=US}"; fast_pattern; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; http.request_line; pcre:"/^GET\s(?:\/(?:(?:v(?:i-assets\/static-asset|[12]\/preference)|idcta\/translation)s|ads\/google))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031276; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036105; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request]"; flow:established,to_server; http.cookie; content:"hl=en|3b|bse="; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9_\/\+\-]{2}==|[a-zA-Z0-9_\/\+\-]{3}=|[a-zA-Z0-9_\/\+\-]{4})\x3b/"; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b|"; endswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynumber .org Domain"; dns.query; content:".mynumber.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036106; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Connection|3a 20|close"; content:"Content-Type|3a 20|application/json|3b 20|charset=utf-8"; content:"Content-Security-Policy|3a 20|upgrade-insecure-requests"; content:"Strict-Transport-Security|3a 20|max-age=10890000"; content:"Cache-Control|3a 20|public, immutable, max-age=315360000"; content:"Accept-Ranges|3a 20|bytes"; content:"X-Cache|3a 20|HIT, HIT"; content:"X-Timer|3a 20|S1593010188.776402,VS0,VE1"; content:"Vary|3a 20|X-AbVariant, X-AltUrl, Accept-Encoding"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031274; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynumber .org Domain"; flow:established,to_server; http.host; content:".mynumber.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036107; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; http.accept; content:"*/*"; startswith; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.rebatesrule .net Domain"; dns.query; content:".rebatesrule.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036108; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[SID1]"; flow:established,to_server; http.start; content:"|0d 0a|Cookie: SID1="; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.rebatesrule .net Domain"; flow:established,to_server; http.host; content:".rebatesrule.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036109; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager]"; flow:established,from_client; http.accept; content:"*/*"; depth:3; http.accept_lang; content:"en-US"; depth:5; http.accept_enc; content:"gzip, deflate"; depth:13; http.cookie; content:"SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; depth:80; fast_pattern; http.uri; content:"/api/v1/user/"; content:"/avatar/"; distance:3; within:8; pcre:"/\/api\/v1\/user\/(?:512|124)\/avatar/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ezua .com Domain"; dns.query; content:".ezua.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036110; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (wherisdomaintv .com in DNS Lookup)"; dns_query; content:"wherisdomaintv.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031309; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ezua .com Domain"; flow:established,to_server; http.host; content:".ezua.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036111; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (whoisdomainpc .com in DNS Lookup)"; dns_query; content:"whoisdomainpc.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031310; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sendsmtp .com Domain"; dns.query; content:".sendsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036112; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (fullplayersoftware .com in DNS Lookup)"; dns_query; content:"fullplayersoftware.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031311; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sendsmtp .com Domain"; flow:established,to_server; http.host; content:".sendsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036113; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (softwareplayertop .com in DNS Lookup)"; dns_query; content:"softwareplayertop.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031312; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssmailer .com Domain"; dns.query; content:".ssmailer.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036114; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Type|3a 20|image/gif"; file_data; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; fast_pattern; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssmailer .com Domain"; flow:established,to_server; http.host; content:".ssmailer.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036115; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp GET]"; flow:established,to_server; content:"request_origin=user"; http.method; content:"GET"; http.request_line; content:"&parent_request_id="; within:256; fast_pattern; content:"|20|HTTP/1"; within:1024; pcre:"/^GET [^\r\n]{0,256}&parent_request_id=(?:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/"; http.header; content:"|0d 0a|Sec-Fetch-Dest|3a 20|empty|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .net Domain"; dns.query; content:".trickip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036116; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle CDN GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; http.header; content:"client-="; fast_pattern; content:"|3b|auth=1}"; http.uri; pcre:"/^\/v1\/(?:queue|profile|docs\/wsdl|pull)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .net Domain"; flow:established,to_server; http.host; content:".trickip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036117; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:from_server,established; http.response_line; content:"HTTP/1."; depth:7; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .org Domain"; dns.query; content:".trickip.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036118; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"; flow:established,to_server; content:"gnt_ub=86|3b|gnt_sb=18|3b|usprivacy=1YNY|3b|DigiTrust.v1.identity="; fast_pattern; content:"%3D|3b|GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM|3b|"; http.method; content:"GET"; http.connection; content:"close"; bsize:5; http.accept; content:"*/*"; bsize:3; http.header; content:"Cookie|3a 20|"; http.request_line; pcre:"/^GET\s(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .org Domain"; flow:established,to_server; http.host; content:".trickip.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036119; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|03|"; within:15; content:"|0a|_domainkey"; distance:3; within:11; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsrd .com Domain"; dns.query; content:".dnsrd.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036120; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original POST]"; flow:established,to_server; content:"ses-"; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; http.request_line; pcre:"/^POST\s(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsrd .com Domain"; flow:established,to_server; http.host; content:".dnsrd.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036121; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; content:"cli"; content:"l-"; http.request_line; content:"POST /v1/push"; depth:13; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .com Domain"; dns.query; content:".lflinkup.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036122; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sofacy Zebrocy CnC DNS Lookup (support-cloud .life)"; dns_query; content:"support-cloud.life"; nocase; bsize:18; reference:url,www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/; classtype:domain-c2; sid:2031315; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .com Domain"; flow:established,to_server; http.host; content:".lflinkup.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036123; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Account Phish Dec 04 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"continue="; content:"followup="; content:"checkedDomains="; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:credential-theft; sid:2015980; rev:6; metadata:created_at 2012_12_03, former_category CURRENT_EVENTS, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .net Domain"; dns.query; content:".lflinkup.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036124; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Docusign</title>"; nocase; classtype:social-engineering; sid:2024387; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .net Domain"; flow:established,to_server; http.host; content:".lflinkup.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036125; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi/?SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031314; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .org Domain"; dns.query; content:".lflinkup.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036126; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi?SoID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031313; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .org Domain"; flow:established,to_server; http.host; content:".lflinkup.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036127; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; http.request_line; content:"|2e 20|HTTP/1."; fast_pattern; http.uri; pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/"; classtype:exploit-kit; sid:2019176; rev:5; metadata:created_at 2014_09_15, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflink .com Domain"; dns.query; content:".lflink.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036128; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 - Stage 2 - Request"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_aWQ9"; fast_pattern; content:".html"; endswith; pcre:"/_aWQ9[a-zA-Z0-9\/]{43,46}(?:JmdpZD|Z2lkP|ZnaWQ9)/"; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflink .com Domain"; flow:established,to_server; http.host; content:".lflink.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036129; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Trojan.APT.9002 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]+$/"; http.user_agent; content:"lynx"; depth:4; isdataat:!1,relative; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:targeted-activity; sid:2017702; rev:4; metadata:created_at 2013_11_10, former_category MALWARE, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0tnet .com Domain"; dns.query; content:".b0tnet.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036130; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[A-F0-9]{24}$/"; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; depth:13; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017714; rev:8; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0tnet .com Domain"; flow:established,to_server; http.host; content:".b0tnet.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036131; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage1 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?host="; fast_pattern; content:"&password="; distance:0; pcre:"/\.php\?host=[^&]+&password=[a-f0-9]{32}$/"; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029499; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .net Domain"; dns.query; content:".changeip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036132; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .net Domain"; flow:established,to_server; http.host; content:".changeip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036133; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mysecondarydns .com Domain"; dns.query; content:".mysecondarydns.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036134; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011110; classtype:web-application-attack; sid:2011110; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mysecondarydns .com Domain"; flow:established,to_server; http.host; content:".mysecondarydns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036135; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011111; classtype:web-application-attack; sid:2011111; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dynssl .com Domain"; dns.query; content:".dynssl.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036136; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011112; classtype:web-application-attack; sid:2011112; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dynssl .com Domain"; flow:established,to_server; http.host; content:".dynssl.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036137; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kuluoz.B Request"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-f0-9]+$/i"; http.header; content:"Windows NT 9.0|3b|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:6; metadata:created_at 2012_12_04, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mylftv .com Domain"; dns.query; content:".mylftv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036138; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox CnC Beacon"; flow:established,to_server; http.host; pcre:"/\x3a\d{1,5}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016528; rev:8; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mylftv .com Domain"; flow:established,to_server; http.host; content:".mylftv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036139; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Java Installer Landing Page Oct 21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; content:"&sid="; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/"; pcre:"/&name=[a-z0-9\x20]+$/i"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .com Domain"; dns.query; content:".mynetav.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036140; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/Oceanlotus Maldoc CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?"; content:"=e010000127"; distance:0; fast_pattern; content:".exe|3b|"; nocase; pcre:"/^[^\r\n]+\.exe(?:\x3b)?$/Ri"; reference:md5,e2511f009b1ef8843e527f765fd875a7; reference:md5,cc2027319a878ee18550e35d9b522706; reference:url,twitter.com/HONKONE_K/status/1290511333343993856; classtype:command-and-control; sid:2030652; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .com Domain"; flow:established,to_server; http.host; content:".mynetav.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036141; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MontysThree HTTPTransport Module Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|image|22 3b 20|filename=|22|image.jpg|22|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1f0461dba1aefdd124f8333afe7f5982; reference:url,https://twitter.com/Int2e_/status/1314479575523446784; classtype:trojan-activity; sid:2030994; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fodcha Bot CnC Client Heartbeat"; flow:established,to_client; dsize:5; content:"|69 00 00 96 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035940; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded from Discord"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; http.uri; content:"/attachments/"; startswith; fast_pattern; pcre:"/^[0-9]{18}\/[0-9]{18}\/[a-zA-Z0-9]{7}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:25; reference:md5,1ef671ebe0e5efd44cf05c630fbe9cb5; classtype:policy-violation; sid:2031083; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .net Domain"; dns.query; content:".mynetav.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036142; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; http.user_agent; content:"AskPBar"; fast_pattern; reference:url,doc.emergingthreats.net/2006381; classtype:pup-activity; sid:2006381; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .net Domain"; flow:established,to_server; http.host; content:".mynetav.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036143; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"."; pcre:"/\.(?:gif|bmp|jpeg|png)$/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021829; rev:5; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .org Domain"; dns.query; content:".mynetav.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036144; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M6"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023679; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .org Domain"; flow:established,to_server; http.host; content:".mynetav.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036145; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M7"; flow:from_server,established; flowbits:isset,min.gethttp; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023711; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.homingbeacon .net Domain"; dns.query; content:".homingbeacon.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036146; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 3"; flow:to_server,established; content:"/rico.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020656; rev:5; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.homingbeacon .net Domain"; flow:established,to_server; http.host; content:".homingbeacon.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036147; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; http.user_agent; content:"JDatabaseDriverMysqli"; fast_pattern; http.header; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:4; metadata:created_at 2015_12_14, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ikwb .com Domain"; dns.query; content:".ikwb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036148; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:104; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|Content-Length|3a 20|"; distance:0; pcre:"/User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a)[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nContent-Length\x3a\x20\d+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/m"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021631; rev:4; metadata:created_at 2015_08_14, former_category MALWARE, updated_at 2020_12_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ikwb .com Domain"; flow:established,to_server; http.host; content:".ikwb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036149; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"CALLBACK|3a 20|"; fast_pattern; nocase; content:"<http"; distance:0; content:"><http"; distance:0; pcre:"/^Callback\x3a\x20<http[^>]+><http/mi"; reference:url,github.com/yunuscadirci/CallStranger; reference:cve,2020-12695; classtype:attempted-dos; sid:2030339; rev:2; metadata:affected_product UPnP, attack_target IoT, created_at 2020_06_15, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.acmetoy .com Domain"; dns.query; content:".acmetoy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036150; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[^\x2e\x3f\x3d\x26]+\.[^\x2e\x2f\x3f\x3d\x26]+$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.referer; pcre:"/^http\x3a\x2f\x2f[^\x2f]+\x2f$/"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.acmetoy .com Domain"; flow:established,to_server; http.host; content:".acmetoy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036151; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic .EDU Phish Aug 17 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; flowbits:isnotset,ET.realEDUrequest; http.stat_code; content:"302"; http.location; content:".edu"; nocase; fast_pattern; pcre:"/https?:\/\/[^/]+\.edu/i"; classtype:credential-theft; sid:2029662; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnset .com Domain"; dns.query; content:".dnset.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036152; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-02-13"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?rand=13InboxLightaspxn."; fast_pattern; content:"&email="; distance:0; content:"@"; distance:0; classtype:credential-theft; sid:2029669; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnset .com Domain"; flow:established,to_server; http.host; content:".dnset.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036153; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download (set)"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McAfee ePO"; fast_pattern; http.host; content:"update.nai.com"; classtype:not-suspicious; sid:2031317; rev:1; metadata:created_at 2020_12_11, former_category INFO, performance_impact Low, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.as19557 .net Domain"; dns.query; content:".as19557.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036154; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Passwords.txt"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2029846; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.as19557 .net Domain"; flow:established,to_server; http.host; content:".as19557.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036155; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 401TRG Liferay RCE (CVE-2020-7961)"; flow:established,to_server; http.uri; content:"/api/jsonws/expandocolumn/update-column"; nocase; http.request_body; content:"userOverridesAsString=HexAsciiSerializedMap"; nocase; fast_pattern; reference:cve,2020-7961; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; classtype:attempted-admin; sid:2031318; rev:1; metadata:created_at 2020_12_11, cve CVE_2020_7961, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toshibanetcam .com Domain"; dns.query; content:".toshibanetcam.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036156; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) M2"; flow:established,to_server; http.header; content:"JDatabaseDriverMysqli"; fast_pattern; content:"JSimplepieFactory"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2031319; rev:1; metadata:created_at 2020_12_11, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toshibanetcam .com Domain"; flow:established,to_server; http.host; content:".toshibanetcam.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036157; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getPolicy?a="; fast_pattern; startswith; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031320; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Heartbeat Response"; flow:established,to_server; dsize:5; content:"|70 00 00 8f ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035941; rev:2; metadata:created_at 2022_04_13, former_category MALWARE, malware_family Fodcha, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic 302 Redirect to Google"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"https://google.com"; fast_pattern; startswith; classtype:misc-activity; sid:2030594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, signature_severity Informational, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .net Domain"; dns.query; content:".authorizeddns.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036158; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://poloniex.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024617; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .net Domain"; flow:established,to_server; http.host; content:".authorizeddns.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036159; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://exmo.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024618; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .org Domain"; dns.query; content:".authorizeddns.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036160; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://paxful.com"; startswith; classtype:credential-theft; sid:2024621; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .org Domain"; flow:established,to_server; http.host; content:".authorizeddns.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036161; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://localbitcoins.com"; startswith; classtype:credential-theft; sid:2024640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .us Domain"; dns.query; content:".authorizeddns.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036162; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish 2020-08-17"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://www.paxful.com"; startswith; classtype:credential-theft; sid:2030695; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .us Domain"; flow:established,to_server; http.host; content:".authorizeddns.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036163; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M1"; flow:established,to_server; http.uri; content:"/swip/Events"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .biz Domain"; dns.query; content:".cleansite.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036164; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M2"; flow:established,to_server; http.uri; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .biz Domain"; flow:established,to_server; http.host; content:".cleansite.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036165; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M3"; flow:established,to_server; http.uri; content:"swip/Upload.ashx"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031339; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .info Domain"; dns.query; content:".cleansite.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036166; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M4"; flow:established,to_server; http.uri; content:"/swip/upd/"; within:75; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"folded.in"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035942; rev:3; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to digitalcollege .org"; flow:established,to_server; http.host; dotprefix; content:".digitalcollege.org"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .info Domain"; flow:established,to_server; http.host; content:".cleansite.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036167; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to freescanonline .com"; flow:established,to_server; http.host; dotprefix; content:".freescanonline.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .us Domain"; dns.query; content:".cleansite.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036168; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to deftsecurity .com"; flow:established,to_server; http.host; dotprefix; content:".deftsecurity.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031349; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .us Domain"; flow:established,to_server; http.host; content:".cleansite.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036169; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to thedoccloud .com"; flow:established,to_server; http.host; dotprefix; content:".thedoccloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .net Domain"; dns.query; content:".https443.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036170; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to virtualdataserver .com"; flow:established,to_server; http.host; dotprefix; content:".virtualdataserver.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .net Domain"; flow:established,to_server; http.host; content:".https443.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036171; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M2"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Server: nginx/1.14.0 (Ubuntu)"; content:"Connection|3a 20|close"; distance:0; content:"Cache-Control|3a 20|max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options|3a 20|nosniff"; distance:0; content:"X-AspNetMvc-Version|3a 20|3.0"; fast_pattern; distance:0; content:"X-AspNet-Version|3a 20|4.0.30319"; distance:0; content:"X-Powered-By|3a 20|ASP.NET"; distance:0; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:6; within:4; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .org Domain"; dns.query; content:".https443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036172; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M3"; flow:established,from_server; file.data; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .org Domain"; flow:established,to_server; http.host; content:".https443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036173; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M4"; flow:established,from_server; file.data; content:"<p>Companies-Best-Man-Vendors-Best</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .net Domain"; dns.query; content:".mypop3.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036174; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M5"; flow:established,from_server; file.data; content:"<meta name=|22|msvalidate.01|22| content=|22|ECEE9516DDABFC7CCBBF1EACC04CAC20|22|>"; content:"<meta name=|22|google-site-verification|22| content=|22|CD5EF1FCB54FE29C838ABCBBE0FA57AE|22|>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .net Domain"; flow:established,to_server; http.host; content:".mypop3.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036175; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M6"; flow:from_server,established; file.data; content:"<p>Million-Support-Years-Week-Agents</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, signature_severity Major, updated_at 2020_12_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"fridgexperts.cc"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035943; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|"; content:"|22 3b|filename=|22|"; content:"|22 0a|Content-Type|3a|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031323; rev:2; metadata:created_at 2020_12_13, former_category MALWARE, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .org Domain"; dns.query; content:".mypop3.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036176; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .com)"; dns_query; content:"tocaoonline.com"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031372; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .org Domain"; flow:established,to_server; http.host; content:".mypop3.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036177; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (qh2020 .org)"; dns_query; content:"qh2020.org"; nocase; bsize:10; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031373; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssl443 .org Domain"; dns.query; content:".ssl443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036178; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tinmoivietnam .com)"; dns_query; content:"tinmoivietnam.com"; nocase; bsize:17; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031374; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssl443 .org Domain"; flow:established,to_server; http.host; content:".ssl443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036179; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .org)"; dns_query; content:"tocaoonline.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031375; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .biz Domain"; dns.query; content:".iownyour.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036180; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (facebookdeck .com)"; dns_query; content:"facebookdeck.com"; nocase; bsize:16; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031376; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .biz Domain"; flow:established,to_server; http.host; content:".iownyour.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036181; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (nhansudaihoi13 .org)"; dns_query; content:"nhansudaihoi13.org"; nocase; bsize:18; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031377; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .org Domain"; dns.query; content:".iownyour.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036182; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (thundernews .org)"; dns_query; content:"thundernews.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031378; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .org Domain"; flow:established,to_server; http.host; content:".iownyour.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036183; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to thedoccloud .com"; dns.query; content:"thedoccloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .biz Domain"; dns.query; content:".onmypc.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036184; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to deftsecurity .com"; dns.query; content:"deftsecurity.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .biz Domain"; flow:established,to_server; http.host; content:".onmypc.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036185; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to freescanonline .com"; dns.query; content:"freescanonline.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .info Domain"; dns.query; content:".onmypc.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036186; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to websitetheme .com"; dns.query; content:"websitetheme.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031328; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .info Domain"; flow:established,to_server; http.host; content:".onmypc.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036187; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com"; dns.query; content:"highdatabase.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031329; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .net Domain"; dns.query; content:".onmypc.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036188; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to incomeupdate .com"; dns.query; content:"incomeupdate.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031330; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .net Domain"; flow:established,to_server; http.host; content:".onmypc.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036189; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to databasegalore .com"; dns.query; content:"databasegalore.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031331; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .org Domain"; dns.query; content:".onmypc.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036190; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to panhardware .com"; dns.query; content:"panhardware.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .org Domain"; flow:established,to_server; http.host; content:".onmypc.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036191; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to zupertech .com"; dns.query; content:"zupertech.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .us Domain"; dns.query; content:".onmypc.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036192; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to virtualdataserver .com"; dns.query; content:"virtualdataserver.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .us Domain"; flow:established,to_server; http.host; content:".onmypc.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036193; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to digitalcollege .org"; dns.query; content:"digitalcollege.org"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .info Domain"; dns.query; content:".dubya.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036194; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Grabber CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/datarecord/"; endswith; http.request_body; content:"username="; startswith; content:"&content=IP%3a+"; distance:0; fast_pattern; content:"%0a"; endswith; reference:md5,635b08c141465abf86eaec88391b5ee6; classtype:command-and-control; sid:2030599; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .info Domain"; flow:established,to_server; http.host; content:".dubya.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036195; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (thedoccloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".thedoccloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .us Domain"; dns.query; content:".dubya.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036196; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (incomeudpate .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".incomeupdate.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .us Domain"; flow:established,to_server; http.host; content:".dubya.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036197; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (panhardware .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".panhardware.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .biz Domain"; dns.query; content:".dubya.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036198; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (freescanonline .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".freescanonline.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031365; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .biz Domain"; flow:established,to_server; http.host; content:".dubya.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036199; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (databasegalore .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".databasegalore.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031366; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .net Domain"; dns.query; content:".dubya.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036200; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (highdatabase .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".highdatabase.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .net Domain"; flow:established,to_server; http.host; content:".dubya.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036201; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (websitetheme .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".websitetheme.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .us Domain"; dns.query; content:".wwwhost.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036202; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (zupertech .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".zupertech.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .us Domain"; flow:established,to_server; http.host; content:".wwwhost.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036203; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (deftsecurity .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".deftsecurity.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zyns .com Domain"; flow:established,to_server; http.host; content:".zyns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036204; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dotm)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dotm; http.method; content:"GET"; http.uri; content:".dotm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; classtype:bad-unknown; sid:2031379; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.otzo .com Domain"; flow:established,to_server; http.host; content:".otzo.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036205; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Googlebot/2.1|3b 20|+http|3a 2f 2f|www.google|2e|com/bot.html)"; bsize:72; http.request_body; content:"="; depth:25; content:"&"; distance:0; content:"="; distance:0; within:25; content:"=V2luZG93cy"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/pymicropsia/; classtype:trojan-activity; sid:2031371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-report .com Domain"; flow:established,to_server; http.host; content:".dns-report.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036206; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windows Explorer Tab Add-on Post Install Checkin"; flow:established,to_server; http.request_line; content:"POST /api HTTP/1.1"; bsize:18; http.request_body; content:"f=100&p=ew0KICAgIk0iOi"; startswith; fast_pattern; reference:md5,47d9aee3497bed660b640194dbab5879; classtype:pup-activity; sid:2031386; rev:2; metadata:created_at 2020_12_15, former_category ADWARE_PUP, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns1 .us Domain"; flow:established,to_server; http.host; content:".dns1.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036207; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com"; dns.query; content:".appsync-api."; content:"avsvmcloud.com"; distance:0; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031324; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .co Domain"; dns.query; content:".changeip.co"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036208; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com"; flow:established,to_server; http.host; content:".appsync-api."; dotprefix; content:".avsvmcloud.com"; distance:0; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .co Domain"; flow:established,to_server; http.host; content:".changeip.co"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036209; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com)"; flow:established,to_client; tls.cert_subject; content:".appsync-api."; content:".avsvmcloud.com"; distance:0; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031341; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Connectivity Check"; flow:established,to_server; http.method; http.request_line; content:"POST /GO/"; fast_pattern; content:".php"; endswith; http.accept_enc; bsize:1; content:"*"; http.content_len; bsize:1; content:"0"; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:command-and-control; sid:2035957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to solartrackingsystem .net"; dns.query; dotprefix; content:".solartrackingsystem.net"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031387; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (maxiurl .com)"; dns.query; content:"maxiurl.com"; nocase; bsize:11; classtype:misc-activity; sid:2036226; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to webcodez .com"; dns.query; dotprefix; content:".webcodez.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031388; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (maxiurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxiurl.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2036227; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, signature_severity Informational, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to lcomputers .com"; dns.query; dotprefix; content:".lcomputers.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031389; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live)"; dns.query; content:"bnt2.live"; nocase; bsize:9; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036231; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to seobundlekit .com"; dns.query; dotprefix; content:".seobundlekit.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031390; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io)"; dns.query; content:"signin.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036232; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to kubecloud .com"; dns.query; dotprefix; content:".kubecloud.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031391; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io)"; dns.query; content:"archery.dedyn.io"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036233; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to globalnetworkissues .com"; dns.query; dotprefix; content:".globalnetworkissues.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031392; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me)"; dns.query; content:"market.vinam.me"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036234; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (solartrackingsystem .net in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031393; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io)"; dns.query; content:"market.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036235; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031394; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".db2"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,db9df7f1bcfba0346d9e7de729c018a2; reference:url,twitter.com/500mk500/status/1515002456882786310; classtype:trojan-activity; sid:2036228; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031395; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bluebox Data Exfiltration"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; fast_pattern; content:"corp="; content:"os="; content:"softid="; content:"hid="; content:"macadd="; content:"md5="; content:"rand="; content:"subid="; http.user_agent; content:"IEhook"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b13718f353c8c0ea51a15733e035199e; classtype:pup-activity; sid:2036236; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (seobundlekit .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031396; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [TW] IPFS Protocol HTTP Headers Observed"; flow:established,to_client; http.header_names; content:"|0d 0a|X-Ipfs-"; nocase; fast_pattern; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [TW] IPFS File Request Observed"; flow:established,to_server; http.uri; content:"/ipfs/"; fast_pattern; pcre:"/^[a-z0-9]{40,}/Ri"; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (globalnetworkissues .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)"; flow:established,to_server; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; reference:url,blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/; classtype:trojan-activity; sid:2036237; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (solartrackingsystem .net)"; flow:established,to_client; tls.cert_subject; content:"CN=solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031380; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hojimizeg .com)"; dns.query; content:"hojimizeg.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036238; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (webcodez .com)"; flow:established,to_client; tls.cert_subject; content:"CN=webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031381; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (notixow .com)"; dns.query; content:"notixow.com"; nocase; bsize:11; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036239; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (lcomputers .com)"; flow:established,to_client; tls.cert_subject; content:"CN=lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031382; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (rewujisaf .com)"; dns.query; content:"rewujisaf.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:trojan-activity; sid:2036240; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit .com)"; flow:established,to_client; tls.cert_subject; content:"CN=seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031383; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matrix Max Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"zipx=UEsDBBQ"; startswith; fast_pattern; reference:md5,e8573f06d342ae05ece8d1be111669c4; reference:url,twitter.com/James_inthe_box/status/1516049381539004418; classtype:trojan-activity; sid:2036245; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment SSLDecrypt, former_category MALWARE, malware_family Matrix_Max, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (kubecloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031384; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updateb)"; flow:established,to_server; http.uri; content:"/updateb.php?p="; nocase; pcre:"/updateb\.php\?p=\d/i"; flowbits:isset,BT.ppagent.updatea; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (globalnetworkissues .com)"; flow:established,to_client; tls.cert_subject; content:"CN=globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031385; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (panhardware .com)"; flow:established,to_client; tls.cert_subject; content:"CN=panhardware.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"D="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com)"; flow:established,to_client; tls.cert_subject; content:"CN=deftsecurity.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; http.uri; content:"php?i="; content:"&v="; content:"&win=Windows"; content:"&un="; content:"&uv="; content:"&s="; content:"&onl="; content:"&ip="; content:"&f="; reference:url,doc.emergingthreats.net/2007700; classtype:command-and-control; sid:2007700; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=thedoccloud.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Rat CnC Exfil"; flow:established,to_server; content:"|00 00 00|ent4rme"; offset:2; depth:10; fast_pattern; content:"|20 7c 20|"; distance:0; content:"|23|runtimebroker"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com)"; flow:established,to_client; tls.cert_subject; content:"CN=virtualdataserver.com"; bsize:24; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointpack.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"php?"; content:"kind="; content:"&pid="; content:"&ver="; content:"&uniq="; content:"&addresses="; content:"&hdmacid="; content:"&dllver="; content:"&subv="; reference:url,doc.emergingthreats.net/2008260; classtype:command-and-control; sid:2008260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com)"; flow:established,to_client; tls.cert_subject; content:"CN=incomeupdate.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; http.uri; content:"m="; content:"&a="; content:"&r="; content:"&os="; content:"00000"; pcre:"/\/s_\d\d_\d+\?/"; pcre:"/&os=[0-9a-z]{40}/i"; reference:url,doc.emergingthreats.net/2008412; classtype:command-and-control; sid:2008412; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org)"; flow:established,to_client; tls.cert_subject; content:"CN=digitalcollege.org"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031342; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"pass="; content:"type="; content:"host="; content:"port="; content:"name="; content:"pc="; content:"user="; content:"ip="; content:"version="; http.header; content:"User-Agent|3a| NR"; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com)"; flow:established,to_client; tls.cert_subject; content:"CN=zupertech.com"; bsize:16; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Family GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"szclientid="; content:"szmac="; content:"szusername="; content:"szver="; content:"mode="; content:"value="; content:"systype="; content:"rid="; content:"szname="; content:"szpaname="; content:"palen="; content:"szpapaname="; content:"chksum="; reference:md5,ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:7; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com)"; flow:established,to_client; tls.cert_subject; content:"CN=databasegalore.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031354; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirus2010 Checkin port 8082"; flow:established,to_server; http.uri; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:command-and-control; sid:2011473; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=freescanonline.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java Archive sent when remote host claims to send an image"; flow:established,to_client; http.content_type; content:!"application/java-archive"; content:"image"; nocase; startswith; file.data; content:"PK"; depth:2; content:"META-INF/MANIFEST"; distance:0; fast_pattern; classtype:trojan-activity; sid:2014288; rev:6; metadata:created_at 2012_02_28, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (websitetheme .com)"; flow:established,to_client; tls.cert_subject; content:"CN=websitetheme.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:established,to_client; flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:5; metadata:created_at 2012_04_28, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (highdatabase .com)"; flow:established,to_client; tls.cert_subject; content:"CN=highdatabase.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Downloading Payload"; flow:established,to_server; http.uri; content:"get"; content:"?src="; fast_pattern; distance:0; content:"snet"; endswith; pcre:"/\?src=[a-z]+snet$/"; http.user_agent; content:" WinHttp.WinHttpRequest"; classtype:exploit-kit; sid:2016566; rev:5; metadata:created_at 2013_03_14, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] Observed SUNBURST DGA Request"; dns.query; content:".appsync-api."; nocase; content:".avsvmcloud.com"; distance:9; within:15; endswith; nocase; fast_pattern; pcre:"/^[a-z0-9]+\.appsync-api\.(?:eu|us)-(?:ea|we)st-[12]\.avsvmcloud\.com$/"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031359; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file.data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri"; content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:exploit-kit; sid:2017177; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031449; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".aspx"; http.user_agent; content:!"SmadavStat"; http.host; content:!"lavasoft.com"; http.request_body; content:!"Zerto.ZVM"; content:!"id1="; content:"1="; content:"2="; distance:0; content:"3="; distance:0; content:"4="; distance:0; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer"; content:!"Accept"; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category TROJAN, malware_family Neurevt, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"&"; http.request_body; content:"="; within:15; content:"|00 00 00 00 00 00|"; fast_pattern; isdataat:!1,relative; pcre:"/=[a-z0-9\(_~\-\.\x00]{300,}\x00$/i"; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.connection; content:"close"; depth:5; endswith; http.content_len; byte_test:0,>,300,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Content-Length|0d 0a|"; depth:36; reference:md5,6f5d2b42f4a74886ac3284fa9a414a87; classtype:command-and-control; sid:2031413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,to_client; tls.cert_serial; content:"1F:23:9D:BD"; tls.cert_subject; content:"O=assylias.Inc"; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; reference:md5,b102c26e04e97bda97b11bfe7366e61e; classtype:trojan-activity; sid:2020728; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Tombol Microsoft Account Phishing Landing 2020-12-16"; flow:established,to_client; file.data; content:"$('#password').keyup("; content:"$('#Tombol1').click("; distance:0; fast_pattern; content:"data: { u : email, p : password_v"; distance:0; classtype:social-engineering; sid:2031414; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 14 2016"; flow:established,to_client; file.data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R"; content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:exploit-kit; sid:2022898; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"baldwin-gonzalez.live"; depth:21; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase; flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d="; startswith; fast_pattern; content:"&v="; distance:0; content:"&t="; distance:0; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,d01bcca6255a4f062fc59a014f407532; reference:md5,2d459929135993959cacceb0dd81a813; classtype:command-and-control; sid:2031417; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS Path to BusyBox"; flow:established,to_server; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/en/?2"; startswith; fast_pattern; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; http.request_body; content:"f="; startswith; content:"&c="; distance:0; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&mi="; distance:0; content:"&t="; distance:0; content:"&txt="; distance:0; content:"&e=EOF"; endswith; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,2d459929135993959cacceb0dd81a813; reference:md5,d01bcca6255a4f062fc59a014f407532; classtype:command-and-control; sid:2031418; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031415; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023272; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031416; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jaime-martinez.info"; depth:19; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"x7soyTdaNq94NWpdLGZ4NWpd"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"judystevenson.info"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"MlADchNaR0LGZ4NWpdLGZ4N"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"robert-keegan.life"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"azTEhyWNbKGpdLGZ4NWpdLG"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"benyallen.club"; depth:14; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017 M2"; flow:established,to_client; file.data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri"; content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:exploit-kit; sid:2024093; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"chad-jessie.info"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643"; flow:established,to_client; file.data; content:"|4e6f636e636f4d7a49334e6a6370|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024361; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"escanor.live"; depth:12; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017"; flow:established,to_client; flowbits:isset,ET.DisDain.EK; http.stat_code; content:"200"; file.data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0; within:75; classtype:exploit-kit; sid:2024612; rev:4; metadata:created_at 2017_08_23, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"krasil-anthony.icu"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; flowbits:isset,ETPTadmoney; http.stat_code; content:"200"; file.data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12; depth:4; classtype:pup-activity; sid:2024699; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Internet, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"nicoledotson.icu"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"samwinchester.club"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889; stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1; flowbits:set, FB332502_2; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tatsumifoughtogre.club"; depth:22; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031409; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:established,to_client; file.data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2024845; rev:4; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (vgca.homeunix .org)"; dns.query; content:"vgca.homeunix.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031431; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; dns.query; content:"dyoravdkiavfkbkx"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025507; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (office365.blogdns .com)"; dns.query; content:"office365.blogdns.com"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031432; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; dns.query; content:"dypmoywmjrevboat"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025508; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031429; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; dns.query; content:"jjjooyeohgghgtwn"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025509; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031430; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; dns.query; content:"lvanwwbyabcfevyi"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025510; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertrex20.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031419; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; dns.query; content:"uxwavkmttywsuynt"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025511; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"gentexman37.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; dns.query; content:"yaynawvtuqcarjwc"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025512; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertsp74.xyz"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns.query; content:"3whyfziey2vr41yq"; depth:16; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"shopweb95.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031422; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jun 28 2017"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:!"https://*.paypal.com"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern; within:50; content:"</title>"; distance:0; classtype:social-engineering; sid:2025660; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"mexstat128.com"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt"; flow:established,to_server; http.uri; content:"${"; content:"ognl|2E|"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"sdadvert197.com"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server; stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:command-and-control; sid:2026433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.com"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)"; dns.query; content:"kraken656kn6wyyx"; depth:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1030.pdf; classtype:command-and-control; sid:2026640; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Agent.NZH CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"File not found.|0a 3c 21 2d 2d|"; within:30; fast_pattern; content:"-->"; distance:0; classtype:command-and-control; sid:2026987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.com"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"aptgetgxqs3secda"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027351; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.xyz"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"rapid7cpfqnwxodo"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027352; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A MalDoc Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{6,16}-(?:pro|xl2)$/s"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Connection"; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) Pico/"; startswith; classtype:trojan-activity; sid:2029306; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"&log=passwords|3a 20|"; depth:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"************************"; depth:24; content:"************************"; distance:0; content:"************************"; distance:0; content:"username|3a 20|"; distance:0; content:"password|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ActionSpy CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ps/upinfo"; bsize:10; fast_pattern; http.user_agent; content:"android"; bsize:7; http.header; content:"Content-Encoding|3a 20|encrypted|0d 0a|"; reference:md5,43f1891a9c0d8fc69e273095708d9238; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/; classtype:command-and-control; sid:2030342; rev:2; metadata:attack_target Mobile_Client, created_at 2020_06_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Nitol.K Variant CnC"; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; content:"Windows|20|"; distance:4; within:8; content:"|00|"; within:5; content:"|7c b4 ab b2 a5 7c|"; fast_pattern; reference:md5,56bff68317a0af08f749a1c717125cf3; classtype:command-and-control; sid:2022337; rev:4; metadata:created_at 2016_01_06, former_category MALWARE, updated_at 2020_12_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gootkit Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?"; startswith; fast_pattern; pcre:"/^[1-z]{13}=[0-9]{16}$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http.header_names; content:!"Referer"; reference:md5,82ddc740b8ff3aa4d818d1b421e0231e; classtype:trojan-activity; sid:2033022; rev:2; metadata:created_at 2021_05_24, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?A="; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/R"; http.header; content:"Accept-Language|3a 20|zh-TW"; http.header_names; content:"Referer|0d 0a|"; content:!"Cache"; reference:md5,344c04216840312cad17b6610b723825; classtype:command-and-control; sid:2025145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Randrew_A, performance_impact Low, signature_severity Major, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OWA Phishing Landing Page 2021-08-20"; flow:established,to_client; file.data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"<form action|3d 22|save.php|22|"; content:"method|3d 22|POST|22|"; distance:0; content:"name|3d 22|logonForm|22|"; distance:0; content:"id|3d 22|logonForm|22|"; distance:0; content:"enctype|3d 22|application/x-www-form-urlencoded|22|"; distance:0; content:"autocomplete|3d 22|off|22 3e|"; distance:0; reference:url,app.any.run/tasks/40a14763-96a6-4897-86c4-2b4693a0034b/; classtype:social-engineering; sid:2033748; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_20, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; http.uri; content:".html"; pcre:"/^\/\d+?\/\d+?\.html$/i"; http.header; content:"From|3a| "; depth:6; pcre:"/^\d+?\r\n/Ri"; content:"Via|3a| "; content:!"1|2e|"; within:2; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:command-and-control; sid:2015786; rev:5; metadata:created_at 2012_10_09, former_category MALWARE, updated_at 2020_12_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Win32/Numando Banker CnC Activity"; flow:established,to_server; content:"<|7c|>1<|7c|>"; offset:7; content:"<|7c|>Microsoft|20|Windows"; distance:0; content:"<|7c|>0<|7c|>"; distance:0; reference:md5,fec2f560619b88d9846fe03db6841e91; reference:url,www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/; classtype:trojan-activity; sid:2033983; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M5"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__io_r="; fast_pattern; http.cookie; content:"__io_r="; startswith; content:"|3b 20|__io_vl="; distance:0; content:"|3b 20|__io_bl="; distance:0; content:"|3b 20|Session_id="; distance:0; content:"|3b 20|__io_uniq="; distance:0; content:"|3b 20|__io_f="; isdataat:!38,relative; pcre:"/^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}\x3b\x20__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}\x3b\x20__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}\x3b\x20Session_id=[0-9A-F]{12}\x3b\x20__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}\x3b\x20__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; classtype:command-and-control; sid:2031298; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"!|5c|n|5c|nWebsite work well"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com)"; flow:established,to_server; tls.sni; dotprefix; content:".img565vv6.holdmydoor.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/; classtype:domain-c2; sid:2031439; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Credit Card Payment Data Exfil"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|c5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net)"; flow:established,to_server; tls.sni; dotprefix; content:".crashparadox.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031440; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $HOME_NET any -> any any (msg:"ET INFO Python BaseHTTP ServerBanner"; flow:established; http.server; content:"BaseHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034635; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net)"; flow:established,to_server; tls.sni; dotprefix; content:".f15fwd322.regularhours.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031441; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kimsuky Related Malicious VBScript"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.response_body; content:"language|3d|javascript|3e|document|2e|write|28|unescape|28 27|"; content:"%47%65%74%4F%62%6A%65%63%74%28%22%22%6E%65%77%3A"; content:"%2E%76%62%73%20%26%40%65%63%68%6F%20%55%52%4C%20%3D%20%22%22"; distance:0; within:285; fast_pattern; content:"%73%65%6C%66%2E%63%6C%6F%73%65"; reference:md5,d74f268b986fecfa03b81029dd134811; classtype:trojan-activity; sid:2034697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (bananakick .net)"; flow:established,to_server; tls.sni; content:"bananakick.net"; bsize:14; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031442; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Maldoc Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand?guid="; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034844; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (stilloak .net)"; flow:established,to_server; tls.sni; content:"stilloak.net"; bsize:12; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031443; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Metawallet Phish 2022-01-13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.request_body; content:"WoRd1="; content:"WoRd2="; distance:0; content:"WoRd3="; distance:0; content:"WoRd4="; distance:0; content:"WoRd5="; distance:0; content:"WoRd6="; distance:0; content:"WoRd7="; distance:0; content:"WoRd8="; distance:0; content:"WoRd9="; distance:0; content:"WoRd10="; distance:0; content:"WoRd11="; distance:0; content:"WoRd12="; distance:0; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (flowersarrows .com)"; flow:established,to_server; tls.sni; content:"flowersarrows.com"; bsize:17; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031444; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST)"; flow:established,to_server; http.request_line; content:"POST /up/up.php HTTP/1.1"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"form-data|3b 20|name=|22|file|22 3b|"; reference:md5,a023ece310a490a87e77c9bb28b6415b; classtype:trojan-activity; sid:2034962; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031437; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Valyria.6015 CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eln-images/"; startswith; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; http.header_names; content:!"Referer"; reference:md5,a118a3030807156eca8f805b8b83ce1f; classtype:trojan-activity; sid:2035223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031438; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, signature_severity Major, updated_at 2020_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/proccess/log.php"; fast_pattern; http.request_body; content:"FromPreSignIn_SIP=Y"; content:"&RSA_DEVPRINT="; distance:0; content:"&QQ1="; distance:0; reference:md5,023f93be3b12f211c5db927f234290ad; classtype:credential-theft; sid:2035379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> any any (msg:"ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logoimagehandler.ashx"; content:"clazz="; fast_pattern; content:"method="; content:"args="; content:"codes="; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect; reference:url,unit42.paloaltonetworks.com/solarstorm-supernova; classtype:trojan-activity; sid:2031436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_12_21, deployment Perimeter, former_category MALWARE, malware_family Solorigate, signature_severity Major, updated_at 2020_12_21;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:8; metadata:created_at 2010_09_23, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE LIKEACHARM Stealer Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn)$/W"; reference:url,twitter.com/bl4ckh0l3z/status/1340960422485213184; reference:md5,43f75535144f3315e402a0aa5f181e7d; classtype:trojan-activity; sid:2031445; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_21;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Rat CnC Server Response"; flow:established,to_client; content:"|00 00 00|ent2rmezi="; offset:2; depth:13; fast_pattern; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"https://bitbucket.org"; startswith; content:".exe"; endswith; classtype:bad-unknown; sid:2026515; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g1nzo.php?"; startswith; fast_pattern; content:"data="; content:"countc="; content:"countp="; content:"country="; content:"ip="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036246; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; http.stat_code; content:"3"; depth:1; http.location; content:"data|3a|"; fast_pattern; depth:5; classtype:misc-activity; sid:2015674; rev:6; metadata:created_at 2012_09_04, updated_at 2020_12_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow .online) in TLS SNI"; flow:established,to_server; tls.sni; content:"ritmflow.online"; bsize:15; fast_pattern; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036247; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?cmd=_update-information&account_bank="; nocase; fast_pattern; content:"&dispatch="; distance:32; within:10; nocase; http.content_len; byte_test:0,=,0,0,string,dec; classtype:social-engineering; sid:2024016; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_12_22;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M3"; flow:established,to_client; dsize:18; content:"|0d 00 00 00 00|inf2o=command"; threshold:type limit,track by_dst, count 5,seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish 2018-10-22"; flow:established,from_server; flowbits:isset,ET.Fedex_DHL_Phish; http.stat_code; content:"302"; http.location; content:"tracking2.php"; startswith; classtype:credential-theft; sid:2029667; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_12_22;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Client Command Response (info)"; flow:established,to_server; content:"|00 00 00 00|"; offset:1; depth:4; content:"inx7fo=usder"; distance:0; fast_pattern; content:"|00 00 00 00 7c|"; distance:1; within:5; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?c="; fast_pattern; pcre:"/\.php\?c=[a-f0-9]{160}$/"; http.referer; content:".php?q="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021228; rev:4; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_12_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow .online)"; dns.query; content:"ritmflow.online"; nocase; bsize:15; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036248; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent in Referer Field - Likely Malware"; flow:established,to_server; http.referer; content:"Mozilla/4.0|20|"; startswith; classtype:trojan-activity; sid:2013423; rev:10; metadata:created_at 2011_08_18, updated_at 2020_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CSIS Credential Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/policy/id1383729472034823098/United-States-Nonpaper-on-Iran.pdf/"; fast_pattern; http.referer; content:!"csis.org"; http.request_body; content:"email="; content:"password"; classtype:credential-theft; sid:2034255; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.content_len; byte_test:0,=,0,0,string,dec; http.header; content:"location|3a 20|"; fast_pattern; content:"|2f 3f|"; distance:32; within:2; content:"|0d 0a|"; distance:32; within:2; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2024008; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_12_22;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check (2)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/timezone/0/0"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:"www.earthtools.org"; bsize:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/09/09/index.html; classtype:trojan-activity; sid:2020491; rev:10; metadata:created_at 2015_02_19, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/%2e%2e/%2e%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,twitter.com/HackerGautam/status/1445412108863041544; reference:cve,2021-41773; classtype:attempted-admin; sid:2034124; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks GET Request"; flow:established,to_server; urilen:4; http.method; content:"GET"; http.uri; content:"/dll"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/08/01/index3.html; classtype:trojan-activity; sid:2019138; rev:6; metadata:created_at 2014_09_08, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/.%2e/.%2e/.%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,github.com/iilegacyyii/PoC-CVE-2021-41773/blob/main/CVE-2021-41773.py; reference:cve,2021-41773; classtype:attempted-admin; sid:2034125; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zeprox.B Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a=n|60|e|3e|"; fast_pattern; http.header; content:"Proxy-Connection|3a|"; http.header_names; content:!"Referer|0d 0a|"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,bc27f28e5fe47b78202fd3108d39aac1; reference:md5,38c89cca7806fde08bba82b3cb533e5a; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32/Zeprox.B; classtype:command-and-control; sid:2020203; rev:8; metadata:created_at 2015_01_16, former_category MALWARE, updated_at 2020_12_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/.%2e/"; reference:cve,2021-41773; classtype:attempted-admin; sid:2034128; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_06, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"coms.documentmeda.com"; nocase; bsize:21; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031446; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Header"; flow:to_server,established; http.header; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036223; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"freenow.chickenkiller.com"; nocase; bsize:25; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031447; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Body"; flow:to_server,established; http.request_body; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036224; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PhantomNet/Smanager CnC)"; flow:established,to_client; tls.cert_subject; content:"C=AU, ST=Hello, L=China, O=Microsoft, OU=dirweb, CN=secfire/emailAddress=iunkown1987@gmail.com"; bsize:94; fast_pattern; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:command-and-control; sid:2031448; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_22;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP URI"; flow:to_server,established; http.uri; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036222; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT LuckyMouse BlueTraveller CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/home/"; startswith; pcre:"/^[0-9]{4}\/[0-9]{4}\/[^\r\n]+(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; pcre:"/Cache-Control\r\n(?:\r\n|Cookie\r\n\r\n)$/"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031316; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Moderate, signature_severity Major, updated_at 2020_12_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"nominally.ru"; bsize:12; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:domain-c2; sid:2036249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031453; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|ginzoarchive|2e|zip|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in TLS SNI (mobilnweb .com)"; flow:established,to_server; tls.sni; content:"mobilnweb.com"; bsize:13; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; dotprefix; content:".nominally.ru"; endswith; fast_pattern; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in DNS Query"; dns_query; content:"mobilnweb.com"; nocase; depth:13; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M1"; flow:established,to_server; http.uri; content:".asp?prd_fld=racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sephardimension .com)"; dns.query; content:"sephardimension.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031454; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M2"; flow:established,to_server; http.uri; content:".jsp?prd_fld_racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036258; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (besaintegration .com)"; dns.query; content:"besaintegration.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031455; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev)"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036259; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (dmnadmin .com)"; dns.query; content:"dmnadmin.com"; nocase; bsize:12; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031456; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom)"; flow:established,to_server; http.user_agent; content:"dafom"; bsize:5; fast_pattern; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:bad-unknown; sid:2036260; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sendbits .m2stor4ge .xyz)"; dns.query; content:"sendbits.m2stor4ge.xyz"; nocase; bsize:22; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031457; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com)"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036261; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (myrric-uses .singlejets .com)"; dns.query; content:"myrric-uses.singlejets.com"; nocase; bsize:26; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031458; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com)"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT PurpleFox EK Domain in DNS Lookup"; dns.query; content:"rawcdn.githack.cyou"; nocase; bsize:19; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:domain-c2; sid:2031461; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com)"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036263; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/up.php?key="; startswith; bsize:13; fast_pattern; pcre:"/^\d$/R"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com)"; dns.query; content:"esilet.com"; nocase; bsize:10; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web.config.i18n.ashx?"; nocase; fast_pattern; reference:cve,2020-10148 reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; classtype:web-application-attack; sid:2031459; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2020_12_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com)"; dns.query; content:"vasepinay.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SWNetPerfMon.db.i18n.ashx?"; nocase; fast_pattern; reference:cve,2020-10148 reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; classtype:web-application-attack; sid:2031460; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2020_12_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com)"; dns.query; content:"dixavokij.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"/?key="; fast_pattern; pcre:"/^[A-F0-9]{16}$/R"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"/?key="; within:400; pcre:"/^[A-F0-9]{16}\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031463; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert tcp any any -> any 3389 (msg:"ET SCAN RDP Connection Attempt from Nmap"; flow:established,to_server; content:"|00 00 00 00 00|Cookie|3a 20|mstshash|3d|nmap|0d 0a|"; fast_pattern; reference:url,github.com/nmap/nmap/blob/4b46fa7097673f157e7b93e72f0c8b3249c54b4c/nselib/rdp.lua#L211; classtype:network-scan; sid:2036252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category SCAN, performance_impact Low, signature_severity Minor, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Jpg Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; content:".jpg"; endswith; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-zA-Z0-9]{16}\/[a-f0-9]{40}\/[a-zA-Z0-9]+\.jpg$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2031466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (key)"; flow:established,to_server; http.uri; content:"/key"; startswith; bsize:4; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /update HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031464; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (payload)"; flow:established,to_server; http.uri; content:"/payload"; startswith; bsize:8; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /banner HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031465; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/A.php"; bsize:6; fast_pattern; http.user_agent; content:"wx"; http.request_body; content:"a"; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE NuggetPhantom Module Download Request"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:".moe"; endswith; fast_pattern; pcre:"/^\/[a-fA-F0-9]{8}\.moe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf; classtype:command-and-control; sid:2031467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; depth:18; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.host; content:"dayzcheats.ru"; bsize:13; fast_pattern; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0; content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031468; rev:2; metadata:created_at 2020_12_30, former_category PHISHING, updated_at 2020_12_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"Cookie|3a 20|dkv="; fast_pattern; http.cookie; content:"dkv="; startswith; content:"|3b|YSC="; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; http.header_names; content:!"Referer"; content:!"Content-Type"; http.request_body; content:"DQpIb3N0IE5hbWU6"; startswith; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:command-and-control; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_31;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M1"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0|3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036254; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in TLS SNI (cs .lg22l .com)"; flow:established,to_server; tls.sni; content:"cs.lg22l.com"; bsize:12; reference:md5,774419bb738a2a4fa18aacee88850d2c; classtype:domain-c2; sid:2031469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_31;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46"; fast_pattern; content:!"|0d 0a|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036255; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Simple Bot"; flow:established,to_server; http.user_agent; content:"Simple Bot v"; startswith; fast_pattern; reference:md5,3cf04350400299844abb17a0e1640975; classtype:bad-unknown; sid:2031471; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_12_31;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"auInfo|3d|YWRtaW46"; fast_pattern; content:!"|3b|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036256; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Azula Logger CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=azula+logger&avatar_url="; startswith; fast_pattern; reference:md5,7ad3777dfb916150e21e9414dd24c1da; reference:url,github.com/CythosaSec/Azula-Logger; classtype:command-and-control; sid:2031470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_31;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editBlackAndWhiteList"; bsize:22; http.request_body; content:"clientType|3d 22|WEB|22 3e|"; content:"|3c|addressType|3e|ip|3c 2f|addressType|3e 3c|ip|3e|"; distance:0; fast_pattern; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036253; rev:2; metadata:created_at 2022_04_19, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mykessef .com)"; dns.query; content:"mykessef.com"; nocase; bsize:12; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031474; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc Login Attempt"; flow:established,to_server; stream_size:server,<,5; dsize:38; content:"{D79E94C5-70F0-46BD-965B-E17497CCB598}"; startswith; flowbits:set,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036272; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mihannevis .com)"; dns.query; content:"mihannevis.com"; nocase; bsize:14; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc System Details Request"; flow:established,to_server; content:"GET /"; startswith; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|1|0d 0a 0d 0a|"; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036273; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (idtpl .org)"; dns.query; content:"idtpl.org"; nocase; bsize:9; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031476; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M2"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDp7MTIyMTNCRDEtNjlDNy00ODYyLTg0M0QtMjYwNTAwRDFEQTQwfQ|3d 3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036274; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC ConfigSyncProc RCE Attempt"; flow:established,to_server; content:"GET /saveSystemConfig"; depth:21; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|2|0d 0a 0d 0a|DAAAAAEAAAADAAAAIQACAAEABA"; distance:0; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036275; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connecttest.txt"; bsize:16; http.host; content:"www.msftconnecttest.com"; bsize:23; fast_pattern; classtype:bad-unknown; sid:2031071; rev:2; metadata:created_at 2020_10_21, former_category INFO, performance_impact Low, updated_at 2022_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA1C Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?REQ="; fast_pattern; content:"&ID="; distance:0; http.user_agent; content:"|29 20|WindowsPowerShell/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,b100f0ab63a2b74a5d5ff54d533fc60f; classtype:trojan-activity; sid:2031477; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"c__"; content:"ENTERWindows"; distance:0; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:trojan-activity; sid:2036277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.uri; content:"?i=7B226964223A22"; nocase; fast_pattern; content:"222C2268776964223A22"; nocase; distance:0; content:"227D"; nocase; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; reference:md5,a9c8b293fdb84ceb9478f8043ff19b71; classtype:trojan-activity; sid:2031481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2021_01_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club)"; dns.query; content:"beastmodser.club"; nocase; bsize:16; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:domain-c2; sid:2036278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/set_ftp.cgi?next_url=ftp.htm&loginuse="; fast_pattern; content:"&loginpas="; distance:0; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:attempted-admin; sid:2030309; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2021_01_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Macro_Opened_"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; classtype:trojan-activity; sid:2036279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XSL file download (FTP)"; flow:established,to_server; content:"RETR|20|/frog/usoprive.xsl"; fast_pattern; reference:md5,dd0124264f131a203ecfc70314dcec04; reference:url,asec.ahnlab.com/ko/19439/; classtype:trojan-activity; sid:2031482; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin"; flow:established,to_server; http.uri; content:"/apiv8/"; startswith; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ElectroRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|go-resty/"; content:"|20|(https|3a|//github.com/go-resty/resty)|0d 0a|"; distance:0; within:50; http.request_body; content:"{|22|id|22 3a 22|"; depth:7; content:"|22 2c 22|mac_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os_version|22 3a 22|"; nocase; fast_pattern; distance:0; content:"|22 2c 22|user_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os|22 3a 22|"; nocase; distance:0; http.header_names; content:!"Referer"; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike X-Client Header (notevil)"; flow:established,to_server; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Screenshot)"; flow:established,from_server; content:"{|22|type|22 3a 22|Screenshot|22 2c 22|uid|22 3a|"; offset:2; depth:27; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031479; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//alert/7/"; bsize:10; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,d2e2f0a2e553075d7968e55e15cd49a1; classtype:command-and-control; sid:2036318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Get folder content)"; flow:established,from_server; content:"{|22|type|22 3a 22|Get folder content|22 2c 22|uid|22 3a|"; offset:2; depth:35; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031480; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin?ver="; fast_pattern; content:"&lip="; distance:0; content:"&mac="; isdataat:!13,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 29|"; bsize:76; reference:md5,014d2e1a31ce397e7a5e3ba8edc45344; classtype:trojan-activity; sid:2036276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IceRat CnC Acitivty"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow_"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Java/"; startswith; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; classtype:trojan-activity; sid:2031485; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT)"; flow:established,to_server; http.uri; pcre:"/^\/[A-F0-9]{33}$/"; http.method; content:"PUT"; http.request_body; content:"DAV2"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/; reference:url,www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool; classtype:trojan-activity; sid:2036280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat Backdoor Checkin"; flow:established,to_server; http.request_line; content:"GET /users.php?"; startswith; fast_pattern; pcre:"/^(?:resp|onl|pr)=/R"; content:"|3a|windows|20|"; distance:0; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; reference:md5,dae90ae7fe103fc7e1866b4e13389101; classtype:command-and-control; sid:2031486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Pastebin Style Domain in DNS Lookup (pastetext .net)"; dns.query; content:"pastetext.net"; nocase; bsize:13; classtype:bad-unknown; sid:2036287; rev:1; metadata:created_at 2022_04_21, former_category INFO, updated_at 2022_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat CnC Acitivty M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/execuser.php?login="; startswith; fast_pattern; content:"&pass="; content:"&user="; http.user_agent; content:"Java/"; startswith; reference:url,malwaretips.com/threads/jphp-icerat-analysis.105233/; reference:md5,5e864667d91e3867a29df90dbcadb6b2; classtype:command-and-control; sid:2031487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Pastebin Style Domain (pastetext .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"pastetext.net"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, signature_severity Informational, updated_at 2022_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031483; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M1"; flow:established,to_server; http.uri; content:"/baby.php"; startswith; content:"/baby"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0)"; startswith; content:"::/.beagle/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031484; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M2"; flow:established,to_server; http.uri; content:"/begun.php"; startswith; bsize:10; http.user_agent; content:"Mozilla/5.0 (Linux"; startswith; content:"::/.balance/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv2 Used in Session"; flow:to_server,established; ssl_version:sslv2;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031488; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5612 (msg:"ET MALWARE Win32/Pterodo CnC VNC Connect Request"; flow:established,to_server; content:"|49 44 3a|"; depth:3; pcre:"/^\d+?\x00/R"; content:"|3a 5c|"; distance:0; content:"\\Contacts|00|Driver"; fast_pattern; distance:0; content:"Hood.exe"; distance:0; within:10; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:command-and-control; sid:2036293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv3 Used in Session"; flow:to_server,established; ssl_version:sslv3;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031489; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)"; dns.query; content:"pool.hashvault.pro"; nocase; bsize:18; classtype:coin-mining; sid:2036289; rev:1; metadata:created_at 2022_04_21, former_category COINMINER, performance_impact Significant, signature_severity Major, updated_at 2022_04_21;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.1 Used in Session"; flow:to_server,established; tls.version:1.1;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031490; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CrimsonRAT Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /indexer.php HTTP/1.1"; http.request_body; content:"q="; startswith; content:"|7c|ver="; distance:0; fast_pattern; content:"|7c 7c|"; within:4; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,twitter.com/0xrb/status/1517052777167732736?s=21&t=zTZ6AqU3_DB36dZ3DE1HCg; reference:md5,41702a1959b1b7038237d75330b904b6; classtype:trojan-activity; sid:2036290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family CrimsonRAT, signature_severity Major, updated_at 2022_04_21;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.0 Used in Session"; flow:to_server,established; tls.version:1.0;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031491; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1"; flow:to_client,established; file_data; content:"var _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; pcre:"/(localhost|127\.0\.0\.1)/W"; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2"; flow:to_client,established; file_data; content:"function _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"client=ssh"; fast_pattern; content:"ssh_priv="; content:"%20"; distance:0; reference:cve,CVE-2020-16846; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2031495; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_16846, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3"; flow:to_client,established; file_data; content:"return _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspicious TikTok Domain Request - Possible Phishing or Scam"; dns.query; content:"tiktok"; fast_pattern; pcre:"/(?:verify|support|account|copyright|help|verified|service|badge|verification|safety|\.ml$|\.ga$|\.cf$|\.gq$|\.tk$|\.xyz$)/"; classtype:social-engineering; sid:2031492; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Informational, updated_at 2021_01_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Extention Payload Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/archive.zip?iver="; startswith; bsize:<20; fast_pattern; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Instagram Phishing or Scam Landing Page"; flow:established,to_client; file.data; content:"lnstagram"; nocase; fast_pattern; within:1000; content:"</title>"; within:50; nocase; classtype:social-engineering; sid:2031493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_01_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/un?iver="; startswith; fast_pattern; content:"&did="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.ULH CnC Activity"; flow:established,to_server; http.start; content:"GET /swidget/d23r523t4id HTTP/1.1|0d 0a|Host|3a 20|whos.amung.us|0d 0a 0d 0a|"; bsize:58; fast_pattern; reference:md5,2679be8b6b76fb765191c9854af39e9f; classtype:command-and-control; sid:2031496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"search?ext=properties&is"; startswith; fast_pattern; content:"&q="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17132)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ecp/DLPPolicy/ManagePolicyFromISV.aspx"; startswith; http.request_body; content:"ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; content:"[Diagnostics.Process]::start|28|"; distance:0; reference:cve,CVE-2020-17132; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-17132/CVE-2020-17132.rules; reference:cve,2020-17132; classtype:attempted-admin; sid:2031506; rev:2; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17132, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Sync"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"sync?ext=Properties&ver="; startswith; fast_pattern; content:"&dd="; distance:0; content:"&info="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC"; flow:established,to_server; http.request_line; content:"POST //"; depth:7; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&cred="; fast_pattern; distance:0; content:"|7c|"; within:10; pcre:"/^id=\d+&cred=[a-z]+\x7c/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ca467e332368cbae652245faa4978aa4; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/; classtype:command-and-control; sid:2031498; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"hb?ext="; startswith; fast_pattern; content:"&ver="; distance:0; content:"&is="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17141)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; startswith; http.request_body; content:"<m:RouteComplaint|20|"; content:"<m:Data>"; distance:0; base64_decode:bytes 300, offset 0, relative; base64_data; content:"<!DOCTYPE"; content:"SYSTEM"; distance:0; reference:cve,CVE-2020-17141; reference:cve,2020-17141; classtype:web-application-attack; sid:2031507; rev:1; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17141, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035881; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO PHP Xdebug Extension Query Parameter (XDEBUG_SESSION_START)"; flow:established,to_server; http.uri; content:"?XDEBUG_SESSION_START="; classtype:web-application-activity; sid:2031499; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker (getAd)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ad?ext=Properties"; startswith; fast_pattern; content:"&ver="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Spring Boot Actuator Health Check Request"; flow:established,to_server; http.uri; content:"/actuator/health"; endswith; classtype:web-application-activity; sid:2031500; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035882; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Netlink GPON Login Attempt (GET)"; flow:established,to_server; http.uri; content:"/boaform/admin/formLogin"; fast_pattern; content:"username="; content:"psd="; classtype:attempted-admin; sid:2031501; rev:2; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035883; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ElegyRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=ElegyRAT Server"; fast_pattern; endswith; tls.cert_issuer; content:"CN=ElegyRAT Server"; endswith; reference:md5,a24cae9f6cf137e0e72817a1879f0acf; classtype:domain-c2; sid:2031497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, malware_family ElegyRAT, signature_severity Major, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035884; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Request to Hidden Environment File"; flow:established,to_server; http.uri; content:"/.env"; endswith; classtype:misc-attack; sid:2031502; rev:1; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.OGR!tr.pws Stealer"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile_id|22|"; fast_pattern; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|hwid|22|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1517238542434414592; reference:md5,21e2215738a8e9c9d1ed1e1f66cff10e; classtype:trojan-activity; sid:2036316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Liferay JSON Web Services Invoker"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/invoke"; http.content_type; content:"application/json"; classtype:web-application-activity; sid:2031503; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)"; dns.query; content:"filetransfer.io"; nocase; bsize:15; classtype:bad-unknown; sid:2036310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Apache Solr System Information Request"; flow:established,to_server; http.uri; content:"/solr/admin/info/system"; classtype:web-application-activity; sid:2031504; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"filetransfer.io"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036311; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML"; flow:established,to_server; http.uri; content:"/wp-includes/wlwmanifest.xml"; threshold: type both, track by_src, count 4, seconds 8; classtype:network-scan; sid:2031505; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_01_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com)"; flow:established,to_server; tls.sni; content:"updatedaemon.com"; startswith; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036312; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Attempted Executable Drop via VBScript"; flow:established,to_client; file.data; content:"<SCRIPT Language=VBScript"; nocase; content:"DropFileName"; nocase; within:100; content:".exe"; within:100; nocase; content:"WriteData =|20 22|4D5A"; nocase; within:100; fast_pattern; classtype:trojan-activity; sid:2031508; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_01_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com)"; dns.query; content:"updatedaemon.com"; fast_pattern; endswith; nocase; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (bald-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"bald-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com)"; flow:established,to_client; tls.cert_subject; content:"CN=updatedaemon.com"; bsize:19; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036314; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (hawkshaw-cae48 .firebaseio .com in DNS Lookup)"; dns_query; content:"hawkshaw-cae48.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031510; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"icanhazip.com"; bsize:13; fast_pattern; classtype:external-ip-check; sid:2036304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (spitfirepanel .firebaseio .com in DNS Lookup)"; dns_query; content:"spitfirepanel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031511; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kratos Silent Miner Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"|22|name|22 3a 22|Kratos|20|Silent|20|"; fast_pattern; content:"|22|name|22 3a 22|PC|20|Name|3a 22 2c 22|value|22 3a 22|"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:command-and-control; sid:2036305; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (phoenix-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"phoenix-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031512; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?m="; fast_pattern; pcre:"/^[0-9]{10}$/R"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|8.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036315; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed KnowB4/Popcorn Training Simulated Phish Landing Page M1"; flow:established,to_client; file.data; content:"/popcorn/logos/Popcorn+Training+Logo.png|22 20 2f 3e|"; fast_pattern; classtype:credential-theft; sid:2031516; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Command List Fetch"; flow:established,to_server; http.request_line; content:"GET /ginzolist.txt HTTP/1.1"; bsize:27; fast_pattern; isdataat:!1,relative; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,twitter.com/struppigel/status/1506933328599044100; reference:md5,5009e04920d5fb95f8a02265f89d25a5; classtype:trojan-activity; sid:2036317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, malware_family Ginzo, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed KnowB4/Popcorn Training Simulated Phish Landing Page M2"; flow:established,to_client; file.data; content:"|3c|meta|20|name|3d 22|IMPORTANT|22 20|content|3d 22|This|20|page|20|is|20|part|20|of|20|a|20|simulated|20|phishing|20|attack|20|initiated|20|by|20|KnowBe4"; classtype:credential-theft; sid:2031517; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userType=&cod="; fast_pattern; content:"&pin="; distance:0; content:"&tel="; distance:0; classtype:credential-theft; sid:2036319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed KnowB4/Popcorn Training Simulated Phish Landing Page M3"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|oops|2d|banner|2d|header|22 3e 3c|strong|3e|OOPS|21 20|YOU|20|CLICKED|20|ON|20|A|20|SIMULATED|20|PHISHING|20|TEST|2e 3c 2f|strong|3e 3c 2f|div|3e 0d 0a|"; classtype:credential-theft; sid:2031518; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/call?key="; bsize:42; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:69; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"ProcessList.txt"; fast_pattern; distance:0; content:"Screenshot.png"; distance:0; reference:md5,3f9c1455992239f4efe31f0e56773433; classtype:trojan-activity; sid:2036321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed KnowB4/Popcorn Training Simulated Phish Landing Page M4"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|disclaimer|22 3e 0d 0a 3c|p|3e|Please|20|Note|3a 20|This|20|message|20|came|20|from|20|KnowBe4|2c 20|Inc|2e 20|"; classtype:credential-theft; sid:2031519; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/ping|20|"; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.content_len; byte_test:0,=,36,0,string,dec; http.request_body; content:"key="; startswith; pcre:"/^key=[A-F0-9]{32}$/"; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036306; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup"; dns.query; content:"sery.brushupdata.com"; nocase; bsize:20; reference:url,twitter.com/KorbenD_Intel/status/1346193938277949443; reference:md5,a587a2af22c7e18a0260cab5c06d980d; classtype:domain-c2; sid:2031520; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Banca MPS"; content:"|3c|form|20|method|3d 22|POST|22 20|id|3d 22|includeCodUser|22 20|class|3d 22|margin|5f|login|5f|header|20|includeCodUser|20|dB|5f|box|5f|container|22 3e|"; nocase; distance:0; fast_pattern; content:"name=|22|userType|22|"; distance:0; content:"name=|22|cod|22|"; distance:0; content:"name=|22|pin|22|"; distance:0; content:"name=|22|tel|22|"; distance:0; content:"id=|22|loginOtp1|22|"; distance:0; classtype:credential-theft; sid:2036320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031513; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk)"; dns.query; dotprefix; content:".forummanazera.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036322; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031514; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk)"; dns.query; dotprefix; content:".reality.skarabeus.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036323; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Kryptos Logic"; flow:to_client,established; file.data; content:"<title>Sinkholed by Kryptos Logic"; fast_pattern; content:"<h1>Sinkholed!</h1><p>This domain has been sinkholed"; distance:0; classtype:misc-activity; sid:2031515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz)"; dns.query; content:"msrousinov.cz"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036324; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MassLogger)"; flow:established,to_client; tls.cert_subject; content:"CN=bestpccare.best"; bsize:18; fast_pattern; reference:url,twitter.com/jorgemieres/status/1306608136623718401; classtype:domain-c2; sid:2031521; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_13, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru)"; dns.query; content:"googleprovider.ru"; nocase; bsize:17; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036325; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Qihoo360.J Variant Install Report"; flow:established,to_server; http.request_line; content:"POST /v1/client/report"; startswith; fast_pattern; http.request_body; content:"|5b 7b 22|action|22 3a 22|"; startswith; content:"|22 2c 22|device|5f|id|22 3a 22|"; distance:0; reference:md5,93dc18be56153f41fd1e12b686cca9fe; classtype:pup-activity; sid:2031522; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_13, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_01_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk)"; dns.query; content:"profiit.fiit.stuba.sk"; nocase; bsize:21; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036326; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1"; flow:established,to_server; tls.sni; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; content:!".nicovideo.jp"; isdataat:!1,relative; content:!"strib-covid-data.s3.amazonaws.com"; isdataat:!1,relative; classtype:bad-unknown; sid:2029707; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2021_01_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk)"; dns.query; content:"freetips.php5.sk"; nocase; bsize:16; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036327; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Password - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031523; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_01_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk)"; dns.query; content:"sivpici.php5.sk"; nocase; bsize:15; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036328; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"pass="; nocase; depth:5; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_01_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu)"; dns.query; content:"hotel-boss.eu"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036329; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ITW Android Post-Exploit Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api2/v9/pass"; bsize:13; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; reference:url,googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html; classtype:command-and-control; sid:2031525; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz)"; dns.query; content:"limousine-service.cz"; nocase; bsize:20; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036330; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; http.header_names; content:!"Referer"; http.host; content:!".webex.com"; endswith; classtype:trojan-activity; sid:2017259; rev:15; metadata:created_at 2013_07_31, updated_at 2021_01_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz)"; dns.query; content:"ms.rousinov.cz"; nocase; bsize:14; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036331; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible NTFS Index Attribute Corruption Vulnerability"; flow:established; file_data; content:"|63 3a 5c 3a 24 69 33 30 3a 24 62 69 74 6d 61 70|"; classtype:attempted-admin; sid:2031526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_15, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Informational, updated_at 2021_01_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz)"; dns.query; content:"vavave.xf.cz"; nocase; bsize:12; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036332; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/checkupdate.js?id="; startswith; fast_pattern; content:"&token="; distance:0; content:"&platform="; distance:0; reference:url,github.com/BenChaliah/Arbitrium-RAT/; classtype:command-and-control; sid:2031528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M1"; flow:established,to_server; http.request_line; content:"POST|20|/call?key="; fast_pattern; pcre:"/^[a-f0-9]{32}\x20/R"; http.header; content:"Content|2d|Type|3a 20|multipart|2f|form|2d|data|3b 20|boundary|3d|"; pcre:"/^[a-f0-9]{60}\x0d\x0a/R"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 5b|"; distance:0; content:"|5d 20|"; distance:2; within:2; content:"|20 5b|"; distance:32; within:2; content:"|5d 22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; distance:19; within:50; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT Observed User-Agent (JustKidding)"; flow:established,to_server; http.user_agent; content:"JustKidding"; bsize:11; reference:url,github.com/BenChaliah/Arbitrium-RAT; classtype:command-and-control; sid:2031529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech FlagPro Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htmld?flag"; fast_pattern; pcre:"/^(?:pro)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b39dcc5de43d2840d6992a561e34eec; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036309; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] DeDeCMS RFI Attempt"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data"; http.uri; content:"/select_soft_post.php"; nocase; http.request_body; content:"cfg_basedir"; nocase; content:"uploadfile"; nocase; content:"upload"; nocase; reference:cve,2010-1097; reference:url,www.exploit-db.com/exploits/33685; classtype:attempted-admin; sid:2031527; rev:2; metadata:created_at 2021_01_19, former_category EXPLOIT, updated_at 2021_01_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; http.request_line; content:"GET / "; startswith; http.host; dotprefix; content:".google.com"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_22;)